Microsoft Tech Community

TPM Attestation Not Supported after AMD Ryzen Upgrade


Hi,
After upgrading my CPU from Ryzen 5 2600 to Ryzen 7 5700x, the Windows Security Chip app reports "Attestation: Not Supported" but "Memory: Ready".
In the TPM Console it shows that the TPM module is ready for use.
The Registry Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TPM\WMI\Endorsement\EKCertStore\Certificates is empty with the R 7 5700x but has an entry when I use my old CPU.

 

I already tried to reset TPM, CMOS and Secure Boot in the BIOS and in the Windows TPM Console.
I disabled/enabled fTPM and Secure Boot several times.
Windows 10 and Windows 11 report the same. I already did a complete reinstall.
fTPM, Securechip, UEFI and Secure Boot are enabled in the BIOS.
The latest BIOS updates and Windows updates are installed.
The Windows Device Manager shows no errors. The AMD PSP 11.0 and TPM 2.0 are installed correctly.
When I switch back to my old Ryzen 5 2600 everything works.

 

My Setup:
Mainboard: ASUS TUF X470-PLUS GAMING
BIOS: Version 6042 from 2022/05/12
CPU: AMD Ryzen 7 5700x
Windows 10 x64 22H2

 


14 Replies

@ultimatediddy Yes I have the exact same problem. Upgraded from 5600X to 5800X3D. EKCert is missing. I’m on build 22623.1255.

@AaronShero Hi,

Yes, I spent hours and days testing and trying...

I reset my TPM several times, according to different guides I found.

With my old CPU I have a certificate, but with my new one it remains empty.

I have this problem with Windows 10 (latest official build) and with Windows 11, freshly installed and updated.

I found out that there is a task in the Task Scheduler that seems to be responsible for obtaining this certificate.

You can find it in Task Scheduler under \Microsoft\Windows\CertificateServicesClient; the name is AikCertEnrollTask. But it fails with different errors.
In the event log I found repeating entries of an error code 86 from CertificateServicesClient-CertEnroll, which is failing.

Fehler bei der Initialisierung der SCEP-Zertifikatregistrierung für WORKGROUP\DIDDY-PC$ über https://AMD-KeyId-..........microsoftaik.azure.net/templates/Aik/scep:

GetCACaps
GetCACaps: Not Found
{"Message":"The authority \"amd-keyid-..........microsoftaik.azure.net\" does not exist."}
HTTP/1.1 404 Not Found
Date: Wed, 15 Feb 2023 18:46:43 GMT
Content-Length: 121
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000;includeSubDomains
x-ms-request-id: 503e0312-0b3e-4245-8e4d-0737d3e9a845

Methode: GET(406ms)
Phase: GetCACaps
Nicht gefunden (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)

Why do my replies disappear some time after I post them?
Did you stay with your 5800X3D or did you roll back to your old CPU?
I'm not sure how this issue will impact Windows functionality in the future.
When I look at the Windows 11 AMD CPU support list, there is no entry for the 5800X3D and the 5700x.
I am staying with the 5800X3D. I have spoken with Rudy from Call4Cloud, who said a good few people have reported it to him, so hopefully Microsoft might release a patch. The only functionality that seems to use it is Intune and AutoPilot, so it doesn't seem like a big deal. I wouldn't worry too much about the support list; both those processors should be on it, it's probably just not updated.

https://call4cloud.nl/2021/11/the-pursuit-of-happy-uhhh-tpm-amd-happyness-part-3/
There was another issue before this one which seems to be fixed in 22360, only a few weeks ago, but this is a new problem again.
Thanks for your response. It would be nice if we could get an official answer from Microsoft on whether this is a known issue and that it does not impact Windows functionality.
I already read that post.
I also found this post: https://learn.microsoft.com/en-us/mem/autopilot/known-issues
But I'm not sure if it is related to our problem.
Yeah it definitely could be.

My understanding of the task you had mentioned, AikCertEnrollTask, is that when a TPM and EKCert is present that task will be triggered to attempt to enroll for an AIK cert. Part of the name in the URL is constructed from information in the EK cert supplied by the hardware manufacturer so the task fails as there is no EKCert at all to look at.

@ultimatediddy 

 

After looking into this and based on the information you have provided, it seems that the issue may be related to the TPM firmware version not being compatible with the newer AMD Ryzen 7 5700x CPU. To troubleshoot this issue, you may want to try the following:

  1. Check the TPM firmware version: Check the TPM firmware version in the BIOS settings to see if it's up to date. If it's not up to date, update the firmware to the latest version available on the motherboard manufacturer's website.

  2. Check the TPM module connection: Check the TPM module connection to ensure that it's properly connected and seated in the motherboard.

  3. Check for any conflicting settings: Ensure that there are no conflicting settings in the BIOS that could be causing the issue. For example, if there's an option to enable both the fTPM and the hardware TPM, try disabling one of them to see if it makes a difference.

  4. Contact the motherboard manufacturer: Contact the motherboard manufacturer's technical support team for further assistance. They may be able to provide additional troubleshooting steps or suggest a solution to the problem.

  5. Consider rolling back the BIOS update: If you recently updated your BIOS, consider rolling it back to the previous version to see if that resolves the issue. Some BIOS updates can cause compatibility issues with hardware components.

It's worth noting that TPM attestation is not required for the TPM to function as a secure storage for encryption keys, so if you're not planning on using attestation, this issue may not be a significant problem for you. However, if you require attestation, you may need to explore other options, such as using a separate hardware TPM module that's compatible with your system.

Hey Mark,
thanks for your response.
1. I'm running the latest stable BIOS version. There is a version released a few days ago, but it's still beta and targets the Ryzen vulnerabilities ("Mitigate the AMD potential security vulnerabilities for AMD Athlon™ processors and Ryzen™ processors"). I don't really want to install a beta BIOS.
2. The TPM is a firmware TPM provided by the CPU; there are no TPM modules on the board. There are no connectors for a discrete TPM either.
3. In the ASUS BIOS there is a switch for the AMD fTPM module, which I enabled. After the reboot there was a new option for Trusted Computing, which I enabled as well. In this section I can set all the options for the TPM, such as version, etc. I have to enable both of these features in order to get the TPM recognized in Windows.
4. I contacted ASUS Support, but haven't received a reply yet.

You said that TPM attestation is not required. What exactly is attestation for?
For me as a standard User (Office Apps, Gaming and Entertainment) do I ever need attestation?

Next question: How are the EK Certs generated? Are they branded by the manufacturer or are they obtained by the OS when booting for the first time?
When I use get-TpmEndorsementKeyInfo -hash "sha256" in PowerShell, my old Ryzen has a cert from 2018 and my new Ryzen has no certs.
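
The checks mentioned across this thread (the EKCertStore registry key, Get-TpmEndorsementKeyInfo, the AikCertEnrollTask scheduled task and CertEnroll event 86) can be collected into one PowerShell diagnostic. This is an added example, not code posted by any participant; it assumes an elevated session, and the Application log and provider name used for the event query are assumptions about where those entries are recorded.

```powershell
# Added diagnostic sketch (not from the thread); run in an elevated PowerShell session.
$ekStore  = 'HKLM:\SYSTEM\CurrentControlSet\Services\TPM\WMI\Endorsement\EKCertStore\Certificates'
$taskPath = '\Microsoft\Windows\CertificateServicesClient\'
$taskName = 'AikCertEnrollTask'

# 1. TPM state as Windows reports it
$tpm = Get-Tpm

# 2. EK certificates: the cmdlet's view and the registry store named in the thread
$ek = Get-TpmEndorsementKeyInfo -HashAlgorithm sha256
$ekCerts = @(@($ek.ManufacturerCertificates) + @($ek.AdditionalCertificates) | Where-Object { $_ })
$storeEntries = @(Get-ChildItem -Path $ekStore -ErrorAction SilentlyContinue)

# 3. Last run and result of the AIK enrollment task
$taskInfo = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue |
    Get-ScheduledTaskInfo

# 4. Recent CertEnroll event 86 entries (failed SCEP enrollment initialization)
# Assumption: the events are in the Application log under this provider name.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-CertEnroll'
    Id           = 86
} -MaxEvents 5 -ErrorAction SilentlyContinue)

[pscustomobject]@{
    TpmPresent         = $tpm.TpmPresent
    TpmReady           = $tpm.TpmReady
    EkPublicKeyPresent = $ek.IsPresent
    EkCertCount        = $ekCerts.Count
    EkCertStoreEntries = $storeEntries.Count
    AikTaskLastRun     = $taskInfo.LastRunTime
    AikTaskLastResult  = if ($taskInfo) { '0x{0:X8}' -f $taskInfo.LastTaskResult } else { 'task not found' }
    CertEnrollEvent86  = $events.Count
} | Format-List

# Certificates found, if any (compare issue dates between the old and new CPU)
$ekCerts | Select-Object Subject, Issuer, NotBefore, Thumbprint
# First line of each failure message, to see the enrollment URL and phase
$events | Select-Object TimeCreated, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
```

The symptom described in this thread corresponds to EkPublicKeyPresent being true while EkCertCount and EkCertStoreEntries are both 0, with event 86 entries accumulating.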

Problem still persists. I've done all that: latest BIOS, Asus x370f-gaming board, CPU Ryzen 7 5700x, even used some PowerShell commands to try to reset TPM status.