Hello OpenZiti team and community,
I'm deploying OpenZiti in a corporate environment and trying to leverage TPM 2.0 for device-bound identities on Windows clients. I've reviewed the blog post "Securing Ziti Identities with HSM/TPM" and the related forum discussions, but I'm still unclear on the current state of TPM support on Windows, especially when combined with OIDC-based authentication.
Our architecture:

We have the following setup:

- OpenZiti Controller v2.1.0 (self-hosted, Linux)
- Ziti Desktop Edge for Windows v2.9.7.1
- Keycloak as an external OIDC provider, federated with corporate Active Directory
- External JWT Signer configured on the controller pointing to Keycloak's JWKS endpoint
- Auth Policy allowing ext-jwt primary authentication with the Keycloak signer
- Just-in-time enrollment enabled — identities are auto-created on first successful OIDC authentication
The OIDC flow works end-to-end: ZDE opens the browser → Keycloak authenticates the user against AD → returns an OIDC token → ZDE presents the token to the controller → identity is created (or reused) and the user is connected.
1. What is the current status of TPM support in Ziti Desktop Edge for Windows? The forum mentions that "closer integration with Windows native keystore/TPM work is in progress" — is this still the case, and is there a public roadmap or ETA?
2. Is there a supported way today to bind a Windows ZDE identity to the TPM? For example:
   - A specific ziti-edge-tunnel enroll invocation with a PKCS#11 / CNG key URI?
   - A configuration flag in ZDE to force key storage in the Windows keychain / TPM?
   - A custom build or experimental branch we should be using?
3. If TPM binding is not yet available on Windows, what is the recommended workaround for device-bound identities?
Any guidance, pointers to documentation, or references to relevant GitHub issues would be greatly appreciated. We are happy to provide additional logs or details if needed.
Thank you for your time and for the great product!
