How to attestation for verify pc security boot,... by using TPM Azure Attestation in C# Project

Question

How to attestation for verify pc security boot,... by using TPM Azure Attestation in C# Project

PThanh 0

1.My project uses C# along with nuget:

,,,,,,,,,,,,,,,,,,,,,,,,,,,

0 comments

2 answers

Your answer

Answer 1

Nancy Vo (WICLOUD CORPORATION) 4,765 Microsoft External Staff Moderator

Hello @PThanh ,

Thanks for your question.

You can’t directly verify Secure Boot from C# by calling Azure Attestation alone. Azure Attestation only works if your app can first collect TPM attestation evidence from the PC (a TPM quote + measured boot log). Then Azure Attestation checks that evidence against a policy and returns a signed result token.

You can refer to the following flow:

PC creates “proof” The PC (Windows + TPM) creates proof that includes:

TPM quote (signed by TPM)
PCR values (numbers that represent boot measurements)
Measured Boot Log / Event Log (what was measured during boot)

Send proof to Azure Attestation Your C# app sends that proof to your Azure Attestation Provider endpoint.
Azure Attestation returns a result Azure returns an attestation token (JWT) that is signed by Azure. Your app verifies the JWT and checks the claims

I hope this addresses your question. If this response was helpful, please consider following the guidance to provide feedback.

Nancy Vo (WICLOUD CORPORATION) 4,765 Reputation points Microsoft External Staff Moderator

2026-05-11T06:18:52.0933333+00:00

Hello @PThanh ,
If you're still interested or have any questions, feel free to reach out whenever it works best for you.
PThanh 0 Reputation points

2026-05-15T13:06:13.44+00:00

Hi @Nancy Vo (WICLOUD CORPORATION) ,
I fully understand the process you provided. However, I'm still having trouble with step 2: collecting TPM data on the PC device to send authentication request messages. I've successfully completed step 1 with the initialization message, receiving the challenge and service_context.
Nancy Vo (WICLOUD CORPORATION) 4,765 Reputation points Microsoft External Staff Moderator

2026-05-18T05:07:36.9066667+00:00
Hello @PThanh ,

You’ve completed the initialization call and received the challenge + service_context.

Next (Step 2), the PC must create proof for Azure Attestation:

Use the challenge to let Windows/TPM create a signed “quote” (proof from the TPM chip).

Get the Measured Boot Log (a boot record from Windows).

Send the quote + boot log + service_context in the next attest request.

Note: a NuGet package cannot create this proof by itself. The proof must come from the PC (Windows + TPM).

Please check:

TPM 2.0 is ON and ready (tpm.msc)

Secure Boot is ON (if your policy needs it)

For the service call and request formatting, you can use the official Microsoft.Attestation.Client NuGet package and refer to the official sample repository.

While this is a non-Microsoft link, it’s official Github documentation and is safe to visit.
Nancy Vo (WICLOUD CORPORATION) 4,765 Reputation points Microsoft External Staff Moderator

2026-05-20T02:32:03.9666667+00:00

Hi @PThanh ,

Please feel free to contact me whenever suits you best if you’re still interested or have any concerns.
Nancy Vo (WICLOUD CORPORATION) 4,765 Reputation points Microsoft External Staff Moderator

2026-05-22T02:28:25.5266667+00:00

Hi @PThanh ,

Please don’t hesitate to contact me if you’re still interested or have any questions.

Answer 2

The context only documents the high-level TPM attestation workflow and policy behavior, not the exact JSON payload format, nonce handling, or quote/signature encoding required by the Azure Attestation TPM protocol. It does not describe the request schema for AttestTpmAsync, nor how to construct the quote, signature, nonce, and service_context fields for the second call, so the root cause of the 400 invalid data field error cannot be determined or corrected from the available information.

References:

Share via

How to attestation for verify pc security boot,... by using TPM Azure Attestation in C# Project

2 answers

Your answer