TPM, or Trusted Platform Module, is a hardware-based security component built into modern PCs, either as a discrete chip or as firmware running inside the CPU/chipset. Windows 11 requires TPM 2.0 (alongside UEFI with Secure Boot) because the TPM underpins several Windows security features, including BitLocker key protection, Windows Hello credential storage, measured boot, and device health attestation. Secure Boot itself is a UEFI firmware feature and does not need a TPM; the TPM records the Secure Boot state so that the OS and attestation services can verify it later. The TPM might be present but disabled in firmware by default on some systems.
Enabling TPM is essential for managed or enterprise environments and vital to any IT infrastructure’s security strategy. It helps ensure compliance with hardware security baselines and supports modern security features. If you’re looking for guidance on how to enable TPM 2.0, this guide covers several methods, including TPM Management, PowerShell, and BIOS or UEFI.
Methods to enable TPM 2.0 on a Windows 11 PC
Before attempting to enable TPM 2.0 on your PC, you must meet the following prerequisites:
- TPM 2.0 hardware support. Your device must have a Trusted Platform Module 2.0, either a discrete chip on the motherboard or a firmware TPM provided by the CPU. Most PCs and laptops manufactured after 2016 have one, but verify compatibility on older or custom-built systems.
- Access to UEFI/BIOS settings. To enable the TPM you will need to enter the system's firmware setup, usually by pressing a key such as F2, DEL, or ESC right after powering on the device.
- Administrative privileges. You must be logged on to a Windows account with the appropriate permissions to configure settings on tools like PowerShell and the TPM Management Console.
- Original Equipment Manufacturer-specific naming. Depending on the platform and the firmware vendor, the TPM setting has different names. On Intel platforms the firmware TPM is called PTT (Platform Trust Technology); on AMD platforms it is fTPM. A discrete chip may simply be listed as TPM Device or Trusted Platform Module.
Method 1: Check TPM status using tpm.msc
Using the built-in TPM Management Console, this method lets you check if TPM 2.0 is present and enabled on your system. Here are the required steps for this method:
- Open the Run dialog by pressing Win + R on your keyboard.
- Type tpm.msc to launch the TPM Management Console.
- Next, review the TPM Status. In the TPM Management on Local Computer window, look for the following:
- If it shows “The TPM is ready for use,” then the TPM is installed and active.
- If it shows “Compatible TPM cannot be found,” the chip may be disabled in firmware, or it may not be present.
- Locate the Specification Version in the TPM Manufacturer Information section. Note that Windows 11 requires version 2.0. If it’s 1.2 or missing, your system may not meet the Windows TPM requirement.
If TPM is not found or disabled, enable it in the BIOS/UEFI settings. The following method will detail how.
Method 2: Enable TPM via BIOS or UEFI
If the TPM is present but disabled, you can enable it through the UEFI/BIOS setup. Here's how:
- Restart your computer and press the key that opens firmware setup as soon as the system starts to boot, before the Windows logo appears. This is commonly F2, F10, F12, Delete, or Esc. Alternatively, from Windows go to Settings > System > Recovery > Advanced startup > Restart now, then choose Troubleshoot > Advanced options > UEFI Firmware Settings.
- Once inside BIOS/UEFI, navigate to Security, Advanced, or Trusted Computing Section. Its exact location depends on the manufacturer.
- Find and enable TPM.
- Look for PTT (Platform Trust Technology) on Intel systems and enable it.
- Locate and enable fTPM (Firmware TPM) or AMD fTPM configuration on those with AMD chipsets.
- On some firmware versions the option appears as TPM Device, TPM State, or Trusted Platform Module; set it to Enabled (and, where offered, Available).
- Press F10 (or the designated key) to save changes and reboot.
- Lastly, open tpm.msc again to verify that Windows now reports the TPM as ready for use.
Firmware interfaces vary by manufacturer, and some boards only expose the TPM or fTPM option (or only offer TPM 2.0 rather than 1.2) after a firmware update has been applied.
Method 3: Validate TPM via PowerShell
Apart from the BIOS settings, you can also validate TPM using PowerShell as an administrator. This method is excellent for system admins or IT staff who need to check TPM status in a managed environment across multiple devices.
- Open PowerShell as an administrator. Note: You can also use Windows Terminal (Admin) if available.
- Next, run the TPM Query Command:
Get-WmiObject -Namespace "Root\CIMV2\Security\MicrosoftTpm" -Class Win32_Tpm
- Look for the following in the output:
- IsEnabled_InitialValue = True – This indicates the TPM hardware is enabled.
- IsActivated_InitialValue = True – This confirms the TPM has been activated in BIOS/UEFI.
- SpecVersion starting with 2.0 – The value is a string such as "2.0, 0, 1.59"; only the first field is the TPM specification version, and it must be 2.0 for Windows 11. A value starting with 1.2 indicates a TPM 1.2 chip that does not meet the requirement.
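The three checks above can be turned into one repeatable readiness report. The following function is an added example for this article, not code from the original page or from Microsoft: it uses Get-CimInstance (the supported replacement for Get-WmiObject, which is absent from PowerShell 7) to query Win32_Tpm, parses the first field of SpecVersion, and also records the Secure Boot state with Confirm-SecureBootUEFI, since Windows 11 needs both. It assumes an elevated session, and for remote names it assumes WinRM is enabled on the targets; the hosts.txt path in the usage comment is an assumption.

```powershell
# Added example (not from the original article): TPM 2.0 readiness report for one or many machines.
# Assumes an elevated session; remote targets need WinRM (Invoke-Command) enabled.
function Get-TpmReadiness {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Everything that runs on the target machine lives in this script block.
    $probe = {
        $tpm = Get-CimInstance -Namespace 'Root\CIMV2\Security\MicrosoftTpm' `
                               -ClassName Win32_Tpm -ErrorAction SilentlyContinue

        # Secure Boot is a UEFI feature independent of the TPM. Confirm-SecureBootUEFI throws
        # on a legacy BIOS boot, which is reported here as $null (not applicable).
        $secureBoot = $null
        try { $secureBoot = Confirm-SecureBootUEFI } catch { }

        if (-not $tpm) {
            # No Win32_Tpm instance: the chip is absent or disabled in firmware. This is the same
            # state tpm.msc shows as "Compatible TPM cannot be found".
            return [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                TpmPresent   = $false
                Enabled      = $false
                Activated    = $false
                SpecVersion  = $null
                MeetsWin11   = $false
                SecureBoot   = $secureBoot
                Note         = 'No TPM found; enable PTT/fTPM in firmware or check for a missing module'
            }
        }

        # SpecVersion is a string such as "2.0, 0, 1.59"; only the first field is the spec version.
        $spec = ($tpm.SpecVersion -split ',')[0].Trim() -as [version]
        $is20 = [bool]($spec -and $spec.Major -ge 2)
        $note = if ($is20) { '' } else { "Spec version '$($tpm.SpecVersion)' is below 2.0" }

        [pscustomobject]@{
            ComputerName   = $env:COMPUTERNAME
            TpmPresent     = $true
            Enabled        = $tpm.IsEnabled_InitialValue
            Activated      = $tpm.IsActivated_InitialValue
            Owned          = $tpm.IsOwned_InitialValue
            SpecVersion    = $spec
            ManufacturerId = $tpm.ManufacturerId
            MeetsWin11     = [bool]($is20 -and $tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue)
            SecureBoot     = $secureBoot
            Note           = $note
        }
    }

    foreach ($name in $ComputerName) {
        if ($name -in @($env:COMPUTERNAME, 'localhost', '.')) {
            & $probe
        } else {
            Invoke-Command -ComputerName $name -ScriptBlock $probe |
                Select-Object -Property * -ExcludeProperty PSComputerName, RunspaceId, PSShowComputerName
        }
    }
}

# Usage (hosts.txt is an assumed inventory file): list machines that are not ready for Windows 11.
# Get-TpmReadiness -ComputerName (Get-Content .\hosts.txt) |
#     Where-Object { -not $_.MeetsWin11 } | Format-Table -AutoSize
```

A machine that reports TpmPresent but MeetsWin11 = $false with Enabled or Activated = $false is the firmware-disabled case handled by Method 2; a SecureBoot value of $false means the firmware boots in UEFI mode with Secure Boot turned off, which is a separate setting from the TPM and must be fixed in the same firmware menu.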
TPM 2.0 Group Policy and security use cases
Once TPM 2.0 has been enabled, it unlocks a range of security features you can configure through Group Policy in Windows. These features strengthen system security, protect sensitive data, and reduce the attack surface, especially in enterprise environments.
Use cases for TPM in Group Policy
- BitLocker Drive Encryption. BitLocker seals its volume master key to the TPM, bound to the boot measurements (PCRs) recorded during startup, so the key is released only when the platform boots in the expected state. The data stays protected if the drive is moved to another machine, and the TPM protector can be combined with a PIN or startup key. BitLocker requirements can be enforced via Group Policy.
- Credential Guard. This uses virtualization-based security (VBS) to isolate domain credentials from the rest of the OS, protecting them from credential-theft malware. A TPM is not strictly required, but when present it protects the keys that seal VBS-protected secrets and supports device health attestation.
- Measured boot and Secure Boot validation. Secure Boot (a UEFI feature) checks the signatures of firmware components and the boot loader; the TPM complements it by recording hashes of each boot stage into its PCRs. BitLocker and remote attestation use those measurements to detect bootkits and rootkits (malware that loads before or alongside the OS kernel), because a tampered boot chain produces measurements that do not match and the TPM will not release the sealed keys.
How to access and configure TPM policies
- Activate the Run dialog with the Win + R shortcut, then type gpedit.msc and press Enter. This will open the Local Group Policy Editor (not available on Windows Home Editions).
- Navigate to:
Computer Configuration > Administrative Templates > System > Trusted Platform Module Services
- The Trusted Platform Module Services node contains the settings that control the TPM itself, such as:
- Configure the list of blocked TPM commands (and the related policies to ignore the default or local blocked-command lists).
- Standard User Lockout Duration and the individual and total lockout thresholds, which tune the TPM's anti-hammering behaviour for authorization failures.
- Configure the level of TPM owner authorization information available to the operating system.
- The BitLocker settings that decide whether a TPM, TPM + PIN, or TPM + startup key is required live under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives, in the policy Require additional authentication at startup. The same BitLocker node holds the recovery policies that back up recovery passwords to Active Directory before encryption is allowed.
- Remote attestation of TPM-backed devices (Device Health Attestation, used by conditional-access rules to confirm that Secure Boot, BitLocker, and Credential Guard are in effect) is configured through MDM/Intune compliance policies rather than through this Group Policy node.
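Setting the policy is only half the job; the check a practitioner wants is whether the OS volume actually carries the protectors the policy demands. The function below is an added example for this article, not code from the original page or from Microsoft. It reads the registry values that the "Require additional authentication at startup" policy writes under HKLM:\SOFTWARE\Policies\Microsoft\FVE (UseAdvancedStartup, UseTPMPIN, EnableBDEWithNoTPM, where 1 means Require, 2 Allow, 0 Do not allow), compares them with the key protectors reported by Get-BitLockerVolume, and returns findings. It assumes an elevated session and the BitLocker PowerShell module (Windows Pro, Enterprise, or Education).

```powershell
# Added example (not from the original article): compare the BitLocker startup policy pushed by
# Group Policy with the key protectors actually present on the OS volume.
# Assumes an elevated session and the BitLocker module (Pro/Enterprise/Education editions).
function Test-BitLockerTpmPolicy {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    # "Require additional authentication at startup" writes these values.
    # 1 = Require, 2 = Allow, 0 = Do not allow. A missing key means the policy is not configured.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $policy = [pscustomobject]@{
        Configured    = [bool]($fve -and $fve.UseAdvancedStartup -eq 1)
        RequireTpmPin = [bool]($fve -and $fve.UseTPMPIN -eq 1)
        AllowNoTpm    = [bool]($fve -and $fve.EnableBDEWithNoTPM -eq 1)
    }

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $findings = @()
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "Protection is $($vol.ProtectionStatus) on $MountPoint"
    }
    # Tpm, TpmPin, TpmStartupKey and TpmPinStartupKey are the protectors sealed to the TPM.
    if (-not ($types -match '^Tpm')) {
        $findings += 'No TPM-bound key protector; the volume master key is not sealed to the TPM'
    }
    if ($policy.RequireTpmPin -and 'TpmPin' -notin $types) {
        $findings += 'Policy requires TPM + PIN but the volume has no TpmPin protector'
    }
    if ('RecoveryPassword' -notin $types) {
        $findings += 'No recovery password protector; clearing the TPM would lock the volume'
    }
    if ($policy.AllowNoTpm) {
        $findings += 'Policy allows BitLocker without a TPM (password-only startup); tighten it once the fleet has TPM 2.0'
    }

    [pscustomobject]@{
        MountPoint       = $MountPoint
        PolicyConfigured = $policy.Configured
        Protectors       = ($types -join ', ')
        Compliant        = ($findings.Count -eq 0)
        Findings         = $findings
    }
}

# Usage: Test-BitLockerTpmPolicy | Format-List
```

A common real-world result is Compliant = $false with the TpmPin finding: the policy was pushed after the drive was encrypted, so the existing Tpm-only protector stays in place until an administrator adds a TpmPin protector (Add-BitLockerKeyProtector -TpmAndPinProtector) and removes the old one.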
Troubleshooting TPM 2.0 issues
You may encounter problems when enabling TPM 2.0. Here are some of the most common, along with their solutions.
Issue: TPM cannot be detected
If the TPM Management Console and PowerShell show no TPM, be sure to check the following:
- Firmware version. An outdated BIOS/UEFI may not expose the TPM or may only offer TPM 1.2 mode. Go to your system or motherboard manufacturer's site (HP, Lenovo, Asus, etc.), download the latest firmware update for your exact model, and apply it using the vendor's update tool; then return to the firmware setup and look for the TPM, PTT, or fTPM option again.
- Hardware absence. TPM may not be physically installed on older (pre-2016) and custom-built PCs. Check your motherboard’s specs to confirm physical presence. You can try to:
- Look up your motherboard model on the manufacturer’s website. Most manuals include a section on TPM support, where you can find out whether a header exists for an add-on module.
- Inspect for a TPM header. Some desktops have a TPM header on the motherboard where a discrete TPM chip can be installed. If installed, you can purchase a compatible TPM module from the manufacturer.
- Check BIOS/UEFI for firmware TPM options (fTPM/PTT). Many modern systems include a firmware-based TPM that is simply switched off by default. Recheck the Security, Advanced, and Trusted Computing menus before concluding that no TPM is available.
Issue: BIOS password required
If firmware settings are locked, you need an admin or supervisor password to modify security configurations, including enabling TPM. You can retrieve credentials via your IT department or refer to your manufacturer’s manual or documentation.
Issue: Inconsistent TPM detection
Systems with Fast Startup enabled may not fully reinitialize the TPM after a firmware change, because a Fast Startup shutdown is a partial hibernation rather than a cold boot. Choosing Restart (not Shut down) always performs a full boot, so use that first; if the problem persists, disable Fast Startup as follows:
- Open Control Panel and navigate to Power Options.
- Next, select Choose what the power buttons do, then click Change settings that are currently unavailable.
- Uncheck Turn on fast startup.
- Reboot and recheck the TPM status.
How to reset TPM
If TPM behaves unexpectedly or was previously used in another environment, you can reset it via the following steps:
- Open the Run dialog (Win + R), then type tpm.msc. Press Enter to open the TPM Management Console.
- In the right pane, select Clear TPM. If the option is nonexistent, click Refresh.
- Follow the prompts and reboot.
IMPORTANT: Clearing the TPM destroys every key it holds, including the BitLocker protector for the OS drive, Windows Hello keys, and any certificate whose private key is TPM-backed. If BitLocker is on, Windows will demand the 48-digit recovery password at the next boot, so before clearing, export or escrow the recovery password (and on managed devices suspend BitLocker for one reboot so it can re-seal to the cleared TPM), and expect to re-enrol Windows Hello and TPM-backed certificates afterwards.
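For a scripted reset on managed devices, the preparation steps in the warning above (export the recovery password, optionally escrow it to Active Directory, suspend BitLocker on the OS volume) and the clear itself can be done in one elevated PowerShell session with the BitLocker and TrustedPlatformModule modules. The following function is an added example for this article, not code from the original page or from Microsoft. The export path is an assumption, and Backup-BitLockerKeyProtector only succeeds on domain-joined devices whose BitLocker policy permits AD escrow.

```powershell
# Added example (not from the original article): back up BitLocker recovery passwords, suspend
# BitLocker on the OS volume, then clear the TPM. Assumes an elevated session; $ExportPath and
# the -EscrowToAD behaviour are assumptions for this example.
function Invoke-SafeTpmClear {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$ExportPath = "$env:ProgramData\TpmClear-RecoveryKeys-$(Get-Date -Format 'yyyyMMdd-HHmmss').txt",
        [switch]$EscrowToAD
    )

    $volumes = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }
    foreach ($vol in $volumes) {
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        if ($recovery.Count -eq 0) {
            # Refuse to continue: without a recovery password the volume is unrecoverable after the clear.
            throw "Volume $($vol.MountPoint) has no recovery password protector; add one with " +
                  "Add-BitLockerKeyProtector -RecoveryPasswordProtector before clearing the TPM."
        }
        foreach ($kp in $recovery) {
            # Plain-text export: move this file to the key-escrow system and delete it afterwards.
            "$($vol.MountPoint) $($kp.KeyProtectorId) $($kp.RecoveryPassword)" | Add-Content -Path $ExportPath
            if ($EscrowToAD) {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
            }
        }
        # Suspend (not decrypt) the OS volume: the volume master key is left readable for one
        # reboot so BitLocker can re-seal it to the cleared TPM instead of prompting for recovery.
        # Data volumes with auto-unlock keep their keys on the OS volume and need no change.
        if ($vol.VolumeType -eq 'OperatingSystem') {
            Suspend-BitLocker -MountPoint $vol.MountPoint -RebootCount 1 | Out-Null
        }
    }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Clear TPM (destroys all TPM-held keys)')) {
        $result = Clear-Tpm
        if ($result.RestartPending) {
            Write-Warning 'Restart required; some firmware asks for a physical-presence confirmation at the console.'
        }
        Write-Host "Recovery passwords written to $ExportPath"
        return $result
    }
}

# Usage: Invoke-SafeTpmClear -EscrowToAD   (prompts for confirmation because ConfirmImpact is High)
```

After the reboot, run Get-BitLockerVolume and confirm that ProtectionStatus is back to On and that the TPM protector is present; if it is not, Resume-BitLocker will re-seal the key to the fresh TPM.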
Enabling TPM 2.0 keeps your Windows 11 systems secure
Enabling TPM 2.0 on your PCs and managed environments is essential for meeting the Windows 11 requirement and for unlocking TPM-backed features such as BitLocker, Windows Hello, measured boot, and the hardware key protection used alongside Credential Guard.
You can check the TPM status with tpm.msc or PowerShell and confirm that the specification version is 2.0. If the TPM is not detected, open the firmware setup and enable PTT on Intel platforms or fTPM on AMD platforms. Once the TPM is active, use Group Policy (or MDM) to enforce TPM-backed protections and make the check part of your provisioning process.