Configure TPM firmware update behavior
Configures availability and behavior of TPM firmware update functionality.
Individual settings can be specified in JSON properties:
allow-user-initiated-powerwash: If set to true, users will be able to trigger the powerwash flow to install a TPM firmware update.
allow-user-initiated-preserve-device-state: If set to true, users will be able to invoke the TPM firmware update flow that preserves device-wide state (including enterprise enrollment), but loses user data. This update flow is available starting from version 68.
auto-update-mode: Controls how automatic TPM firmware updates are enforced for vulnerable TPM firmware. All flows preserve local device state.
If set to 1 or left not set, TPM firmware updates are not enforced.
If set to 2, TPM firmware will be updated at the next reboot after user acknowledges the update.
If set to 3, TPM firmware will be updated at the next reboot.
If set to 4, TPM firmware will be updated after enrollment, before user sign-in.
This option is available starting from version 75.
If the policy is not set, TPM firmware update functionality will not be available.
See https://cloud.google.com/docs/chrome-enterprise/policies/?policy=TPMFirmwareUpdateSettings for more information about schema and formatting.
Example value:
{
"allow-user-initiated-powerwash": true,
"auto-update-mode": 1,
"allow-user-initiated-preserve-device-state": true
}
Supported on: At least Microsoft Windows 7 or Windows Server 2008 family
Configure TPM firmware update behavior (The single-line field is deprecated and will be removed in the future. Please start using the multi-line textbox below.)
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | Software\Policies\Google\ChromeOS |
| Value Name | TPMFirmwareUpdateSettings |
| Value Type | REG_SZ |
| Default Value |
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | Software\Policies\Google\ChromeOS |
| Value Name | TPMFirmwareUpdateSettings |
| Value Type | REG_MULTI_SZ |
| Default Value |
chromeos.admx
- Google
- Google Chrome OS - Default Settings (users can override)
- Accessibility settings
- Enable the autoclick on the login screen
- Enable the caret highlight on the login screen
- Enable the cursor highlight on the login screen
- Enable the dictation on the login screen
- Enable the high contrast on the login screen
- Enable the large cursor on the login screen
- Enable the mono audio on the login screen
- Enable the select to speak on the login screen
- Enable the spoken feedback on the login screen
- Enable the sticky keys on the login screen
- Enable the virtual keyboard on the login screen
- Set the screen magnifier type on the login screen
- Accessibility settings
- Google Chrome OS
- Accessibility settings
- Enable the autoclick on the login screen
- Enable the caret highlight on the login screen
- Enable the cursor highlight on the login screen
- Enable the dictation on the login screen
- Enable the high contrast on the login screen
- Enable the large cursor on the login screen
- Enable the mono audio on the login screen
- Enable the select to speak on the login screen
- Enable the spoken feedback on the login screen
- Enable the sticky keys on the login screen
- Enable the virtual keyboard on the login screen
- Set default state of the large cursor on the login screen
- Set default state of the on-screen keyboard on the login screen
- Set the default screen magnifier type enabled on the login screen
- Set the default state of high contrast mode on the login screen
- Set the default state of spoken feedback on the login screen
- Set the screen magnifier type on the login screen
- Android settings
- Deprecated policies
- Device update settings
- Display
- Linux container
- Microsoft® Active Directory® management settings
- Network settings
- Other
- PluginVm
- Power management
- Battery charge mode
- Enable advanced battery charge mode
- Enable boot on AC (alternating current)
- Enable peak shift power management
- Set advanced battery charge mode day config
- Set battery charge custom start charging in percent
- Set battery charge custom stop charging in percent
- Set power peak shift battery threshold in percent
- Set power peak shift day config
- Remote attestation
- Sign-in settings
- Wilco DTC
- Allow autoupdate downloads via HTTP
- Allow bluetooth on device
- Allow creation of new user accounts
- Allow the device to request powerwash
- Allow users to redeem offers through Chrome OS Registration
- Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs on the login screen.
- Automatically reboot after update
- Automatic reboot on device shutdown
- Auto update p2p enabled
- Auto update scatter factor
- Block developer mode
- Configure the automatic timezone detection method
- Configure the list of installed apps on the login screen
- Connection types allowed for updates
- Device-level network configuration
- Device printers configuration access policy.
- Device sign-in screen keyboard layouts
- Device sign-in screen locale
- Device wallpaper image
- Disable Auto Update
- Disabled enterprise device printers
- Duration of inactivity before the screen saver is shown on the sign-in screen in retail mode
- Duration of the idle log-out warning message
- Enable data roaming
- Enabled enterprise device printers
- Enable guest mode
- Enable metrics reporting
- Enable queries to Quirks Server for hardware profiles
- Enterprise printer configuration file for devices
- Force device reboot when user sign out
- List of AppPack extensions
- Load specified urls on demo login
- Login user white list
- Off hours intervals when the specified device policies are released
- Power management on the login screen
- Refresh rate for Device Policy
- Release channel
- Screen saver to be used on the sign-in screen in retail mode
- Set default display rotation, reapplied on every reboot
- Show usernames on login screen
- System wide flags to be applied on Google Chrome start-up
- Target Auto Update Version
- Timeout until idle user log-out is executed
- Timezone
- Use 24 hour clock by default
- Users may configure the Chrome OS release channel
- Whitelist of USB detachable devices
- Wipe user data on sign-out
- Accessibility settings
- Google Chrome OS - Default Settings (users can override)
- Google
- Google Chrome OS - Default Settings (users can override)
- Accessibility settings
- Enable accessibility features shortcuts
- Enable accessibility features shortcuts on the login screen
- Enable high contrast mode
- Enable large cursor
- Enable on-screen keyboard
- Enable select to speak
- Enable spoken feedback
- Enable sticky keys
- Enable the autoclick accessibility feature
- Enable the caret highlight accessibility feature
- Enable the cursor highlight accessibility feature
- Enable the dictation accessibility feature
- Enable the keyboard focus highlighting accessibility feature
- Enable the keyboard focus highlighting accessibility feature
- Enable the mono audio accessibility feature
- Media keys default to function keys
- Set screen magnifier type
- Show accessibility options in system tray menu
- Show accessibility options in system tray menu in the login screen
- Content settings
- Deprecated policies
- Home page
- New Tab Page
- Password manager
- Printing
- Startup pages
- Allow download restrictions
- Block third party cookies
- Control shelf auto-hiding
- Control the shelf position
- Enable alternate error pages
- Enable AutoFill for addresses
- Enable AutoFill for credit cards
- Enable AutoFill
- Enable Bookmark Bar
- Enable lock when the device become idle or suspended
- Enable network prediction
- Enable or disable spell checking web service
- Enable Safe Browsing
- Enable search suggestions
- Enable Translate
- List of pinned apps to show in the launcher
- Printer configuration access policy.
- Select task scheduler configuration
- Set default download directory
- Set download directory
- Set the recommended locales for a managed session
- Show Home button on toolbar
- Switch the primary mouse button to the right button
- Switch the primary mouse button to the right button on the login screen
- Accessibility settings
- Google Chrome OS
- Accessibility settings
- Enable accessibility features shortcuts
- Enable accessibility features shortcuts on the login screen
- Enable high contrast mode
- Enable large cursor
- Enable on-screen keyboard
- Enable select to speak
- Enable spoken feedback
- Enable sticky keys
- Enable the autoclick accessibility feature
- Enable the caret highlight accessibility feature
- Enable the cursor highlight accessibility feature
- Enable the dictation accessibility feature
- Enable the keyboard focus highlighting accessibility feature
- Enable the keyboard focus highlighting accessibility feature
- Enable the mono audio accessibility feature
- Media keys default to function keys
- Set screen magnifier type
- Show accessibility options in system tray menu
- Show accessibility options in system tray menu in the login screen
- Android settings
- Content settings
- Allow cookies on these sites
- Allow images on these sites
- Allow insecure content on these sites
- Allow JavaScript on these sites
- Allow key generation on these sites
- Allow notifications on these sites
- Allow popups on these sites
- Allow the Flash plugin on these sites
- Allow WebUSB on these sites
- Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs.
- Automatically select client certificates for these sites
- Block cookies on these sites
- Block images on these sites
- Block insecure content on these sites
- Block JavaScript on these sites
- Block key generation on these sites
- Block notifications on these sites
- Block popups on these sites
- Block the Flash plugin on these sites
- Block WebUSB on these sites
- Control use of insecure content exceptions
- Control use of the Web Bluetooth API
- Control use of the WebUSB API
- Default cookies setting
- Default Flash setting
- Default geolocation setting
- Default images setting
- Default JavaScript setting
- Default key generation setting
- Default legacy SameSite cookie behavior setting
- Default notification setting
- Default popups setting
- Limit cookies from matching URLs to the current session
- Revert to legacy SameSite behavior for cookies on these sites
- Default search provider
- Default search provider encodings
- Default search provider icon
- Default search provider instant URL
- Default search provider keyword
- Default search provider name
- Default search provider new tab page URL
- Default search provider search URL
- Default search provider suggest URL
- Enable the default search provider
- List of alternate URLs for the default search provider
- Parameter controlling search term placement for the default search provider
- Parameter providing search-by-image feature for the default search provider
- Parameters for image URL which uses POST
- Parameters for instant URL which uses POST
- Parameters for search URL which uses POST
- Parameters for suggest URL which uses POST
- Deprecated policies
- Action to take when the idle delay is reached
- Action to take when the idle delay is reached while running on AC power
- Action to take when the idle delay is reached while running on battery power
- Allow insecure algorithms in integrity checks on extension updates and installs
- Allow sites to simultaneously navigate and open pop-ups
- Allow users to show passwords in Password Manager (deprecated)
- Choose how to specify proxy server settings
- Clear site data on browser shutdown (deprecated)
- Configure the required domain name for remote access clients
- Configure the required domain name for remote access hosts
- Default mediastream setting
- Disable SPDY protocol
- Disable URL protocol schemes
- Enable DHE cipher suites in TLS
- Enable firewall traversal from remote access client
- Enable Incognito mode
- Enable Instant
- Enable JavaScript
- Enable network prediction
- Enable RC4 cipher suites in TLS
- Enterprise web store name (deprecated)
- Enterprise web store URL (deprecated)
- Force SafeSearch
- Force YouTube Safety Mode
- Idle delay when running on AC power
- Idle delay when running on battery power
- Idle warning delay when running on AC power
- Idle warning delay when running on battery power
- Minimum TLS version to fallback to
- Percentage by which to scale the idle delay in presentation mode (deprecated)
- Prevent app promotions from appearing on the new tab page
- Screen dim delay when running on AC power
- Screen dim delay when running on battery power
- Screen lock delay when running on AC power
- Screen lock delay when running on battery power
- Screen off delay when running on AC power
- Screen off delay when running on battery power
- Specify a list of disabled plugins
- Specify a list of enabled plugins
- Specify a list of plugins that the user can enable or disable
- Use a default referrer policy of no-referrer-when-downgrade.
- Extensions
- Google Assistant
- Google Cast
- Google Drive
- Home page
- HTTP authentication
- Authentication server whitelist
- Cross-origin HTTP Basic Auth prompts
- Disable CNAME lookup when negotiating Kerberos authentication
- Enable NTLMv2 authentication.
- Include non-standard port in Kerberos SPN
- Kerberos delegation server whitelist
- Supported authentication schemes
- Use KDC policy to delegate credentials.
- Linux container
- New Tab Page
- Parental supervision settings
- Password manager
- PluginVm
- Power management
- Action to take when the user closes the lid
- Allow screen wake locks
- Allow wake locks
- Enable smart dim model to extend the time until the screen is dimmed
- Percentage by which to scale the screen dim delay if the user becomes active after dimming
- Percentage by which to scale the screen dim delay in presentation mode
- Power management settings when the user becomes idle
- Screen brightness percent
- Screen lock delays
- Specify whether audio activity affects power management
- Specify whether video activity affects power management
- Wait for initial user activity
- Printing
- Default background graphics printing mode
- Default printing color mode
- Default printing duplex mode
- Disable printer types on the deny list
- Enabled external print servers
- Extensions allowed to skip confirmation dialog when sending print jobs via chrome.printing API
- External print servers
- Restrict background graphics printing mode
- Restrict printing color mode
- Restrict printing duplex mode
- Send username and filename to native printers
- Set the time period in days for storing print jobs metadata
- Proxy server
- Quick unlock
- Remote access
- Allow gnubby authentication for remote access hosts
- Client certificate for connecting to RemoteAccessHostTokenValidationUrl
- Configure the required domain names for remote access clients
- Configure the required domain names for remote access hosts
- Configure the TalkGadget prefix for remote access hosts
- Enable curtaining of remote access hosts
- Enable firewall traversal from remote access host
- Enable or disable PIN-less authentication for remote access hosts
- Enable the use of relay servers by the remote access host
- Policy overrides for Debug builds of the remote access host
- Require that the name of the local user and the remote access host owner match
- Restrict the UDP port range used by the remote access host
- URL for validating remote access client authentication token
- URL where remote access clients should obtain their authentication token
- Remote attestation
- Safe Browsing settings
- Configure the change password URL.
- Configure the list of domains on which Safe Browsing will not trigger warnings.
- Configure the list of enterprise login URLs where password protection service should capture fingerprint of password.
- Enable Safe Browsing Extended Reporting
- Password protection warning trigger
- Startup pages
- Abusive Experience Intervention Enforce
- Add a logout button to the system tray
- Ads setting for sites with intrusive ads
- Allow access to a list of URLs
- Allow background tabs freeze
- Allow certificates issued by local trust anchors without subjectAlternativeName extension
- Allow collection of WebRTC event logs from Google services
- Allow Dinosaur Easter Egg Game
- Allow download restrictions
- Allow fullscreen mode
- Allow Google Cast to connect to Cast devices on all IP addresses.
- Allow Instant Tethering to be used.
- Allow managed session on device
- Allow media autoplay
- Allow media autoplay on a whitelist of URL patterns
- Allow merging dictionary policies from different sources
- Allow merging list policies from different sources
- Allow or deny audio capture
- Allow or deny screen capture
- Allow or deny video capture
- Allow playing audio
- Allow proceeding from the SSL warning page
- Allow QUIC protocol
- Allow running plugins that are outdated
- Allows a page to perform synchronous XHR requests during page dismissal.
- Allows a page to show popups during its unloading
- Allow Sign-in To Additional Google Accounts
- Allow Smart Lock Signin to be used.
- Allow Smart Lock to be used
- Allow SMS Messages to be synced from phone to Chromebook.
- Allows users to play media when the device is locked
- Allow the user to manage VPN connections
- Allow user feedback
- Allow users to customize the background on the New Tab page
- Allow users to manage installed CA certificates.
- Allow users to manage installed client certificates.
- Allow users to opt in to Safe Browsing extended reporting
- Allow websites to query for available payment methods.
- Always runs plugins that require authorization (deprecated)
- Ask where to save each file before downloading
- Block access to a list of URLs
- Block third party cookies
- Captive portal authentication ignores proxy
- Configure ARC
- Configure list of force-installed Web Apps
- Configure the allowed input methods in a user session
- Configure the allowed languages in a user session
- Control SafeSites adult content filtering.
- Control shelf auto-hiding
- Control the shelf position
- Control the user behavior in a multiprofile session
- Control where Developer Tools can be used
- Default printer selection rules
- Define domains allowed to access G Suite
- Determines whether the built-in certificate verifier will be used to verify server certificates
- Disable Certificate Transparency enforcement for a list of Legacy Certificate Authorities
- Disable Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes
- Disable Certificate Transparency enforcement for a list of URLs
- Disabled enterprise printers
- Disable Developer Tools
- Disable mounting of external storage
- Disable proceeding from the Safe Browsing warning page
- Disable saving browser history
- Disable support for 3D graphics APIs
- Disable synchronization of data with Google
- Disable taking screenshots
- Disable TLS False Start
- DNS interception checks enabled
- Enable alternate error pages
- Enable Ambient Authentication for profile types.
- Enable Android Backup Service
- Enable Android Google Location Service
- Enable ARC
- Enable a TLS 1.3 security feature for local trust anchors.
- Enable AutoFill for addresses
- Enable AutoFill for credit cards
- Enable AutoFill
- Enable Bookmark Bar
- Enable chrome://devices
- Enable component updates in Google Chrome
- Enable CORS check mitigations in the new CORS implementation
- Enable deleting browser and download history
- Enabled enterprise printers
- Enable deprecated web platform features for a limited time
- Enable displaying Sync Consent during sign-in
- Enable ending processes in Task Manager
- Enable globally scoped HTTP auth cache
- Enable HTTP/0.9 support on non-default ports
- Enable lock when the device become idle or suspended
- Enable network prediction
- Enable online OCSP/CRL checks
- Enable or disable bookmark editing
- Enable or disable spell checking web service
- Enable PAC URL stripping (for https://)
- Enable printing
- Enable Safe Browsing
- Enable search suggestions
- Enable Signed HTTP Exchange (SXG) support
- Enable Site Isolation for every site
- Enable Site Isolation for specified origins
- Enables managed extensions to use the Enterprise Hardware Platform API
- Enable spellcheck
- Enables the concept of policy atomic groups
- Enable stricter treatment for mixed content
- Enable the Click to Call Feature
- Enable Translate
- Enable URL-keyed anonymized data collection
- Enable virtual keyboard
- Enable WPAD optimization
- Enterprise printer configuration file
- Extend Flash content setting to all content
- Force disable spellcheck languages
- Force enable spellcheck languages
- Force Google SafeSearch
- Force minimum YouTube Restricted Mode
- Hide the web store from the New Tab Page and app launcher
- Incognito mode availability
- Key Permissions
- Limit the length of a user session
- Limit the time for which a user authenticated via SAML can log in offline
- List of names that will bypass the HSTS policy check
- List of pinned apps to show in the launcher
- List of types that should be excluded from synchronization
- Make Unified Desktop available and turn on by default
- Managed Bookmarks
- Maximize the first browser window on first run
- Maximum fetch delay after a policy invalidation
- Maximum SSL version enabled
- Migration strategy for ecryptfs
- Minimum SSL version enabled
- Native Printing
- Notify a user that a browser relaunch or device restart is recommended or required
- Origins or hostname patterns for which restrictions on insecure origins should not apply
- Permit locking the screen
- Printer configuration access policy.
- Proxy settings
- Re-enable Web Components v0 API until M84.
- Refresh rate for user policy
- Require online OCSP/CRL checks for local trust anchors
- Restrict the range of local UDP ports used by WebRTC
- Select task scheduler configuration
- Set certificate availability for ARC-apps
- Set download directory
- Set the display name for device-local accounts
- Set the recommended locales for a managed session
- Set the Terms of Service for a device-local account
- Set the time of the first user relaunch notification
- Set the time period for update notifications
- Show Home button on toolbar
- Specify whether the plugin finder should be disabled (deprecated)
- Suppress launching of browser window
- Suppress the unsupported OS warning
- Switch the primary mouse button to the right button
- Switch the primary mouse button to the right button on the login screen
- Treat external storage devices as read-only
- URLs/domains automatically permitted direct Security Key attestation
- URLs for which local IPs are exposed in WebRTC ICE candidates
- URLs that will be granted access to audio capture devices without prompt
- URLs that will be granted access to video capture devices without prompt
- User-level network configuration
- User avatar image
- Use the legacy CORS implementation rather than new CORS
- Wallpaper image
- Whether SHA-1 signed certificates issued by local trust anchors are allowed
- Whitelist note-taking apps allowed on the Google Chrome OS lock screen
- Accessibility settings
- Google Chrome OS - Default Settings (users can override)