There is a problem that seems unique to AMD's Ryzen fTPM and does not occur with TPMs from any other vendor. There are many related discussions of users facing failed AIK SCEP certificate enrollments. This is causing several issues for Windows 10 and 11 users, such as:
Windows Autopilot pre-provisioned deployment and self-deploying mode stuck at the "Securing your hardware" stage.
https://techcommunity.microsoft.com/t5/microsoft-intune/windows-autopilot-white-glove-self-deploy-fa...
https://www.reddit.com/r/Intune/comments/p8vluf/intune_preprovisioning_white_glove_tpm/haj24aa/?utm_...
Multiple event ID 86 errors generated in the event logs.
https://docs.microsoft.com/en-us/answers/questions/537944/tpm-event-logger-error-after-cpu-swap-even...
System performance issues accompanying the event ID 86 logs. A workaround is to disable AMD's fTPM in the BIOS, or to use a discrete TPM from another vendor.
https://linustechtips.com/topic/1353904-amd-ftpm-causing-random-stuttering/page/10/
From my observation, the message returned from the Microsoft AIK server when requesting the AIK SCEP URL for an AMD TPM is different from that returned for other TPM vendors.
AMD
https://AMD-keyid-578c545f796951421221a4a578acdb5f682f89c8.microsoftaik.azure.net/templates/Aik/scep
INTEL
https://INTC-KeyId-9aaf591ee263caae10f57ba04fa8d1dd6613f9eb.microsoftaik.azure.net/templates/Aik/sce...
INFINEON
https://IFX-keyid-9c7df5a91c3d49bbe7378d4aba12ff8e78a2d75c.microsoftaik.azure.net/templates/Aik/scep
STMicroelectronics
https://STM-keyid-fb17d70d734870e919c4e8e603975e664e0e43de.microsoftaik.azure.net/templates/Aik/scep
It seems the Microsoft AIK server does not know where to look for AMD's authority for issuing a certificate. It might be a problem with Microsoft's AIK server configuration, or perhaps something AMD has to fix on their server side. For other vendors, the error result is different and probably normal, because the certificate was requested and already consumed successfully.
One thing to note is that the KeyID part of the AIK certificate request URL for AMD is not unique per computer. If you google the above AMD KeyID, it returns many results:
https://www.google.com/search?q=%22578c545f796951421221a4a578acdb5f682f89c8%22
I'm not sure whether this KeyID is supposed to be unique or not, but it does not make sense if it isn't. Otherwise, how would the Microsoft AIK server validate the identity of each AIK certificate HTTP GET request and provide a unique certificate response?
Below are the solutions I have tried, all with the same end result:
Fresh install of Windows 10
Fresh install of Windows 11
Used different networks with internet connections, changed DNS servers, reset the network adapter.
Tried other AMD Ryzen PCs = same error. Tried another Intel PC = no error.
Disabled the firewall.
Clear-Tpm and re-initialized the TPM, using both PowerShell and TPM.msc.
Updated to the latest AMD chipset driver:
AMD Ryzen™ Chipset Driver Release Notes (3.09.01.140) | AMD
Installed the latest Windows Updates and hotfixes as of today.
The status from "tpmtool getdeviceinformation":
-Is Initialized: True
-Ready For Storage: True
-Ready For Attestation: True
-Is Capable For Attestation: True
-Clear Needed To Recover: False
-Clear Possible: True
-TPM Has Vulnerable Firmware: False
The PC used for testing is a Zen AiO 24 M5401 with the following specs:
CPU: AMD Ryzen™ 5 5500U
Graphics: AMD Radeon™ Graphics
RAM: 16GB DDR4 SO-DIMM
Storage: 512GB M.2 NVMe™ PCIe® 3.0 SSD
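As an added example (editor's code, not from the original post), the PowerShell below derives the AIK SCEP URL from the TPM's own endorsement key (EK) certificate on the machine it runs on and puts it beside the evidence the post collects: the tpmtool attestation readiness line, the HTTP response from the derived endpoint, and the recent event ID 86 entries. It assumes that the keyid in the microsoftaik.azure.net host name is the Authority Key Identifier (AKI) of the EK certificate, i.e. the hash of the issuing vendor CA's public key rather than anything per-device (this is an assumption, but it is the simplest explanation for the same AMD keyid turning up on many machines); that the TrustedPlatformModule cmdlets Get-Tpm and Get-TpmEndorsementKeyInfo are available; and that the event ID 86 entries are written to the System log under provider name TPM-WMI. Run it in an elevated session.

```powershell
# Added example, not part of the original post. Assumptions (see lead-in):
#  - the host-name keyid is the EK certificate's Authority Key Identifier (AKI)
#  - Get-Tpm / Get-TpmEndorsementKeyInfo (TrustedPlatformModule) are present
#  - event ID 86 is logged to System by provider 'TPM-WMI'

# Extract the keyIdentifier from an X.509 Authority Key Identifier extension.
# DER layout: SEQUENCE { [0] IMPLICIT OCTET STRING keyIdentifier OPTIONAL, ... }
function Get-AkiKeyId {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.35' }
    if (-not $ext) { return $null }
    $raw = $ext.RawData
    if ($raw[0] -ne 0x30) { return $null }          # outer SEQUENCE expected
    $i = 1                                           # skip short or long-form length
    if ($raw[$i] -band 0x80) { $i += 1 + ($raw[$i] -band 0x7F) } else { $i += 1 }
    if ($raw[$i] -ne 0x80) { return $null }          # [0] keyIdentifier is optional
    $len   = $raw[$i + 1]
    $bytes = $raw[($i + 2)..($i + 1 + $len)]
    return (($bytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

$tpm = Get-Tpm
$ek  = Get-TpmEndorsementKeyInfo
# ManufacturerIdTxt is the TPM vendor string, e.g. "AMD", "INTC", "IFX", "STM".
$vendor = $tpm.ManufacturerIdTxt.Trim()
$ekCert = $ek.ManufacturerCertificates | Select-Object -First 1
if (-not $ekCert) { throw 'No manufacturer EK certificate found in TPM NV; cannot derive the AIK URL.' }

$aki = Get-AkiKeyId -Cert $ekCert
$url = "https://$vendor-keyid-$aki.microsoftaik.azure.net/templates/Aik/scep"

"TPM vendor           : $vendor"
"EK cert issuer       : $($ekCert.Issuer)"
"EK cert AKI (keyid)  : $aki"
"EK public key hash   : $($ek.PublicKeyHash)"   # per-device, unlike the AKI
"Derived AIK SCEP URL : $url"
"tpmtool              : $((tpmtool getdeviceinformation | Select-String 'Ready For Attestation') -join ' ')"

# Fetch the derived endpoint without parameters, as the post did, and show the
# status plus the start of the body so the AMD and non-AMD replies can be compared.
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
    "AIK endpoint HTTP $($resp.StatusCode): $($resp.Content.Substring(0, [Math]::Min(200, $resp.Content.Length)))"
} catch {
    $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 'n/a' }
    "AIK endpoint HTTP $status : $($_.Exception.Message)"
}

# Most recent AIK enrollment failures as logged by TPM-WMI (event ID 86).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'TPM-WMI'; Id = 86 } `
             -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-List
```

If the AKI printed for the EK certificate matches the keyid in the URL that the event log or Google results show for the same vendor, the keyid is a property of the vendor CA and is expected to repeat across machines; the per-device identity in the enrollment is carried by the EK public key (and its hash) inside the SCEP exchange, not by the host name. Running the script on an AMD and an Intel machine side by side gives a direct comparison of the two endpoint responses the post describes.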