Microsoft, today, removed another Windows 11 24H2 compatibility block which means the feature update is now available for download to those who were affected.
Speaking of Windows 11 24H2, the company today also shared a new TPM verification tool called the "attestation readiness verifier tool" which will help to check for and identify various compatibility, security, and reliability issues at the hardware and firmware level.
Neowin has covered attestation-related bugs in the past and Microsoft has also previously worked on a "TPM troubleshooter" option inside the Security app.
With this new tool, Microsoft says that users will be able to better understand the level of TPM attestation readiness using newly presented information in the Event Viewer.
If you are not familiar, the (Windows) Event Viewer helps Windows keep logs of the various "events" carried out by the apps and drivers. Microsoft recommends it as a useful utility to help troubleshoot issues.
Microsoft explains:
Attestation readiness verifier indicates three possible health states. You'll find them in the Event Viewer Log at every boot and hibernate–resume, as follows:
- Attestable: All checks passed. Attestation is expected to report an accurate state.
- Possibly attestable: A platform configuration register (PCR) issue was detected during boot. PCRs are updated by components like UEFI firmware and securely stored in the TPM. Correctness of PCRs affects the health of security features like BitLocker and attestation. Note: Try restarting your machine first. If it doesn't help, you might need to work with your device or UEFI vendor.
- Not attestable: A critical check has failed. The device booted in an unhealthy state.
A detailed guide about it has also been published by Microsoft on the announcement blog post which you can read here.
This announcement comes hot on the heels of Microsoft adding "enhanced" hardware-backed attestation for Windows 11 on Intune. The Microsoft 365 roadmap entry under ID 387499 describes the new feature:
Microsoft Intune: Hardware backed attestation - enhanced for Windows 11
This will enhance the Windows compliance policy - device health by adding five additional hardware attestation settings specific to Windows 11 using advanced platform security features like Memory Integrity and Access Protection, firmware protection, virtualization-based security, and Early Launch Antimalware protection.
For those wondering, TPM attestation is sort of similar to how UEFI Secure Boot works. The difference is that Secure Boot's function is to check for secure bootloaders while TPM attestation ensures TPM authenticity by attesting that the corresponding RSA (Rivest, Shamir, Adleman) keys are trusted by the CA (certificate authority).
0 Comments - Add comment