marell
Adept II

Ryzen 7 5800x3d tpm attestation not supported

I have an ASUS ROG X570 Crosshair VIII Hero Wi-Fi; the system originally came with a 5600X. Recently I upgraded it to a 5800X3D. I noticed that now the TPM window in the Windows Security app reports that "TPM Attestation" is "Not Supported" while "TPM Memory" is "Ready". This is on Windows 11. I'm not using any external TPM module since Ryzen 5000 should support TPM 2.0 natively. I lost a lot of time trying to make it work. Currently I'm on the latest BIOS for my board with AGESA version ComboV2PI 1208, but I also tried going back to older versions. I tried countless times to reset the TPM both from Windows and/or the motherboard BIOS settings. I tried countless times to reset the BIOS itself as well. I have already done a clean installation of Windows 11 with deletion of all previously created partitions. I have done these steps on both the old Windows and the fresh Windows installation.

Fun fact: the Windows installer didn't say my CPU was unsupported, and I used the official Windows Media Creation Tool to create the bootable USB without any modification to disable TPM checks.

How can I solve this? It's very annoying.

62 Replies

Found this blog that shows you step by step how to troubleshoot attestation issues on TPM using PowerShell scripts: https://call4cloud.nl/2022/08/the-last-tpm-attestation-script-from-your-lover/

Here is another on how to activate the TPM Attestation feature: https://ladyitris.wordpress.com/tpm-attestation-ek-verified/

This Microsoft Forum about TPM Attestation is from 2021 but it seems to be a Windows issue more than a CPU issue: https://learn.microsoft.com/en-us/answers/questions/448486/trusted-platform-module-key-attestation-n...

marell
Adept II

I've already tried to run the PowerShell script that you suggested to me, but it terminates with an error saying that "Additional and/or ManufacturerCerts are missing!". So I think it is a problem with AMD or Microsoft. How can I solve this very strange problem?

I would open a Thread at Microsoft Forums to see if they believe it is a Windows issue, which I personally believe it is, since you do have fTPM enabled in BIOS.

I believe this Microsoft Tech Community Forum might be more suitable: https://techcommunity.microsoft.com/

Could also be a BIOS Setting issue so I would open a Support ticket with the manufacturer of your Motherboard to see if you need a BIOS upgrade or not.

xlollomanx
Adept I

Hi, I have exactly the same problem with my 5800X3D, but I have a different motherboard. It's a Gigabyte B550 Aorus Elite AX V2 (rev1.0). It's almost a month since I noticed this problem and I can't figure it out. I already ran the TPM Autopilot script without success. When I look in regedit for "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TPM\WMI\Endorsement\EKCertStore\Certificates" the folder is completely empty.

Does Windows or BIOS generate the Certificates that TPM needs?

This Microsoft Support about TPM and Certificate might be useful in finding out if it is the Processor, BIOS, or Windows at fault: https://learn.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-fundamentals

TPM-based certificate storage

The TPM protects certificates and RSA keys. The TPM key storage provider (KSP) provides easy and convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP generates keys when an organization enrolls for certificates. The KSP is managed by templates in the UI. The TPM also protects certificates that are imported from an outside source. TPM-based certificates are standard certificates. The certificate can never leave the TPM from which the keys are generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see Cryptography API: Next Generation.

Here are the Microsoft PowerShell commands for TPM from the link above: https://learn.microsoft.com/en-us/powershell/module/trustedplatformmodule/?view=windowsserver2022-ps

I've run Get-TpmEndorsementKeyInfo in PowerShell and I obtain the following output:
IsPresent : True
PublicKey : System.Security.Cryptography.AsnEncodedData
PublicKeyHash :
ManufacturerCertificates : {}
AdditionalCertificates : {}

In particular the "ManufacturerCertificates" entry is empty, and this should not happen; maybe this is the problem. But I don't know how to solve it.
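The three observations in this thread (empty ManufacturerCertificates, an empty EKCertStore registry key, and the failing AikCertEnrollTask) can be gathered in one run. This is an added example, not a script from the thread or from Microsoft; it assumes an elevated PowerShell session on Windows 10/11 and uses only the built-in TrustedPlatformModule and ScheduledTasks cmdlets.

```powershell
# Added example (not from the thread): collect the evidence discussed above in one place.
# Requires an elevated PowerShell session; Get-Tpm and Get-TpmEndorsementKeyInfo come
# from the built-in TrustedPlatformModule module.

# Registry location the thread inspected; it is expected to contain the EK certificate.
$ekStore = 'HKLM:\SYSTEM\CurrentControlSet\Services\TPM\WMI\Endorsement\EKCertStore\Certificates'

function Get-TpmAttestationReport {
    $tpm = Get-Tpm
    $ek  = Get-TpmEndorsementKeyInfo -HashAlgorithm sha256

    # Count the certificate entries that actually exist under the EK store.
    $ekCertCount = 0
    if (Test-Path $ekStore) {
        $ekCertCount = @(Get-ChildItem -Path $ekStore -ErrorAction SilentlyContinue).Count
    }

    # The scheduled task the thread saw failing with "Could not find the item".
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\CertificateServicesClient\' `
                              -TaskName 'AikCertEnrollTask' -ErrorAction SilentlyContinue
    $taskInfo = if ($task) { $task | Get-ScheduledTaskInfo } else { $null }

    [pscustomobject]@{
        TpmPresent            = $tpm.TpmPresent
        TpmReady              = $tpm.TpmReady
        ManufacturerIdTxt     = $tpm.ManufacturerIdTxt
        EkPresent             = $ek.IsPresent
        EkPublicKeyHash       = $ek.PublicKeyHash   # treat as private; it identifies this TPM
        ManufacturerCertCount = @($ek.ManufacturerCertificates).Count
        AdditionalCertCount   = @($ek.AdditionalCertificates).Count
        EkStoreEntries        = $ekCertCount
        AikTaskLastResult     = if ($taskInfo) { $taskInfo.LastTaskResult } else { 'task not found' }
    }
}

$report = Get-TpmAttestationReport
$report | Format-List

# Interpretation: AIK enrollment needs an EK certificate to prove the TPM is genuine.
# With no manufacturer certificate and an empty EK store (the situation in this thread)
# Windows cannot obtain an AIK certificate, so Windows Security shows
# "TPM Attestation: Not Supported" even though the TPM itself is present and ready.
if ($report.ManufacturerCertCount -eq 0 -and $report.EkStoreEntries -eq 0) {
    Write-Warning 'No EK certificate available: attestation will not be supported on this TPM.'
}
```

A healthy system shows ManufacturerCertCount of at least 1 and a non-empty EK store; a TpmReady of True with both at zero is the exact pattern described in this thread.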

I have to say that for me it's exactly the same thing: that value is empty. Even running the more in-depth command "Get-TpmEndorsementKeyInfo -HashAlgorithm sha256" does not give any results. It gives my PublicKeyHash value, but I believe that's a private thing so I will not publish it here.

EDIT 2

Just to add more info: if I open the Windows Task Scheduler and check under the path "Task Scheduler Library > Windows > CertificateServicesClient", the task "AikCertEnrollTask", which should be responsible for loading the certificates, gives a weird error "Could not find the item" (rough translation of "Impossibile trovare elemento"). The screenshot is in Italian but should be pretty understandable.

EDIT 3

I have even tried to run Windows 10 to see if it works, but I still get the error "TPM Attestation: Not Supported" under the Windows Security app.

So I think it's something that's definitely missing for our CPU; not sure if it's on the AMD or Windows side.

Here is a more specific Microsoft Support article about TPM Attestation: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/tpm-key-att...

One way to eliminate the CPU fTPM is by installing a separate TPM card, if your Motherboard has a TPM Header, and see if it now works or not.

That would eliminate the CPU as the culprit for your problem.

I would suggest you both open an AMD SUPPORT - Warranty ticket and see if the CPU is the problem with the fTPM option from here: https://www.amd.com/en/maintenance/customer-care.html

NOTE: At the moment it is under Maintenance and not accessible.

I understand your solution, I'll definitely try buying the external TPM for my Crosshair VIII Hero mobo, but are you sure that this is the real problem? Because it's really strange that both of us, both coming from a 5600X, after swapping it with a 5800X3D, obtained this same error. Maybe something went wrong with the BIOS of our motherboards?

Installing a separate TPM Module is just to eliminate the CPU. But you are correct as I mentioned it could be a BIOS issue concerning TPM.

Just thinking that each CPU fTPM has its own unique key, so by changing processors maybe there is a conflict between the old processor's fTPM and the new processor's fTPM.

What happens if you install the 5600X again? Does TPM work normally again?

I would open a Motherboard Support ticket to find out if it is a BIOS issue or not.

Speaking of BIOS have you both done a CLEAR CMOS to see if that might clear any TPM conflicts from your previous CPU with the new CPU?

I don't know what would happen if you do a CLEAR CMOS (BIOS Set to defaults) with TPM enabled if it will brick your PC or not since it might delete the TPM keys not allowing access to your SSD/HDD.

Speaking for me, I've already opened a ticket with my mobo vendor; they weren't able to give me any useful tips. I have tried countless times to reset the TPM in Windows and/or in the BIOS, and clean installing Windows 11, but without any success. I even tried to revert to an older BIOS. Honestly I think that clearing/resetting CMOS will not cause any harm unless you have BitLocker enabled (Windows encryption). By the way, the only interesting thing I found is that a guy who works for Gigabyte, speaking with me on Reddit, told me a lot of users have reported issues with the 5800X3D and TPM attestation. If it's helpful I can send the thread.

Beginning to sound like a Ryzen processor bug that would need to be fixed by both AMD and the motherboard manufacturers with an updated BIOS fix.

After all the testing I've done, my guess is that AMD may have used a different component for the internal TPM and it needs to be supported with an update. Probably it's something that doesn't even depend on the CPU revision (I already spoke with the other guy) since we both have stepping B2, and this revision, if I'm not wrong, was released in early 2022. To my knowledge this has already happened before; the first thing that comes to mind is the memory chips on NVMe drives of some brands...

Exactly, it's very strange that both xlollomanx and I are having the exact same issue on two different motherboards after swapping from a 5600X to a 5800X3D.

Similar to the Ryzen bug when Windows 11 first came out. AMD, Microsoft and the motherboard manufacturers all needed to come out with a new BIOS and Windows update to fix the issue.

Exactly. The strange thing is that some other people with a 5800X3D do not have this problem. So I wonder if in our case it is related to the fact that we swapped processors on the same mobo …

Good point.

But if you did a CLEAR CMOS or even installed the BIOS again which would automatically be in default it should have deleted any data from the previous CPU TPM if there was any before unless the data in Windows was copied into BIOS again after the default was set.

The only workaround I see is installing a TPM module and disabling fTPM in BIOS to see if that fixes the issue. It should, since the TPM module has its own unique key.

I have read in the past that a TPM module is more secure than using fTPM. TPM modules are relatively inexpensive, around $30-$40 depending on the motherboard manufacturer.

I already tried to reset BIOS, TPM, Windows, everything, with no results. So I really don't know what to do now. It should be a problem related to the AMD processor, otherwise clearing CMOS and TPM from BIOS should have solved the problem.

misterj
Big Boss

marell, I have not read all of this, but it looks to me like your MB has a header for a TPM module but no built-in module. My old MSI MB has the same thing. I just got a module from Amazon. Still running W10 and have not tried it. Enjoy, John.

His motherboard should have a built-in TPM module. Every B550 and Ryzen 5000 should support TPM 2.0 features out of the box. I have the same problem and I have a B550 Aorus Elite AX V2. Previously I had a Ryzen 5600X inside and everything was fine (both TPM attestation and memory were "Ready"). I tried every setting related to TPM to delete it and reset it after I swapped to the 5800X3D, but nothing changed. Attestation is "Not supported" and memory is in "Ready" status.

xlollomanx, his MB manual says there is NO TPM but a header. Without a TPM card, no solution! Enjoy, John.

If I'm not wrong he told me that before swapping the CPU his TPM status was fine. Even my mobo manual says a TPM header is available. Shouldn't the CPU itself work as the TPM?

This is taken from my mobo manual: "AMD CPU fTPM Enables or disables the TPM 2.0 function integrated in the AMD CPU. (Default: Disabled)" Even his mobo should have the option to enable ftpm and use the chip inside the cpu.

But honestly I'm not sure. Wait for his reply.

Thanks, xlollomanx. The manual I downloaded showed only a header. I assume the processor needs support for TPM. My MB (Gigabyte) has a header and the manual directed me to the module to purchase. Wait is the right answer now. Enjoy, John.

Honestly I never looked at the attestation status with the 5600X. But yes, my mobo also has the option to enable fTPM instead of a discrete TPM, so it should work out of the box, I think.

I apologize, marell. TPM is more complex than I thought. As you commented, you can use TPM or fTPM. Since fTPM fails, I suggest trying the plug-in module. Mine cost less than USD 20 on Amazon. I agree with you that fTPM should work out of the box. While AMD support is on maintenance, perhaps open a support request with the MB vendor now and with AMD when it is back. Enjoy, John.

Yes i’ve ordered the tpm for my mobo, let’s see if i’m able to solve in this way.

Despite this, I still hope that AMD/ASUS/Microsoft will solve this issue, because my mobo and processor both work very well and so I think the problem is not on my side.

Can you forward this problem to AMD engineers?

marell, this is a User forum. I am a user and we see very few AMD persons here and very seldom, so no I cannot forward to AMD. I would hope you have opened Support requests with AMD and ASUS and wonder why MS has a part. I am glad you have ordered a TPM card. Please let us hear. Thanks and enjoy, John.

I have finally “solved” the problem thanks to the external TPM module! 

Great, marell! Thanks for telling us. Enjoy, John.

Thanks for the update.

At least that verifies it is an AMD processor bug or defect that needs to be looked into by AMD and the motherboard manufacturers.

I can confirm too that I got it working with a TPM module. Also if I open the regedit on "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TPM\WMI\Endorsement\EKCertStore\Certificates" now I have the folder with the certificate.

I upgraded from a 3900X to a 5800X3D a couple of months ago. I never bothered to look at what the status of the attestation was, even when I was on the 3900X. I always looked at tpm.msc. But does it really matter if the status of attestation is "Not supported", if you do not use BitLocker or any form of encryption?

Btw, if I sell my 3900X that person doesn't get any problems? He can just reset the TPM, right?

xlollomanx
Adept I

At this point I'll probably buy a TPM module too.

xlollomanx, I don't think we even know what processor or MB you have. Please tell us. As I understand it some MBs support fTPM and some only TPM (requires a module built into the board or a purchased one plugged into a header) and some both. You really should open a new thread so responders can sort them out. In reality seldom do you have the same problem. Thanks and enjoy, John.

I posted earlier; btw, I have a Gigabyte Aorus Elite B550 AX V2 (rev 1.0). I wrote here because I met the thread owner in another forum by coincidence and we found out we have the exact same issue. He told me he opened a post here and I replied just to let AMD know he's not the only one.

Just like him I upgraded my CPU to a 5800X3D; after that it was impossible to obtain the status "Ready" on "TPM Attestation". The weirdest thing we found is that when we look in regedit at "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TPM\WMI\Endorsement\EKCertStore\Certificates" the folder is completely empty (inside there should be a folder with the certificate). I think in the end I'll buy a TPM module, I wasted too much time on this.

xlollomanx, when you post here you are NOT talking to AMD but to users such as I. Please open an AMD support request here. Currently on maintenance. Thanks, John.

wim-bart
Elite

This is not an AMD issue at all. Before swapping CPU or TPM module (also applies to Intel) the following steps need to be done:

  1. Disable Bitlocker in Windows, thus for each drive, not pause but disable
  2. Disable TPM in Windows, eventually do it with PowerShell
  3. Disable TPM in BIOS/UEFI and reboot, make it a full reboot cycle
  4. Replace the TPM module or CPU
  5. Boot the system into BIOS/UEFI
  6. Enable TPM again
  7. Reboot and restore all TPM things (and bitlocker)

Forgetting step 3 causes an attestation error on both AMD and Intel, and even breaks VMware ESX and Linux if done wrong.

A small note: resetting BIOS settings on both AMD and Intel does not clear all TPM data because it does not exist in the CMOS of the motherboard; with fTPM the data exists in the CPU and with a normal TPM module it exists in the TPM module. The attestation error is just a message that the TPM is tampered. With TPM enabled, and replacement of the module/CPU, the CMOS keys are compared to the ones in the module/CPU, give an error, and the attestation flag is set in the module/CPU, resulting in this error.
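Steps 1 and 2 of the procedure above are the only ones done inside Windows, and they are where data loss happens if the recovery key is not saved first. As an added example (not wim-bart's own script), this carries them out from an elevated PowerShell session on Windows 10/11 using the built-in BitLocker and TrustedPlatformModule cmdlets; it assumes "disable TPM in Windows" means turning off TPM auto-provisioning (Windows has no cmdlet that switches the TPM off), and the backup file path is a constructed placeholder.

```powershell
# Added example (not from the thread): steps 1 and 2 of the pre-swap procedure.
# Elevated PowerShell on Windows 10/11. Assumption: "disable TPM in Windows" is
# implemented as turning off TPM auto-provisioning; the BIOS/UEFI steps that follow
# (disable fTPM, swap the CPU, re-enable fTPM) remain manual.

# Constructed path for this example; pick a location that is NOT on a drive being decrypted.
$backupPath = 'D:\bitlocker-recovery-keys.txt'

function Save-BitLockerRecoveryPasswords {
    $lines = foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in $vol.KeyProtector) {
            if ($kp.KeyProtectorType -eq 'RecoveryPassword') {
                '{0} {1} {2}' -f $vol.MountPoint, $kp.KeyProtectorId, $kp.RecoveryPassword
            }
        }
    }
    # Keep a copy of every recovery password before touching TPM or firmware;
    # after the CPU swap the old fTPM is gone, so this file is the only way back in.
    $lines | Set-Content -Path $backupPath
    return @($lines).Count
}

function Disable-AllBitLockerVolumes {
    # Step 1: disable (decrypt), not suspend. Suspending only exposes the key
    # temporarily; the volume would still be bound to the TPM that is about to change.
    $encrypted = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }
    foreach ($vol in $encrypted) {
        Disable-BitLocker -MountPoint $vol.MountPoint | Out-Null
    }
    # Decryption runs in the background; wait until every volume reports FullyDecrypted.
    while (Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }) {
        Start-Sleep -Seconds 30
    }
}

$saved = Save-BitLockerRecoveryPasswords
Write-Host "Saved $saved recovery password(s) to $backupPath"
Disable-AllBitLockerVolumes

# Step 2: stop Windows from re-provisioning the TPM on the next boot, so the
# firmware-side steps are not undone by automatic provisioning before the swap.
Disable-TpmAutoProvisioning | Out-Null
Get-Tpm | Select-Object TpmPresent, TpmReady, AutoProvisioning
```

After the new CPU is in and fTPM is re-enabled in firmware, Enable-TpmAutoProvisioning and Enable-BitLocker reverse these two steps (step 7 of the list).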

Why did a TPM module work while the CPU's fTPM didn't with the same BIOS?

Also their previous Ryzen CPUs worked fine before installing the new AMD Ryzen processor.

Wouldn't the error occur with both the TPM Module and fTPM installed or enabled?

But if your method works with fTPM enabled on the Ryzen then that would be great. Saves the issue of purchasing a separate TPM module.

Yes, I believe that not all the TPM data was erased by doing a CLEAR CMOS, since the same issue persisted.

Clear CMOS does not clear the TPM keys because they are not in CMOS. The system CMOS only stores some base information about the TPM enablement and nothing of the TPM itself. People can even replace CMOS chips, but the actual configuration is not cleared at all.
TPM is a self-contained component with its own storage and settings. It has parts that cannot be accessed and changed, because it is to be Trusted.
On a TPM-enabled system there is a chain of trust. If one of the parts in the chain is reset or tampered with, the Trust is broken and then various components are "locked". Example: Windows will ask for a BitLocker key if BitLocker is enabled, BIOS will give an Attestation Error.

When you keep this in mind, and know the behaviour of TPM @elstaci, then you can see why the separate TPM chip works, because it is new, not tampered yet and has its own configuration. Now imagine the following: when replacing the discrete TPM chip with a new one, the same issue starts again, because the BIOS (Secure Boot actually) does not see matching keys between the new TPM chip and what it has in its own configuration. And an attestation error will happen again.

Now the question starts again: how can we reset the whole chain of trust? This is where things start to be complex, because the whole damage started at the moment a Clear CMOS was done with TPM enabled. And somehow the normal reset procedure does not work as intended.

This will render the OS unbootable when BitLocker is enabled. So make sure you have your BitLocker recovery key available. Do not take shortcuts, like disabling TPM and skipping Secure Boot; this will not reset the Secure Boot keys.
The first step is to disable Secure Boot. After saving this, power off the system completely, even the physical power switch, because fast boot can be a pain in the … Then after a boot, force a Clear TPM. Some BIOS versions have an option like "Clear TPM on next reboot". Save the setting and fully power off the system. Don't restart, fully power off (fast boot can give issues, so a real shutdown must have taken place to get everything working).
At this point the chain of trust is gone, because there is no trust between Secure Boot, TPM and Windows. Now disable TPM/fTPM completely, which makes the system "default". Reboot into BIOS (Windows 11 would not boot at all now). You will notice Secure Boot cannot be enabled at this point. A Clear CMOS can optionally be performed now. So now it is time to enable TPM/fTPM. After this, reboot and get into BIOS again; no need for a full reboot into Windows. Now enable Secure Boot. Save the setting and power off the system. At this moment there should not be an Attestation error. If there is, then there is a BIOS/firmware error and Secure Boot did not create new certificates and trust with the TPM chip. Now you can boot into Windows, initialize TPM (trust between Windows and TPM) and enable BitLocker again.