3.6.1 Trusted Platform Module (TPM)
All device models, lines or series must implement and be in compliance with the International Standard ISO/IEC 11889:2015 or the Trusted
Computing Group TPM 2.0 Library and a component which implements the TPM 2.0 must be present and enabled by default.
The following requirements must be met:
• All TPM configurations must comply with local laws and regulations.
• Firmware-based components that implement TPM capabilities must implement version 2.0 of the TPM specification.
• An EK certificate must either be pre-provisioned to the TPM by the hardware vendor or be capable of being retrieved by the device
during the first boot experience.
• It must ship with SHA-256 PCR banks and implement PCRs 0 through 23 for SHA-256. Note that it is acceptable to ship TPMs with a single
switchable PCR bank that can be utilized for SHA-256 measurements.
• It must support TPM2_HMAC command.
A UEFI firmware option to turn off the TPM is not required. Upon approval from Microsoft, OEM systems for special purpose commercial
systems, custom order, and customer systems with a custom image are not required to ship with a TPM support enabled.
For detailed and to-to-date TPM requirements, refer to the relevant section in Windows Hardware Compatibility Program requirements