diff --git a/hosts/configuration_desktop.nix b/hosts/configuration_desktop.nix
index d2e7d2d..14b364e 100644
--- a/hosts/configuration_desktop.nix
+++ b/hosts/configuration_desktop.nix
@@ -20,7 +20,7 @@
 users.users.${user} = { # System User
 isNormalUser = true;
- extraGroups = [ "wheel" "video" "audio" "camera" "networkmanager" "lp" "kvm" "libvirtd" "adb" "dialout" ];
+ extraGroups = [ "wheel" "video" "audio" "camera" "networkmanager" "lp" "kvm" "libvirtd" "adb" "dialout" "tss" ];
 shell = pkgs.zsh; # Default shell
 uid = 2000;
 # initialPassword = "password95";
@@ -31,7 +31,6 @@
 "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB0q++epdX7feQxvmC2m/CJEoJbkqtAJy6Ml6WKHxryZAAAABHNzaDo= kabbone@hades.home.opel-online.de"
 ];
 };
- #security.sudo.wheelNeedsPassword = true; # User does not need to give password when using sudo.
 time.timeZone = "Europe/Berlin"; # Time zone and internationalisation
 i18n = {
@@ -47,10 +46,17 @@
 keyMap = "us"; # or us/azerty/etc
 };
- security.rtkit.enable = true;
- security.pki.certificateFiles = [
+ security = {
+ rtkit.enable = true;
+ pki.certificateFiles = [
 ./rootCA.pem
- ];
+ ];
+ tpm2 = {
+ enable = true;
+ pkcs11.enable = true;
+ tctiEnvironment.enable = true;
+ };
+ };
 sound = { # ALSA sound enable
 enable = true;
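Review bot: The `"tss"` entry appended to `extraGroups` in the first hunk has no comment, yet it is the group that lets every process running as this user talk to the TPM device nodes, so a TPM-resident key provisioned without its own auth value or PIN becomes usable by anything in the session. As far as the NixOS module goes, the group is only created once `security.tpm2.enable` is set, which happens in the `@@ -47,10 +46,17 @@` hunk, so the two changes have to stay together. I would add a comment above the list such as `# tss: TPM device access for tpm2-pkcs11 (group comes from security.tpm2.enable); protect TPM keys with a PIN`. The `users.users.${user}` set continues past the end of this hunk.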
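Review bot: The new `tpm2` block in the `@@ -47,10 +46,17 @@` hunk leaves the access path to module defaults: `tctiEnvironment.enable = true` exports the TCTI variables to every session, but the interface is not stated, so a reader cannot tell from this file whether clients go through the kernel resource-manager device (gated by the `tss` group added in the first hunk) or through a resource-manager daemon. I would pin it and record the purpose, e.g. `tctiEnvironment.interface = "device";` under a comment like `# TPM reached via the kernel resource manager; consumed by tpm2-pkcs11`, with the consumer adjusted to whatever is really intended here. The PKCS#11 token store and its PIN are set up outside this file, which is worth saying in the same comment. How the unchanged `./rootCA.pem` line is indented under the new nesting cannot be checked on this page because the whitespace was collapsed.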