We should be able to store device credentials in a local TPM2 when running the manufacturing service process. The details of the format are covered in FDO standard for Credentials in TPM2.
We should have some logic, both on the service side and the manufacturing client side which covers the following:
Exit the manufacturing process if we can read a device credential in the TPM2 so the provisioning process doesn't block on a manufacturing service not being around if we have a credential
Have the a manufacturing service policy giving the ability to force a new credential to be stored for users that may require their own generated credentials
Store the credential in the proper location and proper format on the TPM2
We should be able to store device credentials in a local TPM2 when running the manufacturing service process. The details of the format are covered in FDO standard for Credentials in TPM2.
We should have some logic, both on the service side and the manufacturing client side which covers the following: