How to Protect TPM Encryption Keys By Disabling Clear TPM Using HTMD Intune Policy Blog


Important Points

  • The Disable Clear TPM button setting is configured as an antivirus policy under the Windows Security experience profile.
  • This policy supports consistent security enforcement across Intune-managed Windows devices.
  • It controls whether the user can clear (reset) the TPM from Windows Security.
  • Enabled – Value 1 – Hides and disables the Clear TPM button to prevent accidental TPM resets.
  • Disabled or Not Configured – Value 1 (Default) – Allows users to see and use the Clear TPM button on supported devices.
  • Enabling this policy helps protect encryption keys, reduces user error, and improves overall device security in a managed environment.
  • Accidentally clearing the TPM can block access to encrypted data.
  • It helps IT admins protect data, avoid device lockouts, and reduce helpdesk calls.

How to Protect TPM Encryption Keys by Disabling Clear TPM using Intune Policy! This policy controls whether users can clear the Trusted Platform Module (TPM) from the Windows Security app by enabling or disabling the Clear TPM button.

When enabled, the button is hidden to prevent the user from resetting the TPM and potentially losing encryption keys, Windows Hello data, or access to BitLocker-protected drives; when disabled or not configured, the button remains available on supported devices.

This policy helps IT administrators prevent accidental or unauthorized TPM resets, which can cause BitLocker recovery prompts, data loss, or device lockout. By disabling the Clear TPM option through Intune, admins can protect encryption keys and critical device security configuration.

It also reduces helpdesk incidents and ensures consistent security enforcement across managed devices without requiring user awareness or intervention. In this post, you will find all the details about how to protect TPM encryption keys by disabling Clear TPM using an Intune policy.

How to Protect TPM Encryption Keys by Disabling Clear TPM using Intune Policies

Consider a company that encrypts all employee laptops with BitLocker and manages them with Intune. If a user clicks Clear TPM in Windows Security by mistake, the laptop may prompt for the BitLocker recovery key or even block access to data. To avoid this, IT admins enable this policy, which removes the Clear TPM button so users cannot click it.

  • Sign in to the Microsoft Intune admin center.
  • From the left navigation pane, select Endpoint security.
  • Under Endpoint security, choose Antivirus.
  • Click + Create to start creating a new policy.
How to Protect TPM Encryption Keys by Disabling Clear TPM using Intune Policy – Fig.1

Provide Required Basic Configuration Details

Once the Create a profile window opens, provide the required basic configuration details. Set Platform to Windows and select Windows Security experience as the profile type. After making these selections, proceed to the next step to configure the policy settings.

How to Protect TPM Encryption Keys by Disabling Clear TPM using Intune Policy – Fig.2

Basic Settings to Disable TPM Clear Button in Intune

The Basics tab is where you provide the identifying details for the policy. Enter a Name such as Disable TPM Clear Button to clearly identify the policy. In the Description field, provide a brief explanation, such as How to Disable TPM Clear Button using Intune Antivirus Policy, to help administrators understand the purpose of the policy.

How to Protect TPM Encryption Keys by Disabling Clear TPM using Intune Policy – Fig.3

Settings to Disable TPM Clear Button in Intune

The Disable Clear TPM button policy in Intune offers three configuration options: Enabled, Disabled, and Not configured. When set to Enabled, the Clear TPM button in Windows Security becomes unavailable to users, preventing accidental TPM resets.

Choosing Disabled allows users to see and use the Clear TPM button on supported devices. If the policy is Not configured, the behavior is the same as Disabled, keeping the button available by default. These settings let IT admins control device security while balancing user access.

How to Protect TPM Encryption Keys by Disabling Clear TPM using Intune Policy – Fig.4

Enable TPM Button Disable Policy in Intune

When you choose the Enabled option in the Disable Clear TPM button policy, the Clear TPM button in Windows Security becomes unavailable to the user. This setting helps IT administrators prevent accidental or unauthorized TPM resets, protecting encryption keys, Windows Hello credentials, and other important security data on managed devices.

How to Protect TPM Encryption Keys by Disabling Clear TPM using Intune Policy – Fig.5

Custom Property Settings of the Policy

The Disable Clear TPM button policy in Intune has specific property settings that determine its behavior. The property name is tied to the Clear TPM button control, and the property value is formatted as an integer (int). In the Scope tags section, we keep the default settings.

How to Protect TPM Encryption Keys by Disabling Clear TPM using Intune Policy – Fig.6

The Policy also Supports Different Types of Access

This policy also supports multiple access types, including Add, Delete, Get, and Replace, giving administrators flexibility in managing the setting. The default value is 0, which corresponds to the Disabled state, meaning the Clear TPM button is available by default unless this policy is explicitly enabled.

  • On the Assignments tab, select the device group to which you want to apply the policy.
  • Here, we select the device group HTML Test Computer.
  • Click Next to continue.
How to Protect TPM Encryption Keys by Disabling Clear TPM using Intune Policy – Fig.7

Policy Value to Disable TPM Button in Intune

The Disable Clear TPM button policy in Intune uses specific values to control the behavior of the Clear TPM button. The value 0 (default), which corresponds to Disabled or Not configured, allows the Security processor troubleshooting page to display the button that starts the TPM clearing process. A value of 1 (Enabled) removes this button from the page, preventing users from initiating a TPM clear.

  • The Review + create tab in Intune lets administrators verify all settings configured for the policy before deployment.
  • This step helps prevent configuration errors and ensures smooth policy implementation.
  • Click the Create button to create the policy.
How to Protect TPM Encryption Keys by Disabling Clear TPM using Intune Policy – Fig.8

Device and User Check-in Status for the TPM Clear Button Disable Policy in Intune

The device and user check-in status for the Disable Clear TPM button policy in the Windows Security experience profile shows that the policy has been successfully applied to 1 device. There are no errors, conflicts, or devices marked as not applicable or in progress. This confirms that the policy is active and working correctly on the targeted device.

How to Protect TPM Encryption Keys by Disabling Clear TPM using Intune Policy – Fig.9

Client-Side Verification of the Disable TPM Clear Button Policy

For client-side verification, open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin. Once there, use the Filter Current Log option in the right-hand Actions pane to search for the results of this specific policy. This quickly narrows the log down to the relevant entries.

The matching event includes details such as the Enrollment ID, the current user or device, the integer value that was set (Int: 0x1), the enrollment type (0x6), and the scope (0x0). These entries confirm that the policy was successfully assigned and applied on the device, giving administrators a record of the policy's delivery and enforcement.

How to Protect TPM Encryption Keys by Disabling Clear TPM using Intune Policy – Fig.10
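Both checks described in this post, the 0/1 policy value and the Event Viewer lookup, can be scripted on the client. The following PowerShell is an added example, not code from the HTMD post or from Microsoft. It assumes that the setting is written to the registry under `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security` as the DWORD `DisableClearTpmButton` (the Group Policy form of this setting, 1 = button hidden), that the Event Viewer channel referred to above is `Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin`, and that the MDM policy-set events name the setting in their message text; the function names are my own.

```powershell
# Added example (not from the HTMD post): verify on a managed device that the
# "Disable Clear TPM button" setting arrived and is enforced.
# Assumptions not stated in the post:
#   - Registry location and value name below (1 = button hidden, 0/absent = shown).
#   - MDM diagnostics channel name below is the log the post opens in Event Viewer.
#   - MDM "Set policy" events include the setting name in their message text.

$RegPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security'
$ValueName = 'DisableClearTpmButton'
$MdmLog    = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function Get-ClearTpmButtonState {
    # Map the registry DWORD to the states the post describes:
    # 1 = Enabled (button hidden), 0 = Disabled, absent = Not configured (both show the button).
    $props = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($null -ne $props) { [int]$props.$ValueName } else { $null }
    $state = switch ($value) {
        1       { 'Enabled (Clear TPM button hidden)' }
        0       { 'Disabled (Clear TPM button visible)' }
        default { 'Not configured (Clear TPM button visible)' }
    }
    [pscustomobject]@{
        RegistryValue = $value
        ButtonHidden  = ($value -eq 1)
        State         = $state
    }
}

function Get-ClearTpmPolicyEvents {
    # Scripted equivalent of "Filter Current Log": return the MDM policy events that mention
    # this setting, so the Enrollment ID, Int value, enrollment type and scope can be inspected.
    param([int]$MaxEvents = 1000)
    Get-WinEvent -LogName $MdmLog -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $ValueName } |
        Select-Object TimeCreated, Id, Message
}

function Test-TpmReady {
    # The setting only matters on devices with a working TPM; Get-Tpm needs an elevated session.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        return [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    } catch {
        return $false
    }
}

# Usage: run in an elevated PowerShell on the targeted device.
$state = Get-ClearTpmButtonState
$state | Format-List

if (-not (Test-TpmReady)) {
    Write-Warning 'No ready TPM found on this device; the Clear TPM setting has no effect here.'
}

if ($state.ButtonHidden) {
    Write-Host 'OK: policy enforced, the Clear TPM button is hidden in Windows Security.'
} else {
    Write-Warning 'Policy not enforced on this device. Check the Intune assignment and the MDM events below.'
}

Get-ClearTpmPolicyEvents | Format-Table -AutoSize -Wrap
```

Hiding the button is a user-interface control, not a cryptographic one: it stops the accidental click this post is about, but it does not replace BitLocker recovery key escrow in Intune or Entra ID, which is what turns an intentional or firmware-level TPM clear into a recoverable event rather than data loss.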


Author

Anoop C Nair has been a Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solutions Architect with over 22 years of experience in the Workplace technology space. He is a leader of the community of bloggers, speakers, and local user groups. His main focus is on device management technologies such as SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.
