Attestation readiness verifier tool for TPM reliability on Windows 11 24H2

The attestation readiness verifier tool is here to help you enhance Trusted Platform Module (TPM) reliability! It simulates verification of Measured Boot logs and proactively identifies security and reliability issues. Try it today to help ensure system compatibility, improve security compliance, and effectively diagnose reliability issues on Windows 11, version 24H2.

TPM evolution​

TPM is at the heart of the implementation of many Microsoft security capabilities such as BitLocker encryption, Windows Hello, and attestation. You've been able to use TPM across a wide range of systems from Windows PCs to Microsoft Azure hosts and virtual machines. Its validation tools are incorporated into quality assurance workflows for Windows and Azure (e.g., the Windows Hardware Lab Kit test suite).

The quality of the TPM stack continues to improve based on insights from quantitative and qualitative trends, including your feedback. Thanks for sharing yours through Feedback Hub (to access Feedback Hub, press the Windows key + F), Partner Center for Windows Hardware, or your OS diagnostic data!

Attestation readiness verifier for TPM​

Today, we invite you to try a new lightweight tool, the attestation readiness verifier for TPM on Windows 11, version 24H2. Use it to easily check for potential issues at the hardware and firmware layer. Here's what it can help you accomplish:

• Enable system compatibility with various Windows features.
• Proactively identify security and reliability issues.
• Gain visibility into each system boot and hibernate-resume operation by using Measured Boot.
• Help ensure that systems boot in the expected configuration.

Note: This tool is built to simulate the verification and interpretation of Measured Boot logs by our security services. It does not check every variation of policies that could be deployed on security services performing TPM-based attestation.

What attestation readiness verifier does​

As it collects relevant security information to show the security health state of devices at your organization, attestation readiness verifier performs the following critical checks:

• TPM is present and responsive to commands.
• TPM version is 2.0.
• Valid boot logs exist.
• TPM platform configuration registers match.
• Necessary certificates (e.g., endorsement key certificate) are present and retrievable.

Attestation readiness verifier also helps collect some relevant security feature information, such as:

• Secure Boot status
• Virtualization-based Security (VBS) status
• System Guard status
• Hypervisor-protected code integrity (HVCI) status

Attestation readiness verifier indicates three possible health states. You'll find them in the Event Viewer Log at every boot and hibernate–resume, as follows:

• Attestable: All checks passed. Attestation is expected to report an accurate state.
• Possibly attestable: A platform configuration register (PCR) issue was detected during boot. PCRs are updated by components like UEFI firmware and securely stored in the TPM. Correctness of PCRs affects the health of security features like BitLocker and attestation. Note: Try restarting your machine first. If it doesn't help, you might need to work with your device or UEFI vendor.
• Not attestable: A critical check has failed. The device booted in an unhealthy state.

How to use attestation readiness verifier​

Access the attestation readiness verifier from the Event Viewer application.

1. In the Event Viewer application, navigate to Windows Logs, then System.
   
   
   
   
   Screenshot of the Event Viewer menu highlighting the System tab under Windows Logs.
   
2. In the Actions pane on the right, select Filter Current Log.
3. In the “Filter Current Log” dialog box, under Filter tab, set the Event sources to TPM-WMI events. Select OK.
   
   
   
   
   Screenshot of the Filter Current Log dialog box with the Filter by Event sources set to TPM-WMI.
   
4. Finally, see Event ID 1041 for the boot health information.
   
   
   
   
   Screenshot of the Event Viewer showing attestable state as Event ID 1041.

Attestation readiness verifier in action​

Try applying this tool to your workflows as an indicator of local system security health. If you're an IT admin managing large fleets of devices in an enterprise, help ensure security compliance readiness. If you're an original equipment manufacturer (OEM) or BIOS developer, use it to help validate compliance with the ever-increasing set of Windows security capabilities. Attestation readiness verifier helps keep users and data safe across your organization.

Learn from the experiences of early Microsoft adopters of attestation readiness verifier in the sections below!

Windows security diagnosis with BitLocker​

BitLocker exemplifies how you can diagnose Windows security issues that intersect with the TPM faster. BitLocker relies on the integrity of the boot process and uses the TPM platform configuration registers. These registers store unique boot measurements to prove that a device booted in the necessary configuration.

The new tool helps diagnose the root cause of reliability issues that prevent BitLocker enablement. BitLocker requires a present and responsive TPM 2.0, valid boot logs, and matching platform configuration register values. When these preconditions are met, attestation readiness verifier reports an attestable state.

Take advantage of quick and easy insights into complex checks with this tool.

Microsoft Entra Conditional Access​

You use Microsoft Entra Conditional Access to manage how users at your organization access resources based on predefined policies. Intune integrated with Microsoft Entra Conditional Access uses Device Health Attestation to validate device health compliance policies. But what happens if devices have legitimate firmware that isn't behaving correctly? A security evaluation of the Measured Boot logs can result in a false positive. That would exclude some users from Conditional Access.

Now, attestation readiness verifier simulates local device attestation compliance prior to applying conditional policies. Healthy systems help ensure that devices boot in the expected state.

You, too, can use attestation readiness verifier to conduct inventory of devices that are attestable. Experience a smoother compliance process and maintain Conditional Access.

Azure host attestation​

Azure host attestation service uses the TPM to help ensure the security and compliance of Azure host nodes. This helps you to allow only trusted hosts to be active and used in the production fleet.

Attestation readiness verifier is now an additional check incorporated into multiple Azure host attestation quality workflows. It validates the rollout of new OS releases and firmware integration to catch BIOS issues on new hardware SKUs.

Enhance your TPM reliability today​

When you diagnose, prevent, or remediate issues, attestation readiness verifier for TPM reliability is here to help. Try this added functionality for better visibility into the local security health status of your Windows 11, version 24H2 devices. Learn more about TPM 2.0 – a necessity for a secure and future-proof Windows 11.

At Microsoft, we truly believe that security is a team sport. By collaborating with OEMs, app developers, and other partners in the ecosystem, we continue to help make Windows more secure by design and more secure by default. The Windows Security Book is available to help you learn more about what makes it easy to stay secure with Windows 11.

To learn more about Microsoft Security solutions, visit our website, bookmark the Security blog to keep up with our expert coverage on security matters, and follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.