Issue 725500

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Bug



Load system token on device enrollment

Project Member Reported by pmarko@chromium.org, May 23 2017

Issue description

Loading system token on chrome start-up has been implemented for bug 655266.
However, CL https://chromium-review.googlesource.com/c/512662/ has changed the behavior to only load the system token when the TPM is ready[1] on chrome start-up.

In the edge case of device enrollment, this means that:
- before enrollment, TPM is not ready, so the system token will not be loaded
- after enrollment, nothing re-triggers loading of system token on sign-in screen. Only affiliated user sign-in OR chrome restart (including sign-out) will trigger it.

Currently this is not an issue, because the system token can contain no client certificates on a freshly enrolled device, as these can only be added in user sessions. In the future, we would also like to load the system token after device enrollment for:
- consistency
- future use cases

[1] ready means: TPM is available && TPM is owned && TPM is not being owned (see TpmInit::IsTpmReady in src/platform2/cryptohome/tpm_init.cc)
 

Comment 2 by pmarko@chromium.org, May 23 2017

Labels: pmarko-backlog
