Since Windows 10, it's possible to better protect your computer by using UEFI boot, Secure Boot (supported by UEFI), as well as using a Trusted Platform Module (TPM).
Windows 11 officially requires a Trusted Platform Module 2.0 (TPM 2.0) in order to be installed.
In other words, Windows 11 officially requires UEFI firmware, Secure Boot, and a TPM 2.0 module to function correctly and for all of its features to be available.
Additionally, you might not be eligible for Windows 11 updates if you don't have these options.
In short, here is how to enable the use of this TPM 2.0 module.
As noted on the "TPM recommendations" page on the Microsoft site, Trusted Platform Module (TPM) 2.0 requires UEFI firmware.
The "BIOS LEGACY" and CSM (Compatibility Support Module) modes are not supported by TPM 2.0.
Microsoft therefore indicates that it's recommended to disable the CSM and enable only UEFI.
Optionally, you can also enable Secure Boot.
If you need a TPM module, it's important that you have a recent motherboard.
Most motherboards don't have one. If your computer is a few years old, chances are it doesn't have one either.
For "Asus" brand motherboards, you can check compatibility on the page: [Motherboard] Which ASUS model supports Windows 11 and how to setup TPM 2.0 in BIOS?.
In our case, we have an "ASUS WS X299 SAGE/10G" motherboard, which is recent and supports the use of a TPM 2.0 module (as indicated on the page cited above).
Moreover, the TPM is integrated into this motherboard.
Enter the BIOS of the Asus motherboard by pressing the "DEL" key on your keyboard.
Then, switch to advanced mode by clicking on: Advanced Mode (F7).
In the "Advanced" tab that appears, scroll down a bit with the mouse wheel.
The last option, "PCH-FW Configuration", will then appear.
Open this menu.
Then, go to: PTT Configuration.
As you can see here, the "PTT" option is available, but disabled by default.
PTT Capability / State : 1 / 0 PTT : Disable
Select "Enable" to enable this "PTT" option.
As you can see, the Intel PTT (Intel Platform Trust Technology) is a TPM 2.0 hardware implementation built into Intel ME (Management Engine).
The Trusted Platform Module (TPM) firmware key is stored in a location on the Intel ME.
In other words, it is kept in a storage location present in your processor.
The TPM can be used in particular for the encryption of a disk with Windows BitLocker.
The "PTP aware OS" option indicates whether or not the operating system you want to use is compatible with PTP.
PTP refers to the "TCG PC Client Platform TPM Profile (PTP)" specification, where "TCG" stands for "Trusted Computing Group".
As noted at the start of this tutorial, using a Trusted Platform Module (TPM) requires UEFI firmware and disabling the CSM option when available.
To do this, go to the "Boot" tab, then to: CSM (Compatibility Support Module).
If your BIOS is different from ours, refer to our tutorial "Configure your computer's BIOS to boot in UEFI mode (firmware)", where you will find other BIOS interfaces.
For the moment, in our case, this CSM module is enabled.
This currently allows this computer to boot from some devices (hard disk, CD/DVD drive, ...) in LEGACY BIOS mode if we wish.
To disable this CSM module, select "Launch CSM : Disabled".
Ignore the displayed message.
As you can see, once the CSM module is disabled, the other options disappear.
To enable Secure Boot, which is optional but recommended, go to the "Boot" tab, then to: Secure Boot.
In this "Secure Boot" menu, you will find an "OS Type" option.
As you can see, for Secure Boot, you have the choice between :
Finally, go to the "Boot" tab and select the hard drive or SSD where your operating system (Windows, Linux, ...) is installed.
Go to the "Exit" tab and choose: Save Changes & Reset.
Validate by clicking on OK.
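Once Windows has restarted, the three settings changed in this tutorial (UEFI without CSM, PTT as a TPM 2.0, Secure Boot) can be checked from an elevated PowerShell prompt. The script below is an added example, not part of the original tutorial; the function name Test-FirmwareSecurityState is hypothetical, and it assumes Windows PowerShell 5.1 or later run as administrator.

```powershell
#Requires -RunAsAdministrator
# Added example: confirm from Windows that the firmware changes took effect.
# Test-FirmwareSecurityState is a hypothetical helper name, not a built-in cmdlet.

function Test-FirmwareSecurityState {
    $state = [ordered]@{}

    # 1. Firmware mode: "Uefi" is expected. "Bios" means the system still
    #    booted through the CSM / legacy BIOS path.
    $state.FirmwareType = [string](Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # 2. TPM: Get-Tpm reports presence and readiness; the Win32_Tpm class
    #    exposes the specification version (first field of SpecVersion).
    $tpm = Get-Tpm
    $state.TpmPresent = $tpm.TpmPresent
    $state.TpmReady   = $tpm.TpmReady
    $wmi = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $state.TpmSpecVersion = if ($wmi) { ($wmi.SpecVersion -split ',')[0].Trim() } else { $null }

    # 3. Secure Boot: Confirm-SecureBootUEFI returns $true/$false on UEFI
    #    systems and throws on legacy BIOS systems, which is treated as "off".
    try {
        $state.SecureBoot = [bool](Confirm-SecureBootUEFI)
    } catch [System.PlatformNotSupportedException] {
        $state.SecureBoot = $false
    }

    # Overall verdict for the requirements listed in this tutorial.
    # Secure Boot is reported separately because the tutorial treats it as optional.
    $state.MeetsTpm20AndUefi = ($state.FirmwareType -eq 'Uefi') -and
                               $state.TpmPresent -and
                               ($state.TpmSpecVersion -eq '2.0')
    [pscustomobject]$state
}

Test-FirmwareSecurityState | Format-List
```

If TpmPresent is False after the change, the PTT option was not saved or the CSM is still enabled; if FirmwareType shows Bios, Windows is still starting in legacy mode.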
® InformatiWeb.net 2008-2021 - © Lionel Eppe - All rights reserved.