When managing an IT infrastructure, relying on consumer GUI tools like Microsoft's PC Health Check app to verify Windows 11 compatibility isn't scalable. As sysadmins, we need automated, fast tools that provide clear text output to integrate into broader deployment scripts.
The two most critical (and often blocking) requirements for upgrading from Windows 10 to Windows 11 concern hardware security: the presence of TPM 2.0 (Trusted Platform Module) and the enablement of Secure Boot at the UEFI level.
I wrote a quick PowerShell script that queries the operating system directly to extract this information without needing to reboot the machine or enter the BIOS/UEFI.
The Script
You can run this code block by opening PowerShell with Administrator privileges. The script checks the TPM status and Secure Boot configuration, returning immediate color-coded feedback.
<#
.SYNOPSIS
Verifies system readiness for the Windows 11 upgrade (Focus on TPM and Secure Boot).
.DESCRIPTION
The script checks if the TPM module is present, ready, and version 2.0.
It also verifies whether Secure Boot is enabled in the UEFI firmware.
Both checks need an elevated (Administrator) PowerShell session.
#>
Write-Host "=========================================" -ForegroundColor Cyan
Write-Host " Windows 11 Requirements Check " -ForegroundColor Cyan
Write-Host "=========================================`n" -ForegroundColor Cyan

# 1. Check TPM
Write-Host "[*] Checking TPM module..."
try {
    $tpm = Get-Tpm
    if ($tpm.TpmPresent) {
        # The TpmReady property indicates if it is ready for use
        if ($tpm.TpmReady) {
            Write-Host " [OK] TPM detected and ready for use." -ForegroundColor Green
        } else {
            Write-Host " [WARNING] TPM present but not initialized." -ForegroundColor Yellow
        }
        # Get-Tpm does not expose the spec version; the Win32_Tpm WMI class does (e.g. "2.0, 0, 1.38")
        $specVersion = (Get-CimInstance -Namespace root/cimv2/security/microsofttpm -ClassName Win32_Tpm).SpecVersion
        if ($specVersion -like '2.0*') {
            Write-Host " [OK] TPM specification version 2.0 (reported: $specVersion)." -ForegroundColor Green
        } else {
            Write-Host " [ERROR] TPM is not version 2.0 (reported: $specVersion)." -ForegroundColor Red
        }
    } else {
        Write-Host " [ERROR] No TPM module detected on the motherboard." -ForegroundColor Red
    }
} catch {
    Write-Host " [ERROR] Cannot query TPM. Ensure you are running as Administrator." -ForegroundColor Red
}

# 2. Check Secure Boot
Write-Host "`n[*] Checking Secure Boot..."
try {
    $secureBoot = Confirm-SecureBootUEFI
    if ($secureBoot) {
        Write-Host " [OK] Secure Boot enabled in UEFI firmware." -ForegroundColor Green
    } else {
        Write-Host " [ERROR] Secure Boot is disabled. You need to enable it in BIOS/UEFI." -ForegroundColor Red
    }
} catch {
    Write-Host " [ERROR] Cmdlet not supported or system in Legacy BIOS mode (non-UEFI)." -ForegroundColor Red
}

Write-Host "`n=========================================" -ForegroundColor Cyan
Write-Host "Check complete." -ForegroundColor Cyan
How does it work under the hood?
Get-Tpm: This cmdlet (from the built-in TrustedPlatformModule module) returns an object containing the details of the Trusted Platform Module. We check TpmPresent and TpmReady to ensure not only that the chip exists, but that it has been properly activated at the OS level. Because Get-Tpm does not report the specification version, the 2.0 requirement is read from the SpecVersion property of the Win32_Tpm WMI class.
Confirm-SecureBootUEFI: This cmdlet directly queries the firmware variables. If it returns True, Secure Boot is active. If the script falls into the catch block, it is highly likely that the system drive is MBR-partitioned and booting in Legacy BIOS mode (which prevents the installation of Windows 11).
Conclusion and Future Developments
This script is a great starting point for a security baseline. In Enterprise environments, these checks can be integrated into a larger PowerShell module, perhaps executed via GPO or RMM, to generate a CSV report of all machines in the corporate fleet that are ready (or not) for the new OS rollout.
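The fleet-report variant described above, as an added example rather than the post's own script: the checks are wrapped in a function that returns an object instead of colored text, run on a list of hosts over WinRM, and exported to CSV. The function name, the constructed computer names and the output path are assumptions; the hosts are assumed to have PowerShell remoting enabled and the caller to be a local Administrator on each.

```powershell
function Test-Win11Readiness {
    # Same signals as the interactive script, collected as an exportable object
    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        TpmPresent        = $false
        TpmReady          = $false
        TpmSpecVersion    = $null
        BootMode          = 'Unknown'
        SecureBootEnabled = $false
        Ready             = $false
        Error             = $null
    }
    try {
        $tpm = Get-Tpm
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
        # SpecVersion comes from the Win32_Tpm WMI class, e.g. "2.0, 0, 1.38"
        $wmiTpm = Get-CimInstance -Namespace root/cimv2/security/microsofttpm -ClassName Win32_Tpm -ErrorAction Stop
        $result.TpmSpecVersion = $wmiTpm.SpecVersion
    } catch {
        $result.Error = "TPM: $($_.Exception.Message)"
    }
    try {
        $result.SecureBootEnabled = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
        $result.BootMode = 'UEFI'
    } catch [System.PlatformNotSupportedException] {
        # Raised when the machine boots in Legacy BIOS mode (no UEFI variables to query)
        $result.BootMode = 'LegacyBIOS'
    } catch {
        $result.Error = "SecureBoot: $($_.Exception.Message)"
    }
    # All four blocking requirements must hold for the host to be upgrade-ready
    $result.Ready = $result.TpmPresent -and $result.TpmReady -and ($result.TpmSpecVersion -like '2.0*') -and $result.SecureBootEnabled
    [pscustomobject]$result
}

# Constructed host list for illustration; replace with an AD or RMM inventory query
$computers = 'PC-001', 'PC-002'
$report = Invoke-Command -ComputerName $computers -ScriptBlock ${function:Test-Win11Readiness} -ErrorAction SilentlyContinue

$report |
    Select-Object ComputerName, TpmPresent, TpmReady, TpmSpecVersion, BootMode, SecureBootEnabled, Ready, Error |
    Export-Csv -Path .\Win11Readiness.csv -NoTypeInformation

# Hosts that did not answer at all are missing from $report; list them so they are not mistaken for "ready"
$computers | Where-Object { $_ -notin $report.ComputerName } | ForEach-Object { "No response from $_" }
```

Hosts that are unreachable over WinRM never appear in the CSV, which is why the last line reports them separately.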
You can find this and other automation scripts on my GitHub.