Windows 11 in addition the demand for a TPM 2.0 device is also dependant on the secure boot feature in the UEFI BIOS. Secure boot is separate from the TPM in the BIOS. Secure boot is simply a mechanism to load windows securely so that signed components are loaded to prevent malware from entering.
Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system.
Before the PC is deployed, the OEM stores the Secure Boot databases on the PC. This includes the signature database (db), revoked signatures database (dbx), and Key Enrollment Key database (KEK). These databases are stored on the firmware nonvolatile RAM (NV-RAM) at manufacturing time.
The screenshot shows that the secure boot mode is custom, there is also an option for standard if desired.
Some malware attempts to attack older machines but secure boot is able to block the ransomware from attacking.
Typically with the B350, X470 and X570 the secure boot in the BIOS has a feature to install the default keys. These are not necessary as Windows itself will populate the UEFI as needed. BIOS updates will reset the secure boot and TPM etc but Windows 11 is able to handle this situation. BIOS updates are important and Windows 11 is designed to handle it.