Actually, I have a follow-up question.

If I understand the documentation correctly, I should always be able to
generate the EK via tpm2_createek. That should (can?) never change.

So, upon initial deployment, first check and store EK.

tpm2_createek -G rsa -u ek.pub -c key.ctx
tpm2_getekcertificate -X -o ECcert.bin -u ek.pub \
  https://tpm.manufacturer.com/ekcertserver/

Right?

Best regards,
Steffen

On 09.01.20 19:43, Niklas Andersson wrote:
> Dell should keep tabs on all Endorsement Certificates that their
> computers come with and give you that list.
>
> You then check for a valid Endorsement cert as part of enrollment.
>
> - Niklas
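
An added example, not part of the original thread: one way to do the enrollment check discussed above, verifying that the downloaded EK certificate chains to the vendor's CAs and that it certifies the same key the TPM produced (the download itself is not authenticated when -X is used). The function name, file names and the PEM export of ek.pub (tpm2_createek -f pem) are assumptions.

```shell
#!/bin/sh
# Added example; function and file names are hypothetical.
# Assumes: the EK public key was exported as PEM (tpm2_createek ... -f pem),
# the EK certificate is DER, and the vendor's root and intermediate CA
# certificates sit in one PEM bundle obtained out of band.
# Usage: ek_enroll_check ek.pub.pem ECcert.bin vendor-ca-bundle.pem

ek_enroll_check() {
    ekpub=$1 ekcert=$2 cabundle=$3
    tmp=$(mktemp -d) || return 2
    rc=0

    # 1. The certificate must parse and chain to the vendor CA bundle.
    openssl x509 -inform DER -in "$ekcert" -out "$tmp/cert.pem" 2>/dev/null &&
        openssl verify -CAfile "$cabundle" "$tmp/cert.pem" >/dev/null 2>&1 ||
        rc=1

    # 2. The certified key must be the key this TPM produced. Both keys are
    #    re-encoded to DER SubjectPublicKeyInfo and compared byte for byte;
    #    an unreadable or empty key on either side is a failure, not a match.
    if [ "$rc" -eq 0 ]; then
        { openssl x509 -in "$tmp/cert.pem" -noout -pubkey |
              openssl pkey -pubin -outform DER -out "$tmp/cert.spki"; } 2>/dev/null &&
            openssl pkey -pubin -in "$ekpub" -outform DER \
                -out "$tmp/tpm.spki" 2>/dev/null &&
            [ -s "$tmp/cert.spki" ] && [ -s "$tmp/tpm.spki" ] &&
            cmp -s "$tmp/cert.spki" "$tmp/tpm.spki" ||
            rc=1
    fi

    rm -rf "$tmp"
    return "$rc"
}
```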