Enhance Windows Device Trust security with Trusted Platform Module (TPM)
For Device Trust-secured Windows computers with TPM 1.2 or 2.0.
Device Registration Task 1.4.1 is an Early AccessEarly Access (EA) features are opt-in features that you can try out in your org by asking Okta Support to enable them. Additionally, the Features page in the Okta Admin Console (Settings > Features) allows Super Admins to enable and disable some EA features themselves. offering. As such, it is not yet available from the Downloads page. To obtain it, you must configure a link as described in Obtain and install the Device Registration Task below.
TPM is a microchip built into most Windows computers. It is designed to provide tamper-resistant security functions, primarily involving encryption keys. When used with the Okta Device Trust solution for Windows computers, TPM prevents malicious actors from copying the Private Key from Windows devices.
If TPM is present and enabled on the device, installing Okta Device Registration Task version 1.4.1 or higher generates a hardware-based key used by the Okta Device Trust solution for Windows computers. If a device lacks TPM, or if you install Registration Task version 1.4.1 or higher using the method that skips support for TPM (described below), the Registration Task generates a software-based key (pre-1.4.1 behavior).
- Okta Device Registration Task 1.4.1 or later
- Windows domainA domain is an attribute of an Okta organization. Okta uses a fully-qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.), but does not include the protocol (https).-joined computers
- Windows 8 and 10, 32- and 64-bit
- Internet Explorer, Edge, and Chrome browsers
- TPM is enabled, activated, and owned. For definitions of these terms, see the Microsoft document TPM Fundamentals.
- Windows 10 computers running v1803 Build 17134.254 or earlier must have Cumulative Update KB4346783
- TPM security benefits will not take effect on Windows devices already enrolled in this Device Trust solution until the certificate is renewed
- For some Windows computers, it may be necessary to enable TPM in the BIOS (though it is typically enabled by default). If TPM is not enabled, the Okta Device Registration Task generates a software-based key instead of a hardware-based key.
Perform the procedure to obtain and install the Device Registration Task. Perform the other procedures if appropriate for your implementation.
This procedure describes how to obtain Okta Device Registration Task version 1.4.1.
- Obtain Okta Device Registration Task version 1.4.1 or higher.
- <org> is the name of your org
- <okta/oktapreview> denotes either your Okta Production or Preview environment.
- <msi/exe> is the file type of the Registration Task, either .msi or .exe.
- Install Okta Device Registration Task version 1.4.1 as described in section B.2 of Enforce Okta Device Trust for managed Windows computers.
If your Windows 10 computers are running v1803 Build 17134.254 or earlier, you must install Cumulative Update KB4346783. The update "Addresses an issue where Microsoft Edge or other UWP applications can't perform clientEssentially, a client is anything that talks to the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin. authentication when the private key is stored on a TPM 2.0 device." (See the KB article here). Without the update, users with trusted Windows computers are not able to access device trust-secured UWP apps or Edge.
As of February 2020, version 1.4.1 is in the Early Access (EA) phase. As such it is not yet available from the Downloads page. So to obtain it, you must configure a link as follows:
For example, a link for downloading .msi Registration Task version 1.4.1 to example.oktapreview.com would look like this:
Note: Make sure to read the information about proxy servers and certificate handling in B.2 — Obtain and install the Device Registration Task of the document Enforce Okta Device Trust for managed Windows computers.
Install the Device Registration Task without the TPM security enhancement (optional)
You can install version 1.4.1 with or without enabling TPM security enhancements. Either way, version 1.4.1 provides the following fixes:
- Fixes an issue that caused Chrome browser settings to be removed when the Device Registration Task was uninstalled.
Fixes an issue where uninstalling the Device Registration Task removed the automatic certificate selection setting in Chrome. The setting is designed to prevent the browser from prompting end usersEnd users are people in your org without administrative control. They can authenticate into apps from the icons on their My Applications home page, but they are provisioned, deprovisioned, assigned, and managed by admins. to select the certificate during the device trust flow.
If you don't want to leverage the TPM security benefits enabled by Okta Device Registration Task version 1.4.1, you can include the argument SkipTPM=true in the installation command as shown below:
Check the status of the TPM (optional)
It may be useful to check the status of TPM. To do so, open the TPM Management console:
From a command prompt, enter TPM.msc
– or –
From the Start button search field, enter TPM
- TPM security is not implemented when Okta Device Registration Task 1.4.1 is installed on Windows 7 computers – Version 1.4.1 works with Windows 7 computers but without TPM security enhancements. A software-based key is generated instead of a hardware-based key. Additionally, version 1.4.1 provides other fixes unrelated to TPM security.
- Update necessary for Windows 10 machines running v1803 Build 17134.254 or earlier – If your Windows 10 computers are running v1803 Build 17134.254 or earlier, you must install Cumulative Update KB4346783. The update "Addresses an issue where Microsoft Edge or other UWP applications can't perform client authentication when the private key is stored on a TPM 2.0 device." (See the KB article here). Without the update, users with trusted Windows computers are not able to access device trust-secured UWP apps or Edge.
- You must manually delete the old certificate if you are reverting from Device Registration Task 1.4.0 to 1.3.1 – Otherwise, the following exception is thrown: Invalid provider type specified.
- Go to Start and type mmc in the search field to open the console.
- Go to File and click Add/Remove Snap-in.
- Select Certificates and then click Add.
- In the Certificates snap-in dialog box, select My user account.
- Click Finish.
- Click OK.
- Under Console Root, expand Certificates - Current User.
- Expand the Personal folder, click Certificates, right click the Okta MTLS certificate, and then choose Delete.