
How to Enable TPM 2.0 on a Windows 11 PC

by Mikhail Blacer, IT Technical Writer

Key Points

  • Enable TPM 2.0 for Windows 11 Security & Compliance – TPM 2.0 (Trusted Platform Module) is required for Windows 11 installation and vital for features like BitLocker, Windows Hello, and Secure Boot. It ensures compliance with modern hardware-based security standards and protects enterprise systems.
  • Verify TPM 2.0 Status Using Windows Tools – Check TPM availability and version via tpm.msc (TPM Management Console) or PowerShell. Look for “The TPM is ready for use” and confirm that SpecVersion 2.0 or higher is installed to meet Windows 11 system requirements.
  • Enable TPM 2.0 via BIOS/UEFI Settings – If TPM is disabled, access BIOS or UEFI firmware and enable it. Use PTT (Intel Platform Trust Technology) or fTPM (AMD Firmware TPM), depending on your system. Save and reboot to activate TPM for Windows 11 compatibility.
  • Leverage TPM 2.0 for Advanced Security Policies – Once enabled, configure Group Policy settings for BitLocker encryption, Credential Guard, and Secure Boot validation. TPM 2.0 enhances data protection, prevents firmware attacks, and supports remote attestation for IT-managed environments.
  • Troubleshoot and Maintain TPM Functionality – Resolve TPM detection issues through firmware updates, enabling fTPM/PTT, or installing a dedicated TPM module. Reset TPM when necessary (with recovery key backups) to restore functionality and maintain system security integrity.

TPM, or Trusted Platform Module, is a hardware-based security feature integrated into modern PCs. Windows 11 requires TPM 2.0 for installation, as it is essential for enabling several Windows security features, including BitLocker, Windows Hello, and Secure Boot. On some systems the TPM is present but disabled in firmware by default.

Enabling TPM is essential for managed or enterprise environments and vital to any IT infrastructure’s security strategy. It helps ensure compliance with hardware security baselines and supports modern security features. If you’re looking for guidance on how to enable TPM 2.0, this guide covers several methods, including TPM Management, PowerShell, and BIOS or UEFI.

Requirements to enable TPM 2.0 on a Windows 11 PC

Before attempting to enable TPM 2.0 on your PC, you must meet the following prerequisites:

  • TPM 2.0 hardware support. Your device must have a Trusted Platform Module 2.0 chip embedded in the motherboard. Most PCs and laptops manufactured after 2016 have them by default. However, it’s essential to verify compatibility, especially on older systems.
  • Access to UEFI/BIOS settings. To enable the TPM, you will need to enter the system’s firmware setup. You can access it by pressing a specific key, like F2, DEL, or ESC, right after powering on your device.
  • Administrative privileges. You must be logged on to a Windows account with the appropriate permissions to configure settings on tools like PowerShell and the TPM Management Console.
  • Original Equipment Manufacturer-specific variations. Depending on the manufacturer, TPM settings may be referred to by different names. For example, some systems, such as Intel’s, may refer to it as PTT or Platform Trust Technology, while AMD calls it fTPM.

How to check TPM 2.0 status

Method 1: Check TPM status using tpm.msc

Using the built-in TPM Management Console, this method lets you check if TPM 2.0 is present and enabled on your system. Here are the required steps for this method:

  1. Open the Run dialog by pressing Win + R on your keyboard.
  2. Type tpm.msc to launch the TPM Management Console.
  3. Next, review the TPM Status. In the TPM Management on Local Computer window, look for the following:
    1. If it shows “The TPM is ready for use,” then the TPM is installed and active.
    2. If it shows “Compatible TPM cannot be found,” the chip may be disabled in firmware, or it may not be present.
  4. Locate the Specification Version in the TPM Manufacturer Information section. Note that Windows 11 requires version 2.0. If it’s 1.2 or missing, your system may not meet the Windows TPM requirement.

Method 2: Validate TPM via PowerShell

You can also validate TPM status using PowerShell as an administrator. This method is excellent for system admins or IT staff who need to check TPM status in a managed environment across multiple devices.

  1. Open PowerShell as an administrator. Note: You can also use Windows Terminal (Admin) if available.
  2. Next, run the TPM Query Command:

Get-WmiObject -Namespace "Root\CIMV2\Security\MicrosoftTpm" -Class Win32_Tpm

  3. Look for the following in the output:
    1. IsEnabled_InitialValue = True – This indicates the TPM hardware is enabled.
    2. IsActivated_InitialValue = True – This confirms the TPM has been activated in BIOS/UEFI.
    3. SpecVersion = 2.0 or higher – Confirms the TPM version meets the requirement for Windows 11. SpecVersion is a comma-separated string (for example “2.0, 0, 1.16”); only the first value is the specification version.
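The check above can be turned into a reusable report for a managed fleet. The script below is an added example, not from the original article: it queries the same Win32_Tpm class with Get-CimInstance (the supported replacement for Get-WmiObject, which is absent from PowerShell 7), handles the “no TPM found” case, and parses SpecVersion correctly. The function name and the Action wording are this example’s own choices.

```powershell
# Added example (not from the original article). Run from an elevated session.
function Get-TpmComplianceReport {
    [CmdletBinding()]
    param()

    # Same class/namespace the article queries; SilentlyContinue so an absent
    # TPM yields $null instead of a terminating error.
    $tpm = Get-CimInstance -Namespace 'Root\CIMV2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # No instance corresponds to "Compatible TPM cannot be found" in tpm.msc:
    # the chip is absent or disabled in firmware, so there is nothing to read.
    if (-not $tpm) {
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Present      = $false
            Enabled      = $false
            Activated    = $false
            SpecVersion  = $null
            Windows11Ok  = $false
            Action       = 'Enable PTT/fTPM in BIOS/UEFI or update firmware'
        }
    }

    # SpecVersion looks like "2.0, 0, 1.16"; only the first field is the
    # specification version, so take it with a regex rather than casting the string.
    $specMajor = if ("$($tpm.SpecVersion)" -match '^\s*(\d+(\.\d+)?)') { [double]$Matches[1] } else { 0.0 }

    $enabled   = [bool]$tpm.IsEnabled_InitialValue
    $activated = [bool]$tpm.IsActivated_InitialValue
    $ok        = $enabled -and $activated -and ($specMajor -ge 2.0)

    $action = if ($ok) { 'None' }
              elseif ($specMajor -lt 2.0) { 'TPM 1.2 or unknown: check for a firmware upgrade or a discrete TPM 2.0 module' }
              else { 'TPM present but not enabled/activated: enable it in BIOS/UEFI' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Present      = $true
        Enabled      = $enabled
        Activated    = $activated
        SpecVersion  = $specMajor
        Windows11Ok  = $ok
        Action       = $action
    }
}

Get-TpmComplianceReport | Format-List
```

To collect the same report from many machines at once, pass the function to remoting, for example `Invoke-Command -ComputerName $names -ScriptBlock ${function:Get-TpmComplianceReport}`, and export the combined objects to CSV.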

If the TPM is reported as not found or disabled, enable it in the BIOS/UEFI settings. The following section details how.

How to enable TPM 2.0 in BIOS/UEFI

While some steps may vary depending on the device, you can enable TPM 2.0 through UEFI and BIOS settings. Here’s how:

  1. The first step is to restart your computer. Press the key that opens BIOS/UEFI setup as soon as the system begins to restart. This can be F2, F10, F12, Delete, or Esc, depending on the PC’s configuration.
  2. Once inside BIOS/UEFI, navigate to Security, Advanced, or Trusted Computing Section. Its exact location depends on the manufacturer.
  3. Find and enable TPM.
    1. Look for PTT (Platform Trust Technology) on Intel systems and enable it.
    2. Locate and enable fTPM (Firmware TPM) or AMD fTPM configuration on systems with AMD chipsets.
    3. In some BIOS versions, the option appears as TPM Device or Trusted Platform Module.
  4. Press F10 (or the designated key) to save changes and reboot.
  5. Lastly, verify if TPM is enabled on Windows using the tpm.msc or PowerShell methods.

However, interfaces vary, depending on the manufacturer. In some cases, TPM options may appear as unavailable until a firmware update is applied.

TPM 2.0 Group Policy and security use cases

Once TPM 2.0 has been enabled, it unlocks a wide range of security features you can configure through Group Policy in Windows. These features strengthen system security, protect sensitive data, and reduce cyber attack opportunities, especially in enterprise environments.

Use cases for TPM in Group Policy

  • BitLocker Drive Encryption. TPM securely stores encryption keys, which enable drive encryption and protect data even if the drive is removed. Plus, you can enforce BitLocker policies via Group Policy.
  • Credential Guard. This uses virtualization-based security to isolate login credentials from the OS, protecting them from malware. It uses TPM to store and safeguard secrets while helping with system integrity checks.
  • Secure Boot Validation. TPM aids in validating firmware and bootloader integrity during startup, preventing rootkits and bootkits (malware that loads before the operating system) from executing before Windows loads.

How to access and configure TPM policies

  1. Activate the Run dialog with the Win + R shortcut, then type gpedit.msc and press Enter. This will open the Local Group Policy Editor (not available on Windows Home Editions).
  2. Navigate to:

Computer Configuration > Administrative Templates > System > Trusted Platform Module Services

  3. You can then configure policies such as:
    1. Enabling or restricting TPM use for BitLocker.
    2. Allowing remote attestation of TPM-protected devices, which lets IT admins verify that systems have not been tampered with, even when off-site.
    3. Enforcing TPM startup key or PIN requirements.

Troubleshooting TPM 2.0 issues

You may encounter problems when enabling TPM 2.0. Here are some of the most common, along with their solutions.

Issue: TPM cannot be detected

If the TPM Management Console and PowerShell show no TPM, be sure to check the following:

  • Firmware version. You may have an outdated BIOS/UEFI that does not support TPM. Your best path forward is to visit your system manufacturer’s site (HP, Lenovo, Asus, etc.) to download the latest patch and update the BIOS on your Windows PC.
  • Hardware absence. TPM may not be physically installed on older (pre-2016) and custom-built PCs. Check your motherboard’s specs to confirm physical presence. You can try to:
    • Look up your motherboard model on the manufacturer’s website. Most manuals include a section on TPM support, where you can find out whether a header exists for an add-on module.
    • Inspect for a TPM header. Some desktops have a TPM header on the motherboard where a discrete TPM chip can be installed. If installed, you can purchase a compatible TPM module from the manufacturer.
    • Check BIOS/UEFI for options related to firmware TPM (fTPM/PTT). Many modern systems include a firmware-based TPM that you can enable using the BIOS. Recheck the BIOS settings before concluding that no TPM is present.

Issue: BIOS password required

If firmware settings are locked, you need the admin or supervisor password to modify security configurations, including enabling TPM. Obtain the password from your IT department, or refer to your manufacturer’s manual or documentation.

Issue: Inconsistent TPM detection

Systems with Fast Startup enabled may not fully initialize the TPM during a reboot. To disable it, follow these steps:

  1. Open Control Panel and navigate to Power Options.
  2. Next, select Choose what the power buttons do, then click Change settings that are currently unavailable.
  3. Uncheck Turn on fast startup.
  4. Reboot and recheck the TPM status.

How to reset TPM

If TPM behaves unexpectedly or was previously used in another environment, you can reset it via the following steps:

  1. Open the Run dialog (Win + R), then type tpm.msc. Press Enter to open the TPM Management Console.
  2. In the right pane, select Clear TPM. If the option is not shown, click Refresh.
  3. Follow the prompts and reboot.

IMPORTANT: Clearing TPM erases keys tied to features like BitLocker, which can lock you out of encrypted volumes. Export and back up your BitLocker recovery keys and any other TPM-protected credentials before you proceed.
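One way to do that backup before clearing the TPM, as an added example that is not part of the original article: enumerate every encrypted BitLocker volume, warn if one has no recovery password protector, and write the recovery passwords to a CSV (optionally also escrowing them in Active Directory). It assumes the BitLocker PowerShell module (present on Windows 10/11 Pro and Enterprise), an elevated session, and a placeholder export path you replace.

```powershell
# Added example (not from the original article). Run elevated before Clear TPM.
function Export-BitLockerRecoveryKeys {
    param(
        [Parameter(Mandatory)] [string] $ExportPath,   # placeholder path, choose your own
        [switch] $BackupToAD                           # also escrow in AD DS, if policy allows
    )

    $records = foreach ($vol in Get-BitLockerVolume) {
        # Only volumes with protection on will demand a key after the TPM is cleared.
        if ($vol.ProtectionStatus -ne 'On') { continue }

        $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $rp) {
            # A TPM-only volume has no fallback; add a recovery password first.
            Write-Warning ("{0} has no recovery password protector; add one with " +
                "Add-BitLockerKeyProtector -MountPoint {0} -RecoveryPasswordProtector first." -f $vol.MountPoint)
            continue
        }

        foreach ($p in $rp) {
            if ($BackupToAD) {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                                             -KeyProtectorId $p.KeyProtectorId | Out-Null
            }
            [pscustomobject]@{
                ComputerName     = $env:COMPUTERNAME
                MountPoint       = $vol.MountPoint
                KeyProtectorId   = $p.KeyProtectorId
                RecoveryPassword = $p.RecoveryPassword   # the 48-digit key; protect this file
            }
        }
    }

    # The CSV unlocks the drives: store it off the machine, not on the volume it protects.
    $records | Export-Csv -Path $ExportPath -NoTypeInformation
    return $records
}

# Placeholder path; replace before use.
Export-BitLockerRecoveryKeys -ExportPath 'D:\placeholder\bitlocker-keys.csv' | Format-Table -AutoSize
```

Running `Suspend-BitLocker -MountPoint C: -RebootCount 0` before the reset keeps the OS volume from prompting for the recovery key at the next boot; run `Resume-BitLocker` once the TPM has been re-provisioned.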

Quick-Start Guide

While NinjaOne doesn’t have a direct one-click TPM 2.0 enablement script, the platform supports several scripts and methods related to Windows 11 compatibility and upgrades:

1. NinjaOne offers a “Check Windows 11 Upgrade Compatibility” script that can help verify if a device meets the TPM 2.0 requirement.

2. For Windows 11 upgrades, NinjaOne provides scripts to:
    • Block Windows 10 to 11 Upgrade
    • Update Windows 10 to Windows 11 using the Installation Assistant

3. While TPM 2.0 specifically isn’t directly addressed, the platform supports various Windows configuration scripts that could potentially be used to prepare a device for Windows 11.

For the most accurate and current method to enable TPM 2.0, I recommend:
  • Consulting your specific device’s BIOS/UEFI settings
  • Using Microsoft’s official Windows 11 compatibility tools
  • Leveraging NinjaOne’s scripting capabilities to create a custom solution if needed

Enabling TPM 2.0 keeps your Windows 11 systems secure

Enabling TPM 2.0 on your PC and managed environments is extremely important for ensuring Windows 11 compliance and unlocking security features like BitLocker and Credential Guard.

You can check the TPM status using tpm.msc or PowerShell and ensure the version is 2.0 or higher. If it isn’t detected, access your BIOS settings and enable PTT (Intel) or fTPM (AMD). Once activated, you can use Group Policy to enforce TPM-backed protections, making them part of your provisioning process.

FAQs

TPM 2.0 (Trusted Platform Module) is a security chip that protects sensitive data like encryption keys and passwords. Windows 11 requires TPM 2.0 to enable advanced security features such as BitLocker, Secure Boot, and Windows Hello.

You can check TPM status using tpm.msc via the Run command or through PowerShell by running the Get-WmiObject TPM query. Ensure the SpecVersion is 2.0 or higher for Windows 11 compatibility.

Restart your PC and access the BIOS/UEFI menu using keys like F2, F10, or DEL. Look under Security or Advanced Settings to enable PTT (Intel) or fTPM (AMD), then save and reboot.

Update your system’s BIOS/UEFI firmware, check for firmware TPM (fTPM/PTT) options, or verify if your motherboard supports an add-on TPM module. Systems made before 2016 may lack a built-in TPM chip.

Officially, Windows 11 requires TPM 2.0. While bypass methods exist, they reduce security and may prevent updates. It’s best to enable TPM 2.0 to ensure full compliance and protection.

TPM 2.0 secures system integrity by validating boot files, storing encryption keys, and enabling features like BitLocker, Credential Guard, and Secure Boot, making it critical for both home and enterprise environments.

Resetting TPM erases keys linked to encrypted data. Always back up BitLocker recovery keys and other credentials before clearing TPM to avoid losing access to encrypted files.
