Battlefield 6 Secure Boot and TPM: How to enable for launch

Players who booted up Battlefield 6 only to be blocked by the blunt “SecureBoot is not enabled” message discovered an awkward new reality: EA’s PC build now refuses to launch unless Windows presents a modern platform trust stack — specifically UEFI Secure Boot enabled and the platform TPM (Trusted Platform Module) active. This is not a casual recommendation; it’s an enforced precondition tied to EA’s Javelin kernel anti‑cheat, and it requires firmware changes on many PCs that still run legacy BIOS/MBR setups. The good news is that for most modern systems the work is straightforward. The bad news is the fixes can be technical, risky if done poorly, and they exclude several classes of users (older motherboards, some Linux/Proton setups, corporate-managed machines). This article explains exactly what EA requires, walks through validated steps to enable Secure Boot safely, highlights common failure modes and fixes, and examines the trade‑offs — security gains versus real user friction.

Background / Overview​

EA has made Secure Boot part of the enforced platform check for Battlefield 6 so its Javelin anti‑cheat can rely on a hardware-backed chain of trust. EA’s public guidance explains that Secure Boot, combined with TPM-based measurements and Javelin, helps detect kernel cheats, rootkits, spoofed hardware IDs, VMs/emulation and other advanced tampering techniques. This is not unique to EA — other publishers and anti‑cheat vendors are moving the same direction — but Battlefield 6’s enforcement during tests and early launches put the requirement into sharp relief for players who had not prepared their PCs.
From a Windows/firmware standpoint there are three things that must be true for Secure Boot to function and for the game’s anti‑cheat to accept your system:

• The system firmware must support and be set to UEFI (not legacy BIOS/CSM).
• The system disk must use the GUID Partition Table (GPT) rather than MBR.
• Secure Boot must be enabled in firmware and show as On inside Windows; the platform should present a TPM 2.0 device (discrete or firmware TPM / fTPM / Intel PTT).

Before attempting changes, back up important data, export any BitLocker recovery keys, and read the step list below: firmware and disk layout changes can render a machine unbootable if done incorrectly.

---

What Secure Boot and TPM do — why EA enforces them​

Secure Boot in plain terms​

Secure Boot is part of the UEFI firmware specification that prevents unsigned or tampered bootloaders and early‑boot components from running. If code that should be cryptographically signed attempts to run before Windows loads, Secure Boot blocks it — which helps defend against bootkits and rootkits that want to subvert anti‑cheat before the OS or drivers can inspect the system. Microsoft documents the Secure Boot keys and the UEFI tools used to inspect and modify state. You can also verify Secure Boot from Windows via PowerShell cmdlets such as Confirm‑SecureBootUEFI or by checking System Information (msinfo32).

TPM 2.0 and measured boot​

A TPM 2.0 device (discrete chip or firmware implementation like Intel PTT or AMD fTPM) provides a hardware root of trust: key storage, measured‑boot PCRs and the ability to produce attestation statements. For anti‑cheat, TPMs let servers and anti‑cheat agents verify that a machine booted in an expected state and hasn’t been tampered with between reboots. EA’s guidance notes TPM as a dependent security feature that works with Secure Boot and Javelin to combat kernel‑level cheats and spoofing.

The practical trade‑off​

This combination raises the bar for cheat authors, but it also raises friction for legitimate players. Many systems sold in the past decade already support these features, but some common setups — MBR boot disks, legacy BIOS, Linux-first machines, some corporate-managed devices — will be blocked unless reconfigured. Community and support writeups have documented repeated user problems and step sequences to fix them; those practical guides are the basis of the safe workflows described below.

---

Quick preflight checklist — what to check right now​

Open Windows and confirm these four facts before doing anything in firmware:

• Run System Information (Win+R → msinfo32). Confirm:
• BIOS Mode = UEFI
• Secure Boot State = On (or Off if you need to enable it).
• Run TPM management (Win+R → tpm.msc). Confirm:
• TPM present and Specification Version = 2.0.
• Open Disk Management → right‑click your system disk → Properties → Volumes. Confirm:
• Partition style = GUID (GPT).
• If BitLocker is enabled, ensure you have the recovery key and suspend protection before making firmware or partition changes.

If the essentials are already true, you should be able to launch Battlefield 6 once the anti‑cheat accepts the state. If anything is missing, follow the validated step sequence below.

---

Step‑by‑step: enable Secure Boot safely (validated sequence)​

These steps combine EA’s published guidance with Microsoft’s documented tools and tested community workflows. Read them fully before starting.

1. Back up and prepare (don’t skip)​

• Create a full system image or at least a file backup of Documents, Desktop, and important saves.
• If BitLocker is enabled, suspend BitLocker (Windows Security → Device encryption or Manage‑BitLocker) and export recovery keys to a secure location (Microsoft account, file, or printed copy). Changes to firmware, TPM, or the partition table commonly trigger BitLocker recovery.

2. Verify current state inside Windows​

• msinfo32 to check BIOS Mode and Secure Boot State.
• tpm.msc to confirm TPM present and version 2.0.
• Disk Management to check Partition style (GPT vs MBR). If the partition style is GPT and BIOS Mode is already UEFI, you may only need to toggle Secure Boot in firmware.

3. Convert MBR → GPT if necessary (use Microsoft’s mbr2gpt)​

If the system disk is MBR, Secure Boot requires UEFI/GPT. Microsoft provides the mbr2gpt tool for non‑destructive conversion when preconditions are met.

• Open an elevated Command Prompt (Run as administrator).
• Validate the disk first (replace X with the disk number shown in Disk Management — usually Disk 0):
• mbr2gpt.exe /validate /disk:X /allowFullOS
• If validation succeeds, convert:
• mbr2gpt.exe /convert /disk:X /allowFullOS

Important notes:

• mbr2gpt enforces strict preconditions: partition counts, space for GPT headers, a healthy BCD, etc. If validation fails, address the listed issues or choose a clean install. Always back up first.

4. Reboot into UEFI/BIOS firmware​

• Use Advanced Startup: Windows key → Change Advanced Startup Options → Restart now → Troubleshoot → Advanced Options → UEFI Firmware Settings; or press the vendor key (Del, F2, F10, F12, Esc) during POST.
• In firmware, under Security or Advanced settings, locate TPM options and enable the platform TPM (names vary: Intel PTT, AMD fTPM, Security Device Support, TPM‑SPI). Save and exit.

5. Switch Boot Mode to UEFI and enable Secure Boot​

• In the Boot or Security tab set Boot Mode = UEFI and disable CSM/Legacy support.
• Enable Secure Boot. If the option is greyed out, you may need to restore factory Secure Boot keys or set OS Type to Windows UEFI mode.
• Save and restart. Boot Windows and confirm msinfo32 now shows BIOS Mode: UEFI and Secure Boot State: On. Optionally use PowerShell: run Confirm‑SecureBootUEFI to return True.

6. Re‑enable BitLocker and confirm​

• If you suspended BitLocker, re‑enable it after confirming the system boots and the anti‑cheat accepts Secure Boot. Test the game launcher.

---

Common pitfalls and targeted fixes​

• Secure Boot says “Enabled” in BIOS but game still complains: some firmware exposes a state separate from mode. Try toggling Secure Boot to Custom, save & restart, then back to Standard/Default, save and restart. Community reports show this can make Secure Boot active and fix the error.
• BitLocker recovery on boot after changes: this is normal if BitLocker wasn’t suspended; you must have the recovery key to unlock. Suspend BitLocker before firmware or partition changes.
• Secure Boot option greyed out: often means firmware is still in Legacy/CSM mode or the disk is MBR. Convert disk to GPT with mbr2gpt and set firmware to UEFI. Some OEMs require restoring factory keys first.
• mbr2gpt validation fails: read its output carefully — it lists partition layout problems (too many primary partitions, missing system partition, insufficient space). Fix by consolidating partitions, remove extra recovery partitions if safe, or choose a clean install. Keep backups.
• Drivers blocked by Secure Boot: Secure Boot enforces signature checks for kernel drivers. Old unsigned drivers (specialized RAID/HBA drivers, some AV kernel agents) may be blocked. Update drivers to signed WHQL versions from vendors.
• Dual‑boot Linux breakage: enabling Secure Boot can block unsigned GRUB or Linux kernels. Solutions include using signed shim loaders, enrolling vendor keys, or temporarily disabling Secure Boot — but disabling Secure Boot will block Battlefield 6. Plan carefully if you dual‑boot.

---

Troubleshooting checklist — if Battlefield still says “Secure Boot is not enabled”​

• Fully power off the PC (shutdown, not sleep) and power on. Some firmware changes need a manual power cycle to take effect.
• Re-run msinfo32 and tpm.msc to confirm states.
• Use PowerShell: run Confirm‑SecureBootUEFI (administrator PowerShell) — should return True.
• Verify system disk is GPT in Disk Management.
• Update motherboard/UFI firmware and GPU drivers — many early conflicts were fixed by vendor firmware updates.
• Temporarily uninstall other kernel anti‑cheats (Riot Vanguard, older drivers) to rule out driver collisions. Reinstall after verifying.

If these fail, consider restoring default Secure Boot keys in firmware, checking vendor support pages for model‑specific steps, or performing a clean UEFI/GPT installation of Windows (after backing up data).

---

Special cases and who’s likely to be excluded​

• Steam Deck and many Linux/Proton setups: Proton and SteamOS don’t present a Windows UEFI/TPM attestation that Javelin expects, so these handheld / Linux setups may be blocked until a publisher‑level accommodation is implemented.
• Older desktops and specialty laptops: motherboards without UEFI Secure Boot or without TPM 2.0 may be unrecoverable without hardware changes (discrete TPM module or new motherboard).
• Corporate‑managed devices: management policies may disable TPM or block firmware changes; contact IT before altering firmware on managed hardware.
• Virtual machines: many VM platforms do not expose vTPM or Secure Boot in an equivalent way; the game is likely unsupported in VMs.

---

Security and privacy considerations — the trade‑offs​

Strengths

• Enforcing Secure Boot + TPM materially raises the bar for kernel‑level cheats and boot‑time rootkits. This can reduce cheating in competitive online modes and protect the game’s integrity. EA reports large numbers of blocked tampering attempts during tests; those vendor stats are useful but should be treated as vendor‑provided telemetry.

Risks and concerns

• Kernel‑level anti‑cheat drivers operate at the highest privilege and must be well‑engineered; poorly implemented drivers can create stability or security issues. Historical incidents with kernel drivers from other anti‑cheat vendors make this a legitimate concern.
• Attestation/telemetry designs need transparency. TPM‑backed attestation reveals platform state; publishers must limit data collection and be transparent about what is sent and how it’s used. Community pressure is necessary to prevent mission creep.
• Exclusion of valid players (older hardware, Linux users, developers using unsigned tooling) is a real and lasting friction point.

Publishers and vendors must balance anti‑cheat effectiveness with clear documentation, robust support flows, and reasonable accommodations for non‑standard environments. The industry is moving toward hardware attestation for multiplayer integrity — that’s the trend — but the governance and privacy boundaries require scrutiny.

---

Practical recommendations — a short action list​

• Back up everything and export BitLocker recovery keys before changing firmware or partition layout.
• Run msinfo32, tpm.msc, and Disk Management to find precisely what you must change.
• Use mbr2gpt only after validating; if you are uncomfortable, make a disk image or perform a clean UEFI/GPT reinstall.
• Update your motherboard UEFI/BIOS and GPU drivers before and after changes. Many anti‑cheat compatibility problems are fixed by vendor updates.
• If you rely on Linux, multi‑boot, or Steam Deck, expect limited support until publishers provide accommodations; don’t disable or remove Secure Boot in production systems you need for other workflows.

---

Final verdict — what this means for PC gamers​

EA’s decision to make Secure Boot a blocking requirement for Battlefield 6 is emblematic of a larger shift: major publishers are increasingly relying on hardware‑backed platform trust to make kernel‑level anti‑cheat meaningful. For many modern Windows PCs this is a one‑time configuration change — toggling a few settings, running Microsoft’s validated mbr2gpt conversion when needed, and updating firmware and drivers. For a nontrivial minority — owners of legacy motherboards, Linux-first users, corporate devices, and some specialized setups — it’s a significant hurdle that may mean temporary exclusion or hardware upgrades.
The security upside is real: tighter defense against sophisticated cheats and the systemic benefits of more reliable multiplayer integrity. The user‑experience downside is also real: friction, support load, and the risk of accidental data loss if steps are attempted carelessly. The responsible path forward requires clear publisher documentation, robust recovery guidance (backups and BitLocker key handling), firmware updates from OEMs, and attention to privacy and telemetry governance so attestation is used narrowly and transparently.
If Battlefield 6 blocks you with “SecureBoot is not enabled,” start with the preflight checks in this article, follow the validated steps above (backup, mbr2gpt validate, enable TPM, set UEFI, enable Secure Boot), and if you run into trouble use the motherboard OEM support channels or EA’s support guide for Secure Boot. For many players the fix is straightforward; for others, it’s an unwelcome reminder that platform security choices increasingly influence what software you can run.

---

(If you plan to attempt the changes: read the steps carefully, gather backups and recovery keys, and proceed deliberately. Firmware and disk operations are routine when done correctly, but they demand attention and preparation.)

---

Source: Destructoid https://www.destructoid.com/what-is-battlefield-6-secureboot-secure-boot-error-explained/