Trust Policy
Define fleet-wide attestation and trust rules. Centres and desks must comply to be Trusted.
May 19 – May 25, 2025
Policy Status
Active
Enforced across the fleet · Since 12 May 2025
Policy Version
v6.5.0
Last updated by Super Admin · 20 May 2025
Scope
All Tenants
All Centres & Desks
Compliance (3d)
Compliant 8,214 (96%)
Non-Compliant 282
Unknown 60
Enforcement
Strict
Non-compliant = Unbound · No grace mode
Secure Boot Policy
Only devices with Secure Boot enabled and compliant key sets are Trusted.
| Policy Item | Requirement | Approved Value |
|---|---|---|
| Secure Boot State | Must Be Approved | Enabled |
| Platform Key (PK) | Must Be Approved | Microsoft Windows Production PCA 2011 SHA256: 3B 1E A5 D2 … |
| Key Exchange Key (KEK) | Must Be Approved | Microsoft Corporation KEK CA 2011 SHA256: 9C A4 B0 7F … |
| db (Allowed Signatures) | Must Be Approved | Microsoft Windows UEFI CA 2011 SHA256: 5E 6F 8A 12 … |
| dbx (Blocked Signatures) | Must Be Approved | Microsoft UEFI CA 2011 (revocation) SHA256: 1A 2B 3C 4D … |
| DB Policy Mode | Required (TPM 2.0) | User Mode (Enforced) |
Allowed Secure Boot Sources
Only signatures from the following CAs / vendors are accepted.
| Vendor / CA | Purpose |
|---|---|
| Microsoft Windows UEFI CA 2011 | db / OS Loader |
| Microsoft Corporation KEK CA 2011 | KEK |
| Microsoft Windows Production PCA 2011 | Platform Key |
| Provion Core CA | Provion Core Components |
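How a fleet attestation service might turn the Secure Boot Policy table and the Allowed Secure Boot Sources list into a compliance verdict: the code parses the EFI_SIGNATURE_LIST format in which UEFI stores PK, KEK, db and dbx, fingerprints each signer, and returns Compliant, Non-Compliant or Unknown with the page's Strict semantics (missing evidence is Unknown, any unapproved signer or an empty dbx is Non-Compliant). This is an added illustration, not Provion code; the `report` and `approved` shapes and the placeholder certificate bytes are constructed for the example.

```python
import hashlib, struct, uuid

# Signature-type GUIDs from the UEFI specification (EFI_SIGNATURE_LIST.SignatureType).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

def parse_signature_lists(blob):
    """Walk concatenated EFI_SIGNATURE_LIST structures; yield (SignatureType, SignatureData) per entry."""
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if sig_size <= 16 or list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST")  # never guess on attestation evidence
        pos = off + 28 + hdr_size
        while pos + sig_size <= off + list_size:
            yield sig_type, blob[pos + 16:pos + sig_size]  # skip the 16-byte SignatureOwner GUID
            pos += sig_size
        off += list_size
def fingerprints(blob):
    """SHA-256 hex per entry: hash of the DER cert for X.509 lists, the stored hash for SHA256 lists."""
    return {hashlib.sha256(d).hexdigest() if t == EFI_CERT_X509_GUID else d.hex()
            for t, d in parse_signature_lists(blob) if t in (EFI_CERT_X509_GUID, EFI_CERT_SHA256_GUID)}
def evaluate(report, approved):
    """Map a device report (secure_boot/setup_mode flags, raw pk/kek/db/dbx bytes, None = not attested)
    onto Compliant / Non-Compliant / Unknown against approved = {"pk": {...}, "kek": {...}, "db": {...}}."""
    if any(report.get(k) is None for k in ("secure_boot", "setup_mode", "pk", "kek", "db", "dbx")):
        return "Unknown"                       # missing evidence is neither Trusted nor a violation
    if not report["secure_boot"] or report["setup_mode"]:
        return "Non-Compliant"                 # Secure Boot must be Enabled and in User Mode
    for var in ("pk", "kek", "db"):            # every signer present must be on the approved list
        fps = fingerprints(report[var])
        if not fps or not fps <= approved[var]:
            return "Non-Compliant"
    if not fingerprints(report["dbx"]):        # an empty dbx means no revocations are enforced
        return "Non-Compliant"
    return "Compliant"
def build_lists(sig_type, entries, owner=uuid.UUID(int=0)):
    """Encode each entry as its own EFI_SIGNATURE_LIST (how firmware stores X.509 certs); builds sample data."""
    return b"".join(sig_type.bytes_le + struct.pack("<III", 44 + len(e), 0, 16 + len(e)) + owner.bytes_le + e
                    for e in entries)

# Constructed sample data: placeholder byte strings stand in for DER certificates, not real CA certificates.
CERTS = {"pk": b"CONSTRUCTED-PLATFORM-KEY", "kek": b"CONSTRUCTED-KEK-CA", "db": b"CONSTRUCTED-UEFI-CA"}
APPROVED = {var: {hashlib.sha256(c).hexdigest()} for var, c in CERTS.items()}
def sample_report(extra_db=(), dbx=(b"\x11" * 32,), secure_boot=True, setup_mode=False):
    report = {var: build_lists(EFI_CERT_X509_GUID, [cert]) for var, cert in CERTS.items()}
    report["db"] = build_lists(EFI_CERT_X509_GUID, [CERTS["db"], *extra_db])  # extra = unapproved signers
    report["dbx"] = build_lists(EFI_CERT_SHA256_GUID, list(dbx))
    return {**report, "secure_boot": secure_boot, "setup_mode": setup_mode}
```

On a real Linux host the raw variable bytes come from `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` and its siblings (after the 4-byte attribute prefix), with the fingerprints compared against the approved values in the table above.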
General Rules
| Rule | Requirement |
|---|---|
| TPM | Required (TPM 2.0) |
| dm-verity | Required |
| Kernel Lockdown | Required (confidentiality) |