🛠️ Running the Native TPM Pre-Attestation Task & Checking Measured Boot

Here is the complete manual guide to running the built-in health check and verifying your system's Measured Boot logs, script-free.


📋 Step 1: Find and Trigger the Built-In Task

Windows already maintains this task natively. You just need to locate and wake it up.

  1. Press Win + R, type taskschd.msc, and hit Enter to open Task Scheduler.
  2. In the left sidebar, navigate through the folders exactly like this:

     Task Scheduler Library
     └── Microsoft
         └── Windows
             └── TPM

  3. In the center pane, locate Tpm-PreAttestationHealthCheck.
  4. Right-click the task and select Run.

💡 Note: If the task is grayed out, right-click it and choose Enable first, then click Run.


🔍 Step 3: Verify the Results via Event Viewer

Because this is a native system process, it records its completion details in the Windows event logs.

  1. Press Win + X and select Event Viewer (eventvwr.msc).
  2. Navigate through the left folder tree:

     Applications and Services Logs
     └── Microsoft
         └── Windows
             └── TPM-WMI
                 └── Operational

  3. Look at the top log entries generated at the exact time you forced the task to run.

🔑 What the Logs Mean:

  • 🟢 Event ID 1041 (Success): The system states the TPM is Attestable. Your hardware, keys, and firmware are completely secure.
  • 🔴 Event ID 1040 (Failure): The system states the TPM Cannot be Attested. This usually means a motherboard fTPM firmware update is required.


📊 Bonus: How to Check Measured Boot Logs

Measured Boot uses the TPM to log the cryptographic hashes of every driver, boot component, and firmware state during startup. You can inspect these logs to see exactly what was measured.

Method A: The Built-In Event Viewer (Easiest)

  1. In Event Viewer, navigate to:

     Applications and Services Logs
     └── Microsoft
         └── Windows
             └── Kernel-Boot
                 └── Operational

  2. Look for Event ID 103. This event contains the raw boot metrics initialization data.
  3. Look for Event ID 151. This indicates that the boot-time Measured Boot log was successfully created and handed off to the OS.

Method B: The Local Measured Boot Log Files

Windows stores the raw binary logs of the current and past boot cycles directly on your storage drive.

  1. Open File Explorer and paste the following path into the address bar:

     C:\Windows\Logs\MeasuredBoot

  2. Inside, you will find files with the extension .wbh (Windows Boot Health), named chronologically (e.g., 0000000000000001.wbh).

📝 Note: These .wbh files are binary logs meant to be collected by enterprise MDM systems (like Microsoft Intune) for remote security validation. To read them locally in plain text, developers typically use the Windows Driver Kit (WDK) tool PCPTool.exe with the getlog switch.
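
The same checks from Steps 1 and 3 and Methods A and B, collected into one PowerShell pass for machines where clicking through the GUI is impractical. This is an added example, not part of the original guide; the task name, event IDs and folder are the article's, while the two channel names are assumed from its Event Viewer paths.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Task, event IDs and folder come from the article; the channel names are an
# assumption derived from its Event Viewer paths.
$taskPath    = '\Microsoft\Windows\TPM\'
$taskName    = 'Tpm-PreAttestationHealthCheck'
$tpmChannel  = 'Microsoft-Windows-TPM-WMI/Operational'
$bootChannel = 'Microsoft-Windows-Kernel-Boot/Operational'
$logDir      = 'C:\Windows\Logs\MeasuredBoot'

# Step 1: enable the task if it is disabled, then run it.
$task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction Stop
if ($task.State -eq 'Disabled') { $task | Enable-ScheduledTask | Out-Null }
$started = Get-Date
Start-ScheduledTask -TaskPath $taskPath -TaskName $taskName

# Wait up to 60 seconds for the task to finish.
$deadline = $started.AddSeconds(60)
do {
    Start-Sleep -Seconds 2
    $state = (Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName).State
} while ($state -eq 'Running' -and (Get-Date) -lt $deadline)

# Step 3: newest 1040/1041 event written since the task was started.
$latest = Get-WinEvent -FilterHashtable @{
    LogName = $tpmChannel; Id = 1040, 1041; StartTime = $started
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated -Descending | Select-Object -First 1

if (-not $latest)            { $verdict = 'No 1040/1041 event since the task ran' }
elseif ($latest.Id -eq 1041) { $verdict = 'Attestable (1041)' }
else                         { $verdict = 'Cannot be attested (1040)' }

# Method A: most recent Kernel-Boot events 103 and 151.
$bootEvents = Get-WinEvent -FilterHashtable @{
    LogName = $bootChannel; Id = 103, 151
} -MaxEvents 10 -ErrorAction SilentlyContinue

# Method B: newest file in the Measured Boot log folder.
$newestLog = Get-ChildItem -Path $logDir -File -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1

[pscustomobject]@{
    TaskLastResult = (Get-ScheduledTaskInfo -TaskPath $taskPath -TaskName $taskName).LastTaskResult
    TpmVerdict     = $verdict
    Event103Seen   = [bool]($bootEvents | Where-Object Id -eq 103)
    Event151Seen   = [bool]($bootEvents | Where-Object Id -eq 151)
    NewestBootLog  = $newestLog.Name
}
```

If a channel or the folder is missing on a given build, the corresponding field comes back empty or False instead of the script failing.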

Updated on: 26/06/2026
