Turn TPM ON?

I'm thinking I should probably turn TPM on if only to take full advantage of the enhanced security. My system should be fully capable but when I first built it, the default EUFI settings kept TPM off. I'm attaching some pictures showing the bios/eufi settings. I'm hoping someone can provide some coaching on how to change these settings to safely enable TPM. Thanks!

Hi

TPM 2.0 Device Found: Required for Windows 11 and modern security features.

Security Device Support: Enabled
This enables TPM functionality. Required for BitLocker and secure boot.

Active PCR Banks: SHA256
SHA256 is active, which is the current standard for secure hashing. Good configuration.

Available PCR Banks: SHA256
Only SHA256 is available, indicating legacy SHA1 is not enabled. This is good.

SHA256 PCR Bank: Enabled
Ensures proper functionality for secure boot chains, BitLocker, and attestation.

Pending Operation: None
No pending TPM reset or configuration change. This is a normal and stable state.

Platform Hierarchy: Enabled
This is required for managing TPM platform-specific authorizations. Leave enabled.

Storage Hierarchy: Enabled
Enables TPM to securely store keys and encrypt data. Required for most uses.

Endorsement Hierarchy: Enabled
Essential for device identity and endorsement key usage. Should remain enabled.

Physical Presence Spec Version: 1.3
Latest spec version; defines how user approval is handled during TPM changes. This should be good.

Disable Block SID: Disabled
This allows automatic domain join in some environments. Default and recommended unless your org policy requires otherwise. (SID stands for Security Identifier, used by Windows to identify users, groups, and machines.)

• Disable Block SID: Disabled = Block SID is on, auto TPM SID-based ownership is blocked.
• This is the default and secure setting — don't change it unless your IT/security policy requires you to.

All I can tell you about the Secure Boot (namely custom) is what it says at the bottom. Are you able to set OS Type to: Windows UEFI Mode?
And Set Secure Boot Mode to: Standard? Because this is what I found:

• Secure Boot: Custom and not fully active is only really for unsigned Linux or manual key management
• Risk: Reduced boot-time integrity checks
  
  
• If you're using Windows or a Secure Boot-compatible Linux distro (e.g., Ubuntu, Fedora):
  1. Set OS Type to: Windows UEFI Mode
  2. Set Secure Boot Mode to: Standard
  3. Make sure Secure Boot State changes from "User" to "Enabled" or "Active"
  4. Save and exit BIOS
• This will load the Microsoft keyset and enforce Secure Boot as designed — preventing rootkits or unauthorized UEFI bootloaders from running.

Thank you for this very complete and clear explanation! I did as you suggested in steps 1 and 2 of your reply. I attached a summary of those two changes made.

The apparent issue remaining is that Secure Boot State (your step 3 above) still remains as "User." It did not change to "Enabled" or "Active."
Can you advise on this?
I also attached a scrn shot of TPM Management after boot following the changes made although I'm not sure if this tells us anything.

Let me know what you think and thanks!

Hi

I haven’t bought a new motherboard (for myself) since 2014
I actually had to spend a couple of hours googling the entries visible on your motherboard. For self interest also. Mainly because I’ve been interested in TPM2 lately although have not been able to buy a module for my motherboard that works and I’ve bought four already (I gave up)

There wasn’t a great deal of wiggle room to know what the options were in all of the drop down boxes. In hindsight I should have also probably looked at your MB manual but I had a hospital appointment.

I was more trying to explain the meaning of each entry (for myself also)
It’s after midnight here and to search entails coffee & cigarettes. But not at this time of night.

Tweakit said:

The apparent issue remaining is that Secure Boot State (your step 3 above) still remains as "User." It did not change to "Enabled" or "Active."

Click to expand...

To be honest I am not sure that this is a deal breaker.
I’ll look into more when I get up

Did you also enable PTT?
In setting go to Advanced > PCH-FW Configuration > PTT
Set it to enabled

Thanks for the help Sinto!

KevTech said:

Did you also enable PTT?
In setting go to Advanced > PCH-FW Configuration > PTT
Set it to enabled

Click to expand...

In my BIOS it wasn’t called PTT. I went to “PCH-FW Configuration” and was given the option to set the TPM Device Selection. This was already set to “Enable Firmware TPM.” I kept that setting. I think this is the preferred setting for Intel processors. I don’t have anything plugged into the TPM Header on the mobo.

I think I’m probably okay here but would like to get some confirmation especially since my bios was not set properly set for TPM when I upgraded to Windows 11 (see two pics in opening post).

Does the TPM Management Console below demonstrate that TPM is operational on my system or is there more to it?

Tweakit said:

Thanks for the help Sinto!

Click to expand...

Hey no problem, I don’t want to ruin your confidence, but I’m still learning also. All good.


“The TPM is ready for use.” That should confirm that:

• The hardware TPM is detected and functioning
• The TPM is initialized and hasn’t encountered any errors
• It’s currently provisioned to support encryption, secure boot, credential storage, and other trusted computing functions
• Specification Version: 2.0 (the latest for full Windows 11 support)

• Options available: Ability to clear the TPM and reset ownership, which only appears when the TPM is truly active

Do you plan on encrypting your OS or drives?

HI @Tweakit

I assume the motherboard you refer to is the one listed in your system details in your profile at this forum?

You may find in helpful to download and refer to the bios manual for your motherboard linked below. My motherboard a ProArt Z790 and is covered by the same bios manual as yours. The manual is available for download in multiple languages.


Re Secure Boot settings, here for example is a snippet from the said manual that explains what the Custon setting is. With my Asus board I use the Custom Secure Boot setting and have TPM enabled at the default settings, I've never tampered with these TPM settings.

antspants said:

“The TPM is ready for use.” That should confirm that:
• The hardware TPM is detected and functioning
• The TPM is initialized and hasn’t encountered any errors
• It’s currently provisioned to support encryption, secure boot, credential storage, and other trusted computing functions
• Specification Version: 2.0 (the latest for full Windows 11 support)

• Options available: Ability to clear the TPM and reset ownership, which only appears when the TPM is truly active

Click to expand...

Perfect. This is what I wanted to know.

antspants said:

Do you plan on encrypting your OS or drives?

Click to expand...

No plans for that but my plans have been known to change!! I was interested in turning TPM on just to keep life a little safer. Not sure why the default setting didn't have it enabled to begin with.

Marcus Vinicus said:

I assume the motherboard you refer to is the one listed in your system details in your profile at this forum?

You may find in helpful to download and refer to the bios manual for your motherboard linked below. My motherboard a ProArt Z790 and is covered by the same bios manual as yours. The manual is available for download in multiple languages.

PRIME B760M-A AX D4｜Motherboards｜ASUS USA

Intel® B760 (LGA 1700) mATX motherboard, PCIe 4.0, two M.2 slots, Realtek 2.5Gb Ethernet, Wi-Fi 6, DisplayPort, Dual HDMI®, SATA 6 Gbps, rear USB 3.2 Gen 2, front USB 3.2 Gen 1 Type-C®, Aura Sync

www.asus.com

Re Secure Boot settings, here for example is a snippet from the said manual that explains what the Custon setting is. With my Asus board I use the Custom Secure Boot setting and have TPM enabled at the default settings, I've never tampered with these TPM settings.

Click to expand...

Yes, that is my mobo! Turns out a little earlier today I found my way to the Asus site and downloaded it. You are very correct that it is both helpful and relevant. Thanks for suggesting that.

A lot can be learned from @Brink tutorials in here. In no particular order, there are quite a few related to encryption/Bitlocker.

• Turn On or Off Device Encryption in Windows 11
• Turn On BitLocker for Operating System Drive in Windows 11
• Turn On BitLocker for Fixed Data Drive in Windows 11
• Turn On BitLocker for Removable Data Drive in Windows 11
• Turn Off BitLocker for Drive in Windows 11
• Check BitLocker Drive Encryption Status of Drive in Windows 11
• Add Suspend BitLocker protection to Context Menu in Windows 11
• Lock BitLocker Drive in Windows 11
• Change BitLocker Password for Drive in Windows 11
• Suspend or Resume BitLocker Protection for Drive in Windows 11

Possibly more.

I ran a test and learned from it today. Thought I'd mention it in case others watching this thread might be interested. As you may be able to see from the conversation so far, the only Bios settings I changed from the default settings are seen below.

These settings are found in the bios under Advanced tab, Boot Menu, Secure Boot heading.
As it turns out, TPM was ON, both before and after the above changes were made. I didn’t realize it at the time because I didn’t know how to determine if TPM was on or not (run TPM.msc). What the above changes accomplished was to turn on "Secure Boot" (run msinfo32 and look for Secure Boot State). It went from OFF to ON with the above change. TPM and Secure Boot are different security features in Windows. I’m not sure why the Asus default bios settings keep Secure Boot off. If anyone knows, I'm curious what the logic is on that. After all, the mobo is modern and pretty much made for windows 11.
Thanks for the help!