https://www.techtarget.com/searchenterprisedesktop/tip/How-to-fix-Windows-11-when-Secure-Boot-and-TPM-dont-work
Some of the most common causes of Windows 11 upgrade failure are incompatible hardware, most often the CPU, or unmet firmware requirements: Unified Extensible Firmware Interface (UEFI), Secure Boot or the Trusted Platform Module (TPM).
As a desktop administrator, you need to know what UEFI is and understand the importance of Secure Boot and TPM. This will help you support Windows 11 desktops better, understand why these components cause Windows 11 installation to fail and learn workarounds to install Windows 11.
For important context, you should keep Windows 11 requirements in mind, including but not limited to TPM and UEFI requirements.
You can use the PC Health Check tool included in Windows 10 to determine Windows 11 compatibility for existing devices. Failure to install Windows 11 is probably due to incompatibility with system requirements, which include the following:
Some of these requirements are very straightforward, such as internet connectivity and the specified version of Windows 10, but the requirements for UEFI and TPM come with more questions.
The Windows desktop BIOS provides a low-level ability for OSes and applications to communicate with hardware such as the CPU, disk drives and network adapters. BIOS provides hardware initialization during boot and was created with the first IBM compatible PCs in the 1970s. While BIOS was originally stored in ROM chips, it eventually moved to flash memory to enable updates and features required for new hardware.
Pressing F1, F2 or F12 -- depending on the manufacturer -- during startup, before Windows loads, brings up a management program that administrators still refer to as "the BIOS." The BIOS program lets users configure hardware by enabling certain boot features, virtualization, security features, hard drive testing and more (see Figure 1).
BIOS has only 1 MB of executable space in which to start devices such as hard disks, USB drives, displays, ports and other controllers. Newer hardware devices are beyond the scope of the original BIOS design, which makes booting slow and inefficient. In addition, BIOS would boot any software that carried a bootloader, so anyone able to write one could use it to take control of the PC before the OS ever loaded.
While these limitations were known for decades, it took until 2007 for OEMs to agree to use UEFI as a replacement for BIOS. While Microsoft supported the specification as early as Windows 8, it wasn't required until Windows 11, even though peripherals such as disk drives might require UEFI.
UEFI has several significant features, including the following:
The terms Secure Boot and TPM are frequently used interchangeably, especially in diagnostic tools and BIOS menu settings. In this usage, TPM is the hardware or firmware component that enables the Secure Boot features.
Secure Boot is a security standard supported by UEFI; once enabled in firmware, an OEM or an administrator can configure it so that the PC boots only a trusted OS. It first became available as a feature in UEFI in 2016, about the time of Windows 8. Thus, all PCs built since then most likely support Secure Boot.
This limits the OS a PC can boot and prevents rogue boot loaders from booting to an unapproved or malicious OS to take over the machine. It also effectively lets an organization restrict PCs to only boot a desired OS. For example, one organization may restrict some PCs to running Linux and others to Windows based on applications used. Microsoft enforces Secure Boot on Windows 11 machines to enable this security feature.
To determine whether a Windows installation has Secure Boot enabled, run MSInfo32.exe or enter System Information in the Windows search bar. Look for Secure Boot State and note the status (see Figure 2).
The status may be as follows:
Secure Boot is enabled or disabled within the BIOS program. Depending on the OEM, this may be called Secure Boot or TPM. Consider this example on an HP Envy laptop (see Figure 3).
TPM is a chip -- or a function built into more modern CPU chips and graphics cards -- installed in the motherboards of computers to provide cryptographic services. The UEFI makes Secure Boot through TPM possible. The TPM performs functions such as managing, storing and creating the cryptographic keys that generate device signatures.
The PC checks these signatures during boot to validate that the devices, any drives and even the OS software are allowed. If they are not, TPM prevents them from loading. This is done using public and private keys stored in the hardware, and the process protects PCs from malware because an attacker can't modify those keys.
TPM 2.0 is the latest version of this technology and a requirement for Windows 11. You can verify its presence on any Windows PC by opening TPM.msc to see if it's enabled (see Figure 4).
If the tool shows TPM 1.2, it won't pass Windows 11 requirements for installation. If the tool doesn't open, then TPM isn't enabled.
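The two manual checks described above, Secure Boot State in msinfo32 and the TPM version in TPM.msc, can be scripted for fleet reporting. The following PowerShell is an added example, not code from the article, and is run from an elevated prompt: it uses the SecureBoot module's Confirm-SecureBootUEFI cmdlet, the firmware_type environment variable that Windows 8 and later set to UEFI or Legacy, and the Win32_Tpm WMI class that TPM.msc itself reads. The function name Get-FirmwareReadiness and the output property names are ours.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the TechTarget article): report the firmware-level
# Windows 11 prerequisites the article discusses: UEFI, Secure Boot and TPM 2.0.

function Get-FirmwareReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        FirmwareType    = $env:firmware_type   # 'UEFI' or 'Legacy' on Windows 8 and later
        SecureBootState = 'Unsupported'        # same wording msinfo32 uses on legacy BIOS
        TpmPresent      = $false
        TpmEnabled      = $false
        TpmSpecVersion  = $null                # '2.0' or '1.2' once a TPM is found
    }
    if (-not $result.FirmwareType) { $result.FirmwareType = 'Unknown' }

    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and throws
    # "Cmdlet not supported on this platform" on legacy BIOS.
    try {
        $result.SecureBootState = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
    } catch {
        $result.SecureBootState = 'Unsupported'
    }

    # Win32_Tpm is the WMI class behind TPM.msc. SpecVersion reads like
    # "2.0, 0, 1.38" or "1.2, 2, 3"; the first field is the TPM family.
    # If the TPM is disabled in firmware, no instance is returned, which is the
    # same condition under which TPM.msc fails to open.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $result.TpmPresent     = $true
        $result.TpmEnabled     = [bool]$tpm.IsEnabled_InitialValue
        $result.TpmSpecVersion = ($tpm.SpecVersion -split ',')[0].Trim()
    }

    # Windows 11 needs UEFI firmware, a Secure Boot-capable system and an enabled TPM 2.0.
    $result.Windows11FirmwareReady = ($result.FirmwareType -eq 'UEFI') -and
                                     ($result.SecureBootState -ne 'Unsupported') -and
                                     $result.TpmEnabled -and
                                     ($result.TpmSpecVersion -eq '2.0')

    [pscustomobject]$result
}

# Usage: print one readiness record for this machine.
Get-FirmwareReadiness | Format-List
```

A record showing TpmPresent false on a machine known to have a TPM usually means the module is switched off in firmware, which is the case the next paragraph covers; on Windows 8 and later, `shutdown /r /fw /t 0` restarts a UEFI machine straight into the firmware setup screen so the setting can be changed without hunting for the OEM's function key.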
To enable TPM, boot the machine into the BIOS tool, navigate to the TPM option and ensure the field is enabled. This is typically under the Security settings but can be called different things by different OEMs, so look carefully and don't be afraid to research this topic.
The internet is full of well-meaning hackers who show how to install Windows 11 on an older machine. However, some of these methods are extremely unreliable because Windows 11 ends up running in a configuration that Microsoft doesn't endorse or support.
Microsoft provides the ability to install Windows 11 outside the Windows Upgrade utility. You can even perform an install from media using the Windows 11 installation file. However, these methods still depend on conforming to the system requirements and could present continuity and security risks.
Bypassing the requirements isn't a big risk if you're only an enthusiast who enjoys getting an old device to load Windows when it isn't supposed to. However, this can have significant consequences if you're a desktop administrator for an enterprise or small business for the following reasons.
Windows 11 has important enterprise features, and you would be better off committing time and budget to install it sooner through supported means rather than bypassing the requirements. With Windows 10 mainstream end of life set for October 2025, that's plenty of time to refresh desktop hardware within a typical PC lifecycle before migrating to Windows 11.
30 Jan 2023