Trusted Platform Module (TPM) is a standard hardware component that’s included in most enterprise computers to more securely store and process cryptographic data.
You can use ChromeOS Flex on any certified device, regardless of whether it includes a supported TPM chipset. For a full list of certified devices and specific details about how to use TPM, if supported, see Certified models list.
ChromeOS Flex supports only certain TPM 1.2 and TPM 2.0 chipsets. Google continuously adds support for a wider variety of TPM chipsets on devices.
Why you might need TPM
If you want to use hardware-backed certificates, you need to install ChromeOS Flex on devices with a supported TPM chipset. Hardware-backed certificates bind to unique user or device pairings, ensuring that certificates can’t be moved to unauthorized devices or hijacked by unauthorized users.
You can use hardware-backed certificates for:
- EAP-TLS and other WPA2 Enterprise wireless authentication
- Managed or secured VPN configurations
- Any time you use Import and bind in the Manage certificates section of Chrome’s settings
Some ChromeOS Flex functionalities—such as encryption of user, device, and some system data—optionally use TPM on devices that have an active and supported TPM chipset. For devices that don’t have supported TPM hardware, features continue to function as expected, and are handled by software instead of hardware. For information about how ChromeOS Flex uses TPM, see the Chromium design documentation.
Manage TPM
Before you install ChromeOS Flex on devices, you might need to use the BIOS or UEFI settings menu to make sure that the TPM is cleared, visible, and active.
Clear and activate TPM
- Boot the device to the BIOS or UEFI settings menu. If you’re unsure which key to use, see Boot keys below.
- Find the TPM settings. You’ll find them in Security, Device Configuration, or Advanced Settings.
Note: The option name differs, depending on the OEM. For example, on HP devices, you’ll see Embedded security device.- If you do not see any TPM settings, try setting an administrator password.
- Save, exit, and try again.
- Clear the TPM so that it is no longer owned and has no data from previous use.
- Click the option to clear or reset TPM. If the option is visible but unavailable, your TPM is already clear. Go to step 4.
Note: The option name differs, depending on the OEM. For example, on HP devices, click Reset to factory defaults. - Save changes.
- Exit the BIOS or UEFI settings.
- Restart the device and boot to the BIOS or UEFI settings menu.
- Complete any on-screen prompts that you see to confirm that you want to clear the TPM.
- Click the option to clear or reset TPM. If the option is visible but unavailable, your TPM is already clear. Go to step 4.
- Turn on TPM.
- In the BIOS or UEFI settings menu, find the TPM settings. Same as step 2 above.
- Make sure the TPM settings are set to visible, active, ;or enabled.
- Check to make sure that settings that might affect TPM status are correctly configured.
- Save changes.
- Exit the BIOS or UEFI settings.
Now that you have cleared the TPM and TPM status is Active, you can proceed with installing ChromeOS Flex on the device. Be sure to check the certified models list for specific ChromeOS Flex installation notes or other BIOS tweaks.
Check TPM information—Admin console
-
Sign in to your GoogleAdminconsole.
Sign in using your administrator account (does not end in @gmail.com).
-
From the Admin console Home page, go to Menu
DevicesChromeDevices.See AlsoEnable TPM 2.0 on your PC - To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Find and click the device you want to view TPM information for.
- View whether ChromeOS Flex supports and owns the device’s TPM. If TPM owned and TPM allowlisted are set to True, ChromeOS Flex is actively using it.
DevicesCheck TPM status and state—BIOS or UEFI
TPM status lets you know whether TPM is turned on and available to other software or hardware components on the ChromeOS Flex device. The default TPM status varies, depending on OEM and deployment. TPM status is usually configured using the BIOS or UEFI settings menu and generally results in one of three conditions:
| Status | Description |
|---|---|
| Active | On, available The TPM is turned on and available for software and hardware components to use on the device. |
| Enabled | The TPM is turned on but not available for software and hardware components to use on the device. Enabled status is only available on a limited number of ChromeOS Flex devices. |
| Inactive | Off, hidden, disabled The TPM is turned off and is completely invisible to other software and hardware components on the device. Inactive status is equivalent to a device with no TPM. |
TPM state lets you know the relationship that the TPM chipset currently has to an existing device or user for its cryptographic functions. If a supported TPM chipset is available, the ChromeOS Flex device takes ownership during initial setup. If no TPM is available, ChromeOS Flex uses software backup methods.
| Status | Description |
|---|---|
| Owned | The TPM had an initial interaction that established a controlling owner. The TPM is then available for use as a cryptographic storage or authentication device, as intended. A TPM owner is not an individual user or device. Instead the TPM owner is a disposable, invented identity that’s used to initiate the TPM's relationship with the OS during initial setup. You can only change the owner by using BIOS or UEFI settings to clear the TPM. |
| Unowned | The TPM was never used or has been cleared. It has no cryptographic information stored. |
Deactivate TPM
If you don't want a ChromeOS Flex device to use your device’s TPM chip, you should deactivate the TPM.
- Boot the device to the BIOS or UEFI settings menu. If you’re unsure which key to use, see Boot keys below.
- Find the TPM settings. You’ll find them in Security, Device Configuration, or Advanced Settings.
Note: The option name differs, depending on the OEM. For example, on HP devices, you’ll see Embedded security device. - Deactivate the TPM.
- Save changes.
- Exit the BIOS or UEFI settings.
Boot keys
| Manufacturer | Boot key |
|---|---|
| Acer | F2 |
| Apple | Hold Option (next to the ⌘ key) |
| Asus | Del |
| Dell | F12 |
| Gateway | F1 |
| HP | F9 |
| Intel | F2 |
| Lenovo | F12 |
| Microsoft Surface | Boot from USB—Hold volume-down button Boot to UEFI menu—Hold volume-up button |
| Toshiba | F2 or F12 |
| Other | Try pressing Esc, any of F1-F12 keys, or Enter |
- Boot keys might be different on some models.
- The certified models list shows the boot key for all certified models. See the Certified models list.
- Some models display their boot key info on screen at the beginning of startup. For example, on some Lenovo models you’ll see To interrupt normal startup, press Enter.
- If you can’t find the boot key for a certain model, try searching online for documentation from the manufacturer or third parties. In your search term, include your device’s specific name and model number and boot key or BIOS key.
Known TPM errors
| Error | Resolution |
|---|---|
| Oops! The initialization of the installation-time attributes has timed out. Please contact your support representative. |
|
| Enrollment Screen stuck on Please wait. |
|
| Stuck on spinning Please wait upon login. |
|
Related topics
- Trusted Computing Group documentation
- Certified models list
Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
