TPM (Infineon SLB9670)

  • Question

  • Hello!

    Currently I am developing with a Raspberry Pi 3 and want to set up the TPM. My OS is Windows 10 Enterprise, and WDK, SDK and ADK are all installed. I am using a default Windows 10 IoT Core image downloaded from the Dashboard.

    I followed the instructions at: https://docs.microsoft.com/en-us/windows/iot-core/secure-your-device/securebootandbitlocker

    All steps in Generate Lockdown Packages were successful.

    For Test Lockdown Packages I followed the instructions and did the following:

    Connect to the device (using PowerShell). Paste in the following commands:

    applyupdate -stage c:\OemInstall\OEM.Custom.Cmd.cab
    applyupdate -stage c:\OemInstall\OEM.Security.BitLocker.cab
    applyupdate -stage c:\OemInstall\OEM.Security.SecureBoot.cab
    applyupdate -stage c:\OemInstall\OEM.Security.DeviceGuard.cab
    applyupdate -commit

    After applyupdate -commit the OS boots as described in the instructions, but the default application is stopped and the following steps aren't successful:

    Test the security features

    SecureBoot: try bcdedit /debug on, you will get an error stating that the value is protected by secure boot policy.

    BitLocker: To validate that BitLocker encryption has been completed, run

    sectask.exe -waitenableforcompletion 1

    If it returns 0, that means all drives on the system have been BitLockered successfully. Any other return code is failure.

    Does anybody have the same issues?

    Thanks!
    Friday, April 5, 2019 1:13 PM

All replies

  • Hello John Phuong,

    Can you make sure the discrete TPM Infineon SLB9670 was installed successfully? Were you following this document to install the module?

    Best Regards,

    Michael


    MSDN Community Support Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.


    Monday, April 8, 2019 2:03 AM
  • Hello,

    Yes, I set up the TPM first and all steps were successful, so the Infineon TPM was recognized. Only the last step of "Test Lockdown packages" (applyupdate -commit) isn't successful. The default IoT Core boots and on Windows Device Portal the IOTCoreDefaultApplication is stopped.

    Thanks for helping me!

    Monday, April 8, 2019 11:11 AM
  • Hello John,

    I can reproduce this issue. I have posted this problem via the Feedback Hub app (https://aka.ms/AA4q94u).

    If there is an update, I will let you know.

    Best Regards,

    Michael


    Tuesday, April 9, 2019 3:01 AM
  • OK, thanks Michael!
    Tuesday, April 9, 2019 12:33 PM
  • Hello John,

    When you enable lockdown on the device, the device only allows execution of signed applications and drivers. You can uncomment the following config item in settings.xml:

                <Retail>
                    <Cert>Keys\oem-UMCI.cer</Cert>
                    <!-- Enable this to allow all apps from the Microsoft App Store -->
                    <Cert>db\MicrosoftMarketPlacePCA2011.cer</Cert>                     <!-- Microsoft MarketPlace PCA 2011 -->
                    <!-- Microsoft certificates -->
                    <Cert>db\db_MSFTproductionWindowsSigningCA2011.cer</Cert>           <!-- Microsoft Windows Production PCA 2011 -->
                </Retail>

    I have tested on build 17763. It works fine.

    Best Regards,

    Michael


    Friday, April 12, 2019 6:39 AM
  • Hello Michael,

    You are right. It now works. The only problem I have now is the verification of BitLocker and Secure Boot.

    When I test the commands listed below, I don't get an error for SecureBoot but a message that the operation was successful, and for BitLocker I don't get any message.

    • SecureBoot: try bcdedit /debug on, you will get an error stating that the value is protected by secure boot policy.

    • BitLocker: To validate that BitLocker encryption has been completed, run

      sectask.exe -waitenableforcompletion 1

    First I thought that I hadn't uncommented the commands in oemcustomization.cmd below, but I did.

    REM - Enable the below if you need secure boot/bitlocker
    REM Enable Secureboot
    if exist c:\IoTSec\setup.secureboot.cmd  (
    call c:\IoTSec\setup.secureboot.cmd
    )

    REM Enable Bitlocker
    if exist c:\IoTSec\setup.bitlocker.cmd  (
    call c:\IoTSec\setup.bitlocker.cmd
    )

    Do you have a solution for that?

    Monday, April 15, 2019 3:38 PM
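The two checks from the "Test the security features" step (quoted in the question and in the reply above), wrapped so the outcome is reported as PASS/FAIL instead of read off by eye. This is an added example, not code from the thread or from the Microsoft documentation; it assumes it is run in the PowerShell session on the IoT Core device after the post-commit reboot, with bcdedit and sectask.exe on the PATH as the thread quotes them.

```powershell
# Added example (not from the thread): verify the lockdown state on the device.
# Assumption: run on the IoT Core device itself, after "applyupdate -commit" has
# rebooted it, so the staged SecureBoot/BitLocker packages have been applied.

function Test-SecureBootPolicy {
    # Changing a protected BCD setting must be rejected when Secure Boot policy
    # is enforced. A success message (the symptom in this thread) means the
    # policy is not in effect.
    $output = & bcdedit /debug on 2>&1 | Out-String
    $rejected = ($LASTEXITCODE -ne 0) -and ($output -match 'protected by')
    if ($rejected) {
        return $true      # nothing was changed; the policy held
    }
    # The change went through: revert it so the device is not left with
    # kernel debugging enabled by the check itself.
    & bcdedit /debug off | Out-Null
    return $false
}

function Test-BitLockerComplete {
    # Per the docs quoted above, sectask.exe returns 0 only once every
    # drive has been encrypted; any other exit code is a failure.
    & sectask.exe -waitenableforcompletion 1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$results = [ordered]@{
    'SecureBoot policy enforced' = Test-SecureBootPolicy
    'BitLocker encryption done'  = Test-BitLockerComplete
}
foreach ($entry in $results.GetEnumerator()) {
    $state = if ($entry.Value) { 'PASS' } else { 'FAIL' }
    '{0}: {1}' -f $entry.Key, $state
}
```

Both checks rely on the exit code of the native command, so they give a usable answer even when, as in the reply above, no message is printed at all.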
  • Hello John,

    I think this problem is a different topic from the original post. You can separate it into a new thread.

    Thanks.

    Best Regards,

    Michael


    • Marked as answer by Uwewe Sunday, April 21, 2019 10:32 AM
    Thursday, April 18, 2019 8:27 AM