Skip to main content

Windows 11's TPM Requirement Surprised PC Builders, but You Can Enable It in BIOS

Gigabyte BIOS showing enabled fTPM
(Image credit: Screenshot by Tom's Hardware / Gigabyte BIOS)

Windows 11 was announced today, and one of its minimum requirements was a bit of a surprise to PC builders: TPM 2.0.

TPM, or Trusted Platform Modules, safely store encryption keys, passwords and certificates, as well as ensuring the integrity of your PC. TPM is found in most recent laptops and in enterprise systems, but is less common in custom-build or DIY desktops, or if it exists, it’s often off by default.

And that may cause confusion. We've reached out to Microsoft for more clarity on the TPM 2.0 requirement, but haven't heard back yet.

When I first checked on my desktop using Microsoft's PC Health Checker, which isn't the most recent but far exceeds the minimum requirements by far, I was told I couldn't upgrade. 

See more

Indeed, I don't have a physical TPM module in my system. But it ends up, there's a workaround.

I fiddled around in the UEFI, where I found a setting to enable Firmware TPM, or fTPM. (In Intel parlance, it will be called PTT, or Platform Trust Technology). On my Asus X370 Prime Pro motherboard, it was under Advanced > AMD fTPM configuration, where I switched from Discrete TPM to enable a Firmware TPM.

Then, I rebooted and returned to PC Health Checker and it said I could install Windows 11 without issue. Of course, to do that, I'll have to sign up for upcoming Windows Insider Builds or wait until the release this holiday. 

Windows 11 PC Health

(Image credit: Tom's Hardware Screenshot)

So, if you don't have a hardware TPM chip, there may be an option to enable fTPM. Just check your BIOS. Do note that in a 2018 document, Microsoft wrote in a security document that "TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature."

I am, however, seeing a number of people who have tried it and aren't seeing the same results. It's unclear yet why that is, and which other settings or specifications may causing issues.

If you have an older piece of hardware in your system that doesn't work with UEFI and requires CSM, it may not work. You may also need to check your your boot drive is in GUID Partition Table format (GPT) rather than Master Boot Record (MBR) for similar reasons.

In 2016, Microsoft wrote that "all new device models, lines or series (or if you are updating the hardware configuration of an existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0."

That means that, over the last four years, plenty of devices and components have been released that should, in theory, support this new Windows 11 requirement. You'll also want to check the lists of AMD and Intel CPUs that are compatible with Windows 11.

Of course, people often keep their gaming desktops for several years, while mostly just upgrading the graphics card. So some people with fairly capable machines may be locked out of Windows 11 without upgrading their CPU platform or at least getting and plugging in a physical TPM module, as not all processors support PTT or fTPM.

Updated June 24 with more clarity on where to enable TPM.

Andrew E. Freedman

Andrew E. Freedman is a senior editor at Tom's Hardware focusing on laptops, desktops and gaming as well as keeping up with the latest news. He holds a M.S. in Journalism (Digital Media) from Columbia University. A lover of all things gaming and tech, his previous work has shown up in Kotaku, PCMag, Complex, Tom's Guide and Laptop Mag among others.

  • saudor
    Interesting how lowly ATOM processors can get the update but an i5 6600k with 32 GB RAM cannot, despite also having TPM 2.0 support.

    Looks like they took a page out of Apple on this one!
    Reply
  • hotaru.hino
    Firmware based TPM implementations require the CPU to have something called a Trusted Execution Environment.

    If you just want the tl;dr of what has this:
    Hardware supportThe following hardware technologies can be used to support TEE implementations:
    AMD:
    Platform Security Processor (PSP)AMD Secure Encrypted Virtualization and the Secure Nested Paging extensionARM:
    TrustZoneIBM:
    IBM Secure Service Container, formerly zACI, first introduced in IBM z13 generation machines (including all LinuxONE machines) in driver level 27.IBM Secure Execution, introduced in IBM z15 and LinuxONE III generation machines on April 14, 2020.Intel:
    Trusted Execution TechnologySGX Software Guard Extensions"Silent Lake" (available on Atom processors)RISC-V:
    MultiZone™ Security Trusted Execution EnvironmentKeystone Customizable TEE FrameworkPenglai Scalable TEE for RISC-V
    Reply
  • Colif
    I think ftpm is just AMD systems, Intel ones call it Intel Trusted Platform Module.

    I went from not able to get it to being eligible by changing it in BIOS. So it works.
    Reply
  • USAFRet
    I seriously think that 'requirement' will be pulled out of the final release.
    Far far too many systems that are currently running Win 10 just fine are not capable of that.
    Reply
  • Colif
    Do MS have shares in Hardware companies?

    On 1 hand win 10 support ends 2025
    On other hand, win 11 needs TPM which many PC don't have.

    Lots of unforced upgrades in coming years?

    the changes needed to make it work on anything are minimal.
    Reply
  • Reclusive Eagle
    Ok so I have a i5 9600k (Microsoft lists intel 8th gen and up as compatible) and an MSI Gaming Plus Z390 motherbaord.
    Motherboard does not have TPM (has socket for external one) but the 9600k has a dTPM.

    The health app is garbage and says I am not compatible (TPM disabled). My question is am I compatible? Do you specifically NEED PTT TPM 2.0 or does dTPM 2.0 work as well??? I have Secure boot with UEFI+Legacy support
    Reply
  • Colif
    7 hours after reveal, these are questions we will discover answers to in coming days I guess.

    If win 10 runs on PC, no reason win 11 won't. I seen people run it on really old dell laptops.
    Reply
  • Reclusive Eagle
    Colif said:
    7 hours after reveal, these are questions we will discover answers to in coming days I guess.

    If win 10 runs on PC, no reason win 11 won't. I seen people run it on really old dell laptops.
    That's because there is a work around to disable TPM requirements on the leaked build by hacking the iso builder. These requirements will be hard coded on official release
    Reply
  • velocityg4
    USAFRet said:
    I seriously think that 'requirement' will be pulled out of the final release.
    Far far too many systems that are currently running Win 10 just fine are not capable of that.

    They better if they don't want this to be one of the slowest roll outs in Windows history. Loads of computers which may have TPM support may have Secure Boot disabled. Meaning a lot of those people won't upgrade either. As they won't think their computers can run it.

    Also, what about computers which don't pass the compatibility check. Is Windows 11 going to keep haunting them with an upgrade offer which won't work? Just like Windows 10 did.

    One nice thing is MS is not Apple. They're a bit more responsive to user push back. This sounds like a decision which looked great on paper. In a room full of tech geeks with the latest hardware. Waiting for reality to take a dump on it.
    Reply
  • Reclusive Eagle
    velocityg4 said:
    They better if they don't want this to be one of the slowest roll outs in Windows history. Loads of computers which may have TPM support may have Secure Boot disabled. Meaning a lot of those people won't upgrade either. As they won't think their computers can run it.

    Also, what about computers which don't pass the compatibility check. Is Windows 11 going to keep haunting them with an upgrade offer which won't work? Just like Windows 10 did.

    One nice thing is MS is not Apple. They're a bit more responsive to user push back. This sounds like a decision which looked great on paper. In a room full of tech geeks with the latest hardware. Waiting for reality to take a dump on it.
    I honestly think this is may end up being the deal breaker for Windows 11's success. Like do you know how many people are running 7th gen and down? (MS lists Windows 11 compatibility with Intel 8th Gen +) Like I don't even think gen 1 ryzen is compatible with TPM 2.0.
    Reply