diff --git a/doc/release-notes/rl-2505.section.md b/doc/release-notes/rl-2505.section.md
index fb46f6ac04d6..8ae1797aaf1a 100644
--- a/doc/release-notes/rl-2505.section.md
+++ b/doc/release-notes/rl-2505.section.md
@@ -232,6 +232,8 @@
 
 - `dwarf-fortress-packages` now only contains one minor version for each major version since version 0.44. Saves should still be compatible, but you may have to change which minor version you were using if it was one other than the newest.
 
+- `tpm2-pkcs11` now is compiled without abrmd (Access Broker and Resource Manager Daemon) support by default, preferring the kernel resource manager. Use `tpm2-pkcs11.abrmd` if you would like a version with abrmd support. Note that the NixOS module picks the correct one automatically based on `security.tpm2.abrmd`.
+
 - `zig_0_9` and `zig_0_10` have been removed, you should upgrade to `zig_0_13` (also available as just `zig`), `zig_0_12` or `zig_0_11` instead.
 
 - `webpack-cli` was updated to major version 6, which has breaking changes from the previous version 5.1.4. See the [upstream release notes](https://github.com/webpack/webpack-cli/releases/tag/webpack-cli%406.0.0) for details on these changes.
diff --git a/nixos/modules/security/tpm2.nix b/nixos/modules/security/tpm2.nix
index f60adb24cdbe..bb947cb32a56 100644
--- a/nixos/modules/security/tpm2.nix
+++ b/nixos/modules/security/tpm2.nix
@@ -75,8 +75,8 @@ in
       package = lib.mkOption {
         description = "tpm2-pkcs11 package to use";
         type = lib.types.package;
-        default = pkgs.tpm2-pkcs11;
-        defaultText = lib.literalExpression "pkgs.tpm2-pkcs11";
+        default = if cfg.abrmd.enable then pkgs.tpm2-pkcs11.abrmd else pkgs.tpm2-pkcs11;
+        defaultText = lib.literalExpression "if config.security.tpm2.abrmd.enable then pkgs.tpm2-pkcs11.abrmd else pkgs.tpm2-pkcs11";
       };
     };
 
diff --git a/pkgs/by-name/tp/tpm2-pkcs11/package.nix b/pkgs/by-name/tp/tpm2-pkcs11/package.nix
index ac79ea43d0cf..17d53d293bbf 100644
--- a/pkgs/by-name/tp/tpm2-pkcs11/package.nix
+++ b/pkgs/by-name/tp/tpm2-pkcs11/package.nix
@@ -222,18 +222,26 @@ chosenStdenv.mkDerivation (finalAttrs: {
         $out/lib/libtpm2_pkcs11.so.0.0.0
     '';
 
-  passthru = {
+  passthru = rec {
+    esapi = tpm2-pkcs11-esapi;
+    fapi = tpm2-pkcs11-fapi;
+    abrmd = tpm2-pkcs11.override {
+      abrmdSupport = true;
+    };
+    esapi-abrmd = tpm2-pkcs11-esapi.override {
+      abrmdSupport = true;
+    };
+    fapi-abrmd = tpm2-pkcs11-fapi.override {
+      abrmdSupport = true;
+    };
     tests = {
-      inherit tpm2-pkcs11-esapi tpm2-pkcs11-fapi;
-      tpm2-pkcs11-abrmd = tpm2-pkcs11.override {
-        abrmdSupport = true;
-      };
-      tpm2-pkcs11-esapi-abrmd = tpm2-pkcs11-esapi.override {
-        abrmdSupport = true;
-      };
-      tpm2-pkcs11-fapi-abrmd = tpm2-pkcs11-fapi.override {
-        abrmdSupport = true;
-      };
+      inherit
+        esapi
+        fapi
+        abrmd
+        esapi-abrmd
+        fapi-abrmd
+        ;
     };
   };