Windows 11 Upgrade Blocked — TPM 2.0 and Secure Boot Disabled in BIOS Despite Hardware Support
Windows 11 setup and PC Health Check report TPM 2.0 and/or Secure Boot as missing, blocking upgrade even though the hardware supports both features. The root cause is that TPM 2.0 (discrete, Intel PTT, or AMD fTPM) and/or Secure Boot are present in firmware but disabled in BIOS/UEFI settings. Remediation requires entering BIOS/UEFI to enable TPM and Secure Boot, ensuring UEFI boot mode is active. BitLocker must be suspended before TPM changes to avoid recovery key lockout.
Indicators
- PC Health Check tool reports 'This PC can't run Windows 11' with TPM 2.0 and/or Secure Boot listed as not meeting requirements
- Windows 11 setup reports 'This PC doesn't meet the minimum system requirements to install this version of Windows'
- Device Manager or tpm.msc shows no TPM device or lists TPM as disabled/not ready
- msinfo32 shows 'BIOS Mode: Legacy' or 'Secure Boot State: Off' despite UEFI-capable hardware
- Windows Security app reports 'Your device may be missing important security features' relating to Secure Boot or TPM
- Get-Tpm returns TpmPresent=False on hardware known to have TPM capability
Likely causes
- TPM 2.0 chip (discrete or firmware-based: Intel PTT / AMD fTPM) is present in hardware but disabled in UEFI firmware settings
- Secure Boot is disabled in UEFI, often because the system was previously configured for legacy/CSM boot mode or dual-boot with an OS requiring legacy mode
- BIOS was reset to factory defaults which may default TPM and Secure Boot to off on some OEM systems
- IT administrator or user manually disabled TPM or Secure Boot for compatibility with older software or operating systems
- System is booting in CSM/Legacy mode rather than native UEFI mode, which prevents Secure Boot from functioning even if enabled
Diagnostic steps
- Run the Windows PC Health Check tool or open tpm.msc to confirm the reported failure mode. This confirms whether Windows sees no TPM at all (disabled in BIOS) versus a TPM 1.2 (wrong version), so the correct BIOS setting to change is identified.
- Open msinfo32 (System Information) and check 'BIOS Mode' (should be UEFI, not Legacy) and 'Secure Boot State' (should be On). This determines whether the system is booting in UEFI mode, a prerequisite for Secure Boot, and whether Secure Boot is currently active.
- In an elevated PowerShell prompt, run Get-Tpm. It returns the TpmPresent, TpmReady, TpmEnabled, and TpmActivated properties; TpmPresent=False on hardware known to have a TPM confirms the TPM is disabled in firmware rather than physically absent.
- Reboot into BIOS/UEFI (typically Del, F2, F10, or F12 at POST) and navigate to the Security or Advanced section to locate the TPM, Intel PTT, or AMD fTPM settings and note their current state. This directly confirms whether the TPM is listed but set to Disabled/Off, distinguishing a configuration issue from missing hardware.
- Within BIOS/UEFI, check the Boot section for 'Boot Mode' (CSM/Legacy vs UEFI) and the Secure Boot option, noting whether Secure Boot is present but disabled. This identifies whether CSM mode is forcing legacy boot and suppressing Secure Boot, which requires switching to UEFI boot mode before Secure Boot can be enabled.
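The Windows-side diagnostic steps above (msinfo32 boot mode and Secure Boot state, Get-Tpm, tpm.msc specification version, BitLocker status) can be collected in one pass from an elevated PowerShell prompt. The following script is an added example written for this article, not a Microsoft tool; the function name Test-Win11FirmwareReadiness is my own, and it relies only on the built-in $env:firmware_type variable, the Confirm-SecureBootUEFI, Get-Tpm and Get-BitLockerVolume cmdlets, and the Win32_Tpm WMI class.

```powershell
# Added example: one-shot readiness report for the firmware checks described above.
# Run in an elevated PowerShell session on the machine being assessed.
function Test-Win11FirmwareReadiness {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Boot mode. $env:firmware_type is 'UEFI' or 'Legacy' on Windows 8 and later,
    #    the same fact msinfo32 shows as 'BIOS Mode'.
    $bootMode = $env:firmware_type
    if ($bootMode -ne 'UEFI') {
        $findings.Add("Boot mode is '$bootMode' (CSM/Legacy). Switch firmware to UEFI-only; the disk may need mbr2gpt.exe first.")
    }

    # 2. Secure Boot state. Confirm-SecureBootUEFI throws on a legacy-booted system,
    #    so an exception is reported as 'cannot be read in the current boot mode'.
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { $secureBoot = $null }
    if ($null -eq $secureBoot) {
        $findings.Add('Secure Boot state cannot be read (system is not booted in UEFI mode).')
    } elseif (-not $secureBoot) {
        $findings.Add('Secure Boot is Off. Enable it under Security > Secure Boot in firmware setup.')
    }

    # 3. TPM presence and readiness as reported by Get-Tpm (requires elevation).
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        $findings.Add('No TPM visible to Windows. If the platform has a dTPM, PTT or fTPM, it is disabled in firmware.')
    } elseif (-not $tpm.TpmReady) {
        $findings.Add("TPM present but not ready (Enabled=$($tpm.TpmEnabled), Activated=$($tpm.TpmActivated)).")
    }

    # 4. TPM specification version from Win32_Tpm; SpecVersion reads like '2.0, 0, 1.38',
    #    the first field is what tpm.msc shows as 'Specification Version'.
    $specVersion = $null
    if ($tpm.TpmPresent) {
        $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
        if ($wmiTpm) {
            $specVersion = ($wmiTpm.SpecVersion -split ',')[0].Trim()
            if ($specVersion -ne '2.0') {
                $findings.Add("TPM specification version is $specVersion, not 2.0. Check whether firmware exposes a 2.0 mode (PTT/fTPM) instead.")
            }
        }
    }

    # 5. BitLocker protection on the OS volume: recorded here because TPM and Secure Boot
    #    changes will trigger a recovery prompt if protection is left on during the change.
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $bitLockerOn = [bool]($osVol -and $osVol.ProtectionStatus -eq 'On')

    [pscustomobject]@{
        BootMode          = $bootMode
        SecureBoot        = $secureBoot
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        TpmSpecVersion    = $specVersion
        BitLockerProtects = $bitLockerOn
        Ready             = ($findings.Count -eq 0)
        Findings          = $findings.ToArray()
    }
}

Test-Win11FirmwareReadiness | Format-List
```

The Findings array maps each failed check to the firmware setting that needs to change, which is the decision the diagnostic steps are meant to support. An empty Findings list with Ready=True means the blocker is not in firmware and PC Health Check should be consulted for the remaining requirement (CPU generation, RAM, storage).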
Resolution path
- 1. If BitLocker is active, suspend it before proceeding: open an elevated PowerShell and run 'Suspend-BitLocker -MountPoint C: -RebootCount 1' (or use Control Panel > BitLocker > Suspend protection) to avoid a TPM-change lockout requiring recovery key entry.
- 2. Reboot into BIOS/UEFI firmware settings (press Del, F2, F10, or F12 during POST — consult OEM documentation for the exact key). Navigate to Security > TPM Configuration (or Advanced > PCH-FW Configuration on Intel, or AMD CBS > AMD PBS for fTPM). Set TPM Device to 'Enabled', Intel PTT to 'Enabled', or AMD fTPM to 'Enabled' as appropriate for the platform. Save and reboot.
- 3. Re-enter BIOS/UEFI. Navigate to the Boot section and confirm 'Boot Mode' or 'Boot Option Filter' is set to 'UEFI Only' (not CSM or Legacy). If it was set to Legacy/CSM, change it to UEFI — note this may require the OS disk to have a GPT partition table; if the disk is MBR this step requires converting the disk using mbr2gpt.exe or reinstalling the OS.
- 4. Still in BIOS/UEFI, navigate to Security > Secure Boot and set Secure Boot to 'Enabled'. If the option is greyed out, ensure Boot Mode is set to UEFI (step 3) and that no legacy option ROMs are loaded. Save all changes and reboot.
- 5. After rebooting into Windows, run tpm.msc and confirm the TPM is now 'Ready for use' with Specification Version 2.0. Run msinfo32 and confirm 'Secure Boot State: On'. Re-run PC Health Check to confirm Windows 11 compatibility is now met.
- 6. Resume BitLocker if it was suspended: 'Resume-BitLocker -MountPoint C:' in elevated PowerShell, or via Control Panel > BitLocker > Resume protection.
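Steps 1, 3, 5 and 6 of the resolution path are the parts done from Windows, before and after the firmware session. The pair of functions below is an added example, not part of this article or of any Microsoft tool; the names Invoke-PreFirmwareChange and Complete-FirmwareChange are my own. The first function is run before rebooting into firmware setup: it checks the system disk's partition style (GPT is required for UEFI-only boot), refuses to continue if no recovery password protector exists, and suspends BitLocker for one reboot exactly as step 1 describes. The second is run once Windows is back: it resumes BitLocker only after confirming that the TPM is ready, Secure Boot is on and the boot mode is UEFI, so a half-finished firmware change is surfaced rather than silently sealed into a new TPM state.

```powershell
# Added example: Windows-side bookends for the firmware change described in steps 1 to 6.
# Run both functions from an elevated PowerShell session.

function Invoke-PreFirmwareChange {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)   # e.g. 'C:'

    # Step 3 precondition: UEFI-only boot needs a GPT system disk.
    $disk = Get-Partition -DriveLetter $MountPoint.TrimEnd(':') | Get-Disk
    if ($disk.PartitionStyle -ne 'GPT') {
        Write-Warning "System disk is $($disk.PartitionStyle). Validate with 'mbr2gpt.exe /validate /allowFullOS' and convert before switching to UEFI-only."
    }

    # Step 1: suspend BitLocker so the TPM/Secure Boot change does not force recovery.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Host "BitLocker protection is not active on $MountPoint; nothing to suspend."
        return
    }
    # A recovery password must exist (and be escrowed) before any TPM-affecting change.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        throw "No recovery password protector on $MountPoint; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector before continuing."
    }
    Write-Host "Recovery password ID(s): $($rp.KeyProtectorId -join ', '). Confirm they are escrowed before rebooting."
    # RebootCount 1 (the value used in step 1): protection resumes automatically after the next restart,
    # which bounds the window in which the volume is protected only by the clear key.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    Write-Host "BitLocker suspended on $MountPoint for one reboot. Reboot into firmware setup now."
}

function Complete-FirmwareChange {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    # Step 5: verify the firmware change took effect before touching BitLocker.
    $tpm = Get-Tpm
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { $secureBoot = $false }
    $uefi = ($env:firmware_type -eq 'UEFI')

    $ok = $tpm.TpmPresent -and $tpm.TpmReady -and $secureBoot -and $uefi
    if (-not $ok) {
        Write-Warning ("Firmware change incomplete: TpmPresent={0} TpmReady={1} SecureBoot={2} BootMode={3}. " +
                       "Leaving BitLocker state unchanged; revisit firmware settings." -f
                       $tpm.TpmPresent, $tpm.TpmReady, $secureBoot, $env:firmware_type)
        return $false
    }

    # Step 6: resume protection if the RebootCount auto-resume has not already done so.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
    }
    $status = (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus
    Write-Host "TPM ready, Secure Boot on, UEFI boot. BitLocker protection is $status on $MountPoint."
    return $true
}

# Usage (two separate sessions, with the firmware change and reboot between them):
#   Invoke-PreFirmwareChange
#   ... reboot into BIOS/UEFI, apply steps 2 to 4, boot back into Windows ...
#   Complete-FirmwareChange
```

Resuming BitLocker reseals the volume key to the TPM's current measurements, which is why Complete-FirmwareChange insists on a healthy TPM and Secure Boot first: resuming against a still-disabled TPM or a Secure Boot state that is about to change again would just set up the next recovery prompt.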
Prevention
- Establish a BIOS/UEFI baseline configuration standard for all managed endpoints that explicitly requires TPM enabled (PTT/fTPM/discrete), Secure Boot enabled, and UEFI-only boot mode — enforce via OEM BIOS management tools (HP BIOS Config Utility, Dell Command Configure, Lenovo BIOS to WMI) or MDM/SCCM compliance policies.
- Include TPM 2.0 presence and Secure Boot state in pre-deployment hardware acceptance testing and in ongoing endpoint compliance reporting (e.g., via Microsoft Endpoint Manager / Intune's device compliance policies with 'Require TPM' and 'Require Secure Boot' conditions) so drift is detected before it blocks upgrades.
- Set a BIOS/UEFI administrator password on all managed systems to prevent unauthorised changes to TPM, Secure Boot, or boot mode settings.
- Before any Windows major version upgrade project, run a compatibility assessment (PC Health Check at scale, or Intune/ConfigMgr hardware readiness reports) to identify systems with TPM/Secure Boot disabled with enough lead time to remediate through normal change management.
Tools
- tpm.msc — TPM Management console (view TPM status and specification version)
- msinfo32 — System Information (verify BIOS Mode: UEFI and Secure Boot State: On)
- PC Health Check — Microsoft tool to verify Windows 11 hardware compatibility
- Get-Tpm (PowerShell cmdlet) — returns detailed TPM state properties
- Suspend-BitLocker / Resume-BitLocker (PowerShell) — manage BitLocker protection state around TPM changes
- mbr2gpt.exe — converts MBR disk to GPT in-place without data loss, required if switching from Legacy to UEFI boot mode
- BIOS/UEFI firmware setup utility (OEM-specific, accessed at POST)