How to fix Windows 11 when Secure Boot and TPM are not working

Some of the most common causes of Windows 11 upgrade failure are incompatible hardware, most likely CPU – or firmware – Unified Extensible Firmware Interface (UEFI), Secure Boot or Trusted Platform Module (TPM).

As a desktop administrator, you need to know what UEFI is and understand the importance of Secure Boot and TPM. This will help you better support Windows 11 desktops, understand why these components are causing Windows 11 installation to fail, and learn workarounds for Windows 11 installation.

Windows 11 and Secure Boot requirements

For important context, consider Windows 11 requirements, including but not limited to TPM and UEFI requirements.

You can use the PC Health Check tool included with Windows 10 to determine Windows 11 compatibility for existing devices. Windows 11 installation failure is likely due to incompatibility with system requirements, which include:

  • approved CPU
  • TPM 2.0 enabled
  • 4GB of RAM
  • 64 GB memory or hard drive
  • UEFI firmware
  • internet connection
  • Windows 10 version 2004 or higher

Some of these requirements are very simple, e.g. B. Internet connection and the specified version of Windows 10, but the requirements for UEFI and TPM are associated with other questions.

What is the difference between BIOS and UEFI?

The Windows desktop BIOS provides a low-level ability for operating systems and applications to communicate with hardware such as the CPU, hard drives, and network adapters. The BIOS provides hardware initialization during boot and was developed with the first IBM-compatible personal computers in the 1970s. While the BIOS was originally stored in ROM chips, it was eventually moved to flash memory to allow for updates and features required by new hardware.

Pressing F1, F2, or F12—depending on the manufacturer—invokes a management utility that administrators still refer to as “The BIOS.” This happens before Windows starts. The BIOS utility allows users to configure hardware by enabling specific boot features, virtualization, security features, hard drive testing, and more (see Figure 1).

Figure 1. The BIOS settings on an HP laptop show options for setting security, virtualization, and system configurations.

The BIOS only has 1MB of executable space to boot devices like hard drives, USB drives, displays, ports and other controllers. New hardware devices go beyond the scope of the original BIOS design, making booting slow and inefficient. In addition, the BIOS allowed any software with a bootloader to boot the PC. Any experienced engineer could write this so it could take over the pc.

Although these limitations had been known for decades, it wasn’t until 2007 that OEMs agreed to use UEFI as a replacement for BIOS. While Microsoft supported the specification as early as Windows 8, it wasn’t required until Windows 11, although peripherals like hard drives may require UEFI.

UEFI has several important functions, including the following:

  1. UEFI stores code in non-volatile storage, which can be RAM, a file on a hard drive, or even a network share. Note that on a Windows PC, the EFI folder is in the \Windows\Boot\EFI Directory structure, including .efi and .dll files required by the hardware.
  2. UEFI supports the Global Partition Table, which supports up to an 18 exabyte disk for 64-bit systems. The BIOS, on the other hand, only supports a hard drive size of up to 2.2 TB, which is also a feature of a 32-bit system. Windows now only runs on 64-bit systems to take advantage of UEFI and larger capacity storage devices and has a practical limit of 16TB hard drives.
  3. UEFI includes a feature called Secure Boot. Secure Boot restricts a PC to booting only one specific operating system.

What are Secure Boot and the Trusted Platform Module used for?

Secure Boot and TPM are often used interchangeably, especially when viewing diagnostic tools and BIOS menu settings. TPM is the hardware or firmware activation of Secure Boot features.

What is Secure Boot

Secure Boot is a security standard supported by UEFI that an OEM or administrator can configure through firmware activation to boot a trusted operating system. It first became available as a feature in UEFI in 2016, around the time of Windows 8. So all PCs built since then most likely support Secure Boot.

This limits the operating system that a PC can boot and prevents malicious bootloaders from booting into an unauthorized or malicious operating system to take over the machine. It also effectively allows an organization to restrict PCs to only booting a desired operating system. For example, an organization may restrict some PCs to run Linux and others to run Windows based on the applications used. Microsoft enforces Secure Boot on Windows 11 computers to enable this security feature.

To determine if Secure Boot is enabled on a Windows installation, open or type MSInfo32.exe system information in the Windows search bar. Seek Safe start state and note the status (see Figure 2).

The System Summary menu in the System Information utility shows basic information for several Windows settings.
Figure 2. The System Information utility shows that Secure Boot is enabled on this PC.

The status can be as follows:

  • Unsupported. This means that Secure Boot is not supported on the PC, probably because the PC is too old.
  • At. Secure Boot is supported and enabled.
  • Out of. Secure Boot is supported but not enabled.
The BIOS menu shows security settings with the TPM status set to available.
Figure 3. Example of an HP laptop running Windows, TPM compatible and enabled.

Secure Boot is enabled or disabled in the BIOS program. Depending on the OEM, this may be referred to as Secure Boot or TPM. Consider this example on an HP Envy laptop (see Figure 3).

What is the Trusted Platform Module?

TPM is a chip — or a feature built into more modern CPU chips and graphics cards — that is installed on computer motherboards to provide cryptographic services. The UEFI enables Secure Boot via TPM. The TPM performs functions such as managing, storing, and creating the cryptographic keys that generate device signatures.

The PC checks these signatures during the boot process to confirm that the devices, all drives, and even the operating system software are legitimate. If not, TPM prevents loading. It does this using public and private encryption keys stored in hardware, and the process protects PCs from malware because an attacker cannot change these keys.

TPM 2.0 is the latest version of this technology and is a requirement for Windows 11. You can verify its presence on any Windows PC by opening TPM.msc to see if it is enabled (see Figure 4).

The Trusted Platform Module settings on a local computer show that TPM 2.0 is present.
Figure 4. TPM.msc indicates that TPM 2.0 is present.

If the tool shows TPM 1.2, it doesn’t meet the Windows 11 requirements for installation. If the tool doesn’t open, TPM isn’t enabled.

To enable TPM, boot the computer into the BIOS tool, navigate to the TPM option and ensure the box is checked. This is usually under the Security Settings, but can be labeled differently by different OEMs, so take a close look and don’t be afraid to research this topic.

Force Windows 11 to install on an old unsupported computer

The internet is full of well-meaning hackers showing how to install Windows 11 on an older machine. However, some of these methods are extremely unreliable as the Windows 11 operating system runs through a method that Microsoft does not endorse or support.

Microsoft offers the ability to install Windows 11 outside of the Windows Upgrade Utility. You can even do an install from media using the Windows 11 file. However, these methods still depend on meeting system requirements and may pose continuity and security risks.

Should You Bypass Windows 11 Installation Requirements?

Bypassing the requirements isn’t much of a risk if you’re just an enthusiast who enjoys tricking an old device into loading Windows when it’s not supposed to. However, this can have significant ramifications if you are a desktop admin for an enterprise or small business for the following reasons.

  • Disabling Secure Boot in UEFI will revert the system to the old BIOS, exposing the system to malware attack.
  • Ignoring Windows 11 updates and running old OS versions eliminates the Secure Boot requirement required to run certain hardware and can leave your fleet of PCs vulnerable to malware attacks.
  • Manipulation of the installation, e.g. Tasks such as editing dynamic link libraries present significant challenges for anyone attempting to provide support for these PCs. Making these changes and supporting these hacked PCs is not practical even if it works. And the elimination of Secure Boot’s security protection introduces additional security challenges.
  • Adding TPM chips or upgraded CPUs to motherboards that don’t have them may not work. This requires special skills and is not practical on a large number of PCs.
  • Even if you can get Windows 11 to run on a computer that doesn’t meet the system requirements, it might not perform as expected.

Windows 11 has important enterprise features and you’d better invest time and budget to install it sooner by assisted means rather than bypassing the requirements. With Windows 10 Mainstream end-of-life scheduled for October 2025, that’s plenty of time to upgrade desktop hardware within a typical PC lifecycle before migrating to Windows 11.

Leave a Reply

Your email address will not be published. Required fields are marked *