TPM 2.0 vs Secure Boot: What Windows 11 Actually Requires


Windows 11 blocks installation if your PC fails its hardware checklist. Two of the most confusing requirements are TPM 2.0 and Secure Boot — people often think they're the same thing, or that fixing one fixes the other. They are not the same, and you need both. This article explains exactly what each one is, how to check both, and what to do if either is missing or disabled.

What Is TPM 2.0?

TPM stands for Trusted Platform Module. It's a dedicated security component: either a discrete chip soldered onto your motherboard, or a firmware implementation running inside your CPU. Its job is to store encryption keys, credentials, and boot integrity measurements in a place that the operating system itself cannot tamper with.

TPM 2.0 is the version Windows 11 requires. The older TPM 1.2 standard is not sufficient — the upgrade will fail even if a TPM chip is present. Most PCs manufactured after 2016 have TPM 2.0 hardware available, but on a large percentage of those systems the feature is disabled by default in BIOS.

On Intel systems the feature is usually called Intel PTT (Platform Trust Technology). On AMD systems it's called fTPM (firmware TPM). Both satisfy the Windows 11 requirement.

What Is Secure Boot?

Secure Boot is a UEFI firmware feature — not a chip. It validates the digital signature of the bootloader and key system files before Windows is allowed to load, preventing malware and unsigned code from hijacking the boot process.

Secure Boot requires the system to be running in UEFI mode with a GPT partition table. Legacy BIOS systems with MBR disks cannot use Secure Boot at all. The key distinction: Secure Boot is a software/firmware setting, while TPM is a physical or firmware-emulated hardware component. They are separate requirements that work together but solve different problems.

Do You Need Both for Windows 11?

Yes. Microsoft requires both TPM 2.0 and Secure Boot enabled to install or upgrade to Windows 11. Passing one check while failing the other will still block the upgrade. Microsoft's PC Health Check tool will tell you which one (or both) is failing — run it first to know what you're dealing with.

How to Check TPM 2.0 Status

  1. Press Win + R, type tpm.msc, and press Enter.
  2. If the window shows TPM Manufacturer Information and "Specification Version 2.0", you're good.
  3. If it says "Compatible TPM cannot be found", TPM is either disabled in BIOS or not present.
  4. Reboot into BIOS and look under Security or Advanced settings for Intel PTT or AMD fTPM. Enable it.
  5. Save, reboot, and re-run tpm.msc to confirm the version now shows 2.0.

How to Check Secure Boot Status

  1. Press Win + R, type msinfo32, and press Enter.
  2. Look at the Secure Boot State field.
  3. If it says On, Secure Boot is active.
  4. If it says Off, it's supported but disabled — enable it in BIOS.
  5. If it says Unsupported, your system is in Legacy/CSM mode and needs UEFI conversion before Secure Boot can be enabled at all.

Most Common Scenarios and What to Do

  • TPM disabled, Secure Boot off → Enable both in BIOS. Straightforward.
  • TPM enabled, Secure Boot greyed out → CSM is still on. Disable CSM first, then enable Secure Boot.
  • TPM shows 1.2 instead of 2.0 → Look for an fTPM or PTT option and switch to it. The 1.2 reading often means a discrete TPM chip is active while the firmware TPM 2.0 is sitting unused.
  • Both show enabled but upgrade still blocked → Your system disk uses an MBR partition table and needs conversion to GPT. This is the hardest case.

That last scenario is where things break. Wrong steps during MBR-to-GPT conversion can leave the system unbootable, and recovering from a failed conversion usually requires a full reinstall.
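The three checklists above (tpm.msc, msinfo32 and the scenario table) collapsed into one script, added here as an example and not code from this article or from SecureBootFix. It assumes an elevated PowerShell on Windows 10/11 and reads the same signals through the Win32_Tpm WMI class, Confirm-SecureBootUEFI, $env:firmware_type and Get-Disk; the function name Get-Win11ReadinessReport is my own.

```powershell
# Added example (not the article's or SecureBootFix's code). Run from an
# elevated PowerShell: Confirm-SecureBootUEFI and Get-Disk need admin rights.
function Get-Win11ReadinessReport {
    $report = [ordered]@{}

    # TPM: Win32_Tpm carries the spec version tpm.msc shows, e.g. "2.0, 0, 1.38".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) {
        $report.TpmState = 'Not found (disabled in BIOS, or no PTT/fTPM)'
        $report.TpmSpec  = $null
    } else {
        $report.TpmSpec  = ($tpm.SpecVersion -split ',')[0].Trim()   # "2.0" or "1.2"
        $report.TpmState = if ($tpm.IsEnabled_InitialValue) { 'Enabled' } else { 'Present but disabled' }
    }

    # Firmware mode: Legacy/CSM boot rules Secure Boot out (msinfo32 says "Unsupported").
    $report.FirmwareType = $env:firmware_type            # 'UEFI' or 'Legacy'
    try {
        $report.SecureBoot = if (Confirm-SecureBootUEFI) { 'On' } else { 'Off' }
    } catch {
        $report.SecureBoot = 'Unsupported'               # cmdlet throws when not booted via UEFI
    }

    # Partition style of the disk Windows booted from; MBR is the hard case above.
    $bootDisk = Get-Disk | Where-Object IsBoot | Select-Object -First 1
    $report.BootDiskPartitionStyle = $bootDisk.PartitionStyle   # 'GPT' or 'MBR'

    # Map the readings onto the article's scenarios, most fundamental issue first.
    $report.Verdict = switch ($true) {
        { $report.TpmSpec -ne '2.0' }                { 'TPM 2.0 missing: enable Intel PTT / AMD fTPM in BIOS'; break }
        { $report.SecureBoot -eq 'Unsupported' }     { 'Legacy/CSM boot: disable CSM and convert the system disk to GPT first'; break }
        { $report.BootDiskPartitionStyle -eq 'MBR' } { 'MBR system disk: needs GPT conversion (back up first)'; break }
        { $report.SecureBoot -eq 'Off' }             { 'Secure Boot supported but off: enable it in BIOS'; break }
        default                                      { 'TPM 2.0 and Secure Boot both satisfied' }
    }
    [pscustomobject]$report
}

Get-Win11ReadinessReport | Format-List
```

The BIOS-level names (PTT, fTPM, CSM) are not visible from Windows, so the verdict tells you which BIOS screen to go to, not which switch is flipped.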

When the Fix Goes Deeper Than BIOS Settings

MBR-to-GPT conversion, boot record repair, and Secure Boot certificate enrollment all require more than flipping switches. Each operation touches a different layer of the system, and an error at any layer can cascade.

This is what SecureBootFix was built for — automated detection across TPM status, Secure Boot state, partition table, and boot certificates in a single pass, with the right repair applied at each layer and rollback if anything fails verification.

Wrapping Up

TPM 2.0 and Secure Boot are separate requirements that both must be satisfied for Windows 11. Most fixes are doable manually if you know where to look in BIOS. The edge cases — MBR disks, broken EFI partitions, missing certificates — are where things go sideways. Check both, fix the easy ones first, and use the toolkit if you hit the deeper layer.