How to enable Secure Boot and TPM on Windows 10 to keep your PC secure

Arif Bacchus


One of the benefits Microsoft keeps talking about in Windows 11 is security. Thanks to TPM 2.0 and Secure Boot, Microsoft claims that you can benefit from “security backed by a hardware root-of-trust.” This is also part of the reason for Microsoft’s controversial Windows 11 minimum hardware requirements.

Unfortunately, the minimum hardware requirements also leave PCs with Intel 7th generation or AMD Ryzen 1000 series or older processors in the dust and unable to run Windows 11. But that doesn’t mean you can’t have good security on Windows 10.

Your PC already likely has TPM and Secure Boot, which both can protect you from hackers and other security threats. That’s why we put together this guide on how you can enable the features on Windows 10 to help keep your PC secure.

A note on TPM and Secure Boot

Before jumping into our how-to, we’ll explain a bit more about TPM and Secure Boot. TPM is short for the Trusted Platform Module. Secure Boot, meanwhile, ensures your PC boots only trusted operating systems.

TPM is basically a chip on your computer’s motherboard that stores security information on your PC to help make it tamper-resistant. TPM stores cryptographic keys and biometric data, and can enable system integrity by measuring and recording the boot code when you turn on your PC. TPM has been around since the Windows 7 era and has evolved a bit with different versions. TPM 2.0 is what is required by Windows 11, but other PCs might have TPM 1.2, which handles some of the same security measures we just described.

As for Secure Boot, it’s a feature that helps make sure that your device will only boot using software trusted by your laptop maker. It makes it so that your PC won’t boot from USB devices loaded with untrusted operating systems. This is a feature that’s often turned off in cases where people are booting multiple operating systems, but it’s best to keep turned on if you’re only using Windows.

Secure Boot


First off, we’re starting with Secure Boot. You can check to see if your PC has Secure Boot enabled by going to the Start Menu, typing msinfo32, and then pressing Enter. The System Information window will open, so click on System Summary on the left. From there, look to the middle right side of the screen. If Secure Boot State reads Off, then Secure Boot is available, but disabled.

To enable Secure Boot, you’ll need to head into the PC UEFI settings. Keep in mind that modern PCs have UEFI settings instead of BIOS, but we’re referring to UEFI here to keep things simple. Your steps also might vary by PC manufacturer, so be sure to check online with your PC maker’s website for support instructions. Check our steps below for instructions on getting to the BIOS or UEFI from Windows 10.

  1. In Windows 10 settings, visit Update and Security, followed by Recovery then Advanced Startup.
  2. Click Restart now.
  3. When the PC reboots, go to Troubleshoot then choose Advanced Options followed by UEFI Firmware Settings.
  4. You’ll now be taken to your PC’s UEFI settings. You’ll have to find the Secure Boot setting. Usually, it’s found under Security or Boot or Authentication.
  5. Enable Secure Boot and save and apply the settings using the listed key combination.
  6. Restart your PC.

With the setting changed, you can head back to Windows 10 and double-check that Secure Boot is now on. Follow our steps in the introduction of this section to double-check. If Secure Boot still isn’t enabled, then you might want to visit your PC manufacturer’s support pages for help.


TPM

Now, for the second part. You can check to see if your PC has TPM by searching for Windows Security in the Start Menu. In the results, click the Windows Security app. In the sidebar of the app that opens, click Device Security. You can then look for Security Processor in the list. If you see a green checkmark over Security Processor, then you’re good to go. If not, follow our steps below.

  1. Reboot your PC.
  2. Get into the UEFI settings via the steps we described in the Secure Boot section above.
  3. Look under the Security section.
  4. Look for TPM Security or TPM Device, and make sure it’s turned on or enabled. If it’s disabled, re-enable it.
  5. Save and apply the settings using the listed key combination.
  6. Exit and restart your PC.

We previously talked about TPM 2.0 and all the requirements in our separate post. So, if you’re still confused, give it a read. We dug into the many ways you can enable TPM 2.0 on your device. Also, keep in mind that Windows sometimes might give you false positives on TPM. TPM 1.2 exists on some older PCs, but Microsoft requires TPM 2.0. If you enabled TPM and you still can’t get Windows 11, then this is why.
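The Secure Boot and TPM checks from the two sections above can also be done from an elevated PowerShell prompt, which reports the TPM version as well. This is an added example, not part of the original article; the function name Get-BootTrustStatus is made up for illustration, and the script only reads status and changes nothing.

```powershell
# Added example: read-only status check. Run from an elevated PowerShell prompt.
function Get-BootTrustStatus {
    $result = [ordered]@{
        SecureBoot     = 'Unknown'
        TpmPresent     = $false
        TpmReady       = $false
        TpmSpecVersion = 'n/a'
    }

    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and throws
    # on legacy BIOS systems or when the session is not elevated.
    try {
        $result.SecureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
    } catch [System.PlatformNotSupportedException] {
        $result.SecureBoot = 'Unsupported (legacy BIOS boot mode)'
    } catch [System.UnauthorizedAccessException] {
        $result.SecureBoot = 'Unknown (run as administrator)'
    } catch {
        $result.SecureBoot = "Unknown ($($_.Exception.Message))"
    }

    # Win32_Tpm returns nothing when no TPM is exposed to Windows, for example
    # when the TPM is switched off in the UEFI settings.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $result.TpmPresent = $true
        $result.TpmReady   = [bool]($tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue)
        # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM version.
        $result.TpmSpecVersion = ($tpm.SpecVersion -split ',')[0].Trim()
    }

    [pscustomobject]$result
}

$status = Get-BootTrustStatus
$status | Format-List

# A TPM 1.2 chip shows up as present but does not meet the Windows 11 requirement.
if ($status.TpmPresent -and $status.TpmSpecVersion -ne '2.0') {
    Write-Warning "TPM $($status.TpmSpecVersion) found; Windows 11 requires TPM 2.0."
}
```

If TpmPresent is False on a PC that should have a TPM, the chip is most likely disabled in the UEFI settings described in the steps above.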

Windows Security Center


Alongside both TPM and Secure Boot, you might want to check out Windows Security Center in Windows 10, too. This center offers some built-in security protections. It’s free, and there’s no need to pay extra or subscribe to it.

Some researchers have even found that Windows Security Center offers some very good protection against malware, spyware, and other security threats. It’s not as good as some third-party options, but it is strong enough for the most basic threats.

Windows Security Center can be accessed in Windows 10 by searching for it in the Start Menu. When open, you can check under Virus and Threat Protection to see any threats or start a scan. Microsoft always updates the security intelligence in Windows Security Center, to ensure you’re protected against the latest threats. You’ll also be able to turn on real-time protection to ensure that downloaded malware won’t run, and cloud-delivered protection to ensure that you get faster protections. You can even turn on controlled folder access to make sure that if your PC is hijacked by ransomware, critical folders won’t be available to the ransomware itself.
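The three settings mentioned above (real-time protection, cloud-delivered protection and controlled folder access) can be read in one pass with the built-in Defender cmdlets. This is an added example, not part of the original article; the function name Get-DefenderProtectionStatus is made up for illustration, and the script only reads settings.

```powershell
# Added example: read-only report of the Windows Security settings named above.
function Get-DefenderProtectionStatus {
    $computer = Get-MpComputerStatus
    $prefs    = Get-MpPreference

    # Numeric values used by Get-MpPreference for these two settings.
    $mapsLevels = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }
    $cfaModes   = @{
        0 = 'Disabled'
        1 = 'Enabled'
        2 = 'Audit mode'
        3 = 'Block disk modification only'
        4 = 'Audit disk modification only'
    }

    [pscustomobject]@{
        RealTimeProtection     = [bool]$computer.RealTimeProtectionEnabled
        SignatureLastUpdated   = $computer.AntivirusSignatureLastUpdated
        SignatureAgeDays       = [int]$computer.AntivirusSignatureAge
        CloudProtection        = $mapsLevels[[int]$prefs.MAPSReporting]
        ControlledFolderAccess = $cfaModes[[int]$prefs.EnableControlledFolderAccess]
    }
}

$defender = Get-DefenderProtectionStatus
$defender | Format-List

# Point out the settings the article recommends turning on.
if (-not $defender.RealTimeProtection) {
    Write-Warning 'Real-time protection is off.'
}
if ($defender.CloudProtection -eq 'Disabled') {
    Write-Warning 'Cloud-delivered protection is off.'
}
if ($defender.ControlledFolderAccess -ne 'Enabled') {
    Write-Warning "Controlled folder access is '$($defender.ControlledFolderAccess)'."
}
```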

Still safe, even if you can’t get Windows 11

If you can’t upgrade to Windows 11, then there’s no need to worry. Though Windows 11 is designed to be the most secure Windows yet, Windows 10 is still a very safe operating system to keep using. Microsoft will support it through the year 2025. And, even with Secure Boot and basic TPM 1.2, your PC is still considered safe, as long as you have an antivirus or Windows Defender enabled.