Check TPM, Secure Boot, and Device Encryption Readiness in Windows 10/11


Difficulty: Beginner | Time Required: 10 minutes
Keeping your Windows PC secure starts with knowing whether key hardware-based security features are available and enabled. TPM, Secure Boot, and Device Encryption help protect your sign-in credentials, block tampered boot software, and safeguard your files if your device is lost or stolen.
This beginner-friendly guide shows you how to quickly check your PC’s readiness for these features in Windows 10 and Windows 11. These checks are also useful if you are troubleshooting Windows 11 compatibility, BitLocker/Device Encryption availability, or Windows Security warnings.
Windows 10 note: Microsoft ended standard support for Windows 10 on October 14, 2025. The checks below still apply to Windows 10 PCs, but for ongoing security updates you should use a supported edition/program or consider moving to Windows 11 if your hardware supports it.

Prerequisites​

Before you begin:
  1. Sign in with an account that can open Windows settings.
  2. Use an administrator account if you want to check Device Encryption support using System Information.
  3. Save any open work if you plan to enter firmware/BIOS settings later.
Warning: This tutorial focuses on checking readiness. Changing TPM, Secure Boot, or UEFI/BIOS settings incorrectly can affect startup. If you are unsure, check your PC manufacturer’s support site before making firmware changes.

What These Features Do​

Before checking your PC, here is a quick explanation:
  • TPM (Trusted Platform Module): A security chip or firmware-based feature used for encryption keys, Windows Hello, BitLocker, and Windows 11 requirements. Windows 11 requires TPM 2.0.
  • Secure Boot: A UEFI security feature that helps prevent unsigned or malicious boot software from loading before Windows.
  • Device Encryption: A simplified BitLocker-based encryption feature that can automatically protect your Windows drive on supported devices, including many Windows Home systems.

Step 1: Check Your TPM Status Using TPM Management​

The fastest way to check TPM status is with the built-in TPM Management tool.
  1. Press Windows + R on your keyboard.
  2. Type:
    tpm.msc
  3. Click OK or press Enter.
  4. In the TPM Management on Local Computer window, look for Status.

What to Look For​

If TPM is ready, you should see:
The TPM is ready for use.
Then check the lower-right area under TPM Manufacturer Information.
  1. Find Specification Version.
  2. Confirm it says:
    2.0

What the Results Mean​

  • TPM is ready for use + Specification Version 2.0: Your TPM meets the Windows 11 TPM requirement.
  • Compatible TPM cannot be found: TPM may be missing, disabled in UEFI/BIOS, or not supported.
  • Specification Version 1.2: TPM exists, but it does not meet the Windows 11 TPM 2.0 requirement.
Tip: Some PCs list TPM under different firmware names, such as Intel PTT, Intel Platform Trust Technology, AMD fTPM, or Security Device Support.

Step 2: Check TPM in Windows Security​

You can also check TPM from the Windows Security app.

Windows 11​

  1. Open Start.
  2. Type Windows Security.
  3. Open Windows Security.
  4. Select Device security.
  5. Look for Security processor.
  6. Click Security processor details.

Windows 10​

  1. Open Settings.
  2. Go to Update & Security.
  3. Select Windows Security.
  4. Click Device security.
  5. Look for Security processor.
  6. Open Security processor details if available.

What to Check​

Look for the Specification version. For Windows 11 readiness, it should be 2.0.
Note: If you do not see a Security processor section, TPM may be disabled in firmware or unavailable on the device.

Step 3: Check Secure Boot Status​

Secure Boot status is easiest to check using System Information.
  1. Press Windows + R.
  2. Type:
    msinfo32
  3. Click OK.
  4. In the left pane, select System Summary.
  5. In the right pane, look for:
    Secure Boot State

What the Results Mean​

  • On: Secure Boot is enabled.
  • Off: Secure Boot is supported but currently disabled.
  • Unsupported: Your current firmware mode or hardware configuration may not support Secure Boot.
Also check:
BIOS Mode
For Secure Boot, this should usually be:
UEFI
If it says Legacy, Secure Boot may not be available until the system is converted/configured for UEFI boot.
Warning: Switching from Legacy/CSM boot to UEFI may require disk partition changes and can prevent Windows from booting if done incorrectly. Back up your data first and consult your manufacturer’s instructions.

Step 4: Check Device Encryption Availability in Settings​

Device Encryption is available only on supported devices and Windows configurations.

Windows 11​

  1. Open Settings.
  2. Select Privacy & security.
  3. Click Device encryption.
  4. Check whether the option is available and whether it is On or Off.

Windows 10​

  1. Open Settings.
  2. Select Update & Security.
  3. Look for Device encryption in the left menu.
  4. Check whether Device Encryption is available and enabled.

What the Results Mean​

  • Device encryption appears and is On: Your device is protected.
  • Device encryption appears and is Off: Your device supports it, but it is not currently enabled.
  • Device encryption does not appear: Your device may not meet requirements, you may be using a standard user account, or encryption may be managed another way.
Tip: On Windows Pro, Enterprise, and Education editions, you may also see full BitLocker Drive Encryption options in Control Panel.

Step 5: Check Device Encryption Support with System Information​

If Device Encryption does not appear in Settings, System Information can often explain why.
  1. Open Start.
  2. Type System Information.
  3. Right-click System Information.
  4. Select Run as administrator.
  5. In System Summary, look for one of these entries:
    Device Encryption Support
    or
    Automatic Device Encryption Support
  6. Read the value shown next to it.

Common Messages​

You may see:
  • Meets prerequisites: Device Encryption is supported.
  • TPM is not usable: TPM is missing, disabled, or not working correctly.
  • WinRE is not configured: Windows Recovery Environment is not properly configured.
  • PCR7 binding is not supported: Secure Boot may be disabled, or certain boot-connected devices/peripherals may interfere.
Note: If you are using a local account, Device Encryption may not enable automatically. Microsoft accounts and work/school accounts are commonly used to back up the recovery key.

Tips and Troubleshooting​

If TPM Is Missing​

  1. Restart into UEFI/BIOS settings.
  2. Look for options such as:
    • TPM
    • Intel PTT
    • AMD fTPM
    • Security Device
    • Trusted Computing
  3. Enable the setting if available.
  4. Save changes and restart.

If Secure Boot Is Off​

Secure Boot is usually found in UEFI/BIOS under sections like:
  • Boot
  • Security
  • Authentication
  • UEFI Firmware Settings
If your system is using Legacy/CSM, Secure Boot may not be available until UEFI boot is enabled.

If Device Encryption Is Missing​

Check the following:
  1. Make sure you are signed in as an administrator.
  2. Confirm TPM is available and working.
  3. Confirm Secure Boot is enabled.
  4. Run System Information as administrator and read the Device Encryption Support reason.
  5. Check whether your Windows edition uses BitLocker instead.

Conclusion​

Checking TPM, Secure Boot, and Device Encryption readiness takes only a few minutes and gives you a clear picture of your PC’s security foundation. These features help protect Windows during startup, secure encryption keys, and reduce the risk of data exposure if your device is lost, stolen, or tampered with.
If everything checks out, your PC is in good shape for modern Windows security features. If something is missing or disabled, the results above will help you decide whether to adjust firmware settings, enable encryption, or contact your device manufacturer for model-specific guidance.
Key Takeaways:
  • TPM 2.0 is required for Windows 11 and supports features like BitLocker and Windows Hello.
  • Secure Boot helps block malicious software from loading before Windows starts.
  • Device Encryption protects your files automatically on supported Windows 10/11 devices.
  • Use tpm.msc, msinfo32, Windows Security, and Settings to check readiness quickly.
  • Be careful when changing UEFI/BIOS settings, and back up important data first.

This tutorial was generated to help WindowsForum.com users get the most out of their Windows experience.
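
The same checks from Steps 1 to 5 can be collected in one read-only report from an elevated PowerShell 5.1 window. This is an added example, not part of the original tutorial; it assumes the built-in TrustedPlatformModule, SecureBoot and BitLocker modules are present, and the short key names in the report are illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only readiness report; it changes no settings.
$r = [ordered]@{}

# Steps 1-2: TPM status and specification version (what tpm.msc shows).
$tpm = Get-Tpm
$wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                       -ClassName Win32_Tpm -ErrorAction SilentlyContinue
# SpecVersion is a string such as "2.0, 0, 1.59"; the first field is the TPM version.
$spec = if ($wmi) { ($wmi.SpecVersion -split ',')[0].Trim() } else { $null }
$r.TpmPresent     = $tpm.TpmPresent
$r.TpmReady       = $tpm.TpmReady
$r.TpmSpecVersion = $spec
$r.TpmVerdict     = if (-not $tpm.TpmPresent) {
    'Compatible TPM cannot be found: missing, disabled in UEFI/BIOS, or unsupported'
} elseif ($spec -eq '2.0' -and $tpm.TpmReady) {
    'Ready for use, version 2.0: meets the Windows 11 TPM requirement'
} elseif ($spec -eq '1.2') {
    'TPM 1.2 present: does not meet the Windows 11 TPM 2.0 requirement'
} else {
    'TPM present but not ready: review tpm.msc'
}

# Step 3: BIOS Mode and Secure Boot State (what msinfo32 shows).
$r.BiosMode = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
try {
    $r.SecureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
} catch {
    # The cmdlet errors on Legacy/CSM boot or firmware without Secure Boot.
    $r.SecureBoot = "Unsupported ($($_.Exception.Message))"
}

# Steps 4-5: encryption state of the Windows drive.
# A drive can be encrypted while protection is Off (suspended or waiting for
# a recovery-key backup), so both values are reported.
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $r.OsVolumeStatus     = $vol.VolumeStatus
    $r.OsVolumeProtection = $vol.ProtectionStatus
    $r.KeyProtectors      = $vol.KeyProtector.KeyProtectorType -join ', '
} catch {
    $r.OsVolumeStatus = "Not readable ($($_.Exception.Message))"
}

[pscustomobject]$r | Format-List
```

The report does not reproduce the Device Encryption Support reason text from System Information; read that value in msinfo32 as described in Step 5.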
 

Also check Core Isolation > Memory Integrity in Windows Security. A PC can have TPM 2.0 and Secure Boot enabled but still show security warnings if Memory Integrity is off because of an outdated driver. Go to Windows Security > Device security > Core isolation and make sure it is turned on. If not, Windows usually tells you which driver is blocking it.
 

Good addition, datawizard0103 — Core Isolation > Memory Integrity is definitely worth checking alongside TPM, Secure Boot, and Device Encryption.
A system can pass the TPM 2.0 and Secure Boot checks but still show a warning in Windows Security if Memory Integrity is disabled, often because of an incompatible or outdated driver.

Add This Check: Core Isolation / Memory Integrity​

  1. Open Start.
  2. Search for Windows Security.
  3. Open Windows Security.
  4. Go to Device security.
  5. Under Core isolation, click Core isolation details.
  6. Check Memory integrity.
  7. If it is Off, try turning it On.

If Memory Integrity Will Not Turn On​

Windows usually lists the driver or drivers blocking it.
  1. Note the driver name shown by Windows Security.
  2. Check whether the driver belongs to hardware such as audio, storage, RGB software, printers, VPN software, or older security tools.
  3. Update the related software or driver from the device manufacturer’s website.
  4. Restart the PC.
  5. Try enabling Memory integrity again.
Important: Do not randomly delete drivers unless you are sure what device or software they belong to. Removing the wrong driver can break hardware features or prevent software from working correctly.

Good Tutorial Note​

This would fit well as an extra section after the Secure Boot or Device Encryption checks:
Step 6: Check Core Isolation and Memory Integrity
It is not the same as TPM or Secure Boot, but it is part of Windows’ modern hardware-backed security stack and can explain why Windows Security still shows warnings even when the other checks look good.
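
The Memory integrity state can also be read without the Windows Security app, which helps when comparing several PCs. This is an added example, not part of the posts above; it assumes an elevated PowerShell window and uses the Win32_DeviceGuard WMI class, where service value 2 is hypervisor-enforced code integrity (shown as Memory integrity in Windows Security).

```powershell
# Added example: read-only query of the Device Guard WMI class.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction Stop

# Virtualization-based security: 0 = off, 1 = enabled but not running, 2 = running.
$vbs = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
    0 { 'Off' }
    1 { 'Enabled, not running' }
    2 { 'Running' }
    default { 'Unknown' }
}

# "Configured" means the setting is turned on; "running" means it is active now.
$configured = $dg.SecurityServicesConfigured -contains 2
$running    = $dg.SecurityServicesRunning    -contains 2

$verdict = if ($running) {
    'Memory integrity is On'
} elseif ($configured) {
    'Turned on but not running: restart, then check Core isolation details for a blocking driver'
} else {
    'Memory integrity is Off'
}

[pscustomobject]@{
    VirtualizationBasedSecurity = $vbs
    MemoryIntegrityConfigured   = $configured
    MemoryIntegrityRunning      = $running
    Verdict                     = $verdict
} | Format-List
```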
 
