Configure TPM firmware update behavior

Setting the policy configures availability and behavior of TPM firmware updates.

Specify individual settings in JSON properties:

* allow-user-initiated-powerwash: If set to true, users can trigger the powerwash flow to install a TPM firmware update.

* allow-user-initiated-preserve-device-state (available starting in Google Chrome version 68): If set to true, users can invoke the TPM firmware update flow that preserves device-wide state, including enterprise enrollment, but loses user data.

* auto-update-mode (available starting in Google Chrome version 75): Controls how automatic TPM firmware updates are enforced for vulnerable TPM firmware. All flows preserve local device state. If set to:

* 1 or left not set, TPM firmware updates are not enforced.

* 2, TPM firmware updates at the next reboot after user acknowledges the update.

* 3, TPM firmware updates at the next reboot.

* 4, TPM firmware updates after enrollment, before user sign-in.

Leaving the policy unset renders TPM firmware update unavailable.
See for more information about schema and formatting.

Example value:

"allow-user-initiated-powerwash": true,
"allow-user-initiated-preserve-device-state": true,
"auto-update-mode": 1

Supported on: At least Microsoft Windows 7 or Windows Server 2008 family

Configure TPM firmware update behavior (The single-line field is deprecated and will be removed in the future. Please start using the multi-line textbox below.)

Registry PathSoftware\Policies\Google\ChromeOS
Value NameTPMFirmwareUpdateSettings
Value TypeREG_SZ
Default Value

Registry PathSoftware\Policies\Google\ChromeOS
Value NameTPMFirmwareUpdateSettings
Default Value


Administrative Templates (Computers)

Administrative Templates (Users)