Enhance Windows Device Trust security with Trusted Platform Module (TPM)


For Device Trust-secured Windows computers with TPM 1.2 or 2.0.

 

Device Registration Task 1.4.0 is an Early Access (EA) offering. As such, it is not yet available from the Downloads page. To obtain it, you must configure a link as described in Obtain and install the Device Registration Task below.

This document describes how to leverage the security benefits of the Trusted Platform Module (TPM) by installing Okta Device Registration Task version 1.4.0 or higher on your domain-joined Windows computers. Use this document in conjunction with the main Okta Device Trust document for Windows, Enforce Okta Device Trust for managed Windows computers.

TPM is a microchip built into most Windows computers. It is designed to provide tamper-resistant security functions, primarily involving encryption keys. When used with the Okta Device Trust solution for Windows computers, TPM prevents malicious actors from copying the Private Key from Windows devices.

If TPM is present and enabled on the device, installing Okta Device Registration Task version 1.4.0 or higher generates a hardware-based key used by the Okta Device Trust solution for Windows computers. If a device lacks TPM, or if you install Registration Task version 1.4.0 or higher using the method that skips support for TPM (described below), the Registration Task generates a software-based key (pre-1.4.0 behavior).

Requirements

Procedures

Perform the procedure to obtain and install the Device Registration Task. Perform the other procedures if appropriate for your implementation.


Obtain and install the Device Registration Task

This procedure describes how to obtain Okta Device Registration Task version 1.4.0.

  1. Obtain Okta Device Registration Task version 1.4.0 or higher.

  2. At the time of this writing (August 2019), version 1.4.0 is in the Early Access (EA) phase. As such, it is not yet available from the Downloads page. To obtain it, configure a link as follows:

    https://<org>.<okta/oktapreview>.com/static/devicetrust/OktaDeviceRegistrationTaskSetup-1.4.0.<msi/exe>

    Where:

    • <org> is the name of your org
    • <okta/oktapreview> denotes either your Okta Production or Preview environment.
    • <msi/exe> is the file type of the Registration Task, either .msi or .exe.

    For example, a link for downloading .msi Registration Task version 1.4.0 to example.oktapreview.com would look like this:

    https://example.oktapreview.com/static/devicetrust/OktaDeviceRegistrationTaskSetup-1.4.0.msi

  3. Install Okta Device Registration Task version 1.4.0 as described in section B.2 of Enforce Okta Device Trust for managed Windows computers.
  4. Note: Make sure to read the information about proxy servers and certificate handling in B.2 — Obtain and install the Device Registration Task of the document Enforce Okta Device Trust for managed Windows computers.

  5. If your Windows 10 computers are running v1803 Build 17134.254 or earlier, you must install Cumulative Update KB4346783. The update "Addresses an issue where Microsoft Edge or other UWP applications can't perform client authentication when the private key is stored on a TPM 2.0 device." (See the KB article here). Without the update, users with trusted Windows computers are not able to access device trust-secured UWP apps or Edge.


Install the Device Registration Task without the TPM security enhancement (optional)

You can install version 1.4.0 with or without enabling TPM security enhancements. Either way, version 1.4.0 provides the following fixes:

If you don't want to leverage the TPM security benefits enabled by Okta Device Registration Task version 1.4.0, you can include the argument SkipTPM=true in the installation command as shown below:

OktaDeviceRegistrationTaskSetup.exe /q2 OktaURL=<URL> SkipTPM=true


Check the status of the TPM (optional)

It may be useful to check the status of TPM. To do so, open the TPM Management console:

From a command prompt, enter TPM.msc

– or –

From the Start button search field, enter TPM
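The following PowerShell script is an added example, not part of Okta's documentation or tooling. It ties together the steps above: it builds the download link from the page's URL template, checks whether the TPM is present and ready (so you know whether a hardware-based or software-based key will result), detects the Windows 10 v1803 build that needs KB4346783, and prints the install command with and without SkipTPM=true. The org name, environment and file type are assumed values; replace them with your own.

```powershell
# Added example (not Okta's own tooling): pre-install check for Device Registration Task 1.4.0.
# Org, environment and installer type are assumptions supplied by the admin.
param(
    [string]$Org      = 'example',      # <org> from the URL template above
    [string]$Env      = 'oktapreview',  # 'okta' (production) or 'oktapreview'
    [string]$FileType = 'msi'           # 'msi' or 'exe'
)

# 1. Build the download link exactly as the URL template describes.
$downloadUrl = "https://$Org.$Env.com/static/devicetrust/OktaDeviceRegistrationTaskSetup-1.4.0.$FileType"

# 2. Query TPM state. Get-Tpm ships with the built-in TrustedPlatformModule module.
#    A hardware-based key is only generated when the TPM is present and ready.
$tpm       = Get-Tpm -ErrorAction SilentlyContinue
$tpmUsable = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
# Spec version (1.2 or 2.0) from WMI; the KB4346783 issue concerns keys stored on TPM 2.0.
$specVersion = (Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion

# 3. Detect Windows 10 v1803 (build 17134) with UBR 254 or lower, which needs KB4346783.
#    A later cumulative update raises UBR above 254, so the check clears itself once patched.
$ver         = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$needsKb     = ($ver.CurrentBuild -eq '17134') -and ([int]$ver.UBR -le 254)
$kbInstalled = [bool](Get-HotFix -Id 'KB4346783' -ErrorAction SilentlyContinue)

Write-Host "Download link : $downloadUrl"
Write-Host "TPM present   : $($tpm.TpmPresent)  ready: $($tpm.TpmReady)  spec: $specVersion"

if ($tpmUsable) {
    Write-Host 'TPM usable: install normally to obtain a hardware-based key.'
    if ($needsKb -and -not $kbInstalled) {
        Write-Warning 'Windows 10 v1803 Build 17134.254 or earlier: install KB4346783 first, otherwise Edge and UWP apps cannot perform client authentication with a TPM 2.0 key.'
    }
} else {
    Write-Host 'No usable TPM: a software-based key will be generated (pre-1.4.0 behavior).'
}

# 4. Install commands from this page; SkipTPM=true is only needed to opt out of the TPM enhancement.
Write-Host "Install (TPM)    : OktaDeviceRegistrationTaskSetup.exe /q2 OktaURL=https://$Org.$Env.com"
Write-Host "Install (no TPM) : OktaDeviceRegistrationTaskSetup.exe /q2 OktaURL=https://$Org.$Env.com SkipTPM=true"
```

Run it from an elevated PowerShell prompt on the target computer; Get-Tpm and the Win32_Tpm class require administrator rights.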


Known Issues

  • TPM security is not implemented when Okta Device Registration Task 1.4.0 is installed on Windows 7 computers – Version 1.4.0 works with Windows 7 computers but without TPM security enhancements. A software-based key is generated instead of a hardware-based key. Additionally, version 1.4.0 provides other fixes unrelated to TPM security.
  • Update necessary for Windows 10 machines running v1803 Build 17134.254 or earlier – If your Windows 10 computers are running v1803 Build 17134.254 or earlier, you must install Cumulative Update KB4346783. The update "Addresses an issue where Microsoft Edge or other UWP applications can't perform client authentication when the private key is stored on a TPM 2.0 device." (See the KB article here). Without the update, users with trusted Windows computers are not able to access device trust-secured UWP apps or Edge.
  • You must manually delete the old certificate if you are reverting from Device Registration Task 1.4.0 to 1.3.1 – Otherwise, the following exception is thrown: Invalid provider type specified.

Additional information

Enforce Okta Device Trust for managed Windows computers

TPM recommendations

TPM Fundamentals

Trusted Platform Module Technology Overview

Cumulative Update KB4346783

Troubleshoot TPM

TPM Group Policy settings
