Question Secure Boot and TPM 2.0 Enabling

Jun 27, 2022
13
0
10
Hi Everyone, recently I installed Windows 11 and wanted to play Valorant but I couldn't because it wanted me to enable Secure Boot and TPM 2.0. I started researching and found out that some PCs may not boot after enabling them. I wonder if my PC will if I enable them? In systeminfo my BIOS is UEFI and my drivers are GPT but in BIOS I saw something like UEFI + Legacy and now I am afraid to enable them. What should I do now? Is my BIOS Legacy or UEFI?
 
What motherboard/CPU do you have? Some systems aren't at TPM 2.0 level so it wouldn't matter if you did.

Otherwise: I understand its anti-cheat depends on TPM 2.0 to function....so how bad do you want to play Valorant? You'll have to disable legacy or CSM mode to enable UEFI and secure boot, and enable the fTPM or find another game.
 
I have enabled TPM 2.0 before installing Win11 so I think my system is at that level. Ryzen 5 3600 and B450M PRO M2 MAX are my CPU and Motherboard.
Actually, I'm not that into multiplayer shooter games, but I don't know, nowadays I want to play Valorant so badly. I don't understand, is my BIOS Legacy or UEFI now? As I said, in systeminfo my BIOS Mode is UEFI but in BIOS it is UEFI+Legacy. Can't I enable them without setting UEFI+Legacy to only UEFI?
 
Ryzen 3600 CPUs do have an fTPM that's 2.0 compatible, so you are good to go there.

I've noticed that oddness with my BIOS too (TUF B550m Plus/5800X) ...that is, it has a UEFI+Legacy setting and it reported it was in UEFI mode with Secure Boot enabled. I'm not sure what it meant, but I flipped it to UEFI mode only with no issues encountered. Apparently it didn't matter which setting it was in as the machine's in UEFI mode with secure boot either way.

You said you only just installed Windows 11, so I assume the OS is "pristine" and new, so to speak. If so, now's the time to switch everything on, so first is to enable Secure Boot, but do not mess with custom keys. If the system is NOT in UEFI mode it will not let you turn on secure boot. Then also turn on the fTPM...it may be called a "security processor" in BIOS settings, that's the case with mine.

If the OS refuses to start you can reset CMOS, even re-install Win11 if you need to since it's fresh. So not much lost. The best way to install the OS is with UEFI enabled, Secure Boot enabled and the fTPM enabled. That way it knows exactly what to do and sets up correctly. Most recent BIOS' enable those things by default.

BTW: from within Windows, go into the Device Security systems settings (type it in the Search box). You're looking to see if you have the Security Processor and Secure Boot enabled at least. You might also need to enable SVM in BIOS: that's Secure Virtual Mode which allows apps to create secure virtual machines. It can create problems with other apps though so I leave it disabled unless it's needed.
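
The state discussed in the reply above (firmware mode, GPT system disk, Secure Boot, TPM 2.0) can also be read from an elevated PowerShell prompt before anything is changed in firmware setup. This is an added example, not part of the original thread; the function name `Get-BootSecurityReport` is made up here, and it only reads state using stock Windows cmdlets.

```powershell
#Requires -RunAsAdministrator
# Read-only pre-flight check. It changes no firmware or Windows settings.

function Get-BootSecurityReport {
    # Mode Windows actually booted in ("Uefi" or "Bios"), regardless of how the
    # firmware setup screen labels its option (e.g. "UEFI+Legacy").
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Partition style of the disk Windows boots from ("GPT" or "MBR").
    $bootDisk = Get-Disk | Where-Object IsBoot | Select-Object -First 1

    # Confirm-SecureBootUEFI returns $true/$false on UEFI boots and throws on
    # legacy-BIOS boots or firmware without Secure Boot support.
    try   { $secureBoot = [string](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = 'Unsupported' }

    # Get-Tpm reports presence and readiness; Win32_Tpm.SpecVersion carries the
    # TPM specification version as its first comma-separated field.
    $tpm    = Get-Tpm
    $tpmCim = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec   = if ($tpmCim) { ($tpmCim.SpecVersion -split ',')[0].Trim() } else { 'None' }

    [pscustomobject]@{
        FirmwareMode   = "$firmware"
        BootDiskStyle  = "$($bootDisk.PartitionStyle)"
        SecureBoot     = $secureBoot
        TpmPresent     = $tpm.TpmPresent
        TpmReady       = $tpm.TpmReady
        TpmSpecVersion = $spec
    }
}

$report = Get-BootSecurityReport
$report | Format-List

# Interpret the result in the order the thread discusses the settings.
if ($report.FirmwareMode -ne 'Uefi' -or $report.BootDiskStyle -ne 'GPT') {
    Write-Warning 'Windows is not booted in UEFI mode from a GPT disk; switching firmware to UEFI only may leave this installation unbootable.'
} elseif ($report.SecureBoot -ne 'True') {
    Write-Warning 'Booted in UEFI mode from GPT, but Secure Boot is off or unsupported in firmware.'
}
if (-not $report.TpmPresent -or $report.TpmSpecVersion -ne '2.0') {
    Write-Warning 'No TPM 2.0 is visible to Windows; check that the fTPM / security processor is enabled in firmware.'
}
```

`FirmwareMode = Uefi` together with `BootDiskStyle = GPT` corresponds to what the original poster read from systeminfo.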
 
Thanks! Do you think I should set UEFI+Legacy to UEFI before enabling Secure Boot and TPM 2.0? Otherwise, I don't want to take a risk by changing UEFI+Legacy. And actually, I installed Windows 11 about 3-4 months ago, so it's not that new.
 
If it's working fine....with Secure Boot and the fTPM enabled....in UEFI+Legacy just leave it. I like experimenting, that's why I flipped mine to UEFI only mode.

BTW, you should be able to flip to Legacy or CSM (compatibility support mode) and Windows will still start. You may have problems with logon credentials then, especially your PIN if you set one up. In such a case it will ask for your Microsoft Account to log on, that's why it's a good idea to have one set up so you can default back to that. But why use CSM....I'm not sure. Compatibility with some older software/utilities maybe. But that's pretty rare by now and probably more likely to be risky than helpful.
 
Thanks for everything. I'm gonna enable them when I gather my courage. I don't know why, but I'm still afraid to turn them on.
 
Not saying you'll need it, but the best way to get the courage is to have a backup and recovery plan in case you have to install Windows again.

Enable File History and backup everything in your personal/user document folders...basically all the library folders. Store it either on another disk or an external USB drive. Everything kept on another disk is also safe when reinstalling Windows since it only touches the system disk unless you steer it elsewhere.

Keep your Steam games on a disk separate from your system disk then you don't even have to download them again.

Once you're comfortable with a strategy for quick recovery it's fairly easy to "get the courage" to work on system issues. In fact, Windows installs go so easy with a backup plan that it's often much better to not bother trying to fix things...just clean install after updating file history and it's fixed.
 