Windows API - Win32
A core set of Windows application programming interfaces (APIs) for desktop and server applications. Previously known as Win32 API.
2,430 questions
Maybe this will help
Is there any API to get public part of Endorsement Key(EK) of TPM?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 62%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERK%3C/text%3E%3C/svg%3E)
Rahul K
51
Reputation points
- How to get EK or public EK of TPM?
- We are able to get the public key hash using powershell command: get-tpmendorsementkeyinfo -hash "Sha256"
- Is there any API in C# or C++ to get public key hash of EK.
We are planning to use this EK to uniquely identify a device, as each device has a unique EK.
reference: Stackoverflow question about using TPM as a device fingerprint
Windows API - Win32
C#
C#
An object-oriented and type-safe programming language that has its roots in the C family of languages and includes support for component-oriented programming.
10,311 questions
C++
C++
A high-level, general-purpose programming language, created as an extension of the C programming language, that has object-oriented, generic, and functional features in addition to facilities for low-level memory manipulation.
3,545 questions
Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,767 questions
{count} vote
-
Junjie Zhu - MSFT 15,366 Reputation points Microsoft Vendor2021-12-31T08:46:23.86+00:00 I searched the related API in Microsoft documentation, and it seems that there is no other API except get-TpmEndorSementKeyInfo.
-
Castorix31 81,831 Reputation points2021-12-31T09:02:24.833+00:00 Maybe you could send commands like TPM_GetPubKey with Tbsip_Submit_Command
(I have no TPM on my old PC, so I cannot test...)
Sign in to comment
2 answers
Sort by: Most helpful
-
Ken Tucker 5,846 Reputation points2021-12-30T22:32:34.157+00:00 -
Rahul K 51 Reputation points
2021-12-31T05:37:18.39+00:00 Ya, we already saw this project. But did not find anything that we can use for device fingerprint.
Sign in to comment -
-
Sander van de Velde 29,286 Reputation points MVP2022-01-02T22:53:41.703+00:00 Hello anonymous user-5396 ,
The TPM is supported for securing the IoT connection with the Azure Device provisioning service resource.
A programming sample in C# for this communication solution is seen here.
This is part of a bigger story of course (where the Azure IoT Edge runtime will complete the full enrollment circle).
Still, this could be your starting point for getting an endorsement key.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 40%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAL%3C/text%3E%3C/svg%3E)
aurel-LX 6 Reputation points2022-01-28T17:02:12.69+00:00 The sample does not explain how to retrieve the public part of the endorsement key.
This public part is needed to manually enroll the device in the Device Provisioning Service in Azure.
Using the command Get-TpmEndorsementKeyInfo -Hash "Sha256" on power shell returns the hash of the key, things that is not accepted in Azure as Endorsement Key. -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 7.000000000000001%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
Gino 1 Reputation point2022-03-16T19:56:15.453+00:00 Have you found a solution? I have the same problem.
-
Sander van de Velde 29,286 Reputation points MVP
2022-03-16T22:01:58.91+00:00 Hello @aurel-LX , anonymous user-5773 ,
in the past, I have used the TPM in combination with the Azure Device Provisioning Service.
I used this GitHub repo to get the endorsement key.
I think it needs some rework but this should still work.
-
Gino 1 Reputation point
2022-03-17T10:17:54.123+00:00 @Sander van de Velde thank you for your help!
Currently I am working on three tasks
- DPS with TPM (read the EK and use it in the dps process)
- DPS with X.509 (store the x.509 certificate in the tpm and read it for the dps process)
- DPS with symmetric key (store the symmetric key in the tpm and read it for the dps process)
Have you found some examples written in c++?
-
Sander van de Velde 29,286 Reputation points MVP
2022-03-17T17:23:24.48+00:00 Hello anonymous user-5773 ,
I checked the documentation and only see it for other languages there:
The Github library does only show this individual enrollment sample.
The valid alternative is making use of the DPS Rest API.
Sign in to comment -