updated on Articles

TPM 2.0 and Secure Boot BIOS Guide: Fix “This PC Can’t Run Windows 11” Installation Errors

Windows 11 installation can stop suddenly with the message “This PC can’t run Windows 11”, even on computers that appear modern and powerful enough. In many cases, the problem is not the processor, memory, or storage, but firmware settings related to TPM 2.0, Secure Boot, and UEFI mode. When these options are disabled, hidden, or incorrectly configured in the BIOS or UEFI firmware, the Windows 11 installer may reject the system before installation begins.

TLDR: Windows 11 usually requires TPM 2.0, Secure Boot, and UEFI boot mode to be enabled in the BIOS. On Intel systems, TPM is often called PTT; on AMD systems, it is often called fTPM. If Secure Boot cannot be enabled, the system drive may need to use the GPT partition style instead of MBR. After changing firmware settings, the PC Health Check tool or Windows 11 installer should be run again to confirm compatibility.

Why Windows 11 Shows the Installation Error

The “This PC can’t run Windows 11” error appears when the installer detects that one or more hardware or firmware requirements are not met. Windows 11 was designed with stronger baseline security than previous versions of Windows, so Microsoft requires several protections to be available and active.

The most common causes include:

  • TPM 2.0 is disabled in the BIOS or UEFI firmware.
  • Secure Boot is disabled or unavailable because the system is in Legacy BIOS mode.
  • The system drive uses MBR instead of GPT.
  • CSM, also called Compatibility Support Module, is enabled.
  • The processor, RAM, or storage does not meet Windows 11 requirements.
  • The BIOS firmware is outdated and does not expose the required security options.

In many upgrade scenarios, the hardware is compatible, but the firmware was configured years earlier for Windows 10 or older operating systems. That means the fix is often a BIOS settings change rather than a hardware replacement.

Understanding TPM 2.0

TPM stands for Trusted Platform Module. It is a security technology used to store cryptographic keys, protect sign-in credentials, support BitLocker encryption, and help verify system integrity. Windows 11 requires TPM 2.0, not the older TPM 1.2 standard.

TPM may exist as a physical chip on the motherboard, but many modern computers use firmware-based TPM instead. This is why the setting may not literally be named “TPM” in the BIOS.

  • On Intel systems, TPM is commonly called Intel PTT, short for Platform Trust Technology.
  • On AMD systems, TPM is commonly called AMD fTPM, short for firmware TPM.
  • On some business systems, it may appear as Security Device, TPM Device, Trusted Computing, or TPM State.

Understanding Secure Boot

Secure Boot is a firmware security feature that helps ensure only trusted boot software loads when the computer starts. It is designed to block certain bootkits, rootkits, and unauthorized bootloaders before the operating system launches.

Secure Boot requires the computer to boot in UEFI mode. If the system is using Legacy BIOS mode or has CSM enabled, Secure Boot may be unavailable, greyed out, or impossible to activate.

For Windows 11 installation, Secure Boot generally needs to be supported and enabled. On some systems, the installer checks only for Secure Boot capability, but enabling it is still the recommended configuration for proper Windows 11 security.

Before Changing BIOS Settings

Before a user or technician changes firmware settings, several precautions are important. BIOS changes affect how the computer starts, and incorrect settings can temporarily prevent the operating system from booting.

  • Back up important files to an external drive or cloud storage.
  • If BitLocker is enabled, save the BitLocker recovery key from the Microsoft account or system administrator portal.
  • Record current BIOS settings with photos before making changes.
  • Make sure the laptop is connected to power during firmware changes.
  • Update the BIOS only from the official motherboard or PC manufacturer website.

Important: Changing TPM settings may trigger BitLocker recovery on encrypted systems. The recovery key should be available before TPM, Secure Boot, or boot mode settings are modified.

How to Enter the BIOS or UEFI Menu

The BIOS or UEFI menu can usually be opened during startup. The correct key depends on the manufacturer, but common keys include Delete, F2, F10, F12, and Esc.

Common access keys include:

  • Dell: F2 for BIOS, F12 for boot menu
  • HP: Esc or F10
  • Lenovo: F1, F2, or the Novo button
  • ASUS: Delete or F2
  • MSI: Delete
  • Gigabyte: Delete
  • Acer: F2 or Delete

Windows also provides a firmware restart path. From Windows 10, the user can open Settings, go to Update & Security, choose Recovery, select Advanced startup, and click Restart now. After restart, the system can enter Troubleshoot > Advanced options > UEFI Firmware Settings.

Step 1: Enable TPM 2.0 in BIOS

Once inside the BIOS or UEFI interface, the TPM setting is usually located under a security, advanced, or trusted computing section. The wording varies by manufacturer.

The technician should look for options such as:

  • TPM Device
  • TPM State
  • Security Device Support
  • Trusted Computing
  • Intel Platform Trust Technology or Intel PTT
  • AMD fTPM

The option should be set to Enabled. If the BIOS asks whether to use Discrete TPM or Firmware TPM, most modern consumer systems can use firmware TPM unless a dedicated TPM chip is installed and required by policy.

After enabling TPM, the change should be saved, but the system may need additional Secure Boot adjustments before exiting.

Step 2: Enable UEFI Mode and Disable CSM

Secure Boot depends on UEFI. If the system is set to Legacy mode, Secure Boot may not work. The relevant options are commonly found under Boot, Startup, or Advanced Boot.

The desired configuration is usually:

  • Boot Mode: UEFI
  • CSM: Disabled
  • Legacy Boot: Disabled
  • UEFI Boot: Enabled

However, this step requires care. If Windows was installed on an MBR disk in Legacy mode, simply disabling CSM may cause the PC to fail to boot. In that case, the system drive should be converted from MBR to GPT before switching fully to UEFI mode.

Step 3: Check Whether the Disk Uses GPT or MBR

Windows 11 works best with a system disk using the GPT partition style. GPT is designed for UEFI systems, while MBR is associated with older Legacy BIOS installations.

To check the partition style inside Windows 10, the user can open Disk Management, right-click the system disk label such as Disk 0, choose Properties, and open the Volumes tab. The Partition style field will show either GUID Partition Table (GPT) or Master Boot Record (MBR).

If the disk is already GPT, UEFI and Secure Boot can usually be enabled with minimal trouble. If it is MBR, conversion may be required.

Step 4: Convert MBR to GPT When Needed

Microsoft provides a command-line tool called MBR2GPT that can convert many Windows 10 system disks from MBR to GPT without deleting files. Even so, a full backup is strongly recommended before conversion.

A typical conversion process from an elevated Command Prompt is:

  1. Open Command Prompt as administrator.
  2. Run mbr2gpt /validate /allowFullOS.
  3. If validation succeeds, run mbr2gpt /convert /allowFullOS.
  4. Restart into BIOS or UEFI settings.
  5. Switch boot mode from Legacy or CSM to UEFI.
  6. Enable Secure Boot.

If validation fails, the disk layout may not be compatible, or there may be too many partitions. In that case, professional assistance or a clean installation may be safer.

Step 5: Enable Secure Boot

After UEFI mode is active, Secure Boot can usually be enabled under the Boot, Security, or Authentication section of the BIOS.

Common Secure Boot settings include:

  • Secure Boot: Enabled
  • Secure Boot Mode: Standard
  • OS Type: Windows UEFI Mode
  • Key Management: Install default Secure Boot keys

If Secure Boot is greyed out, the firmware may require an administrator BIOS password temporarily, default key installation, or CSM to be disabled first. Some motherboards also require the setting OS Type to be changed from Other OS to Windows UEFI Mode.

Step 6: Save Changes and Recheck Windows 11 Compatibility

After TPM, UEFI mode, and Secure Boot are configured, the BIOS changes should be saved. The usual key is F10, although each firmware interface may use different wording such as Save & Exit.

Once Windows starts again, compatibility can be checked using:

  • PC Health Check from Microsoft
  • Windows Update upgrade readiness messages
  • System Information by checking BIOS Mode and Secure Boot State
  • TPM Management by running tpm.msc

In System Information, BIOS Mode should show UEFI, and Secure Boot State should show On. In TPM Management, the specification version should show 2.0.

What If TPM 2.0 Is Missing?

If TPM 2.0 does not appear anywhere in the BIOS, several explanations are possible. The firmware may be outdated, the CPU may not support firmware TPM, or a dedicated TPM module may be required. On desktop motherboards, TPM headers sometimes allow a separate module, but compatibility must match the exact motherboard model and pin layout.

Before buying hardware, the motherboard support page should be checked for BIOS updates and TPM documentation. Many systems gained Windows 11-ready TPM options through firmware updates released after Windows 11 was announced.

What If the Processor Is Unsupported?

Some PCs successfully enable TPM 2.0 and Secure Boot but still fail the Windows 11 check because the processor is not on Microsoft’s supported CPU list. This is common with older Intel Core and AMD Ryzen generations. While unofficial installation workarounds exist, they may affect updates, support, and long-term reliability.

For a stable production machine, the recommended path is to use supported hardware. For testing, lab use, or noncritical systems, advanced users may choose alternative installation methods, but those methods are outside a standard BIOS compliance fix.

Common BIOS Names by Manufacturer

Because firmware menus differ widely, the same option can have different labels. A user may need to search several menus before finding the correct setting.

  • ASUS: PCH FW Configuration, Intel PTT, AMD fTPM, Windows UEFI Mode
  • MSI: Security Device Support, TPM Device Selection, Secure Boot
  • Gigabyte: Intel Platform Trust Technology, AMD CPU fTPM, CSM Support
  • Dell: TPM 2.0 Security, Secure Boot Enable, UEFI Boot Path Security
  • HP: TPM Device, TPM State, Secure Boot Configuration
  • Lenovo: Security Chip, Intel PTT, AMD Platform Security Processor, Secure Boot

Final Checklist for Fixing the Windows 11 Error

Before retrying the installation, the system should meet this checklist:

  • TPM 2.0: Enabled and detected in Windows.
  • Secure Boot: Enabled in BIOS and shown as On in Windows.
  • BIOS Mode: UEFI, not Legacy.
  • System Disk: GPT partition style.
  • CSM: Disabled.
  • CPU: Supported by Windows 11.
  • RAM: At least 4 GB, though 8 GB or more is preferable.
  • Storage: At least 64 GB available for installation.

When these requirements are satisfied, the “This PC can’t run Windows 11” message usually disappears, and the installation can continue normally. The key is understanding that Windows 11 compatibility depends not only on hardware specifications, but also on how the motherboard firmware is configured.

FAQ

What is TPM 2.0?

TPM 2.0 is a security standard used to protect encryption keys, credentials, and system integrity. Windows 11 requires TPM 2.0 for its baseline security features.

Is Intel PTT the same as TPM 2.0?

In most modern Intel systems, Intel PTT provides firmware-based TPM 2.0 functionality. Enabling Intel PTT usually satisfies the Windows 11 TPM requirement.

Is AMD fTPM acceptable for Windows 11?

Yes. AMD fTPM is firmware-based TPM and normally meets the Windows 11 TPM 2.0 requirement when enabled in BIOS.

Why is Secure Boot greyed out?

Secure Boot may be greyed out because CSM or Legacy Boot is enabled, Secure Boot keys are not installed, or the firmware is set to an “Other OS” mode instead of Windows UEFI mode.

Does enabling Secure Boot delete files?

Enabling Secure Boot does not normally delete files. However, changing boot mode from Legacy to UEFI without converting the disk from MBR to GPT can prevent Windows from booting.

How can TPM be checked in Windows?

The user can press Windows + R, type tpm.msc, and press Enter. The TPM console should show that TPM is ready and that the specification version is 2.0.

How can Secure Boot status be checked?

The user can open System Information and look for Secure Boot State. It should show On when Secure Boot is enabled correctly.

Can Windows 11 be installed without TPM 2.0?

Unofficial workarounds exist, but they are not recommended for most users. Unsupported installations may have update, security, or compatibility limitations.

Should the BIOS be updated before enabling TPM and Secure Boot?

A BIOS update can help if TPM or Secure Boot options are missing or malfunctioning. Firmware should only be downloaded from the official PC or motherboard manufacturer website.

What is the safest fix for the “This PC can’t run Windows 11” error?

The safest fix is to back up data, confirm the disk uses GPT, enable TPM 2.0, switch to UEFI mode, enable Secure Boot, and then rerun the Windows 11 compatibility check.

Share
Tweet
Pin
Share
Share

Recommended Articles

Share
Tweet
Pin
Share
Share