How to Enable TPM 2.0 and Secure Boot for Windows 11 and Games — Fast Step-by-Step Guide
💡Building or upgrading your PC and hit a “Windows 11 requires TPM 2.0 / Secure Boot” message? Or maybe your favourite game now needs Secure Boot enabled? Don’t panic — this quick guide explains what these are and how to enable them safely in your BIOS.
This is a comprehensive guide which should work for everyone, regardless of your hardware. The only thing I ask is that you pay attention and follow the whole process 😊
The guide is geared towards desktop PCs, but is likely to have a similar method on laptops too.
🧬 Built to last, designed to evolve — that’s the PC36 way. We hand-build every system with TPM 2.0 and Secure Boot already configured and tested, so you’ll never need to worry about it. But if you’re upgrading or building your own, this guide will walk you through it step-by-step for free.
What is TPM / Secure Boot?
TPM (Trusted Platform Module) and Secure Boot are two features designed to protect your system from tampering or unauthorised software — but they’ve recently become essential for more than just security.
- TPM 2.0 is a small chip (or firmware module) that safely stores encryption keys used by Windows for features like BitLocker, Windows Hello, and system integrity checks.
- Secure Boot makes sure only trusted software runs when your PC starts up — blocking rootkits or modified bootloaders.
Originally introduced for enterprise security, these are now required for Windows 11, and more recently, many online games use them for anti-cheat systems (including Valorant, Warzone, and Fortnite).
So even if you’re not upgrading Windows, it’s still worth enabling both — you’ll avoid compatibility issues later.
System requirements
TPM is fairly modern. If your gear is too old you can't enable it. Your CPU must be this new, or newer:
- Intel 8000 series (e.g. i7-8700K) and later
- Ryzen 2000 series (e.g. Ryzen 5 2600) and later
- These are from around 2018
(Older CPUs may still offer firmware TPM for Windows 10, but aren’t on Microsoft’s Windows 11 supported list.)
Your graphics card must be new enough to work (technical jargon: must have a UEFI-compatible VBIOS). Your GPU must be this new, or newer:
- NVIDIA: All RTX cards, all GTX cards from 10-series and newer (GTX 900-series also likely fine)
- Radeon: RX 580 and newer (RX 400 series also likely fine)
- Intel: All Intel ARC graphics
- Generally any GPU from 2018 and newer will be OK
Further note (technical stuff). Pretty much all Windows installs nowadays will be in UEFI and GPT formats, and this combination is mandatory for Secure Boot to work. In some cases, you may instead have a CSM +/- MBR Windows setup (especially if you are still on a Windows 10 install from many years ago and have not reinstalled). This may cause issues for a very small number of you, in which case I advise either a fresh reinstall of Windows (a good thing to do anyway) with a USB stick, or using a tool like “MBR2GPT” (beyond the scope of this guide).
Bottom line: The likelihood is, that if your PC is good enough to run Windows 11 with any games that require Secure Boot to be on, it is likely your hardware is fine.
Is the process the same for all PCs?
No. But there are many common steps, and most of the settings you need will be in a similar place regardless of hardware. That said, we will update this guide with all manufacturers over time, so everyone is covered.
Check if it's already done!
Sometimes your PC will already have TPM/Secure Boot enabled. You can check using the following method:
1a. For TPM: Press Windows key 🪟 + R together to bring up the Run window. Type in tpm.msc and press Enter.
1b. If it says “Ready for use”, you’re good to go.
2a. For Secure Boot: In the Windows search bar type msinfo. Open System Information.
2b. Check to see if Secure Boot State is On. If it is, you’re good to go and there’s no need to follow the rest!
Method
1) Get to the BIOS
So you’ve worked out you need to enable one or both of these. Let’s do it. We need to enter the BIOS of your computer’s motherboard — don’t worry, it’s essentially just a settings panel and I will guide you through.
To get to the BIOS, there are two methods:
Method 1:
Turn your PC off. Then turn it on and, as soon as it powers up, repeatedly press “Del” on your keyboard until the BIOS screen is shown. For some motherboards it is “F2” rather than “Del” (and remember if you’re on a laptop you may need to also press the Fn key, too). This is the ideal method.
Method 2:
Another method, if Method 1 does not work, is via Windows. Click the Windows button, find “Restart”, and hold the Shift key on your keyboard while you click it. On screen it will say “Please wait”.
Click Troubleshoot.
Click Advanced options.
Click UEFI Firmware Settings.
That should get you into the BIOS. Every manufacturer’s BIOS will look a little different, so look below and find your motherboard manufacturer (we will update this over time). If your brand is not found, it is still worth reading below because the steps are very similar on most brands.
2) Updating TPM / Secure Boot by manufacturer
Jump to: ASRock · ASUS · Gigabyte · MSI · NZXT
Once in your BIOS, if you don’t see the menus on screen, you may need to find a button on screen for “Advanced” mode (some BIOSes have an “Easy” and “Advanced” mode).
If you cannot see options for TPM or Secure Boot and your system is modern, you may need to update your BIOS (beyond the scope of this guide but guidance is available on the motherboard manufacturer's website).
The below are from AMD systems — if you use an Intel CPU the process will be very similar, with TPM sometimes being called PTT rather than fTPM for example.
ASRock
TPM: Under Advanced → Trusted Computing, ensure Security Device Support is set to Enable.
For Secure Boot: Go to Security → Secure Boot and change it to Enabled.
If this works you can go to Exit then Save & Exit.
But on ASRock boards it is likely you’ll have an error message or some more steps.
It is likely you’ll get this message but we can sort it.
Go to Boot → CSM.
Set CSM to Disabled.
Then save changes and exit (we have to do this before trying to enable Secure Boot again).
Load back into the BIOS and you should be able to enable Secure Boot. Then save and exit again and you’re good to go. You can now log in to Windows to check if the Secure Boot State is now on.
⚠️ ASRock troubleshooting
Issue 1: User mode / enrolling keys error
You can install the default keys via the button on the page. That should hopefully work, and you can save and exit.
Issue 2: When Secure Boot is enabled, your PC will no longer load into Windows. Instead it just loads right into the BIOS. Try the below:
In the Secure Boot menu, go to Key Management.
Ensure Factory Key Provision is enabled.
Click Enroll EFI Image then select from the list. Likely, you’ll want the one that says Part1 at the end, but you may need to try several. Once selected you can Save and Exit.
⚠️ If you still have Windows boot issues after this, you can disable Secure Boot and re-enable CSM to get back in, but in order to use Secure Boot you will need to reinstall Windows from a USB stick (after disabling CSM in the BIOS).
ASUS
[Coming soon — follow the other manufacturers to get an idea of the settings to look for.]
Gigabyte
Apologies for the low-res screenshots but they are legible.
You should be in the Advanced mode of the BIOS to get these settings.
Under Settings, go to Miscellaneous.
Then Trusted Computing.
If Security Device is enabled, then TPM is working.
Under Boot, open Secure Boot.
It may say enabled, but if your testing earlier showed Secure Boot State off in Windows, you’ll need to tweak it (see it says Not Active).
Change the Mode to Custom.
Click to restore the Factory Keys.
This will prompt the BIOS to exit — allow this. You can now log in to Windows to check if the Secure Boot State is now on.
⚠️ Troubleshooting
If you encounter issues enabling Secure Boot, ensure that CSM is disabled (this is under the Boot section of the BIOS).
If after disabling CSM you cannot load into Windows, you will need to reinstall Windows with a bootable USB drive. In the meantime you can re-enable CSM to allow use of your PC, but Secure Boot is not possible with CSM enabled.
MSI
[Coming soon — follow the other manufacturers to get an idea of the settings to look for.]
NZXT
⬆️ See ASRock above (ASRock are the OEM for NZXT boards).
Done!
Hopefully now, you have Secure Boot and TPM enabled, and can get to gaming and creating with ease. If it helped, or you have questions, please leave a comment using the form below. Enjoy 🙌
And don’t forget to check out our PCs and digital build guides for your next rig 💪
Keep Learning
Explore more free guides on our blog:
👉 PC Building and Maintenance Tips
▶️ Want cinematic builds, fixes, and PC news?
Follow my YouTube channel: Computer Surgeon
📬 Get exclusive tips, discount codes, and new PC alerts:
Join the PC36 Free Newsletter
About the Author
By Dr Jack Clulow
Founder of PC36 LTD — boutique custom PC builder in South Devon.
10,000+ hours of PC building experience helping gamers, creators, and students get the most out of their systems. I also make step-by-step digital build guides so you can build confidently without the headaches.
