
Clarify kind of hardware TPMs that Windows Hello will accept for attestation

Open complexspaces opened this issue 3 years ago • 3 comments

Currently, it is very ambiguous (and not aligned) which kinds of TPMs the Windows Hello Attestation API will accept as "valid."

Based on some preliminary testing, it is not clear at all what Windows Hello (the functionality of which used to be grouped under Microsoft's Passport technology) is using to check if a TPM supports attestation, and it often seems to be in disagreement with Windows itself elsewhere. This seems like either a bug or an oversight somewhere. Below are the support testing results:

| TPM Kind | Windows' Device Security Center Reports Support | Windows Hello Reports Support |
|---|---|---|
| Hyper-V Virtual TPM | Yes | Yes |
| VMware Virtual TPM | Yes | No |
| AMD Ryzen CPU fTPM | Yes | No |
| Intel Laptop TPM | Yes | Yes |

If this is not a bug but undocumented, intended behavior, I believe it should be documented so users of the API can be aware of the limitations.

complexspaces · Dec 06 '21 15:12
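For anyone who wants to reproduce the "Windows Hello Reports Support" column above, this is an added example (not code from the thread or from 1Password) of the check the first post is talking about: create a Windows Hello key and ask for its TPM attestation through the `Windows.Security.Credentials` API. It assumes a C# project that targets a Windows SDK TFM (e.g. `net6.0-windows10.0.19041.0`) so the WinRT types are projected; the key name `attestation-probe` is a constructed placeholder.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.Credentials;

public static class HelloAttestationProbe
{
    // Constructed key name used only for this probe; it is deleted afterwards.
    private const string ProbeKeyName = "attestation-probe";

    // Returns the attestation status Windows Hello reports for the key's TPM,
    // or null when Hello is not set up or the key could not be created.
    // This is the value behind the "Windows Hello Reports Support" column:
    // Success        -> attestation available ("Yes")
    // NotSupported   -> this TPM is not accepted for attestation ("No")
    // TemporaryFailure / UnknownError -> retry or treat as unknown, not as "No"
    public static async Task<KeyCredentialAttestationStatus?> ProbeAsync()
    {
        if (!await KeyCredentialManager.IsSupportedAsync())
        {
            Console.WriteLine("Windows Hello is not configured on this device.");
            return null;
        }

        // Creating the key prompts the user for their Hello gesture.
        KeyCredentialRetrievalResult created = await KeyCredentialManager.RequestCreateAsync(
            ProbeKeyName, KeyCredentialCreationOption.ReplaceExisting);
        if (created.Status != KeyCredentialStatus.Success)
        {
            Console.WriteLine($"Key creation failed: {created.Status}");
            return null;
        }

        try
        {
            KeyCredentialAttestationResult attestation = await created.Credential.GetAttestationAsync();
            Console.WriteLine($"Attestation status: {attestation.Status}");
            if (attestation.Status == KeyCredentialAttestationStatus.Success)
            {
                // A relying party verifies these buffers against a trusted TPM
                // manufacturer CA; here we only report that they were produced.
                Console.WriteLine(
                    $"Attestation blob: {attestation.AttestationBuffer.Length} bytes, " +
                    $"certificate chain: {attestation.CertificateChainBuffer.Length} bytes");
            }
            return attestation.Status;
        }
        finally
        {
            // Remove the probe key so it does not linger in the user's Hello store.
            await KeyCredentialManager.DeleteAsync(ProbeKeyName);
        }
    }
}
```

Running this on a Ryzen fTPM or VMware vTPM machine and getting `NotSupported` while `Get-Tpm` (or the Windows Security app) says the TPM is present and ready is exactly the mismatch the table documents.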

Adding a quick follow up: Another set of documentation states that "Windows uses any compatible TPM in the same way." This furthers the idea that the current behavior is a bug or the "compatibility" is not laid out clearly enough for a TPM 2.0 device.

complexspaces · Dec 06 '21 23:12

The 1Password team would love to have these updated and/or clarified, so we could use such information to improve our Windows Hello support in 1Password 8. In the event that the issue re: Ryzen and VMware TPM is in fact not a bug, we could better inform customers about the limitations.

Mike-AgileBits · Dec 06 '21 23:12

Does this mean that all Ryzen CPU series without Pluton support cannot be used with attestation here even if they have fTPM?

That means for devices like the Lenovo ThinkPad Z13 and Z16, when Pluton is configured as the TPM 2.0 for a Windows 11 system, Pluton helps protect Windows Hello credentials by keeping them further isolated from attackers.

https://blogs.windows.com/windowsexperience/2022/01/04/ces-2022-chip-to-cloud-security-pluton-powered-windows-11-pcs-are-coming/

Mike-AgileBits · Jan 04 '22 16:01

Closing the issue. After talking to the feature PMs, there are no immediate plans to add this level of detail to the documentation. It will be considered in the future.

paolomatarazzo · Sep 12 '22 12:09