TPM on 26.04 Testing

I have installed 26.04beta on my brand new ASUS NUC (model:NUC13ANK) with the latest BIOS update, which supports TPM2 (according to the ASUS website [https://www.asus.com/supportonly/nuc13anki7/helpdesk_manual]), and ensured TPM is enabled.

As per the form, I installed this snap, ran the code as directed, and reported the error. No problems.

Additionally - During the 26.04b install I could not enable TPM FDE and got the error
“Use hardware-backed encryption
not encrypting device storage as checking TPM gave:
error with secure boot policy (PCR7) measurements:
generating secure boot profiles for systems with timestamp revocation (dbt) support is currently not supported”.
(I also tried 25.10 and got the same error)

I logged a case with ASUS support and they kindly gave me this response.

On the NUC13ANK, the hardware-backed full disk encryption option is greyed out because Ubuntu’s TPM-backed FDE is very strict and experimental. The option is disabled if any requirement is not met. The most common causes are:
- TPM/PTT not enabled or not cleared in BIOS.
- Secure Boot not in Standard mode (must have factory/default keys loaded; not Custom/Setup mode).
- Third-party drivers selected during install (TPM-FDE requires the generic kernel only).
- Firmware/security features interfering (e.g. Intel TXT/BootGuard-related restrictions).
- Disk/controller issues (drive not fully wiped, or storage set to Intel RST/RAID instead of AHCI).
- Unsupported installer/version (feature only exists in newer Ubuntu releases and may still be limited by firmware).

What usually fixes it
- Enable TPM/PTT, then clear/reset TPM.
- Set Secure Boot = Enabled, Standard, restore default keys.
- Install offline, do not select third-party software/drivers.
- Completely wipe the SSD before installing.
- Ensure UEFI + AHCI mode and update the NUC BIOS.

If it still remains greyed out, the platform/firmware combo likely isn’t supported yet—use standard LUKS encryption instead

I have tried the fixes suggested by the ASUS support team (except “Ensure UEFI + AHCI mode and update the NUC BIOS” as this is not an option in my BIOS, and my BIOS is already on the latest)

I am quite happy to use my system for testing any and all things to get 26.04LTS working with TPM on my system. This is not a Prod system (yet), so until this is supported I will dedicate some time to help the devs get this working.

If my offer is of use, please let me know and I will do what I can.

1 Like

Hi and welcome to Ubuntu Discourse :slight_smile:

Since 26.04 is still in development your post was moved to Pre-Release Discussion which is the better place for it.

Appreciate the efforts to assist the community with testing and reporting results :slight_smile:

1 Like

Thanks Mate
I appreciate your commitment to making sense of all of this :smile:

QEMU/KVM testing is probably not that useful, but I maybe found a bug in the installer when trying to enable TPM-FDE.

The installer gives a warning that “Hardware-backed encryption could not be enabled”, but you can still click continue/next to proceed with the installation. But eventually the install fails anyway.

I’m also curious why I get this “SYS_PREP_APPLICATIONS_PRESENT” warning. The VM has secure-boot enabled and emulated TPM 2.0

I tried installing build 20260108 to test TPM again. Just a reminder that this is a bare metal install on my ASUS NUC (model:NUC13ANK) with the latest BIOS (39), which supports TPM2. The BIOS has defaults set, TPM is enabled, and the 2TB HDD is blank. I created the Ubuntu 20260108 install USB from a restored ISO using “Disks” on a 24.04.3 system.

Interestingly - this time - the install allowed me to select the TPM install (the 20251219 build I last tried stopped at this point), whilst giving the error…

Use hardware-backed encryption
not encrypting device storage as checking TPM gave:
error with secure boot policy (PCR7) measurements:
secure boot should be enabled in order to generate secure boot profiles

On the next screen (which I forgot to capture) I got a similar message - and that screen didn’t allow me to proceed.

I am keen to help resolve this issue, but all I can do is test, not develop a fix. As already mentioned, I am very happy to commit some time to help clear this up for the release of 26.04.

If anyone from the community has any ideas, recommendations, or fixes, please let me know.

For completeness, here are the screenshots from my BIOS settings, and my install. I am still trying to install 26.04LTS build dated 2026-01-05, as that is the latest available version I can find. I was prompted to download an updated installer, which I did, and then used.

If you see anything you want me to change and try, please let me know.

The errors I get are

Use hardware-backed encryption
not encrypting device storage as checking TPM gave:
error with secure boot policy (PCR7) measurements:
secure boot should be enabled in order to generate secure boot profiles

… and then on the next screen, I get this message. At this stage, I cannot proceed further with the TPM install, and have to back out and do a standard install - with or without FDE.

Hardware-backed encryption could not be enabled

Invalid SecureBoot Mode

Try the solutions below, contact IT support, or choose a different encryption method.

Solution 1: Enable secure boot manually

Description for

CoreBootFixAction: REBOOT_TO_FW_SETTINGS

Restart

Technical details

INVALID_SECURE_BOOT_MODE

error with secure boot policy (PCR7) measurements: secure boot should be enabled in order to generate secure boot profiles

I’ve tried installing Ubuntu on a Lenovo T14 Gen 3 and got the error

Device Security Report

Report details
Date generated: 2026-01-30 13:03:18
fwupd version: 2.0.18

System details
Hardware model: LENOVO 21AJS5TT01
Processor: 12th Gen Intel(R) Core™ i5-1250P
OS: Ubuntu Resolute Raccoon (development branch)
Security level: HSI:3! (v2.0.18)

HSI-1 Tests
UEFI Platform Key: Pass (Valid)
Firmware BIOS Region: Pass (Locked)
UEFI Bootservice Variables: Pass (Locked)
MEI Key Manifest: Pass (Valid)
Intel Management Engine Version: Pass (Valid)
TPM v2.0: Pass (Found)
Firmware Write Protection Lock: Pass (Enabled)
Platform Debugging: Pass (Not Enabled)
UEFI Secure Boot: Pass (Enabled)
Intel Management Engine Manufacturing Mode: Pass (Locked)
BIOS Firmware Updates: Pass (Enabled)
Firmware Write Protection: Pass (Not Enabled)
TPM Platform Configuration: Pass (Valid)
Intel Management Engine Override: Pass (Locked)

HSI-2 Tests
Platform Debugging: Pass (Locked)
Intel BootGuard ACM Protected: Pass (Valid)
IOMMU Protection: Pass (Enabled)
Intel BootGuard Fuse: Pass (Valid)
BIOS Rollback Protection: Pass (Enabled)
Intel BootGuard Verified Boot: Pass (Valid)
TPM Reconstruction: Pass (Valid)
Intel BootGuard: Pass (Enabled)

HSI-3 Tests
Intel BootGuard Error Policy: Pass (Valid)
Pre-boot DMA Protection: Pass (Enabled)
Suspend To RAM: Pass (Not Enabled)
Control-flow Enforcement Technology: Pass (Supported)
Suspend To Idle: Pass (Enabled)

HSI-4 Tests
Encrypted RAM: ! Fail (Not Enabled)
Supervisor Mode Access Prevention: Pass (Enabled)

Runtime Tests
Linux Swap: Pass (Not Enabled)
UEFI db: Pass (Valid)
Firmware Updater Verification: Pass (Not Tainted)
Control-flow Enforcement Technology: Pass (Supported)
Linux Kernel Verification: ! Fail (Tainted)
Linux Kernel Lockdown: Pass (Enabled)

Host security events

For information on the contents of this report, see https://fwupd.github.io/hsi.html

1 Like

I tried again today on my ASUS NUC (model:NUC13ANK), trying to install Ubuntu 26.04 build 2026-02-03. Same failure. Screens attached. Once again it defaulted to no encryption, but allowed me to manually select TPM.

The errors I get are

Use hardware-backed encryption
not encrypting device storage as checking TPM gave:
error with secure boot policy (PCR7) measurements:
secure boot should be enabled in order to generate secure boot profiles

… and then on the next screen, I get this message. At this stage, I cannot proceed further with the TPM install, and have to back out and do a standard install - with or without FDE.

Hardware-backed encryption could not be enabled

Invalid SecureBoot Mode

Try the solutions below, contact IT support, or choose a different encryption method.

Solution 1: Enable secure boot manually

Description for

CoreBootFixAction: REBOOT_TO_FW_SETTINGS

Restart

Technical details

INVALID_SECURE_BOOT_MODE

error with secure boot policy (PCR7) measurements: secure boot should be enabled in order to generate secure boot profiles

I have also logged this with ASUS support. At their request I have sent them a video of the BIOS settings and Ubuntu install (to failure). Their response was

Please be advised that your inquiry has been passed to the relevant team for further review. We’ll keep you updated.

Thanks for testing with a recent daily build ISO, this one should have everything that you need.

That will be an interesting use case. Indeed, we detect that your system doesn’t have secure boot enabled.

Do you mind copying here too the firmware settings to see what they are?

This is a nice candidate to file up the form here, so that we can collect data: https://docs.google.com/forms/d/1HUVGRniyioJ6DPE3pbWCbhIGROQhkmkcbR_NKsni28A/edit
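Since the installer's INVALID_SECURE_BOOT_MODE and PCR_UNUSABLE messages both come down to what the firmware exposes as UEFI variables, here is an added example (not from this thread, and not Canonical's installer or secboot code) that reads those variables straight from efivarfs and reports the same three facts the messages above refer to: whether Secure Boot is enforcing, whether the firmware is still in Setup Mode (no Platform Key), and whether a `dbt` timestamp revocation list exists. The GUIDs are the standard EFI_GLOBAL_VARIABLE and EFI_IMAGE_SECURITY_DATABASE ones; the variable-name-to-finding mapping and the interpretation of a present `dbt` as the "timestamp revocation (dbt) support" case are this example's assumptions. Run it as root on the machine under test (or from the live installer session) before filling in the form.

```python
"""Check the UEFI Secure Boot variables behind the installer's PCR7 messages.

Added example, not part of the thread or of Ubuntu's installer. It reads the
efivarfs files any Linux kernel exposes under /sys/firmware/efi/efivars; each
file is a 4-byte attribute word followed by the variable payload.
"""
import os
from typing import Dict, List, Optional

EFIVARS = "/sys/firmware/efi/efivars"
# Standard UEFI GUIDs: EFI_GLOBAL_VARIABLE (SecureBoot, SetupMode, PK) and
# EFI_IMAGE_SECURITY_DATABASE_GUID (db, dbx, dbt).
GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
IMAGE_SECURITY_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
VARIABLES = {
    "SecureBoot": GLOBAL_GUID, "SetupMode": GLOBAL_GUID, "PK": GLOBAL_GUID,
    "db": IMAGE_SECURITY_GUID, "dbx": IMAGE_SECURITY_GUID, "dbt": IMAGE_SECURITY_GUID,
}


def read_efivars(root: str = EFIVARS) -> Dict[str, Optional[bytes]]:
    """Read each variable's raw efivarfs file; None when the variable is absent."""
    found: Dict[str, Optional[bytes]] = {}
    for name, guid in VARIABLES.items():
        try:
            with open(os.path.join(root, f"{name}-{guid}"), "rb") as fh:
                found[name] = fh.read()
        except (FileNotFoundError, PermissionError):
            found[name] = None
    return found


def payload(raw: Optional[bytes]) -> Optional[bytes]:
    """Drop the 4-byte little-endian attribute word that efivarfs prepends."""
    if raw is None or len(raw) < 4:
        return None
    return raw[4:]


def assess(vars_: Dict[str, Optional[bytes]]) -> Dict[str, object]:
    """Turn the raw variables into the facts the TPM-FDE check depends on.

    The mapping from variables to findings is this example's assumption; it
    mirrors the wording of the installer messages quoted in the thread.
    """
    sb = payload(vars_.get("SecureBoot"))
    setup = payload(vars_.get("SetupMode"))
    findings: List[str] = []
    result: Dict[str, object] = {
        "secure_boot": bool(sb) and sb[0] == 1,       # 1 = firmware enforcing Secure Boot
        "setup_mode": bool(setup) and setup[0] == 1,  # 1 = no PK, key databases editable
        "pk_enrolled": bool(payload(vars_.get("PK"))),
        "dbt_present": vars_.get("dbt") is not None,  # timestamp revocation list exists
        "findings": findings,
    }
    if not result["secure_boot"]:
        findings.append("SecureBoot is 0 or absent: firmware is not enforcing Secure Boot, "
                        "which is what INVALID_SECURE_BOOT_MODE reports")
    if result["setup_mode"] or not result["pk_enrolled"]:
        findings.append("SetupMode set or no PK enrolled: restore the factory keys "
                        "(Standard mode) so the firmware leaves setup mode")
    if result["dbt_present"]:
        findings.append("dbt (timestamp revocation list) exists: this is the PCR_UNUSABLE "
                        "'timestamp revocation (dbt) support' case")
    return result


if __name__ == "__main__":
    state = assess(read_efivars())
    for key in ("secure_boot", "setup_mode", "pk_enrolled", "dbt_present"):
        print(f"{key}: {state[key]}")
    for line in state["findings"] or ["no Secure Boot problem visible in efivars"]:
        print("-", line)
```

On a machine that is not booted via UEFI the efivars directory is missing, every variable reads as absent, and the script reports Secure Boot as not enforcing, which is the correct conclusion for that case too.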

Is there any hope that by the release of 26.04, when installing TPM FDE mode, the latest Linux kernel will be available, and not 6.8?

After bios update I get new output:

$ sudo test-ubuntu-tpmfde-compat /var/lib/snapd/hostfs/boot/efi/EFI/ubuntu/shimx64.efi /var/lib/snapd/hostfs/boot/efi/EFI/ubuntu/grubx64.efi /var/lib/snapd/hostfs/boot/vmlinuz
[sudo: authenticate] Password: 
Testing this platform for compatibility with EFI based TPM protected FDE

EFI based TPM protected FDE test support results:
- Best PCR algorithm: TPM_ALG_SHA256
- Secure boot CAs used for verification:
  1: subject=CN=Microsoft Corporation UEFI CA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US, SKID=0x13adbf4309bd82709c8cd54f316ed522988a1bd4, pubkeyAlg=RSA, issuer=CN=Microsoft Corporation Third Party Marketplace Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US, AKID=0x45665243e17e5811bfd64e9e2355083b3a226aa8, sigAlg=SHA256-RSA
- Flags: no-platform-config-profile-support,no-drivers-and-apps-config-profile-support,no-boot-manager-config-profile-support
- Warnings:
  - error with platform config (PCR1) measurements: generating profiles for PCR 1 is not supported yet, see https://github.com/canonical/secboot/issues/322
  - error with drivers and apps config (PCR3) measurements: generating profiles for PCR 3 is not supported yet, see https://github.com/canonical/secboot/issues/341
  - error with boot manager config (PCR5) measurements: generating profiles for PCR 5 is not supported yet, see https://github.com/canonical/secboot/issues/323


Selected TCG PCRs: [0x00000002 0x00000004 0x00000007]
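Reading reports like the one above by eye gets tedious once several people post them, so here is an added example (not from this thread or from the test-ubuntu-tpmfde-compat snap) that parses that free-text output into structured fields and classifies it. The sample input is the report posted above plus a constructed second sample that wraps the PCR7 "timestamp revocation (dbt)" failure quoted elsewhere in the thread in the same shape (assumption: the tool would print it under "Warnings:"). The classification rule, treating any PCR 7 warning as blocking and PCR 1/3/5 warnings as a reduced but usable profile, is this example's own reading of the thread, where every failed install carried a PCR7 message while the PCR 1/3/5 warnings above still ended with PCRs 2, 4 and 7 being selected.

```python
"""Parse and classify test-ubuntu-tpmfde-compat output (added example, not the tool's code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample 1: the report posted in this thread (PCR 1/3/5 warnings only).
SAMPLE = """Testing this platform for compatibility with EFI based TPM protected FDE

EFI based TPM protected FDE test support results:
- Best PCR algorithm: TPM_ALG_SHA256
- Secure boot CAs used for verification:
  1: subject=CN=Microsoft Corporation UEFI CA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US, SKID=0x13adbf4309bd82709c8cd54f316ed522988a1bd4, pubkeyAlg=RSA, issuer=CN=Microsoft Corporation Third Party Marketplace Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US, AKID=0x45665243e17e5811bfd64e9e2355083b3a226aa8, sigAlg=SHA256-RSA
- Flags: no-platform-config-profile-support,no-drivers-and-apps-config-profile-support,no-boot-manager-config-profile-support
- Warnings:
  - error with platform config (PCR1) measurements: generating profiles for PCR 1 is not supported yet, see https://github.com/canonical/secboot/issues/322
  - error with drivers and apps config (PCR3) measurements: generating profiles for PCR 3 is not supported yet, see https://github.com/canonical/secboot/issues/341
  - error with boot manager config (PCR5) measurements: generating profiles for PCR 5 is not supported yet, see https://github.com/canonical/secboot/issues/323


Selected TCG PCRs: [0x00000002 0x00000004 0x00000007]
"""

# Constructed sample 2: the PCR7 dbt failure from the thread, in the same report shape
# (assumption: the tool lists it under "Warnings:" and selects no PCRs).
SAMPLE_DBT = """EFI based TPM protected FDE test support results:
- Best PCR algorithm: TPM_ALG_SHA256
- Warnings:
  - error with secure boot policy (PCR7) measurements: generating secure boot profiles for systems with timestamp revocation (dbt) support is currently not supported

Selected TCG PCRs: []
"""

PCR_RE = re.compile(r"\(PCR\s*(\d+)\)")


@dataclass
class CompatReport:
    pcr_algorithm: Optional[str] = None
    ca_subjects: List[str] = field(default_factory=list)
    flags: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)
    selected_pcrs: List[int] = field(default_factory=list)


def parse_report(text: str) -> CompatReport:
    """Walk the report line by line, tracking which multi-line section we are in."""
    rep = CompatReport()
    section: Optional[str] = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("- Best PCR algorithm:"):
            rep.pcr_algorithm = s.split(":", 1)[1].strip()
            section = None
        elif s.startswith("- Secure boot CAs"):
            section = "cas"
        elif s.startswith("- Flags:"):
            rep.flags = [f for f in s.split(":", 1)[1].strip().split(",") if f]
            section = None
        elif s.startswith("- Warnings:"):
            section = "warnings"
        elif s.startswith("Selected TCG PCRs:"):
            rep.selected_pcrs = [int(x, 16) for x in re.findall(r"0x[0-9a-fA-F]+", s)]
            section = None
        elif section == "cas" and re.match(r"\d+:\s*subject=", s):
            m = re.search(r"subject=(.*?),\s*SKID=", s)  # keep only the subject DN
            rep.ca_subjects.append(m.group(1) if m else s)
        elif section == "warnings" and s.startswith("- "):
            rep.warnings.append(s[2:].strip())
    return rep


def pcr_from_warning(warning: str) -> Optional[int]:
    """Extract the PCR index a warning refers to, e.g. '(PCR7)' -> 7."""
    m = PCR_RE.search(warning)
    return int(m.group(1)) if m else None


def blocking_warnings(rep: CompatReport) -> List[str]:
    """Warnings about PCR 7 (secure boot policy); assumed to block the installer."""
    return [w for w in rep.warnings if pcr_from_warning(w) == 7]


def verdict(rep: CompatReport) -> str:
    if blocking_warnings(rep):
        return "blocked"
    if rep.warnings:
        return "usable-with-reduced-profile"
    return "ok"


if __name__ == "__main__":
    for name, text in (("thread report", SAMPLE), ("dbt report", SAMPLE_DBT)):
        r = parse_report(text)
        print(f"{name}: alg={r.pcr_algorithm} pcrs={r.selected_pcrs} "
              f"warnings on PCRs {[pcr_from_warning(w) for w in r.warnings]} -> {verdict(r)}")
```

To use it on a real machine, pipe the tool's output into `parse_report` instead of `SAMPLE`; the Warnings section is the only part that changes between the reports people have posted, so `pcr_from_warning` is usually all you need to compare two systems.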

I have uploaded my firmware settings earlier in this thread. As at today 11-Feb-2026, I have another update and recommendation from ASUS to try, so I will document and test that and report back.

I noticed another old known issue:
In TPM FDE mode on Ubuntu 26.04 Snapshot 3, if you install MS Edge or Google Chrome, after every OS reboot, you must manually unlock the Keychain by entering the user account password.

Please forgive me if it is the wrong place to report the Steam issue, but maybe the cause of the issue is not Steam itself, but Gnome 50 Beta compatibility?
I tested some games, tried Steam Stable and beta, and also tried Proton experimental.
In all tests and games, I have the same issue:
In full-screen mode, Proton can’t hide the Ubuntu Dock and top panel.

So, latest update.

  • I downloaded the 2026-02-08 build and reimaged my boot disk.
  • I followed the suggestions from ASUS support.
Enabling Hardware-Backed Encryption on NUC13 (Ubuntu)

1. Required BIOS settings
- TPM/PTT: Enabled and cleared/reset
- Secure Boot: Enabled → Standard mode with factory keys
- Boot mode: UEFI only (automatic when Secure Boot is enabled)
- Storage mode: AHCI (disable RAID/VMD if present)

2. On this NUC model, UEFI and AHCI are often fixed defaults, so they may not appear as selectable options in BIOS. Current firmware already enforces these modes; no confirmed future BIOS update is planned to expose extra toggles, but we will feed this back to our developers for consideration.

3. If the installer still fails:
- Restore Secure Boot factory keys
- Clear TPM again
- Wipe disk completely before install
- Try latest Ubuntu installer image
- Install with standard LUKS encryption instead (fallback method)

Key point: If all required settings are correct and it still fails, it is usually an Ubuntu installer compatibility limitation—not a hardware or BIOS fault.
  • I started to install build 26.04 (2026-02-08) and selected “Use hardware-backed encryption”.
  • On the following screen I got the error.

Hardware-backed encryption could not be enabled

This is an issue with this computer’s firmware.

Contact IT Support, or choose a different encryption method.

Technical details

PCR_UNUSABLE

error with secure boot policy (PCR7) measurements: generating secure boot profiles for systems with timestamp revocation (dbt) support is currently not supported

So - not fixed yet. I did successfully install this edition with LUKS. So that’s not a problem.

I am disappointed to see that ASUS support are getting ready to blame the Ubuntu installer, rather than accept they need to fix anything.

I have the same issue PCR_UNUSABLE on a Lenovo LOQ 15IAX9E. The computer came with Windows and BitLocker and my idea is to clear everything and just leave Linux. So I had four options given by the installer: clear TPM, reboot and clear, etc., and manually clear TPM directly in firmware. The first three that were automatic did not work. For the last one, I entered SETUP and manually cleared the Intel PTT.
Now, PCR_UNUSABLE appears in the installer. If I try to log in to Windows again, it begins to load and goes to the installer screen, which I don’t proceed with since I don’t want Windows… then I come back, and the four options appear again. When I try to reboot and clear again, now the error is different, it is: INVALID_ARGUMENT, something like “supplied TPM lockout hierarchy authorization value is inconsistent with the value of the TPM_PT_PERMANENT lockoutAuthSet attribute”.

I tried to collect some data:

ubuntu@ubuntu:~$ sudo apt install msr-tools
Installing:                     
  msr-tools

Summary:
  Upgrading: 0, Installing: 1, Removing: 0, Not Upgrading: 0
  Download size: 9998 B
  Space needed: 49.2 kB / 7898 MB available

Get:1 http://archive.ubuntu.com/ubuntu resolute/main amd64 msr-tools amd64 1.3+git20220805.7d78c80-1 [9998 B]
Fetched 9998 B in 1s (15.1 kB/s)    
Selecting previously unselected package msr-tools.
(Reading database ... 198513 files and directories currently installed.)
Preparing to unpack .../msr-tools_1.3+git20220805.7d78c80-1_amd64.deb ...
Unpacking msr-tools (1.3+git20220805.7d78c80-1) ...
Setting up msr-tools (1.3+git20220805.7d78c80-1) ...
Processing triggers for man-db (2.13.1-1) ...
ubuntu@ubuntu:~$ sudo modprobe msr
ubuntu@ubuntu:~$ sudo rdmsr -0 0x13a
000000130000007f

Then

ubuntu@ubuntu:~$ sudo tpm2_getcap properties-fixed
TPM2_PT_FAMILY_INDICATOR:
  raw: 0x322E3000
  value: "2.0"
TPM2_PT_LEVEL:
  raw: 0
TPM2_PT_REVISION:
  raw: 0x8A
  value: 1.38
TPM2_PT_DAY_OF_YEAR:
  raw: 0x160
TPM2_PT_YEAR:
  raw: 0x7E3
TPM2_PT_MANUFACTURER:
  raw: 0x494E5443
  value: "INTC"
TPM2_PT_VENDOR_STRING_1:
  raw: 0x41444C00
  value: "ADL"
TPM2_PT_VENDOR_STRING_2:
  raw: 0x0
  value: ""
TPM2_PT_VENDOR_STRING_3:
  raw: 0x0
  value: ""
TPM2_PT_VENDOR_STRING_4:
  raw: 0x0
  value: ""
TPM2_PT_VENDOR_TPM_TYPE:
  raw: 0x0
TPM2_PT_FIRMWARE_VERSION_1:
  raw: 0x2580012
TPM2_PT_FIRMWARE_VERSION_2:
  raw: 0x1E08CF
TPM2_PT_INPUT_BUFFER:
  raw: 0x400
TPM2_PT_HR_TRANSIENT_MIN:
  raw: 0x3
TPM2_PT_HR_PERSISTENT_MIN:
  raw: 0x7
TPM2_PT_HR_LOADED_MIN:
  raw: 0x3
TPM2_PT_ACTIVE_SESSIONS_MAX:
  raw: 0x40
TPM2_PT_PCR_COUNT:
  raw: 0x18
TPM2_PT_PCR_SELECT_MIN:
  raw: 0x3
TPM2_PT_CONTEXT_GAP_MAX:
  raw: 0xFFFF
TPM2_PT_NV_COUNTERS_MAX:
  raw: 0x80
TPM2_PT_NV_INDEX_MAX:
  raw: 0x800
TPM2_PT_MEMORY:
  raw: 0x6
TPM2_PT_CLOCK_UPDATE:
  raw: 0x400000
TPM2_PT_CONTEXT_HASH:
  raw: 0xC
TPM2_PT_CONTEXT_SYM:
  raw: 0x6
TPM2_PT_CONTEXT_SYM_SIZE:
  raw: 0x100
TPM2_PT_ORDERLY_COUNT:
  raw: 0xFF
TPM2_PT_MAX_COMMAND_SIZE:
  raw: 0xF80
TPM2_PT_MAX_RESPONSE_SIZE:
  raw: 0xF80
TPM2_PT_MAX_DIGEST:
  raw: 0x30
TPM2_PT_MAX_OBJECT_CONTEXT:
  raw: 0x6CC
TPM2_PT_MAX_SESSION_CONTEXT:
  raw: 0x148
TPM2_PT_PS_FAMILY_INDICATOR:
  raw: 0x1
TPM2_PT_PS_LEVEL:
  raw: 0x0
TPM2_PT_PS_REVISION:
  raw: 0x104
TPM2_PT_PS_DAY_OF_YEAR:
  raw: 0x0
TPM2_PT_PS_YEAR:
  raw: 0x0
TPM2_PT_SPLIT_MAX:
  raw: 0x80
TPM2_PT_TOTAL_COMMANDS:
  raw: 0x65
TPM2_PT_LIBRARY_COMMANDS:
  raw: 0x65
TPM2_PT_VENDOR_COMMANDS:
  raw: 0x0
TPM2_PT_NV_BUFFER_MAX:
  raw: 0x800
TPM2_PT_MODES:
  raw: 0x0

Finally:

ubuntu@ubuntu:~$ sudo fwupdmgr get-devices --show-all-devices | grep -i tpm
Idle…: 0%
├─TPM:
│     Vendor:             Intel (TPM:INTC)
│     GUIDs:              34801700-3a50-5b05-820c-fe14580e4c2d ← TPM\VEN_INTC&DEV_0000
│                         93532b61-86ce-57cf-8a31-f5a5553966c7 ← TPM\VEN_INTC&MOD_ADL
│                         03f304f4-223e-54f4-b2c1-c3cf3b5817c6 ← TPM\VEN_INTC&DEV_0000&VER_2.0
│                         12e61a33-eef7-58d6-855d-ece38114294d ← TPM\VEN_INTC&MOD_ADL&VER_2.0

So, the computer seems to support TPM 2.0, and it has standard mode on SecureBoot, all UEFI/BIOS options seem compatible, but I don’t know how to make it work.

Same problem here with an ASUS ROG and today’s build. I have tried to delete the timestamp keys but it doesn’t help.

I’m facing a similar problem on 26.04 when trying to enable TPM FDE. I’ve been working with the motherboard manufacturer ASRock Industrial to get the BIOS to configure all the necessary security needed for this feature to be enabled, but I’m not sure the latest problem is on them. The error is

PCR_UNUSABLE: error with secure boot policy (PCR7) measurements: generating secure boot profiles for systems with timestamp revocation (dbt) support is currently not supported

I see others are also seeing this, do you suggest I talk to the motherboard manufacturer, or do we think this is a bug with 26.04? Thank you.