Can You Disable TPM and Secure Boot After Installing Windows 11? What Happens…

After months of beta testing and bug squashing, the public build of Windows 11 has been released for the general public. It is currently being offered as a free upgrade to all Windows 10 users with capable hardware, meaning a sizable chunk is being left out of the update cycle. Most of it is down to Windows 11’s long list of requirements, which includes TPM 2.0.

Today, however, we are not talking about how you could disable TPM and other requirements to get Windows 11; you can already check that out by clicking on this link. Here, we will talk about what happens when you try to disable TPM and Secure Boot after installing Windows 11 on your PC. Now, without further ado, let us get to it!


What do TPM and Secure Boot mean?

As you may know, Windows 11 requires your PC to have a Trusted Platform Module, or TPM 2.0. Without it, your computer is deemed unfit to run the latest version of Windows. And although it is annoying that the update is unavailable to a large sector, we cannot blame Microsoft for making TPM 2.0 one of the main prerequisites for running Windows 11.

TPM, which acts as an added layer of protection, makes sure no potential malware gets to access sensitive information, including your login details, encryption keys, and more. TPM comes in three forms. It can be soldered to your motherboard. It can be a physical chip that you stick to your motherboard. And finally, it can be a soft, firmware implementation of the TPM architecture integrated into your processor. All three implementations have the same end product.

While TPM is more of a hardware component, Secure Boot is cooked into the UEFI firmware itself. So, as long as you have UEFI up and running, Secure Boot would continue to prevent unauthorized hardware from interfering while booting your system. Secure Boot can use TPM but it does not require it. So, even if you do not have TPM, you can use Secure Boot on Windows 11. 

Can you disable TPM and Secure Boot on Windows 11?

Yes, you can disable TPM and Secure Boot after installing Windows 11. You will have to go into UEFI and turn Secure Boot and TPM off.

As of now, a few Windows 11 features require you to have them turned on at all times. You will lose out on these features and face bugs in case you decide to disable TPM and Secure Boot. Here are some known apps, games, and Windows 11 features that depend on Secure Boot and TPM. 

  • Windows Hello Sign-in Features
  • Ability to run certain VMs
  • Windows Subsystem for Android and, consequently, all Android apps
  • Future games and secure apps with anti-cheat or tamper utilities: Such apps and utilities are expected to take full advantage of this hard requirement as seen by Valorant’s Vanguard lately.
  • BitLocker
  • Other encryption tools, security software, admin utilities, and remote management systems.
  • Some games (Valorant, for example)

What happens after you disable TPM and Secure Boot on Windows 11?

Generally, disabling TPM and Secure Boot on Windows 11 will not do you any harm in day-to-day tasks. However, if you had BitLocker enabled, you will have to enter your recovery keys every time your computer boots up. Additionally, Windows Hello, the biometrics-based authentication feature for Windows 11, will stop working when you disable TPM and Secure Boot on Windows 11.

Here is a complete list of drawbacks that you face when disabling TPM and Secure Boot on Windows 11. 

1. No Windows Hello Sign in

If you were using this before disabling TPM and Secure Boot, then you won’t be able to log in to your PC. You will need to disable Windows Hello Sign in first and then disable TPM and Secure Boot on your PC. 

2. Incompatibility with upcoming and competitive games

Games that are highly competitive and employ dedicated software to prevent cheating are expected to take full advantage of the strict TPM and Secure Boot requirements. You will lose the ability to play such games on your PC until you enable Secure Boot and TPM. Case in point, the issues faced by the Valorant game’s players.

3. BitLocker

If you disable TPM and Secure Boot with BitLocker enabled on a drive, then you will need to manually decrypt it using your key after each boot.
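
A read-only check to run from an elevated PowerShell prompt before changing either firmware setting, added here as an example and not part of the original article. It reports the current Secure Boot and TPM state and flags BitLocker volumes whose key protectors depend on the TPM, which are the ones affected by the recovery-key behaviour described above. The function names are hypothetical; `Get-Tpm`, `Confirm-SecureBootUEFI` and `Get-BitLockerVolume` are built-in Windows cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only checks, nothing here changes firmware or BitLocker state.
# Function names are hypothetical; the cmdlets are Windows built-ins.

function Get-BootSecurityState {
    # Confirm-SecureBootUEFI throws on legacy-BIOS systems, so treat that as "unknown".
    try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $secureBoot = $null }

    $tpm = Get-Tpm
    [pscustomobject]@{
        SecureBootEnabled = $secureBoot
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
    }
}

function Get-BitLockerTpmDependency {
    foreach ($vol in Get-BitLockerVolume) {
        # Protector types as strings, e.g. Tpm, TpmPin, RecoveryPassword, Password.
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $usesTpm     = [bool]($types -like 'Tpm*')
        $hasRecovery = $types -contains 'RecoveryPassword'

        [pscustomobject]@{
            MountPoint           = $vol.MountPoint
            ProtectionStatus     = $vol.ProtectionStatus
            Protectors           = $types -join ', '
            # Protected volume that unlocks via the TPM: expect a recovery prompt at boot.
            RecoveryPromptLikely = ($vol.ProtectionStatus -eq 'On') -and $usesTpm
            # TPM-bound volume with no recovery password on record: lockout risk.
            NoRecoveryPassword   = $usesTpm -and -not $hasRecovery
        }
    }
}

Get-BootSecurityState | Format-List
Get-BitLockerTpmDependency | Format-Table -AutoSize
```

The script deliberately never prints the recovery password itself. Any volume showing `NoRecoveryPassword` as True should have a recovery password created and backed up before the firmware settings are touched.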

4. Ineligible for Windows Subsystem for Android

WSA is another VM that can be installed directly within Windows to run Android apps much like Linux’s WSL which was introduced a few years ago. Not only does WSA have hard requirements for TPM 2.0 and Secure Boot, but it also needs a higher clock processor, at least 8GB of RAM, and an SSD on your system to run properly. If you were looking to enjoy Android apps on your Windows 11 system, then you should avoid disabling TPM 2.0 and Secure Boot on your system.

5. Windows Update issues

While there is very little concrete information on the same, Microsoft’s release notes make it seem that having TPM disabled will cause you to lose out on Feature and Cumulative updates. Subsequently, having Secure Boot disabled will cause you to lose out on regular security updates and definitions. If you wish to keep your system updated to the latest version for maximum security and privacy, then it is recommended that you do not disable TPM and Secure Boot on your system.

This is not a complete list of drawbacks when disabling TPM and Secure Boot. Windows 11 is fairly new and we have no word on what apps will be taking advantage of these security features. As time passes and we get to 2022, we could see a whole batch of new apps and games with a hard requirement for TPM and Secure Boot. 

Will automatic updates get disabled after you turn off TPM and Secure Boot?

Microsoft made a big deal about TPM and Secure Boot before the release of Windows 11, making it impossible for Windows 10 users to upgrade to the latest OS the official way. So, it makes sense to have some consequence of disabling TPM and Secure Boot after installing Windows 11. That comes in the form of Windows Updates. 

If you turn off TPM after installing Windows 11, you will stop receiving automatic Windows Updates. However, given how unpredictable Windows 11 updates are, it might not be the worst idea to turn off TPM and consequent auto-updates. Just make sure you are on a relatively bug-free version before disabling TPM.



Posted by
Sushan

A mediocre engineer hoping to do something extraordinary with his pen (well, keyboard). Loves Pink Floyd, lives football, and is always up for a cup of Americano.

6 Comments

  1. I think both TPM and Secure Boot seem to be a no-brainer in protecting a device. They do so without causing any issues unless you’re booting with Linux OS on the same drive. Then Secure Boot might cause some issues. Unless you find a specific reason, I would not disable either without understanding the risks of doing so.

    1. Well I’m not typing all that again. My comment vanished.

  2. I see serious privacy issues with having TPM enabled. Does it seem like we’re being told that in order to take part in secure future computing activities, people are expected to give up all expectations of privacy? Am I the only person that sees this as a problem?

    1. That’s exactly what it is. The only benefit is to stop cheating gamers – when implemented, other than that, you are basically being assigned a number and are being directly tracked. As they say, nothing in life is FREE!

  3. It doesn’t disable updates. I have 7 computers. Only one of them has TPM. I forced Windows 11 onto the others, and they get updates.

  4. TPM actually causes issues with AMD systems currently. Until a patch is launched (May timeframe from what AMD said) then it’s best to disable it.
