Common Errors When Updating to Windows 11
In some instances when using the Windows 11 compatibility tool
you may experience the following errors.
This PC can’t run Windows 11′ error: How to fix the problem with TPM and Secure Boot
If you’ve tried installing Windows 11 Insider Preview or using the Microsoft PC Health Check app and were greeted with an error message reading, “This PC can’t run Windows 11,” your system might not have two essential security settings turned on: Secure Boot and TPM 2.0.
Many modern computers and processing chips from Intel and AMD have these features built in, and both are now required for all machines running Windows 11.
Once you’ve downloaded the PC Health Check app, you can click Check Now to begin the scanning process. The app will tell you whether your computer will support Windows 11, or what it’s missing, and you can click See All Results for more information.
If your machine is new enough to support both, enabling TPM (short for Trusted Platform Module) and Secure Boot is often quite easy. No special skills are needed, and you’ll just be clicking through menus. If you’ve never heard the words “BIOS menu” you might feel out of your element, but don’t be intimidated. With a little patience, any first-timer can do this.
Here’s what you need to know.
What are TPM and Secure Boot?
TPM microchips are small devices known as secure cryptoprocessors. Some TPMs are virtual or firmware varieties but, as a chip, a TPM is attached to your motherboard during the build and designed to enhance hardware security during computer startup. A TPM has been a mandatory piece of tech on Windows machines since 2016, so machines older than this may not have the necessary hardware or firmware. Previously, Microsoft required original equipment manufacturers of all models built to run Windows 10 to ensure that the machines were TPM 1.2-capable. TPM 2.0 is the most recent version required.
TPMs are controversial among security specialists and governments. An updated and enabled TPM is a strong preventative against firmware attacks, which have risen steadily and drawn Microsoft’s attention. However, it also allows remote attestation (authorized parties can see when you make certain changes to your computer) and may restrict the kinds of software your machine is allowed to run. TPM-equipped machines generally aren’t shipped in countries where western encryption is banned. China uses its state-regulated alternative, TCM. In Russia, TPM use is only allowed with permission from the government.
Secure Boot is a feature in your computer’s software that controls which operating systems are allowed to be active on the machine. It’s both a good and bad thing for a Windows machine. On the one hand, it can prevent certain classes of invasive malware from taking over your machine and is a core defense against ransomware.
On the other hand, it can prevent you from being able to install a second operating system on your machine, giving you two to choose from when you first start up your computer. So, if you wanted to experiment with Linux operating systems, for instance, Secure Boot could stop you. Secure Boot also plays a part in preventing Windows pirating.
Is my device capable of TPM 2.0 and Secure Boot?
If the PC Health Checker suggested that TPM isn’t enabled, you should first find out whether that’s an accurate diagnosis. Here’s how.
1. From your desktop, press the Windows key next to the spacebar + R. This will bring up a dialog box.
2. In the text field of the box, type tpm.msc and hit Enter. This should bring up a new window labelled “TPM Management on Local Computer.”
3. Click Status. If you see a message that says “The TPM is ready for use” then the PC Health Checker has misdiagnosed you, and the steps below won’t help. At this point, there are several reasons you might be receiving the wrong error message from Microsoft, so your best bet is to get a professional to take a look at your machine.
How do I enable TPM 2.0?
You’re going to need to get to your BIOS menu so you can get to your TPM switch, and there are two ways to do that. We’ll cover both here. The first is for much newer PCs, the second method for those a few years older. Regardless of which you choose, though, you’re going to need to restart your machine. So save any work and close any open windows or programs before proceeding.
From Windows 10’s Start menu
If you have a newer machine running Windows 10, your boot time may be too fast for you to try the traditional method of hitting a particular key to get to your BIOS menu before Windows can fully load. Here’s how to get to it from inside your normal desktop.
1. Start your computer normally and open the Start menu by clicking on that Windows button on the far left bottom of your screen. Click on the gear-shaped Settings icon on the left side of the menu.
2. Within the Settings window that appears, click Update & Security. On the left-side pane that appears, click Recovery. Under the Advanced startup header, click Restart now.
Your computer will immediately restart, and instead of restarting and bringing you to your normal desktop screen, you’ll be brought to a blue screen with a few options.
3. Click Troubleshoot, followed by Advanced options, followed by UEFI Firmware Settings.
Your device will restart again.
From here, go to Step 2 in the section below and follow the remaining steps.
From start-up
You’re going to need to move very quickly for Step 1. You’ll only have a few seconds to get into the BIOS before your operating system loads. If you miss your window, no harm done, you’ll just have to restart the computer and try again. After Step 1, though, feel free to take your sweet time.
1. Restart your computer, and as it’s booting up you should see a message telling you to press a certain key to enter the BIOS, whether it uses that word or another. On most Dells, for instance, you should see “Press F2 to enter Setup.” Other messages might be “Setup = Del” (meaning Delete) or “System Configuration: F2.” Press whatever key the prompt tells you to and enter the Setup menu.
Depending on what kind of computer you have, a different key may be needed to enter your Setup menu. It could be F1, F8, F10, F11, Delete or another key. If there’s no message on the screen with instructions, the general rule is to hit the key when you see the manufacturer’s logo but before Windows loads. To find out which key will get you in, search online for your laptop’s make and model along with the phrase “BIOS key.”
2. In the BIOS or UEFI menu, there should be at least one option or tab labelled Security. Using your keyboard, navigate to it and hit Enter. On some systems, you might need to use the + key to expand a submenu instead.
3. Once you’re inside the Security section, you’re going to be looking for the TPM settings. This might be clearly labeled “TPM Device,” “TPM Security” or some variation. On Intel machines, it will sometimes be labeled “PTT” or “Intel Trusted Platform Technology.” It might also appear as “AMD fTPM Switch.”
Warning: Stay alert here. Within most TPM settings menus, you generally have an option to clear your TPM, update it or restore it to factory default. Do not do that right now. Clearing the TPM will cause you to lose all data encrypted by the TPM and all keys to the encryption. This action can not be undone or reversed.
4. From inside the TPM settings menu, you’re on one mission only: Find the switch that turns on the TPM. You’re not touching anything else. Look through the options inside this menu for one that shows some form of toggle or switch beside the word “Enable” or “Unavailable” or even just “Off.” Use your arrow keys to flip that toggle or switch.
5. Once you’ve kicked on the TPM, look around the screen for Save. Once you’ve saved this setting, restart the computer.
How do I enable Secure Boot?
You’ll save yourself a headache if you keep one thing in mind about enabling Secure Boot. Sometimes after you enable Secure Boot on a machine that’s running software incompatible with Secure Boot, the machine will refuse to load Windows properly on restart. If that happens, don’t panic. You didn’t break anything.
No matter which method you’ve used to get to the boot menu to begin with — either via Windows 10’s Start menu, or by the traditional method of hitting a specific key during start-up — you can still use the traditional method to get back to the boot menu and disable Secure Boot again.
From Windows 10’s Start menu
Follow the steps above to access the UEFI Firmware Settings.
1. Once you’re in the UEFI, you’re going to be looking for the Secure Boot setting. There are a few possible places this could be — check under any tabs labelled Boot, Security or Authentication.
2. Once you’ve checked the tabs and found the Secure Boot setting, toggle the switch beside it to turn it on or enable it.
3. Find your Save feature and, after you’ve saved your changes and exited the menu, your computer should reboot and bring you back to a normal Windows desktop.
There are some PCs on which you may not be able to readily find the Secure Boot setting. Some computers will load Secure Boot keys under a Custom tab. Some computers won’t allow you to enable Secure Boot until certain factory settings are restored. If you’re unable to access Secure Boot, or get roadblocked here, it’s best to get help from a professional rather than take chances.
From start-up
If you’re not working with UEFI, then you should be able to just enable Secure Boot in BIOS.
1. Just as you did when enabling your TPM, hit F2 (or whichever key your manufacturer specifies) as your computer is booting up and enter the BIOS menu.
2. Go to the tab or option that says BIOS Setup, and then select Advanced.
3. Next, select Boot Options and a list of them should appear.
4. In that list, find Secure Boot. Enable it.
5. Hit Save, exit the menu system, and restart your computer if it does not restart automatically.