Alrite, thanks again.

Thats a lot of information. 
I thought I could use the EK to identify the device, but if I understand correctly thats a SHOULD NOT in the spec you provided, for user owned systems.
Also it can be turned off, I guess.

Reading out the NV gives me the expected certificate, so thats nice

$ tpm2_nvread 0x1C00002 | openssl x509 -inform der -in - -noout -text | grep Issuer
        Issuer: C = CH, O = STMicroelectronics NV, CN = STM TPM EK Intermediate CA 05
                CA Issuers - URI:http://secure.globalsign.com/stmtpmekint05.crt

Is there a list of commonly used NV Indexes?

Thanks again for the help