Share via

TPM and Secure Boot, Is it worth a reinstall for Windows 10

Anonymous
2022-02-25T17:25:42+00:00

Hi, excuse my lack of knowledge, if this is a dumb question or if it’s been answered already, I searched but nothing came up.

Is there enough security benefit in running TPM and Secure Boot on Windows 10 to warrant all the pain involved in a clean install?

With the current state of the world and its political shenanigans, I’ve got a feeling we might be in for a spate of cyber unpleasantness (from all points of the political compass. I don’t really want to upgrade to windows 11 because there still seem to be a few issues with Cubase 11 and some of the plugins, which are unlikely to be resolved quickly(according to people who seem to know what they’re on about) So my choice seems to be a clean install and activating Secure Boot and either the Firmware or Discreet TPM . I did try to learn a bit about the workings of TPM but once you get past the idiots guide that stuff is way too advanced for an old fogey end user like me.

Thanks in advance

Sys Specs

AMD Ryzen 5 3600

Asus Prime X570 P mobo

Gigabyte gtx 1050 ti

SIIG 2 Port Firewire PCI-E Adapter

Focusrite Saffire Pro 14 firewire audio interface

16 gig ram

Windows for home | Windows 10 | Security and privacy

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

0 comments

5 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. LightJack 05 2,575 Reputation points Volunteer Moderator
    2022-02-25T20:10:07+00:00

    Hi,

    your CPU has an integrated TPM. Select it by choosing "Firmware" as your TPM option.

    Secure Boot is a feature of UEFI Boot, which should be enabled by default. If it isn't, go into your MB BIOS and enable it by first removing any currently installed Secure Boot keys, then installing the default ones and finally enabling Secure Boot.

    NOTE: If you have device encryption enabled, messing with your TPM/Secure Boot may cause Bitlocker to flip out. In that case you need your Bitlocker recovery key.

    The option can be found under Settings>Updates & Security > Device encryption. (if its not there its not enabled and your device currently doesn't support it.)

    EDIT: If you enable TPM and SB, your PC may automatically enable Device encryption. Please check your settings after enabling it. If you dont want to use it (its not that useful on a desktop), you can disable it. It is supposed to protect your files if your device gets stolen.

    If you are currently booting in Legacy mode, you will need to convert your System to UEFI before you can enable Secure Boot. Otherwise it will reject your Installation since it doesn't support it.

    Regards,

    LightJack

    1 person found this answer helpful.
    0 comments
  2. DaveM121 872.6K Reputation points Independent Advisor
    2022-02-25T18:01:15+00:00

    Hi Gavin,

    I am Dave, I will help you with this.

    If your motherboard supports TPM 2.0, and UEFI Boot, then yes, your system would be more secure if you enabled TPM 2/0 and Secure Boot.

    There is a way to enable them without re-installing Windows, read the link below from Microsoft on how to convert your drive from an MBR partition style to GPT, you can then enable Secure Boot and TPM.

    Of you do use this method, please backup your personal files first.

    https://docs.microsoft.com/en-us/windows/deploy...

    1 person found this answer helpful.
    0 comments
  3. Anonymous
    2022-02-26T14:03:52+00:00

    Thank you everyone for your responses, it’s so cool that people in the community still take the time and trouble to help enthusiastic dullards like me. Unfortunately, I had a bit of a nightmare with it last night, mbr2gpt errors, hours of reading articles and watching videos but no joy. Even the simple things like creating bootable media are throwing error messages at me

    WARNING, ALL DATA ON DISK DRIVE N: WILL BE LOST!

    Proceed with Format [Y,N]?Y

    Formatting N:...

    ERROR: Failed to format "N:"; DiskPart errorlevel -2147212243.

    So I’m going to leave it alone for today or I’ll end up getting frustrated and angry which often leads to irreparable mistakes. I’ll try again tomorrow  :-)

    0 comments
  4. Anonymous
    2022-02-25T17:57:02+00:00

    Thanks , My X570 has a 14 pin TPM header and I installed an Asus TPM-SPI 14 in 1 Security TPM Module, and now I get a Firmware or Discreet option in the BIOS. From the info I've been able to understand swapping between Firmware and Discreet without a clean install is a brilliant idea. I'm reverting to my default mental settings 'If I don't really understand what it does, I ain't going to mess with it... Until I've talked to someone who knows their stuff'

    0 comments
  5. Anonymous
    2022-02-25T17:41:06+00:00

    Better security is always worth the trouble, but in your case, reinstalling Windows is not the solution.

    The TPM is in a chip on your motherboard that was installed at the manufacturer's factory. Your motherboard either has the chip or it doesn't.

    SecureBoot is a feature of the UEF firmware, which is also installed in a chip on your motherboard. The firmware comes from the computer manufacturer.

    Your computer's manufacturer can tell you if your computer has these and, if so, how to make use of them.

    0 comments