Can Secure boot be enabled without TPM 2.0?

Galane · Feb 12, 2026

Today I enabled secure boot on my desktop and did the thing to update the keys. It's a normal fully supported system, no bypasses to install.

My laptop is a Dell Latitude E6530. No TPM 2.0 firmware update from Dell (despite some other models of similar age got it) and the CPU is an older i7*. Will enabling secure boot work without TPM 2.0?

The laptop has a rather fresh install of 25H2 due to when I tried updating soon after that was released, it totally blew it up to where it wasn't recoverable. I had to use data recovery software to save my stuff then wipe the 2TB SSD and start over.

*Currently a quad core newer/faster than anything originally offered in it.

Scott · Feb 12, 2026

garlin · Feb 12, 2026

The UEFI standard for Secure Boot doesn't involve TPM.
But in order to install 24H2/25H2, your system is required to have TPM 2.0 support (unless you use a known HW bypass trick).

Steve C · Feb 12, 2026

garlin said:
The UEFI standard for Secure Boot doesn't involve TPM.
But in order to install 24H2/25H2, your system is required to have TPM 2.0 support (unless you use a known HW bypass trick).

Therefore TPM 2.0 support is not required to install Windows 11!

BrianInEngland · Feb 12, 2026

Steve C said:
Therefore TPM 2.0 support is not required to install Windows 11!

Windows 11 won't install without TPM enabled however Secure boot only needs to be supported not enabled (UEFI BIOS)

Steve C · Feb 12, 2026

BrianInEngland said:
Windows 11 won't install without TPM enabled however Secure boot only needs to be supported not enabled (UEFI BIOS)

Wrong - there are easy fixes such as install using setup.exe /product server

BrianInEngland · Feb 12, 2026

Steve C said:
Wrong - there are easy fixes such as install using setup.exe /product server

OK I meant a *standard* install without any tweaking!

Galane · Feb 12, 2026

I turned on Secure Boot in the laptop's BIOS setup and got it to install a 2023 key. So it shouldn't be popping up with any surprises later this year.

(Get-UEFISecureBootCerts db).signature shows two 2011 keys and the Windows UEFI CA 2023 key on the laptop, but variable currently undefined on my desktop *now*, but last night it listed keys.

(Get-UEFISecureBootCerts dbdefault).signature is giving me variable is currently undefined

Get-SecureBootUEFI kek returns one line for Name, Bytes, Attributes
KEK {161, 89, 192, 165, ...} NON VOLATILE...

Why the bleep doesn't Microsoft just make a Windows app that does this? Click button to install the updated keys and just make it work, then check to verify that it worked.

It's not making people feel good things about security when some of the tests say it's good, some says it's not, and some just don't work because *something* may be missing or isn't defined.

garlin · Feb 12, 2026

Galane said:
Why the bleep doesn't Microsoft just make a Windows app that does this? Click button to install the updated keys and just make it work, then check to verify that it worked.

They're doing a gradual rollout. Last year, they asked large enterprises to opt-in and beta test the process.
Now MS is slowly rolling out KEK updates to supported BIOS'es.

The actual update is done by a scheduled task. MS doesn't want you screwing around, and blaming them. Going slow is better than bricking your PC. While MS can improve their public messaging, most of the blame on OEM vendors not rolling out BIOS updates on time.

MS has promised to build certs visibility into an upcoming version of the Windows Security Center. In the meantime, we have PowerShell scripts for detailed reporting.

Buddywh · Feb 17, 2026

Galane said:
Today I enabled secure boot on my desktop and did the thing to update the keys. It's a normal fully supported system, no bypasses to install.

My laptop is a Dell Latitude E6530. No TPM 2.0 firmware update from Dell (despite some other models of similar age got it) and the CPU is an older i7*. Will enabling secure boot work without TPM 2.0?

The laptop has a rather fresh install of 25H2 due to when I tried updating soon after that was released, it totally blew it up to where it wasn't recoverable. I had to use data recovery software to save my stuff then wipe the 2TB SSD and start over.

*Currently a quad core newer/faster than anything originally offered in it.

I installed Windows 11 on my 2014-era AM3+ system with FX processor. I installed a TPM1.2 device in the socket that motherboard has. It's BIOS is a UEFI BIOS, and I enabled Secure Boot with it. I then installed 25H2; using RUFUS to ignore unsupportability limitations it installed and runs in Secure Boot mode. It (Windows Update) even updated the keys to the 2023 keys.

Furthermore, I also enabled BitLocker on the system drive and it is using the TPM for a Key Protector, so the OS is using it. I cannot say whether any games that require a TPM device will work with a TPM1.2 device because they definitely have limited functionality compared to TPM2.0.

So I can state rather conclusively from actual experience that yes, Windows 11, even the latest build of 25H2, doesn't absolutely REQUIRE a TPM 2.0 device and will even work rather well with at least SOME TPM1.2 devices in at least SOME use cases.

garlin · Feb 17, 2026

The BitLocker FAQ warns you may have to initialize a TPM 1.2 module, before using it.

TPM owner password

Prior to enabling BitLocker on a computer with a TPM version 1.2, you must initialize the TPM. The initialization process generates a TPM owner password, which is a password set on the TPM. You must be able to supply the TPM owner password to change the state of the TPM, such as when enabling or disabling the TPM or resetting the TPM lockout.

Buddywh · Feb 17, 2026

garlin said:
The BitLocker FAQ warns you may have to initialize a TPM 1.2 module, before using it.

I do recall reading that somewhere. But all I did was clear it in Windows using the Windows Security Processor system settings screen (on the Troubleshooting button). I'd also read you should do these actions through Windows, not the BIOS, so that it can take ownership properly. I took that to be the same as initializing it, I guess.

I think I did that before enabling BitLocker and encrypting system drive.

I don't recall a place, screen or prompt in BIOS or the OS to enter or create a TPM owner password: is that something later OS builds of Windows does when it takes ownership?

garlin · Feb 17, 2026

I presume what they're saying is if you're setting it up from the BIOS menu, create a password so nobody else can access the TPM settings. Otherwise Windows creates a random password, and gives you the option to later change it to something you specify.

Buddywh · Feb 17, 2026

garlin said:
I presume what they're saying is if you're setting it up from the BIOS menu, create a password so nobody else can access the TPM settings. Otherwise Windows creates a random password, and gives you the option to later change it to something you specify.

BTW... I also cleared it once from within Windows, after Bitlocker was running and drive fully encrypted. Since I was in an "unsupported" configuration I thought I should understand what happens before committing to it in any way.

As I was hoping, it failed to start and asked for the BL recovery key. After entering all 40 something characters, it started up and resumed using the TPM PCR's for validation of secure boot hashes before releasing the encryption key and starting up. That was logical so along with a test when disabling secure boot in BIOS (with the same response) I have at least some confidence things are actually working right!

At least until Microsoft changes things in the future.

Can Secure boot be enabled without TPM 2.0?

New member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

New member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Similar threads