Actually, I have a follow-up question.

If I understand the documentation correctly, I should always be able to generate the EK via tpm2_createek. That should (can?) never change.

So, upon initial deployment, first check and store EK.

tpm2_createek -G rsa -u ek.pub -c key.ctx

tpm2_getekcertificate -X -o ECcert.bin -u ek.pub \
https://tpm.manufacturer.com/ekcertserver/


Right?


Best regards,
Steffen


    
On 09.01.20 19:43, Niklas Andersson wrote:
Dell should keep tabs on all Endorsement Certificates that their computers come with and give you that list.

You then check for a valid Endorsement cert as part of enrollment. 

- Niklas
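
The enrollment check discussed in this thread, as an added example that is not part of either message or of tpm2-tools: the certificate fetched at deployment is checked against the vendor's list, then pinned to the device so a later change or reuse is rejected. The EnrollmentStore class, the device ids and the list format (SHA-256 fingerprints of the DER certificates) are assumptions.

```python
import hashlib

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER bytes of an EK certificate (e.g. ECcert.bin)."""
    return hashlib.sha256(cert_der).hexdigest()

class EnrollmentStore:
    """Hypothetical enrollment-side record of which device owns which EK cert."""

    def __init__(self, vendor_fingerprints):
        # Assumption: the vendor list arrives as SHA-256 fingerprints of DER certs.
        self.vendor = set(vendor_fingerprints)
        self.by_device = {}  # device id -> pinned fingerprint
        self.by_cert = {}    # fingerprint -> device id

    def enroll(self, device_id: str, cert_der: bytes) -> str:
        fp = fingerprint(cert_der)
        if fp not in self.vendor:
            return "rejected: certificate not in vendor list"
        pinned = self.by_device.get(device_id)
        if pinned is not None and pinned != fp:
            # The EK should never change, so a different cert is an anomaly.
            return "rejected: EK certificate changed for this device"
        owner = self.by_cert.get(fp)
        if owner is not None and owner != device_id:
            return "rejected: certificate already bound to another device"
        if pinned == fp:
            return "ok: matches stored EK certificate"
        self.by_device[device_id] = fp
        self.by_cert[fp] = device_id
        return "ok: enrolled"

# Constructed stand-ins for DER certificate bytes; real input is the file
# written by tpm2_getekcertificate.
CERT_A = b"constructed-ek-cert-A"
CERT_B = b"constructed-ek-cert-B"
CERT_UNKNOWN = b"constructed-ek-cert-not-from-vendor"

def demo():
    store = EnrollmentStore([fingerprint(CERT_A), fingerprint(CERT_B)])
    return [store.enroll("host-1", CERT_A), store.enroll("host-1", CERT_A),
            store.enroll("host-1", CERT_B), store.enroll("host-2", CERT_A),
            store.enroll("host-3", CERT_UNKNOWN)]

if __name__ == "__main__":
    print("\n".join(demo()))
```

A fingerprint match only shows that the certificate is a known one; it does not show that the enrolling machine holds the matching EK, which takes a challenge to the TPM such as tpm2_makecredential / tpm2_activatecredential.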