Use TPM with ChromeOS Flex

Trusted Platform Module (TPM) is a standard hardware component that’s included in most enterprise computers to more securely store and process cryptographic data.

You can use TPM on a limited number of ChromeOS Flex certified devices. 

ChromeOS Flex supports only certain TPM 1.2 and TPM 2.0 chipsets. Google continuously adds support for a wider variety of TPM chipsets on devices.

Why you might need TPM

If you want to use hardware-backed certificates, you need to install ChromeOS Flex on devices with a supported TPM chipset. Hardware-backed certificates bind to unique user or device pairings, ensuring that certificates can’t be moved to unauthorized devices or hijacked by unauthorized users.

You can use hardware-backed certificates for:

  • EAP-TLS and other WPA2 Enterprise wireless authentication
  • Managed or secured VPN configurations
  • Any time you use Import and bind in the Manage certificates section of Chrome’s settings

Some ChromeOS Flex functionalities—such as encryption of user, device, and some system data—optionally use TPM on devices that have an active and supported TPM chipset. For devices that don’t have supported TPM hardware, features continue to function as expected, and are handled by software instead of hardware. For information about how ChromeOS Flex uses TPM, see the Chromium design documentation.

Manage TPM

Before you install ChromeOS Flex on devices, you might need to use the BIOS or UEFI settings menu to make sure that the TPM is cleared, visible, and active.

Clear and activate TPM

  1. Boot the device to the BIOS or UEFI settings menu. If you’re unsure which key to use, see Boot keys below.
  2. Find the TPM settings. You’ll find them in Security, Device Configuration, or Advanced Settings.
    Note: The option name differs, depending on the OEM. For example, on HP devices, you’ll see Embedded security device.
    1. If you do not see any TPM settings, try setting an administrator password.
    2. Save, exit, and try again.
  3. Clear the TPM so that it is no longer owned and has no data from previous use.
    1. Click the option to clear or reset TPM. If the option is visible but unavailable, your TPM is already clear. Go to step 4.
      Note: The option name differs, depending on the OEM. For example, on HP devices, click Reset to factory defaults.
    2. Save changes.
    3. Exit the BIOS or UEFI settings.
    4. Restart the device and boot to the BIOS or UEFI settings menu.
    5. Complete any on-screen prompts that you see to confirm that you want to clear the TPM.
  4. Turn on TPM.
    1. In the BIOS or UEFI settings menu, find the TPM settings. Same as step 2 above.
    2. Make sure the TPM settings are set to visible, active, or enabled.
  5. Check to make sure that settings that might affect TPM status are correctly configured.
  6. Save changes.
  7. Exit the BIOS or UEFI settings.

Now that you have cleared the TPM and TPM status is Active, you can proceed with installing ChromeOS Flex on the device. Be sure to check the certified models list for specific ChromeOS Flex installation notes or other BIOS tweaks.

Clear TPM using powerwash

You can clear a device's TPM using powerwash as long as you turn on the correct BIOS settings. This is useful when a device is powerwashed as part of a support or device reallocation process.

Note: Powerwashing a device clears the device enrollment, so you need to re-enroll the device afterwards. To reset most devices, we recommend using Clear User Profiles instead of a full Factory Reset.

To clear the TPM using powerwash, refer to your manufacturer’s guidance on setting up your TPM’s Physical Presence Interface. This enables the OS to cooperate with the BIOS and pass control of TPM actions to the installed OS. For more details, see this article.

Check TPM information—Admin console

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Go to Menu and then Devices > Chrome > Devices.

    Requires having the Chrome administrator privilege.

  3. To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  4. Find and click the device you want to view TPM information for.
  5. View whether ChromeOS Flex supports and owns the device’s TPM. If TPM owned and TPM allowlisted are set to True, ChromeOS Flex is actively using it.

Check TPM status and state—BIOS or UEFI

Deactivate TPM

If you don't want a ChromeOS Flex device to use your device’s TPM chip, you should deactivate the TPM.

  1. Boot the device to the BIOS or UEFI settings menu. If you’re unsure which key to use, see Boot keys below.
  2. Find the TPM settings. You’ll find them in Security, Device Configuration, or Advanced Settings.
    Note: The option name differs, depending on the OEM. For example, on HP devices, you’ll see Embedded security device.
  3. Deactivate the TPM.
  4. Save changes.
  5. Exit the BIOS or UEFI settings.

Boot keys

Manufacturer        Boot key
Acer                F2
Apple               Hold Option (next to the key)
Asus                Del
Dell                F12
Gateway             F1
HP                  F9
Intel               F2
Lenovo              F12
Microsoft Surface   Boot from USB—Hold volume-down button
                    Boot to UEFI menu—Hold volume-up button
Toshiba             F2 or F12
Other               Try pressing Esc, any of F1-F12 keys, or Enter
  • Boot keys might be different on some models.
  • The certified models list shows the boot key for all certified models. See the Certified models list.
  • Some models display their boot key info on screen at the beginning of startup. For example, on some Lenovo models you’ll see To interrupt normal startup, press Enter.
  • If you can’t find the boot key for a certain model, try searching online for documentation from the manufacturer or third parties. In your search term, include your device’s specific name and model number and boot key or BIOS key.

Known TPM errors

Error: Oops! The initialization of the installation-time attributes has timed out. Please contact your support representative.
Resolution:
  1. Check the certified models list for TPM steps.
  2. If there are none, on the device look for TPM, Trusted Computing Group (TCG), or Embedded security settings.
  3. Clear the TPM.
  4. Deactivate the TPM.
  5. Reinstall ChromeOS Flex on the device.
  6. Re-enroll the device.

Error: Enrollment screen stuck on Please wait.
Resolution:
  1. Clear the TPM.
  2. Leave the TPM in Active status.
  3. Turn off the TPM, TCG, or Embedded security device.

Error: Stuck on spinning Please wait upon login.
Resolution:
  1. Deactivate the TPM.

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.