diff --git a/wolftpm/tpm2_wrap.h b/wolftpm/tpm2_wrap.h
index 12fb0b9f..6f0575c1 100644
--- a/wolftpm/tpm2_wrap.h
+++ b/wolftpm/tpm2_wrap.h
@@ -3718,16 +3718,27 @@ WOLFTPM_API int wolfTPM2_PolicyAuthValue(WOLFTPM2_DEV* dev,
-/* pre-provisioned IAK and IDevID key/cert from TPM vendor */
+/* Pre-provisioned IAK and IDevID key/cert from TPM vendor */
+/* Tested with ST33KTPM devices */
+/* Default assumes: ECDSA SECP384P1, SHA2-384 */
#ifdef WOLFTPM_MFG_IDENTITY
-/* Initial attestation key (IAK) and an initial device ID (IDevID) */
-/* Default is: ECDSA SECP384P1, SHA2-384 */
-#define TPM2_IAK_KEY_HANDLE 0x81080000
-#define TPM2_IAK_CERT_HANDLE 0x1C20100
-
-#define TPM2_IDEVID_KEY_HANDLE 0x81080001
-#define TPM2_IDEVID_CERT_HANDLE 0x1C20101
+/* Initial Attestation Key (IAK):
+ * Restrictive: Can only sign data generated by the TPM like a TPM2_Quote */
+#ifndef TPM2_IAK_KEY_HANDLE
+#define TPM2_IAK_KEY_HANDLE 0x81020001
+#endif
+#ifndef TPM2_IAK_CERT_HANDLE
+#define TPM2_IAK_CERT_HANDLE 0x1C90100
+#endif
+/* Initial Device ID (IDevID):
+ * Non-Restrictive: Can sign external data */
+#ifndef TPM2_IDEVID_KEY_HANDLE
+#define TPM2_IDEVID_KEY_HANDLE 0x81020000
+#endif
+#ifndef TPM2_IDEVID_CERT_HANDLE
+#define TPM2_IDEVID_CERT_HANDLE 0x1C90200
+#endif
WOLFTPM_API int wolfTPM2_SetIdentityAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* handle, uint8_t* masterPassword, uint16_t masterPasswordSz);
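Review bot: The new defaults silently relocate the IAK/IDevID key and certificate handles (0x81080000/0x81080001 and 0x1C20100/0x1C20101 become 0x81020001/0x81020000 and 0x1C90100/0x1C90200) and also swap the key numbering between IAK and IDevID, so a build that provisioned a device against the old values will now address a different persistent object or NV index with no compile-time signal; the header comment should state this and how to keep the old layout, e.g. `/* NOTE: defaults changed from 0x8108000x / 0x1C2010x; define TPM2_IAK_KEY_HANDLE etc. before including this header for devices provisioned at other handles */`. The wording `Restrictive` / `Non-Restrictive` is not the TPM 2.0 term; the object attribute is `restricted`, so `* Restricted signing key: can only sign TPM-generated data (e.g. TPM2_Quote)` and `* Unrestricted signing key: can sign externally supplied data` would match the spec and name the attribute a caller can verify in the object's public area instead of trusting the handle comment. If these values follow the TCG reserved-handle registry for IDevID/IAK (the 0x8102xxxx persistent and 0x01C9xxxx NV ranges look like that, but I am inferring), citing that document in the comment would let readers confirm the layout rather than rely on the ST33KTPM test note.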