jimscreechy
Established Member
I thought I'd make a quick (or not so quick) post to highlight some challenges I had with a Windows11 install given many will probably be going through the same process shortly if not having done so already.
Quick outlay -I'm building a new PC and for the most part it has gone well, its an Asus Z590-P Wifi and Asus BIOS tends to be very generic so hopefully you Asus users will find this helpfull. Other board users may have to make the necessary adaptations.
I did originally do a Windows10 install without issue but I though 'hey, I'll update within Win10 that will be easier'. That didn't go to plan as the update checker said outstanding issues (secure boot) needed attention.
NP I made the changes (not completely obvious given my knowledge of TPM Boot and OS requirements) and it took me a few attempts to get right, especially since some of the defaults (which I didn't check) were not how I expected. Its not a long list but it is particular, so 'One strike and your out' for the most part.
1. In BIOS/Advanced/Advanced PCH-FW Configuration. If you don't have a TPM Module installed select Enable Firmware TPM. The default is actually TPM Discreet device and your motherboard will NOT come with this installed by default, so this as a default setting is a little weird. The discreet TPM requires a separate purchase.
Sorry about the pics which didn't come out great, but I've zoomed in on the option to highlight it a little better.
2. IN the BIOS go to the setting BIOS/Advanced/Trusted Computing
You should now have the 'TPM Device Found' and the option The Security Device support 'Enabled' should be set.
If you don't see this yet fear not. You may need to make the following changes before this setting is populated.
3. In Bios go to the BIOS\Boot\CSM (compatibility support module). These settings are pretty important so get them right. I'll show my settings bellow.
Ensure Launch CSM is Enabled.
Ensure 'Boot device control' is set to 'UEFI only'. If you have 'UEFI and legacy OPROM' you won't be able to do an update from windows 10 if it was installed using Legacy boot, even if you have since changed the option to UEFI and Legacy OPROM.
If you are installing Windows 11 from a scratch it needs to see UEFI Only as well. You may be able to set this back to 'UEFI or legacy OPROM' after the install (I don't know I've not tried) but certainly Windows 11 needs to see 'UEFI Only' or you won't be able to install.
The rest of the Legacy and UEFI settings depend on how you want to boot, but I'm not going into detail since booting from other devices is probably a topic for another day. Here I am dealing specifically with NVMe, HDD & SSD's. If you're not booting from network devices set them to 'Legacy Only'
Set 'Boot from Storage devices' to 'UEFI Only' Yep it gets specific, so this is required to boot from drives.
If you want to boot from RAID, expansion cards, or a PCI-e to NVMe M.2 adaptor, you will need to set the next option 'Boot from PCI-E/PCI Expansions Devices' to UEFI Only. I'm not, so I've left mine as Legacy only even though I do have a RAID card present.
For those booting from arrays they have configured on the motherboard I'm just not sure, though I think 'Storage devices' configured as 'UEFI Only' have you covered. Remember, these settings are only for devices (including storage devices Disk or otherwise) you actually want to BOOT from.
4. Go to Bios\Boot\Secure Boot
Set the OS Type to 'Windows UEFI mode' (who knew you had to set it in so many places!
Set the 'Secure Boot mode' to 'Standard'. Only use Custom if you want to import some keys from somewhere else or some other device that is secured you need to configure Keys for.
Once you have set this option the 'Key Management Option' will be greyed out. In fact, if it IS set to 'Custom' which again is the default, don't even go in there if you don't have to or don't know what your doing, and definitely don't clear any keys.
Of course make sure the 'Boot Option #' is set to 'Windows Boot Manager (device name) in the relevant device in the main Boot menu (sorry I didn't take a screen shot since most of you are familiar with the boot option devices).
I think that's about it for the BIOS, Just remember to save and exit or F10 or your settings won't be saved.
On the OS side there are some *notes. Given what I've encountered, I think the most common road-block to update from Win10 will be the UEFI setting for 'Legacy and UEFI OPROM' setting. Since this is how my BIOS was set when I installed Windows 10, and it absolutely would not either update nor install a clean version Windows 11 with this option selected... nor would my compatibility checker give me a clean bill of health for update.
Once you have changed this to 'UEFI Only' you will no longer be able to boot your install of Windows 10 So its a good sign your heading in the right direction if not solved the issue completely... all else being well.
However, once you've done this you will need a reinstall of Windows10 then an upgrade to Win11 or do a clean install of Windows 11 from scratch. This will of course mean a drive reformat and a loss of all data, so if you're a bit hesitant, make sure you take a snapshot or image your disk. At any rate both worked without issue in my case and Windows11 went on without problem. The easy way of course is to just remove the TPM entries from appraiserres.dll on the install media, then you don't have to jump through any of these hoops, but this is more a focus on doing it the Microsoft way.
Hope this helps.
Quick outlay -I'm building a new PC and for the most part it has gone well, its an Asus Z590-P Wifi and Asus BIOS tends to be very generic so hopefully you Asus users will find this helpfull. Other board users may have to make the necessary adaptations.
I did originally do a Windows10 install without issue but I though 'hey, I'll update within Win10 that will be easier'. That didn't go to plan as the update checker said outstanding issues (secure boot) needed attention.
NP I made the changes (not completely obvious given my knowledge of TPM Boot and OS requirements) and it took me a few attempts to get right, especially since some of the defaults (which I didn't check) were not how I expected. Its not a long list but it is particular, so 'One strike and your out' for the most part.
1. In BIOS/Advanced/Advanced PCH-FW Configuration. If you don't have a TPM Module installed select Enable Firmware TPM. The default is actually TPM Discreet device and your motherboard will NOT come with this installed by default, so this as a default setting is a little weird. The discreet TPM requires a separate purchase.
Sorry about the pics which didn't come out great, but I've zoomed in on the option to highlight it a little better.
2. IN the BIOS go to the setting BIOS/Advanced/Trusted Computing
You should now have the 'TPM Device Found' and the option The Security Device support 'Enabled' should be set.
If you don't see this yet fear not. You may need to make the following changes before this setting is populated.
3. In Bios go to the BIOS\Boot\CSM (compatibility support module). These settings are pretty important so get them right. I'll show my settings bellow.
Ensure Launch CSM is Enabled.
Ensure 'Boot device control' is set to 'UEFI only'. If you have 'UEFI and legacy OPROM' you won't be able to do an update from windows 10 if it was installed using Legacy boot, even if you have since changed the option to UEFI and Legacy OPROM.
If you are installing Windows 11 from a scratch it needs to see UEFI Only as well. You may be able to set this back to 'UEFI or legacy OPROM' after the install (I don't know I've not tried) but certainly Windows 11 needs to see 'UEFI Only' or you won't be able to install.
The rest of the Legacy and UEFI settings depend on how you want to boot, but I'm not going into detail since booting from other devices is probably a topic for another day. Here I am dealing specifically with NVMe, HDD & SSD's. If you're not booting from network devices set them to 'Legacy Only'
Set 'Boot from Storage devices' to 'UEFI Only' Yep it gets specific, so this is required to boot from drives.
If you want to boot from RAID, expansion cards, or a PCI-e to NVMe M.2 adaptor, you will need to set the next option 'Boot from PCI-E/PCI Expansions Devices' to UEFI Only. I'm not, so I've left mine as Legacy only even though I do have a RAID card present.
For those booting from arrays they have configured on the motherboard I'm just not sure, though I think 'Storage devices' configured as 'UEFI Only' have you covered. Remember, these settings are only for devices (including storage devices Disk or otherwise) you actually want to BOOT from.
4. Go to Bios\Boot\Secure Boot
Set the OS Type to 'Windows UEFI mode' (who knew you had to set it in so many places!
Set the 'Secure Boot mode' to 'Standard'. Only use Custom if you want to import some keys from somewhere else or some other device that is secured you need to configure Keys for.
Once you have set this option the 'Key Management Option' will be greyed out. In fact, if it IS set to 'Custom' which again is the default, don't even go in there if you don't have to or don't know what your doing, and definitely don't clear any keys.
Of course make sure the 'Boot Option #' is set to 'Windows Boot Manager (device name) in the relevant device in the main Boot menu (sorry I didn't take a screen shot since most of you are familiar with the boot option devices).
I think that's about it for the BIOS, Just remember to save and exit or F10 or your settings won't be saved.
On the OS side there are some *notes. Given what I've encountered, I think the most common road-block to update from Win10 will be the UEFI setting for 'Legacy and UEFI OPROM' setting. Since this is how my BIOS was set when I installed Windows 10, and it absolutely would not either update nor install a clean version Windows 11 with this option selected... nor would my compatibility checker give me a clean bill of health for update.
Once you have changed this to 'UEFI Only' you will no longer be able to boot your install of Windows 10 So its a good sign your heading in the right direction if not solved the issue completely... all else being well.
However, once you've done this you will need a reinstall of Windows10 then an upgrade to Win11 or do a clean install of Windows 11 from scratch. This will of course mean a drive reformat and a loss of all data, so if you're a bit hesitant, make sure you take a snapshot or image your disk. At any rate both worked without issue in my case and Windows11 went on without problem. The easy way of course is to just remove the TPM entries from appraiserres.dll on the install media, then you don't have to jump through any of these hoops, but this is more a focus on doing it the Microsoft way.
Hope this helps.
Last edited:
