Call4Cloud

The Pursuit of HAPPY…. Uhhh TPM AMD Happyness (Part 3)

This blog will hopefully show you some inside information on what issues you could run into when using AMD TPM attestation and Windows Autopilot for pre-provisioned deployments!

I will divide this blog into multiple parts:

  1. The famous AMD AIK does not exist error
  2. Taking a better look at the AMD EKCert
  3. Taking a better look at the Key-Id’s
  4. Taking a better look at the Certificate Flow
  5. Let me correct something!
  6. Sources used
  7. Conclusion

1. The famous AIK does not exist error

There are a lot of different error codes to be aware of when your AMD device times out during TPM attestation: “Something Went Wrong”, 0x81039024, or “The authority amd-keyid-578c545f796951421221a4a578acdb5f682f89c8.microsoftaik.azure.net does not exist”.

Not to forget the error 0x800705b4 you could receive during the “Securing your Hardware” phase.

Let’s start by taking a good look at the CertReq_enrollaik_output.txt file first, because troubleshooting TPM attestation errors begins with running the MdmDiagnosticsTool!

When you have exported the log, open it. I guess everyone who is trying to perform a White Glove… ahh damn… Windows Autopilot for pre-provisioned deployments (WAPD from now on) will see the same AIK URL failing:


So what’s up with that? Isn’t it strange that this AIK service URL is failing for everyone?

2. Taking a better look at the AMD EKCert

In part 2 of the TPM happyness blog series I showed you how you could export this EKCert.

When you want to export the EKCert on an AMD device, the command line to export the EKCert is somewhat different:

# Windows PowerShell 5.1; on PowerShell 7 replace "-Encoding Byte" with "-AsByteStream"
(Get-TpmEndorsementKeyInfo).AdditionalCertificates | Foreach-Object -Process { Set-Content -Value $_.RawData -Encoding Byte -Path "$($_.Thumbprint).crt" -Force }

You can see it for yourself by using this command: Get-TpmEndorsementKeyInfo -hash "sha256". Instead of ManufacturerCertificates you will notice AdditionalCertificates:


Now let’s take a look at the EK certificate itself:


That’s a whole other Certificate Authority (CA) than we noticed earlier of course!

3. Taking a better look at the Key-IDs

So we have two CA issuer IDs:

  1. 578c545f796951421221a4a578acdb5f682f89c8
  2. 52fb59e29aa83a962fb9eef0fe5b4811de6b751e

*The first one, 578c545f796951421221a4a578acdb5f682f89c8:

Now take a good guess about what the first CA issuer ID stands for…

As shown in the screenshot, this certificate is the AMDTPM Root CA.

*The second one, 52fb59e29aa83a962fb9eef0fe5b4811de6b751e:

And now for the second one!

As shown in the screenshot, this is the PRG-RN Intermediate Certificate (AMD-fTPM-RSA-ICA-RNFamily).


4. Taking a better look at the certificate flow

As I also did with the Intel TPM and discrete TPMs, here is the flow with an AMD (f)TPM:

Now we have seen the flow, I am going to ask you a simple question…. Which cert do we need?


Yes!!! The intermediate one! So why the hell are we building/creating an AIK URL to the AMD Root AIK service? That’s totally not right.

Just open your browser and try both of them to see what happens!

AMD Root CA

Intermediate Root CA
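As an added worked example (not code from the original post, nor from Microsoft or AMD), the following Windows PowerShell snippet puts sections 2 to 4 together: it pulls the AMD certificate chain from AdditionalCertificates, reads the Authority Key Identifier of each certificate, builds the AIK service host name that issuer key ID would produce, and checks whether that host resolves, which is the “open both URLs in your browser” test done from the shell. It assumes the host name pattern from the error message above (amd-keyid-<issuer key id>.microsoftaik.azure.net), the vendor prefix "amd", and the standard key-identifier extension OIDs; Get-KeyIdHex and Get-AikHost are helper names made up for this example.

```powershell
# Added diagnostic, not code from the original post. Assumptions: Windows PowerShell 5.1 (elevated)
# on an AMD fTPM device where Get-TpmEndorsementKeyInfo fills AdditionalCertificates (as shown above),
# the AIK service host pattern "<vendor>-keyid-<issuer key id>.microsoftaik.azure.net" taken from
# the error message above, and the vendor prefix "amd".

# Return the hex key identifier carried by an Authority Key Identifier (2.5.29.35)
# or Subject Key Identifier (2.5.29.14) extension, or $null if the cert lacks it.
function Get-KeyIdHex {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Oid
    )
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid } | Select-Object -First 1
    if (-not $ext) { return $null }
    # Format($false) renders e.g. "KeyID=57 8c 54 5f ..." for an AKI or "57 8c 54 5f ..." for an SKI
    $text = $ext.Format($false)
    if ($text -match 'KeyID=([0-9a-fA-F ]+)') { $text = $Matches[1] }
    return ($text -replace '[^0-9a-fA-F]', '').ToLower()
}

# Build the AIK service host name that a given issuer key id would produce
function Get-AikHost {
    param([string]$Vendor, [string]$KeyId)
    return ('{0}-keyid-{1}.microsoftaik.azure.net' -f $Vendor, $KeyId)
}

$certs = @((Get-TpmEndorsementKeyInfo -hash "sha256").AdditionalCertificates)
if ($certs.Count -eq 0) { throw 'No AdditionalCertificates returned; is this an AMD fTPM device?' }

# A cert is the root when self-signed, the EK leaf when nothing in the chain names it as issuer
$issuerNames = $certs | ForEach-Object { $_.Issuer }

$certs | ForEach-Object {
    $role = if ($_.Subject -eq $_.Issuer) { 'root' } elseif ($issuerNames -notcontains $_.Subject) { 'EK cert (leaf)' } else { 'intermediate' }
    # The key id of the cert's ISSUER is what ends up in the AIK host name
    $issuerKeyId = Get-KeyIdHex -Cert $_ -Oid '2.5.29.35'
    $aikHost = if ($issuerKeyId) { Get-AikHost -Vendor 'amd' -KeyId $issuerKeyId } else { $null }
    # Reproduce the "try both URLs in your browser" test as a DNS lookup
    $resolves = if ($aikHost) { [bool](Resolve-DnsName -Name $aikHost -ErrorAction SilentlyContinue) } else { $false }
    [pscustomobject]@{
        Role        = $role
        Subject     = $_.Subject
        IssuerKeyId = $issuerKeyId
        AikHost     = $aikHost
        Resolves    = $resolves
    }
} | Format-Table -AutoSize -Wrap
```

Run it in an elevated Windows PowerShell session on the affected device. On the chain described above you would expect the root and intermediate rows to carry the root key ID (578c545f…) and an AIK host that does not resolve, while the EK cert row carries the intermediate key ID (52fb59e2…) and the host that does resolve; that is exactly the “wrong cert” mismatch the conclusion below describes.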

5. Let me correct Something

Sometimes it’s late and you are tired and your brains just stop working…


In the tweet I posted, I was asking myself what was happening with the Microsoft AIK services that are older than one year… Because normally certificates are only valid for one year, I had the stupid idea that this could be the reason why AMD wasn’t working!… stupid me…

That’s totally not the case, because the AIK certificates or signers are only replaced when they are revoked. When they are revoked, the new, up-to-date and non-revoked certificate is normally updated automatically.

6. Sources used

I can be quick about this… My own TPM blogs… learning about what is happening with the TPM during attestation and how the AIK is built showed me what to look for. Hopefully, this blog series showed you what to look out for!

7. Conclusion

So Microsoft/Windows is looking at the wrong cert to get the issuer ID: for Intel it needs to look at the ODCA intermediate certificate, but for AMD it has to look at the EKCert to get the right issuer ID.


Again, Microsoft is aware of this issue and is working on a fix, so have patience.

Update 21-02-2022:

If you are interested in the whole Attestation series, go and check them out!

Attestation and Compliance Series – Call4Cloud

19 thoughts on “The Pursuit of HAPPY…. Uhhh TPM AMD Happyness (Part 3)”

  1. How long until they fix it I guess is the next question. I know we just got the first patches for Ryzen on Win 11. I was hoping they would have bundled it in there but no luck.

  2. In which version of Windows does it not give this error, so I can install that Windows and it does not crash?

  3. Something very strange is going on. According to the MS topic it was fixed in a preview build November 15th 2021: https://docs.microsoft.com/en-us/answers/questions/537944/tpm-event-logger-error-after-cpu-swap-event-id-86.html?page=1&pageSize=10&sort=oldest

    I have spent the last day installing multiple versions of Windows 11 and unless it’s because I migrated from 10 to 11 and not a clean install, the issue is still happening for me: https://i.imgur.com/btf3Rly.png

    I tried the public stable, dev and insider preview builds. If they did somehow fix it in November, they must have unfixed it between end of November and the latest January 2022 builds.

    1. Hi… a 50/50 answer… With the November update (like I am also describing in part 2) it fixed the Intel TPM issue, but not the AMD… and as far as I know the code to fix it isn’t implemented yet

      1. I get that but it seems very strange how the bleeding edge dev build of January 2022 would not for some reason include a fix that dates 2 months prior where someone said it was fixed.

        To add to this, a majority of people with AMD CPUs simply don’t have this issue so what specific configuration is causing such an error in the first place? I actually once thought that maybe specific models of routers are blocking the data packets being requested?

        1. Hi, true… But I guess that someone was wrong 🙂 … Only the Intel part was fixed, not the AMD issue 🙂 . Older AMD and Intel CPUs didn’t have the issue as some of them just have an embedded certificate.
          You could read my blogs about how the attestation URL gets created… with AMD the wrong certificate is used to build the AIK URL, so you would end up with an AIK URL pointing to the AMD root cert instead of the intermediate one

  4. Good explanation – I think you’re on to something. I found this related to a new laptop upgraded to Windows 11 home. It’s a Ryzen 7 5700u ASUS, the Hyper V crashed and this message appeared related to it – creepy sudden power offs. I signed up for Insider only release preview – really wasn’t interested in going for bleeding edge for stability but starting to look like not much choice. Anyone have any updates on this?

    1. Not that I have heard… This month only security updates… so I won’t be expecting the AMD TPM attestation fix

      1. https://www.windowslatest.com/2022/03/09/windows-10-kb5011487-21h2-21h1-released-heres-whats-improved/

        “Fixed an issue where certificate enrollment fails”

        Not related?

  5. Today I installed a new (Beta) BIOS from ASUS that includes AGESA 1.2.0.7
    AMD AIK errors in the event log continue.
    Judging from your excellent, in depth, investigation, I assume that patches from Microsoft are also required.
    Not sure why Microsoft are trailing behind AMD. I am pretty sure they would have been working together with AMD on the solution and would have received pre-releases of the microcode.

    1. You should assume that indeed… as far as I know the fix still isn’t released… (after months and months of waiting)

  6. Any news on those AMD certificates?
    I still get this error in the event viewer:
    Not Found
    {“Message”:”The authority \”amd-keyid-578c545f796951421221a4a578acdb5f682f89c8.microsoftaik.azure.net\” does not exist.”}

    1. I noticed a couple of lines mentioning TPM updates in the 2022-04 update KB5012643

      https://support.microsoft.com/en-us/topic/april-25-2022-kb5012643-os-build-22000-652-preview-43a75ee7-d857-4943-a2b9-f961538bd2b0

      Improves the Autopilot client to process updated Trusted Platform Module (TPM) capabilities that support self-deployment and pre-provisioning scenarios.

      It’s worth a try to update a device with this update from the OOBE screen before testing it
