ESET Online Help

Select the category
Select the topic

Trusted Platform Module (TPM)

The TPM is a form of hardware security that stores cryptographic information about the connected workstation.

Minimum requirements to use a TPM with ESET Endpoint Encryption (EEE)

EEE Full Disk Encryption supports TPM (Trusted Platform Module) in the following environments:

Windows 10 / 8.1

Boots using UEFI

Has a TPM version 2.0

Using a managed client version 4.8.17 or later

Using a DESlock Enterprise Server 2.9.0 / EEE Server 3.0 or later

How can I tell if my computer is supported?

If you have activated a workstation with EEE Server, view Workstation Details.

In the Workstation Details tab, you will see information similar to the following image displaying a computer ready to use FDE with a TPM.

Boot Mode may display Legacy BIOS; this mode does not support TPM.

TPM Status may also display one of the following:

Trusted Platform Module (TPM) status is not available.
This message indicates your computer either has an earlier, unsupported version of TPM or no TPM at all. You will not be able to use FDE with a TPM.

The Trusted Platform Module (TPM) is unavailable.
This message indicates your computer has a supported TPM, but it requires some additional reconfiguration to work with ESET Endpoint Encryption: Take ownership of the TPM (Trusted Platform Module).


TPM Version displays the manufacturer and version of the TPM module; TPM version only displays if there is a TPM 2.0 module.


What do the different TPM FDE modes do?

Username and Password

This mode operates in the same way as before, only now it uses the TPM for storage of the encryption key. Encrypt a hard drive using a managed version of ESET Endpoint Encryption.

Use this mode if you require multiple, distinct pre-boot users, either with or without TPM.

It is the only mode that supports Single Sign-On. Using Single Sign-On in ESET Endpoint Encryption


PIN Code

This mode provides a single method of authentication—a numeric PIN. There is one PIN for all users of the computer.

If you only require a user to be able to start the computer, as long as they know the PIN, you can select Pin Code mode.

Anyone that knows the PIN will be able to start the computer. However, they will also have the ability to change the PIN.


No Extra Authentication

This mode starts the computer without any pre-boot interaction; all security is handled at the Windows login and requires the user to have a Windows Password.

If your only requirements are that the computer is encrypted, for example, if the hard drive is stolen or removed, you could use No Extra Authentication mode.

This mode moves the burden of security from the pre-boot loader phase to Windows logon. As such, it is good practice to ensure you have a strong password policy as well as a minimum level of Windows network security established.