TPM on 26.04 Testing

I have installed 26.04beta on my brand new ASUS NUC (model:NUC13ANK) with the latest BIOS update, which supports TPM2 (according to the ASUS website [https://www.asus.com/supportonly/nuc13anki7/helpdesk_manual]), and ensured TPM is enabled.

As per the form, I installed this snap, ran the code as directed, and reported the error. No problems.

Additionally - During the 26.04b install I could not enable TPM FDE and got the error
“Use hardware-backed encryption
not encrypting device storage as checking TPM gave:
error with secure boot policy (PCR7) measurements:
generating secure boot profiles for systems with timestamp revocation (dbt) support is currently not supported”.
(I also tried 25.10 and got the same error)

I logged a case with ASUS support and they kindly gave me this response.

On the NUC13ANK, the hardware-backed full disk encryption option is greyed out because Ubuntu’s TPM-backed FDE is very strict and experimental. The option is disabled if any requirement is not met. The most common causes are:
- TPM/PTT not enabled or not cleared in BIOS.
- Secure Boot not in Standard mode (must have factory/default keys loaded; not Custom/Setup mode).
- Third-party drivers selected during install (TPM-FDE requires the generic kernel only).
- Firmware/security features interfering (e.g. Intel TXT/BootGuard-related restrictions).
- Disk/controller issues (drive not fully wiped, or storage set to Intel RST/RAID instead of AHCI).
- Unsupported installer/version (feature only exists in newer Ubuntu releases and may still be limited by firmware).

What usually fixes it
- Enable TPM/PTT, then clear/reset TPM.
- Set Secure Boot = Enabled, Standard, restore default keys.
- Install offline, do not select third-party software/drivers.
- Completely wipe the SSD before installing.
- Ensure UEFI + AHCI mode and update the NUC BIOS.

If it still remains greyed out, the platform/firmware combo likely isn’t supported yet—use standard LUKS encryption instead.

I have tried the fixes suggested by the ASUS support team (except “Ensure UEFI + AHCI mode and update the NUC BIOS” as this is not an option in my BIOS, and my BIOS is already on the latest).

I am quite happy to use my system for testing any and all things to get 26.04LTS working with TPM on my system. This is not a Prod system (yet), so until this is supported I will dedicate some time to help the devs get this working.

If my offer is of use, please let me know and I will do what I can.

Hi and welcome to Ubuntu Discourse :slight_smile:

Since 26.04 is still in development your post was moved to Pre-Release Discussion which is the better place for it.

Appreciate the efforts to assist the community with testing and reporting results :slight_smile:


Thanks Mate
I appreciate your commitment to making sense of all of this :smile:

QEMU/KVM testing is probably not that useful, but I maybe found a bug in the installer when trying to enable TPM-FDE.

The installer gives a warning that “Hardware-backed encryption could not be enabled”, but you can still click continue/next to proceed with the installation. But eventually the install fails anyway.

I’m also curious why I get this “SYS_PREP_APPLICATIONS_PRESENT” warning. The VM has secure-boot enabled and emulated TPM 2.0.

I tried installing build 20260108 to test TPM again. Just a reminder that this is a bare metal install on my ASUS NUC (model: NUC13ANK) with the latest BIOS (39), which supports TPM2. The BIOS has defaults set, TPM is enabled, and the 2TB HDD is blank. I created the Ubuntu 20260108 install USB from a restored ISO using “Disks” on a 24.04.3 system.

Interestingly - this time - the install allowed me to select the TPM install (the 20251219 build I last tried stopped at this point), whilst giving the error…

Use hardware-backed encryption
not encrypting device storage as checking TPM gave:
error with secure boot policy (PCR7) measurements:
secure boot should be enabled in order to generate secure boot profiles

On the next screen (which I forgot to capture) I got a similar message - and that screen didn’t allow me to proceed.

I am keen to help resolve this issue, but all I can do is test, not develop a fix. As already mentioned, I am very happy to commit some time to help clear this up for the release of 26.04.

If anyone from the community has any ideas, recommendations, or fixes, please let me know.
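
Added example, not part of any post in this thread and not Ubuntu or ASUS code: a read-only shell pre-flight check for the firmware prerequisites in the ASUS checklist and the PCR7 errors quoted above. The function names are hypothetical, and treating the presence of a `dbt` UEFI variable as related to the installer's dbt message is an assumption.

```shell
#!/bin/sh
# Added example: read-only pre-flight check for TPM-FDE prerequisites.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c   # UEFI global variable GUID
EFI_IMGSEC=d719b2cb-3d3a-4596-a3bc-dad00e67656f   # image security database GUID (db, dbx, dbt)

# efi_byte DIR NAME GUID: print the first data byte of an efivarfs variable
# (each file starts with a 4-byte attribute header), or "absent".
efi_byte() {
    f="$1/$2-$3"
    [ -r "$f" ] || { echo absent; return; }
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# fde_precheck [EFIVARS_DIR] [TPM_SYSFS_DIR]: print one finding per line and
# return 0 only when no blocker was found. Defaults are the live system paths.
fde_precheck() {
    efi="${1:-/sys/firmware/efi/efivars}"
    tpm="${2:-/sys/class/tpm/tpm0}"
    rc=0
    if [ -d "$tpm" ]; then
        ver=$(cat "$tpm/tpm_version_major" 2>/dev/null || true)
        if [ "$ver" = 2 ]; then echo "OK   TPM 2.0 device present"
        else echo "FAIL TPM version is '${ver:-unknown}', need 2"; rc=1; fi
    else
        echo "FAIL no TPM device (enable TPM/PTT in firmware)"; rc=1
    fi
    case "$(efi_byte "$efi" SecureBoot "$EFI_GLOBAL")" in
        1) echo "OK   Secure Boot enabled" ;;
        0) echo "FAIL Secure Boot disabled"; rc=1 ;;
        *) echo "FAIL SecureBoot variable unreadable (not booted via UEFI?)"; rc=1 ;;
    esac
    if [ "$(efi_byte "$efi" SetupMode "$EFI_GLOBAL")" = 1 ]; then
        echo "FAIL firmware in Setup Mode (restore default keys)"; rc=1
    else
        echo "OK   not in Setup Mode"
    fi
    if [ -e "$efi/dbt-$EFI_IMGSEC" ]; then
        # Assumption: this variable is what the installer's dbt message refers to.
        echo "WARN dbt variable present (compare the installer's dbt error)"
    else
        echo "OK   no dbt variable"
    fi
    return $rc
}

# Run against the live system only when asked: sh precheck.sh --run
if [ "${1:-}" = "--run" ]; then fde_precheck; fi
```

The output of `fde_precheck` from the installer's live session can be attached to a bug report alongside the installer's own error text.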