Use TPM with ChromeOS Flex

Trusted Platform Module (TPM) is a standard hardware component that’s included in most enterprise computers to more securely store and process cryptographic data.

You can use TPM on a limited number of ChromeOS Flex certified devices. 

ChromeOS Flex supports only certain TPM 1.2 and TPM 2.0 chipsets. Google continuously adds support for a wider variety of TPM chipsets on devices.

Certified devices with TPM

In addition to legacy TPM 1.2 devices, we are adding support for more TPM 2.0 devices. This is a list of certified devices with enabled TPM 2.0 modules.

Model name
Supported since ChromeOS version
Dell Latitude 3520 124
Dell Latitude 7490 96
Dell Latitude 5420 129
HP Elite x360 830 13 inch G10 2-in-1 Notebook PC 119
HP Elitebook 640 G10 119
HP Elitebook 645 G10 119
HP Elitebook 840 G6 126
HP ProDesk 400 G5 Desktop Mini 126
HP t655 124
HP ZBook Firefly 14 G7 Mobile Workstation 129
Intel NUC11TNKv5 128
Lenovo ThinkPad X1 Carbon Gen 8 96
Lenovo ThinkPad X1 Carbon Gen 9 96
Lenovo ThinkPad X1 Carbon Gen 8 96

Why you might need TPM

If you want to use hardware-backed certificates, you need to install ChromeOS Flex on devices with a supported TPM chipset. Hardware-backed certificates bind to unique user or device pairings, ensuring that certificates can’t be moved to unauthorized devices or hijacked by unauthorized users.

You can use hardware-backed certificates for:

  • EAP-TLS and other WPA2 Enterprise wireless authentication
  • Managed or secured VPN configurations
  • Any time you use Import and bind in the Manage certificates section of Chrome’s settings

Some ChromeOS Flex functionalities—such as encryption of user, device, and some system data—optionally use TPM on devices that have an active and supported TPM chipset. For devices that don’t have supported TPM hardware, features continue to function as expected, and are handled by software instead of hardware. For information about how ChromeOS Flex uses TPM, see the Chromium design documentation.

Manage TPM

Before you install ChromeOS Flex on devices, you might need to use the BIOS or UEFI settings menu to make sure that the TPM is cleared, visible, and active.

Clear and activate TPM

  1. Boot the device to the BIOS or UEFI settings menu. If you’re unsure which key to use, see Boot keys below.
  2. Find the TPM settings. You’ll find them in Security, Device Configuration, or Advanced Settings.
    Note: The option name differs, depending on the OEM. For example, on HP devices, you’ll see Embedded security device.
    1. If you do not see any TPM settings, try setting an administrator password.
    2. Save, exit, and try again.
  3. Clear the TPM so that it is no longer owned and has no data from previous use.
    1. Click the option to clear or reset TPM. If the option is visible but unavailable, your TPM is already clear. Go to step 4.
      Note: The option name differs, depending on the OEM. For example, on HP devices, click Reset to factory defaults.
    2. Save changes.
    3. Exit the BIOS or UEFI settings.
    4. Restart the device and boot to the BIOS or UEFI settings menu.
    5. Complete any on-screen prompts that you see to confirm that you want to clear the TPM.
  4. Turn on TPM.
    1. In the BIOS or UEFI settings menu, find the TPM settings. Same as step 2 above.
    2. Make sure the TPM settings are set to visible, active, ;or enabled.
  5. Check to make sure that settings that might affect TPM status are correctly configured.
  6. Save changes.
  7. Exit the BIOS or UEFI settings.

Now that you have cleared the TPM and TPM status is Active, you can proceed with installing ChromeOS Flex on the device. Be sure to check the certified models list for specific ChromeOS Flex installation notes or other BIOS tweaks.

Clear TPM using powerwash

You can clear a device's TPM using powerwash as long as you turn on the correct BIOS settings. This is useful when a device is powerwashed as part of a support or device reallocation process.

Note: Powerwashing a device clears the device enrollment, so you need to re-enroll the device afterwards. To reset most devices, we recommend using Clear User Profiles instead of a full Factory Reset.

To clear the TPM using powerwash, refer to your manufacturers’ guidance on setting up your TPM’s Physical Presence Interface. This enables the OS to cooperate with the BIOS and pass control of TPM actions to the installed OS. For more details, see this article.

Check TPM information—Admin console

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to  Menu and then Devicesand thenChromeand thenDevices.
  3. To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  4. Find and click the device you want to view TPM information for.
  5. View whether ChromeOS Flex supports and owns the device’s TPM. If TPM owned and TPM allowlisted are set to True, ChromeOS Flex is actively using it.

Check TPM status and state—BIOS or UEFI

TPM status

TPM status lets you know whether TPM is turned on and available to other software or hardware components on the ChromeOS Flex device. The default TPM status varies, depending on OEM and deployment. TPM status is usually configured using the BIOS or UEFI settings menu and generally results in one of three conditions:

Status Description

Active

On, available

The TPM is turned on and available for software and hardware components to use on the device.

Enabled

The TPM is turned on but not available for software and hardware components to use on the device.

Enabled status is only available on a limited number of ChromeOS Flex devices.

Inactive

Off, hidden, disabled

The TPM is turned off and is completely invisible to other software and hardware components on the device.

Inactive status is equivalent to a device with no TPM.

TPM state

TPM state lets you know the relationship that the TPM chipset currently has to an existing device or user for its cryptographic functions. If a supported TPM chipset is available, the ChromeOS Flex device takes ownership during initial setup. If no TPM is available, ChromeOS Flex uses software backup methods.

Status Description

Owned

The TPM had an initial interaction that established a controlling owner. The TPM is then available for use as a cryptographic storage or authentication device, as intended.

A TPM owner is not an individual user or device. Instead the TPM owner is a disposable, invented identity that’s used to initiate the TPM's relationship with the OS during initial setup.

You can only change the owner by using BIOS or UEFI settings to clear the TPM.

Unowned

The TPM was never used or has been cleared. It has no cryptographic information stored.

Deactivate TPM

If you don't want a ChromeOS Flex device to use your device’s TPM chip, you should deactivate the TPM.

  1. Boot the device to the BIOS or UEFI settings menu. If you’re unsure which key to use, see Boot keys below.
  2. Find the TPM settings. You’ll find them in Security, Device Configuration, or Advanced Settings.
    Note: The option name differs, depending on the OEM. For example, on HP devices, you’ll see Embedded security device.
  3. Deactivate the TPM.
  4. Save changes.
  5. Exit the BIOS or UEFI settings.

Boot keys

Manufacturer Boot key
Acer F2
Apple Hold Option (next to the key)
Asus Del
Dell F12
Gateway F1
HP F9
Intel F2
Lenovo F12
Microsoft Surface Boot from USB—Hold volume-down button
Boot to UEFI menu—Hold volume-up button
Toshiba F2 or F12
Other Try pressing Esc, any of F1-F12 keys, or Enter
  • Boot keys might be different on some models.
  • The certified models list shows the boot key for all certified models. See the Certified models list.
  • Some models display their boot key info on screen at the beginning of startup. For example, on some Lenovo models you’ll see To interrupt normal startup, press Enter.
  • If you can’t find the boot key for a certain model, try searching online for documentation from the manufacturer or third parties. In your search term, include your device’s specific name and model number and boot key or BIOS key.

Known TPM errors

Error Resolution
Oops! The initialization of the installation-time attributes has timed out. Please contact your support representative.
  1. Check the certified models list for TPM steps.
  2. If there are none—On the device, look for TPM, Trusted Computing Group (TCG), or Embedded security settings.
  3. Clear the TPM.
  4. Deactivate the TPM.
  5. Reinstall ChromeOS Flex on the device.
  6. Re-enroll the device.
Enrollment Screen stuck on Please wait.
  1. Clear the TPM.
  2. Leave the TPM in Active status.
  3. Turn off the TPM, TCG, or Embedded security device.
Stuck on spinning Please wait upon login.
  1. Deactivate the TPM.

Related topics

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Search
Clear search
Close search
Google apps
Main menu
1537163720211675584
true
Search Help Center
true
true
true
false
false