LinuxQuestions.org
Old 03-02-2024, 07:29 AM   #1
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,556

Rep: Reputation: 177Reputation: 177
TPM and Asus motherboard


I have an ASUS PRIM 9550M-A motherboard with an AMD Ryzen 5 4600G CPU and 8G of memory. In the BIOS, I have enabled Advanced > AMD fTPM Configuration > Enable Firmware TPM. However, this does not seem to work. Did I set the right thing for TPM? Is there some other setting I need as well?
 
Old 03-02-2024, 09:03 AM   #2
remmilou
Member
 
Registered: Mar 2010
Location: Amsterdam
Distribution: MX Linux (21)/ XFCE
Posts: 211

Rep: Reputation: 69
If you do not really need TPM, switch off TPM and set CSM (Compatibility Support Mode)
Should work.
OK... I know that "should" often tends to be a horrible mistake, so no guarantee... ;-)
 
Old 03-02-2024, 11:56 AM   #3
mfoley
Quote:
Originally Posted by remmilou View Post
If you do not really need TPM, switch off TPM and set CSM (Compatibility Support Mode)
Should work.
Well, this system will serve as a Virtual Machine host for a Windows 11 guest, so I think it does need TPM, but so far it's not working.

Has anyone out there successfully done this? If so, what motherboard/processor did you use? I bought this ASUS PRIM 9550M-A specifically for this purpose, but no go so far.
 
Old 03-02-2024, 01:54 PM   #4
Arnulf
Member
 
Registered: Jan 2022
Location: Hanover, Germany
Distribution: Slackware
Posts: 268

Rep: Reputation: 89
Why do you think that TPM 2.0 doesn't work?

Post output of: dmesg | grep -i tpm

Switching to CSM is a very bad idea because this prevents boot from NVMe SSD.

Run UEFI mode but disable secure boot in UEFI. Windows 11 requires a UEFI with secure boot present but it doesn't require secure boot enabled. Secure boot enabled prevents unrestricted Linux (or other OS than Windows) boot.
 
Old 03-02-2024, 11:08 PM   #5
mfoley
Code:
# dmesg | grep -i tpm
[    0.000000] efi: ACPI=0xc38f0000 ACPI 2.0=0xc38f0014 TPMFinalLog=0xc4397000 SMBIOS=0xc69f5000 SMBIOS 3.0=0xc69f4000 MEMATTR=0xc00f9198 ESRT=0xc24ff818
[    0.004914] ACPI: TPM2 0x00000000C37E0000 00004C (v04 ALASKA A M I    00000001 AMI  00000000)
[    0.004954] ACPI: Reserving TPM2 table memory at [mem 0xc37e0000-0xc37e004b]
I think it's not working because, as mentioned, this machine is the host for a Windows virtual machine guest and Windows Update says, "This PC doesn't currently meet Windows 11 system requirements." However, when I run tpm.msc it shows the "TPM Management on local computer" screen and shows the TPM Manufacturer information (Manufacturer Name IBM, Manufacturer Version 8217.4131.22.13871). Everything else looks fine on this screen. Yet Windows Update doesn't agree.

If you think this dmesg message indicates TPM is in fact enabled in BIOS, then the problem must be with the VirtualBox program and not the hardware and I'll need to take this issue up with them.
 
Old 03-03-2024, 02:51 AM   #6
remmilou
Member
 
Registered: Mar 2010
Location: Amsterdam
Distribution: MX Linux (21)/ XFCE
Posts: 211

Rep: Reputation: 69
?

Quote:
Originally Posted by Arnulf View Post
Why do you think that TPM 2.0 doesn't work?

Post output of: dmesg | grep -i tpm

Switching to CSM is a very bad idea because this prevents boot from NVMe SSD.

Run UEFI mode but disable secure boot in UEFI. Windows 11 requires a UEFI with secure boot present but it doesn't require secure boot enabled. Secure boot enabled prevents unrestricted Linux (or other OS than Windows) boot.
I have an ASUS TUF mobo, CSM enabled and NVMe SSD. Starts perfectly.
In fact all systems I thus far installed (with Debian) behave the same.
Even dual boot with Windows 11 (and 10) works with CSM enabled.
Did I misunderstand your remark?

Last edited by remmilou; 03-03-2024 at 02:53 AM.
 
Old 03-03-2024, 04:57 AM   #7
Arnulf
Your dmesg output indicates that TPM 2.0 is enabled in UEFI, but your kernel lacks TPM 2.0 support.
If the kernel supports TPM 2.0, the output of dmesg | grep -i tpm shows an additional line like this:
[ 4.510309] tpm_crb MSFT0101:00: Disabling hwrng

@remmilou:
OK, you can boot Linux from a toaster or anything else. Boot from NVMe SSD with CSM enabled isn't the straight path.
CSM and secure boot are mutually exclusive. Windows 11 may currently boot with CSM, but Windows 11 System Requirements are clear:
Quote:
System Firmware: UEFI (for Unified Extensible Firmware Interface, a modern version of the PC BIOS) and Secure Boot capable.

Last edited by Arnulf; 03-03-2024 at 05:10 AM.
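
An added example, not part of any post in this thread: a shell sketch of the distinction drawn in post #7 between the firmware exposing a TPM2 ACPI table and the Linux kernel binding a TPM driver to it. The function names are hypothetical; the sample log lines are the ones posted in #5 and #7.

```shell
#!/bin/sh
# Added example (not from the thread): tell "firmware exposes a TPM" apart
# from "the Linux kernel bound a TPM driver to it".

# Reads kernel log text on stdin and prints one of:
#   no-acpi-table  no TPM2 ACPI table: fTPM is off or absent in firmware
#   firmware-only  TPM2 table present, no tpm_crb/tpm_tis driver message
#   driver-bound   a kernel TPM driver logged against the device
classify_tpm_log() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -Eq 'tpm_(crb|tis)'; then
        echo driver-bound
    elif printf '%s\n' "$log" | grep -q 'ACPI: TPM2 '; then
        echo firmware-only
    else
        echo no-acpi-table
    fi
}

# The dmesg log is a ring buffer and may be restricted to root, so sysfs is
# the firmer check. Prints the TPM major version exposed for tpm0, "unknown"
# if the device exists without a version file, or "none" if there is no tpm0.
# The optional root argument exists only so the function can be tested.
tpm_sysfs_version() {
    d="${1:-/sys}/class/tpm/tpm0"
    [ -d "$d" ] || { echo none; return; }
    if [ -r "$d/tpm_version_major" ]; then cat "$d/tpm_version_major"; else echo unknown; fi
}

# The two ACPI lines from the output in post #5.
log_from_post5() {
    cat <<'EOF'
[    0.004914] ACPI: TPM2 0x00000000C37E0000 00004C (v04 ALASKA A M I    00000001 AMI  00000000)
[    0.004954] ACPI: Reserving TPM2 table memory at [mem 0xc37e0000-0xc37e004b]
EOF
}

# The same log plus the driver line quoted in post #7.
log_with_driver() {
    log_from_post5
    echo '[    4.510309] tpm_crb MSFT0101:00: Disabling hwrng'
}

log_from_post5  | classify_tpm_log     # firmware-only
log_with_driver | classify_tpm_log     # driver-bound
echo "this host: $(dmesg 2>/dev/null | classify_tpm_log), sysfs: $(tpm_sysfs_version)"
```

A `firmware-only` result from dmesg alone is not conclusive, since the driver may be built as a module that is not loaded or its message may have rotated out of the log; the sysfs check settles it.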
 
Old 03-03-2024, 11:32 PM   #8
mfoley
I've got it working!

The solution was simply this: I waited a day after setting the TPM option in the BIOS! After the wait, when I went back into Windows "Check for Updates", I did not have the message, "This PC doesn't currently meet Windows 11 system requirements". Instead, I had the button to download and install Windows 11. Somewhere in my searching for solutions on the Internet I came across a post where someone said that Windows Update needed some time to "sync up" with "PC Health Check". Apparently the "Check for Updates" function does not do this in live time. I wish I could find that link for reference. Anyway, I checked again 30+ hours after enabling the TPM settings and voila! I was good to go. I doubt if 30 hours is required for Windows Update, but that's the soonest I checked.

Or - don't wait a day, go into Windows Update and click Check for Updates!

Quote:
Originally Posted by Arnulf View Post
Your dmesg output indicates that TPM 2.0 is enabled in UEFI, but your kernel lacks TPM 2.0 support.
If the kernel supports TPM 2.0, the output of dmesg | grep -i tpm shows an additional line like this:
[ 4.510309] tpm_crb MSFT0101:00: Disabling hwrng
Well, I certainly hope you're wrong about that. I just bought this MB and CPU expressly for the purpose of UEFI and TPM in order to upgrade my Linux host and its Windows VM guest. I asked the tech at the computer store for a MB/CPU that would support this Brave New World hardware for this reason. I've so far bought 4 such MB/CPUs to upgrade other computers and servers in the office. I'm hoping the fact that it worked on this hardware means the CPU can support TPM. That's not entirely proof since as part of trying to solve this problem I tweaked the Windows VM registry settings to ignore certain of these features -- if that even worked. I'll know for sure in a week when I go to update the next 3 computers, and I won't do any tweaks. I'll post back if there's a problem.

Now, you are likely referring to the Linux kernel, not the Virtual Machine guest. In which case I don't think I care. I have no desire for Linux to utilize such "fingers in the dike" of Microsoft swiss-cheese security.

Last edited by mfoley; 03-05-2024 at 09:51 AM.
 
Old 03-04-2024, 01:44 PM   #9
remmilou
Hopefully not too far off-topic

Quote:
Originally Posted by Arnulf View Post
Your dmesg output indicates that TPM 2.0 is enabled in UEFI, but your kernel lacks TPM 2.0 support.
If the kernel supports TPM 2.0, the output of dmesg | grep -i tpm shows an additional line like this:
[ 4.510309] tpm_crb MSFT0101:00: Disabling hwrng

@remmilou:
OK, you can boot Linux from a toaster or anything else. Boot from NVMe SSD with CSM enabled isn't the straight path.
CSM and secure boot are mutually exclusive. Windows 11 may currently boot with CSM, but Windows 11 System Requirements are clear:
Hey, thanks. I did know that CSM and secure boot are mutually exclusive. But I was not aware of the other points.
I Googled a bit, but cannot get clear why boot from NVMe SSD with CSM enabled isn't the straight path. Can you explain that? Or do you have a link with a clear view on that? I'm 66 years old, but not too old to learn...
And the other thing: my son's Windows 11 laptop starts and runs perfectly without secure boot. It is secure boot CAPABLE, though it does not use it. Am I missing something here? From what I read from the Debian (my distro) pages it's mainly a Windows thing.
 
Old 03-05-2024, 12:06 AM   #10
mfoley
Quote:
Originally Posted by remmilou View Post
Hey, thanks. I did know that CSM and secure boot are mutually exclusive. But I was not aware of the other points.
I Googled a bit, but cannot get clear why boot from NVMe SSD with CSM enabled isn't the straight path.. Can you explain that? Or do you have a link with a clear view on that. I'm 66 years old, but not too old to learn...
And the other thing: my son's Windows 11 laptop starts and runs perfectly without secure boot. It is secure boot CAPABLE, though it does not use it. Am I missing something here? From what I read from the Debian (my distro) pages it's mainly a Windows thing.
I'm no expert on this (and even older than you), but here's what I know, or think I know. Windows 11 is supported on specific processors that are TPM (Trusted Platform Module) capable. If you have Windows 10, and the processor does not do TPM you will get a message in Windows Update that says, "This PC doesn't currently meet the minimum system requirements to run Windows 11." From the "Check for Updates" dialog you can download the "Get PC Health Check" program to see why your computer doesn't meet the requirements. TPM is a requirement. I don't think secure boot is required. At least I don't have that set for the Windows 11 (nee 10) computer in this thread. I would guess that your son's laptop has TPM. I don't think you can run Windows 11 without it, although I've read about some registry tweaks that get around that. But that's not the only requirement. I just ran "PC Health Check" on my Lenovo laptop and it says it has TPM 2.0, but the processor is not supported. Go figure.

On another system I'm trying to upgrade, the "PC Health Check" says the system must support Secure Boot, which requires booting UEFI instead of the older CSM/MBR boot. I don't think being secure boot capable means that you have to enable secure boot. I haven't experimented enough to know, but the one system I've upgraded does not do secure boot. I think there might be a registry tweak to bypass that, which I'm going to look for right now!

Our office just bought new computers in 2020 for our upgrade to Windows 10. As it turns out, none of those processors are supported for Windows 11 and therefore cannot be upgraded. So, we have to buy all new computers to upgrade.

Last edited by mfoley; 03-05-2024 at 12:07 AM.
 
Old 03-05-2024, 02:01 AM   #11
remmilou
@mfoley: Thnx!
 
Old 03-06-2024, 03:50 PM   #12
Arnulf
  • TPM 2.0 is required for Windows 11 installation without registry hacks.
  • UEFI with secure boot feature is required for Windows 11 installation without registry hacks. It is not required to enable secure boot (and highly recommended to leave it disabled) but UEFI boot is required because CSM boot generally prevents enabling secure boot.
  • With a very few exceptions, NVMe SSDs require GPT partitioning. UEFI boot is the straight path to boot from a device with GPT partitioning because GPT enables creation of an "EFI partition" for one or more bootloaders, e.g. GRUB or the Windows bootloader. Linux can boot from a device with GPT partitioning via CSM or legacy BIOS in old computers without UEFI. A "BIOS boot partition" is created instead of an "EFI partition". GRUB can use this partition but the Windows bootloader cannot use it. Therefore Windows cannot boot from a device with GPT partitioning without UEFI boot.
With the very strong hardware requirements for Windows 11, Microsoft causes a large increase in e-waste.
 
  

