First: How to TPM-protect a user's Key File:
To use TPM with SecureDoc, enable the option entitled "Automatically TPM-protect Password-protected Key Files if TPM suitable/available" in the SecureDoc Profile sent to or installed on the device.
Once the user logs in using SecureDoc Control Center on the device, the key file will automatically be converted to have TPM protection enabled.
NOTE: Prior to version 7.5 of SES, this same option was entitled: "Use TPM chip if available".
Among other clarity improvements in the SES User Interface, this option was renamed in SES V7.5 to more fully describe the results customers could expect when using this option.
How to handle access to the device if the TPM has been reset
If the TPM has been reset, the user must perform password recovery at SecureDoc's Pre-Boot Logon (typically Challenge Response, though Self-Help Recovery will work if enabled).
This will permit the user to boot into Windows, after which the user should log into the SecureDoc Control Center on the device so that the key file will again be automatically converted to have TPM protection enabled.
If you intend to reset the TPM, the following process will keep things easy for the end users:
Any computer can permit individual users to log in with either normal (Password-only) or Password + TPM-protected key files. The Administrator may therefore wish to issue normal (non-TPM-protected) key files for users before resetting the TPM chips in the computer(s), saving the users the need to perform the Password Recovery described earlier.
Once the TPM chip has been reset, the user should be asked to log in with his/her normal (password-protected) key file, then log into SecureDoc Control Center so his/her Key File can be converted to TPM-protected.