BIOS Settings for Windows 11: TPM, Secure Boot & UEFI Guide

Windows 11 requires three BIOS/UEFI settings that older systems may have disabled by default: TPM 2.0, Secure Boot, and UEFI boot mode. If any of these are off, Windows 11 won’t install — or it may show a “This PC doesn’t meet Windows 11 requirements” error.

This guide shows you how to access your BIOS, enable each setting, and verify everything works, with instructions for Intel, AMD, and all major motherboard brands.

Key Takeaways

• Windows 11 requires TPM 2.0, Secure Boot enabled, and UEFI boot mode (not Legacy/CSM). All three must be active to install or upgrade.
• TPM is labeled differently depending on your platform: Intel calls it PTT (Platform Trust Technology), AMD calls it fTPM (firmware TPM).
• You can verify your settings without entering BIOS: run tpm.msc to check TPM and msinfo32 to check Secure Boot status.

---

How to Access BIOS/UEFI Settings

Method 1: Key on Startup (Most Common)

Restart your PC and press the BIOS key repeatedly as soon as the screen turns on:

Manufacturer	BIOS Key
Dell	F2
HP	F10 (or Esc → F10)
Lenovo	F2 (or Fn + F2)
ASUS	Del or F2
MSI	Del
Gigabyte	Del
Acer	F2
ASRock	F2 or Del

Method 2: Through Windows Settings

1. Open Settings → System → Recovery.
2. Under “Advanced startup,” click Restart now.
3. After reboot, select Troubleshoot → Advanced options → UEFI Firmware Settings → Restart.
4. Your PC boots directly into BIOS.

---

How to Enable TPM 2.0

TPM (Trusted Platform Module) 2.0 is a security chip that Windows 11 uses for device encryption, Windows Hello, and BitLocker. Most modern CPUs (Intel 8th gen+, AMD Ryzen 2000+) have a firmware TPM built in — it just needs to be enabled.

For Intel Systems (PTT)

1. Enter BIOS (see above).
2. Navigate to Advanced → Security or Trusted Computing.
3. Find Intel Platform Trust Technology (PTT) or Intel Trusted Platform Module.
4. Set it to Enabled.
5. Press F10 to save and exit.

For AMD Systems (fTPM)

1. Enter BIOS.
2. Navigate to Advanced → Security or AMD fTPM Configuration.
3. Find AMD fTPM switch or AMD PSP fTPM.
4. Set it to Enabled (or select AMD CPU fTPM instead of Discrete TPM).
5. Press F10 to save and exit.

Verify TPM Is Active

1. Press Windows + R, type tpm.msc, press Enter.
2. Under “TPM Manufacturer Information,” check the Specification Version — it must say 2.0.
3. The status should read: “The TPM is ready for use.”

If tpm.msc says “Compatible TPM cannot be found,” the setting is still disabled in BIOS or your CPU doesn’t support TPM 2.0.

---

How to Enable Secure Boot

Secure Boot prevents unauthorized software (rootkits, bootkits) from loading during startup. Windows 11 requires it.

Steps (All Motherboards)

1. Enter BIOS.
2. Navigate to Boot or Security tab.
3. Find Secure Boot and set it to Enabled.
4. If Secure Boot is grayed out, you need to disable CSM first (see next section).
5. Press F10 to save and exit.

Verify Secure Boot Is Active

1. Press Windows + R, type msinfo32, press Enter.
2. In System Summary, find Secure Boot State.
3. It should say On.

Important — Secure Boot Certificate Update (2026): Microsoft is updating Secure Boot certificates that were originally issued in 2011. If you’re running a supported Windows version, this update happens automatically through Windows Update. No manual action needed.

---

How to Switch from Legacy/CSM to UEFI

Legacy BIOS (also called CSM — Compatibility Support Module) is an older boot mode that doesn’t support Secure Boot. Windows 11 requires UEFI mode.

Check Your Current Boot Mode

1. Press Windows + R, type msinfo32, press Enter.
2. Find BIOS Mode in System Summary:
3. UEFI — you’re already in the right mode.
4. Legacy — you need to switch.

Switch to UEFI

1. Enter BIOS.
2. Navigate to Boot tab.
3. Find CSM (or Launch CSM or Compatibility Support Module).
4. Set CSM to Disabled.
5. Ensure Boot Mode is set to UEFI.
6. Press F10 to save and exit.

Warning: Switching from Legacy to UEFI may prevent Windows from booting if it was installed in Legacy mode. You may need to convert your disk from MBR to GPT partition style. Use the built-in mbr2gpt tool:

mbr2gpt /convert /allowfullos

Run this in Command Prompt as administrator before switching to UEFI in BIOS.

---

Other BIOS Settings for Windows 11

Virtualization (VBS / Hyper-V)

Windows 11 uses Virtualization-Based Security (VBS) for enhanced protection. Enable virtualization in BIOS: – Intel: Enable Intel VT-x (or Intel Virtualization Technology) in Advanced → CPU Configuration. – AMD: Enable SVM Mode in Advanced → CPU Configuration.

Boot Order

Set your primary boot device: 1. Navigate to Boot → Boot Priority or Boot Order. 2. Set your Windows drive (SSD/NVMe) as the first boot device. 3. If installing from USB, temporarily set the USB drive first.

---

BIOS Settings Checklist for Windows 11

Setting	Required Value	Where to Find
TPM 2.0	Enabled	Advanced → Security or Trusted Computing
Secure Boot	Enabled	Boot or Security tab
CSM / Legacy Boot	Disabled	Boot tab
Boot Mode	UEFI	Boot tab
Virtualization (VT-x/SVM)	Recommended	Advanced → CPU Configuration

---

Troubleshooting

“This PC doesn’t meet Windows 11 requirements” Run the PC Health Check tool to see which requirement fails. Most commonly, TPM 2.0 or Secure Boot is disabled — enable them in BIOS using the steps above.

Secure Boot option is grayed out Disable CSM first. Secure Boot can only be enabled in pure UEFI mode. Save, exit, re-enter BIOS, then enable Secure Boot.

PC won’t boot after switching to UEFI Your Windows installation was done in Legacy mode with an MBR disk. Boot from a Windows USB, open Command Prompt, and run mbr2gpt /convert to convert the disk to GPT without losing data.

TPM shows version 1.2 instead of 2.0 Update your BIOS to the latest version from your manufacturer’s website. Some older BIOS versions report TPM 1.2 even when the hardware supports 2.0. After the BIOS update, check tpm.msc again.

After resolving BIOS settings, activate Windows 11 to unlock all features.

---

Frequently Asked Questions

---