There is a problem that seems unique to AMD's Ryzen fTPM that does not occur with any other TPM vendors. There are many related discussions of users facing problems of failed AIK SCEP certificate enrollments. This is causing several issues with Windows 10 & 11 users such as:
Windows Autopilot pre-provisioned deployment & self-deploying mode stuck at "Securing your hardware" stage.
https://techcommunity.microsoft.com/t5/microsoft-intune/windows-autopilot-white-glove-self-deploy-fa...
https://www.reddit.com/r/Intune/comments/p8vluf/intune_preprovisioning_white_glove_tpm/haj24aa/?utm_...
Multiple errors with event ID 86 generated in event logs
https://docs.microsoft.com/en-us/answers/questions/537944/tpm-event-logger-error-after-cpu-swap-even...
System performance issue with event ID 86 logs. A workaround is to disable AMD's fTPM in BIOS, or use discrete TPM from other vendors.
https://linustechtips.com/topic/1353904-amd-ftpm-causing-random-stuttering/page/10/
From my observation, a message returned from Microsoft AIK server using request AIK SCEP url for AMD TPM is different from other TPM vendors. You can click on each link below to see the result by yourself.
AMD
https://AMD-keyid-578c545f796951421221a4a578acdb5f682f89c8.microsoftaik.azure.net/templates/Aik/scep
INTEL
https://INTC-KeyId-9aaf591ee263caae10f57ba04fa8d1dd6613f9eb.microsoftaik.azure.net/templates/Aik/sce...
INFINEON
https://IFX-keyid-9c7df5a91c3d49bbe7378d4aba12ff8e78a2d75c.microsoftaik.azure.net/templates/Aik/scep
STMicroelectronics
https://STM-keyid-fb17d70d734870e919c4e8e603975e664e0e43de.microsoftaik.azure.net/templates/Aik/scep
It seems Microsoft AIK server does not know where to look for AMD's authority for issuing a certificate. It might be a problem with Microsoft's AIK server configuration, or perhaps something AMD has to fix themselves on their server side. For other vendors, the error result is different and normal probably because the certificate was requested and already consumed successfully.
One thing to note is that the KeyID part of the AIK cert request url of AMD is not unique per computer. If you google using the above AMD's KeyID, it returns many results:
https://www.google.com/search?q=%22578c545f796951421221a4a578acdb5f682f89c8%22
I'm not sure whether this KeyID is supposed to be unique or not, but it does not make sense if it isn't. Otherwise, how would Microsoft AIK validate identity of each AIK certificate HTTP GET request and provide unique certificate response?
Below are solutions I have tried but given the same end result:
Fresh install of Windows 10
Fresh install of Windows 11
Use different networks with internet connections, Change DNS servers, Reset network adapter.
Try with other AMD Ryzen PCs = same error. With other Intel PC = no error.
Disable firewall
Clear-TPM, Reinitialize-TPM using both powershell and TPM.msc
Updates to the latest AMD Chipset driver
AMD Ryzen™ Chipset Driver Release Notes (3.09.01.140) | AMD
Install the latest Windows Updates and Hotfixes as of today.
The status from "tpmtool getdeviceinformation":
-Is Initialized: True
-Ready For Storage: True
-Ready For Attestation: True
-Is Capable For Attestation: True
-Clear Needed To Recover: False
-Clear Possible: True
-TPM Has Vulnerable Firmware: False
Our base PC used for testing is Zen AiO 24 M5401 with the following specs:
CPU: | AMD Ryzen™ 5 5500U |
Graphic Card: | AMD Radeon™ Graphics |
RAM: | 16GB DDR4 SO-DIMM |
Storage: | 512GB M.2 NVMe™ PCIe® 3.0 SSD |
I hope someone at AMD will help answer whether this problem is recognized or being worked on. The problem is preventing our company from replacing many PCs and laptops with AMD Ryzen CPU since we cannot do Windows Autopilot pre-provisioned deployment.
have the same problem, Microsoft blames it on AMD.
If this thread is about the SCEP Certificate another User opened up a thread about it very recently: https://community.amd.com/t5/processors/failed-to-initialize-scep-certificationregistration-windows-...
Have a look at TPM event logger error after cpu swap, Event id 86 - Microsoft Q&A
Page 4. Short: MS is working on a fix, they've already fixed an expired cert, that prevented some apps to work correctly.
Not sure where it specifically says that they're working on that error. Not do I see it being mentioned that they're even aware
And the certs they fixed is for Windows 11, not 10. As the snipping tool didn't work on that one if I remember right.
Last I spoke to Microsoft, they blamed it on AMD, contact them, they said
i have the same issue after a clean install via usb media creation tool of windows 11, microsoft support told me:
it was because i had used an insider version of windows 11 and that my amd processor was not supported on windows 11. currently reverting back to windows 10 for now i guess
spec
5900x
dark hero x570
32gb 4x8 team group 3600 ud4 cl14
I guess it leads to some bsod in windows 11, but the error is still there in windows 10 as well. Although it doesn't crash the system. So it's more of a universal problem windows os wise
I'm on Windows 10 with fTPM turned on and have been having this error for months. I reported it to Microsoft months ago and I see multiple reports here to AMD from months ago. No one has a solution and I can't find any actual words from either AMD or Microsoft saying they know what the problem is and are working on it. To be blunt, I've seen nothing from anyone official even acknowledging the problem. How can Microsoft and AMD not care that Windows 10 and 11 don't seem to be able to find AMD's security certificate?
This blog post from 19 November 2021 seems to explain what the problem is:
https://call4cloud.nl/2021/11/the-pursuit-of-happy-uhhh-tpm-amd-happyness-part-3/
The conclusion states:
"So Microsoft/Windows is looking at the wrong cert to get the ISSUER id [I've added a minor edit here -- ". F"]or Intel it needs to look at the ODCA intermediate certificate but for AMD it has to look at the EKCert to get the right Issuer ID."
Even more irritating with this issue: I just switched from Windows 10 to Windows 11 and I'm getting the same error message there. I could understand Microsoft not bothering all that much with fixing this on 10 (since TPM isn't required). But on 11, there's no excuse. Of course, since the fix appears to be simply telling Windows the correct location to use for finding the AMD certificate, if they fixed it on one platform, it ought to be fixed on all platforms.