One of the foreseen consequences is that some systems which previously reported as compatible with TPM/FDE in Ubuntu releases are not anymore with this new release. However, with some simple mitigations or by directing user actions, we can help them ensure that the TPM system state is set in more favorable conditions to become compatible with the TPM-backed FDE Ubuntu integration.
And this is exactly where you can contribute very easily: even if you don’t intend to set up TPM/FDE right away on your system, you can install a snap and run a command line tool to report our detection results. We are collecting all those variations in a survey form to help inform us what to tackle next, and how many people can and can’t install TPM/FDE on their systems right now. This binary will not make any modifications to your current installation, so this is an easy and quick way to contribute and ensure that we have an even more awesome TPM-backed FDE release on Ubuntu 26.04 LTS!
We are interested in both positive and negative reports; you can fill in multiple hardware configurations you own.
So, don’t miss it! Head over to the survey form to get detailed instructions!
I ran the test on my two Kubuntu 25.04 machines, both with AMD CPUs. Not supported in either case. I reported both results.
I was pondering re-installing to 25.10 to benefit from TPM2-backed FDE, but now I know it won’t work. I guess I’ll just upgrade to 25.10, it certainly will be less work for me.
Thanks for the efforts.
I already set up TPM2-backed FDE on both machines using clevis, but I’m forced to reset the TPM setup on every kernel update. I have a similar TPM-backed FDE problem on a USFF Lenovo ThinkCentre (8th gen Intel) I’m using as a home server with openSUSE MicroOS, so that’s not only Ubuntu.
Hi. I filled out the form, but the command output was simply “not supported”:…
error with system security: unsupported platform:
checking host security is not yet implemented for AMD
So I added more logs and outputs, because my HP ZBook Ultra G1a laptop supports TPM 2.0 and TPM-backed FDE already was working in 24.04.3 LTS.
Can we expect it to work again in Ubuntu 26.04 LTS also for AMD?
I reset my laptop’s security settings and cleared the TPM, enabled MS UEFI CA Key, and installed Ubuntu 25.10 in EFI mode. Secure Boot is enabled by default.
I installed the OS with default settings.
Unfortunately, I can’t gather information:
At our company, 80% of the laptops are HP EliteBooks, with annual updates of the latest models, and all of these models are certified for Ubuntu.
Currently, I only have models with Intel processors on hand for testing, but those same laptop models with AMD processors will be available soon. Please help me gather information.
TPM unlock support in Ubuntu 26.04 will be key to getting approval from management for the purchase of Ubuntu Pro and Managed Landscape.
We need the ability to automatically unlock an encrypted device after a reboot (this is very important for remote devices) and save the Encryption Recovery Key in Landscape, similar to how it’s implemented with BitLocker keys saved in Intune.
I apologize in advance for the incorrect pronunciation of terminology. I recently switched from Windows to Linux and want to switch Ubuntu management from Intune to Landscape, as Intune doesn’t provide the required functionality.
P.S. The current test device is an HP EliteBook 8 G1i 16 inch Notebook AI PC
BIOS/UEFI firmware version - 01.02.05 Rev.A Dec 11, 2025
CPU - Intel Core Ultra 7 265H
RAM - 32 GB
SSD - 512 GB
VGA (embedded) - Intel Arc 140T GPU
We have identical older models like:
HP EliteBook 8 G1i 14 inch Notebook AI PC
HP EliteBook 8 G1a 14 inch Notebook AI PC
HP EliteBook 8 G1a 16 inch Notebook AI PC
HP EliteBook 860/840 G11/G10/G9
HP EliteBook 850/840 G8/G7/G6/G5
Also we will have some Dell and Lenovo Ubuntu certified Enterprise models.
Have 25.10 on a new HP with Ryzen AI 7 and disabled TPM/SB, using passphrase full disk encryption. Hopeful that the TPM can be integrated with tools for limiting fingerprinting.
On the HP EliteBook series, there is no way to disable the Absolute via firmware settings.
It is enabled by default on Dell (but it is possible to disable it there).
I think the only solution here is to start supporting Absolute, since there is no way to disable it on HP corporate laptops of the last 5 years (EliteBook, ProBook, and ZBook).
Based on my research, the only way to disable the Absolute module, which is useless for our company, is to install a Windows 11 OS in order to disable the Absolute module via PowerShell commands or HP management tools.
Is it possible to have a similar tool in the Ubuntu installer?
After disabling Absolute via the Windows WMI PowerShell command, I successfully installed Ubuntu 26.04 Snapshot 3 in TPM-FDE mode, and even the Clear TPM via firmware option in the settings GUI worked perfectly.
But here is the problem: the way to disable Absolute on HP EliteBook, ProBook, and ZBook is hard and not always acceptable.
We need a live Windows or Windows PE to use WMI commands in PowerShell.
In old models like the HP EliteBook 860 G11 and older, we can use the “Disable” command.
But in the newer HP EliteBook 8 G1i 16 inch Notebook AI PC, there is only one option: “Permanent Disable”. And it is unacceptable, since “Permanent Disable” is irreversible; to re-enable Absolute, we would have to replace the motherboard at a service center.
Since all the mentioned HP corporate laptop models are Ubuntu certified, maybe Canonical can ask HP to add the Disable Absolute option in the UEFI firmware settings, like Dell and Lenovo do?
Guys, what you’re doing is incredibly cool. As a major customer, we’ll try to contact HP and ask for help with the Absolute issue.
I have an HP EliteBook 8 G1a 14 inch Notebook AI PC with an AMD processor on hand, and I’d be happy to help with data collection and testing to ensure timely support for the 26.04 release.
We did a lot of work for the 26.04 LTS development cycle on enhancing the TPM-backed FDE compatibility with more hardware, and providing remediation actions that will appear in our Ubuntu desktop installer to allow you to install it on your system. You will see those explicitly written down under the new revision of our detection tool.
We need your feedback to ensure we are covering most of the available hardware out there!
Head over to the survey form to get detailed instructions on how to report your results. For those who already took the previous survey, please ensure that you have refreshed the detection tool snap to revision 4 (`0+git.b13cecf` if you want to check the exact reference).
Thanks in advance for your participation and your help to make Ubuntu better!
Did you somehow manage to resolve the error:
“This platform is not suitable for FDE because of the following problem:
error with secure boot policy (PCR7) measurements: cannot determine if OS initial boot loader was verified by any X.509 certificate measured by any EV_EFI_VARIABLE_AUTHORITY event: cannot open image: open /boot/efi/EFI/ubuntu/shimx64.efi: no such file or directory”?
I’m getting the same message and I’m looking into how to fix it.
@didrocks This will sound like a weird question, but is there going to be any support for TPM-backed FDE in virtualized environments that have a data encryption requirement under policies? Just curious, because sometimes those TPMs are emulated and not physical passthrough.
Not sure if this was on the roadmap, but it’s a valid question for cases where a VM needs a TPM-backed encryption requirement (for those that need feature parity w/ Win11 for example for policy compliance)
It means that somehow the path to your EFI shim is different; try to locate it on your system and replace the path provided in the command line with the correct path to your EFI files.
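A small helper for the step described in that reply, added here as an example (it is not part of the reply or of the detection tool): it searches the mounted EFI System Partition for the shim binary so the correct path can be substituted into the command line. The candidate locations and the default mountpoint `/boot/efi` are assumptions.

```shell
#!/bin/sh
# Added example: locate the shim binary on the EFI System Partition (ESP).
# Assumes the ESP is already mounted (default /boot/efi) and that shim lives in
# one of the usual vendor/fallback directories; otherwise the whole ESP is searched.

# find_shim ESP_MOUNT -> prints the first shim path found, returns 1 if none exists
find_shim() {
    esp="$1"
    # well-known locations first: Ubuntu's own directory, then the removable-media fallback
    for rel in EFI/ubuntu/shimx64.efi EFI/ubuntu/shimaa64.efi \
               EFI/BOOT/BOOTX64.EFI EFI/BOOT/BOOTAA64.EFI; do
        if [ -f "$esp/$rel" ]; then
            printf '%s\n' "$esp/$rel"
            return 0
        fi
    done
    # fall back to a case-insensitive search of the whole ESP (other distro directories)
    found=$(find "$esp" -type f -iname 'shim*.efi' 2>/dev/null | head -n 1)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 0
    fi
    return 1
}

# Stand-alone use: ESP=/mnt/esp ./find_shim.sh to override the mountpoint.
esp="${ESP:-/boot/efi}"
if shim=$(find_shim "$esp"); then
    echo "shim found at: $shim (use this path in the detection tool command line)"
else
    echo "no shim binary found under $esp; check that the ESP is mounted there"
fi
```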
This is technically supported. We are running our tests in VMs too, with a virtualized TPM. Just note that all the testing so far has been done with libvirt.
If you have other requirements, I suggest booting any live system as a VM, downloading the snap, running the check and reporting the results. That will give you and us a hint whether your configuration is currently supported or whether we need to work on it!
Testing this platform for compatibility with EFI based TPM protected FDE
This platform is not suitable for FDE: error with system security: encountered an error when checking Intel BootGuard configuration: no hardware root-of-trust properly configured: the BootGuard ACM is not forced to execute - the CPU can execute arbitrary code from the legacy reset vector if BootGuard cannot be successfully loaded
Running Ubuntu 25.10 on an Asus G16 with an Ultra 9 185H. The laptop has 2 disks, one with Windows, the other with Ubuntu. I dual-boot via BIOS boot drive selection.
Is there anything I can do to get rid of the error message?