TPM Attestation Broken Since at least build 19613 after clearing TPM + security warnings?

  • Question

  • I have an Asus TPM on an Asus motherboard.

    Everything was OK until I cleared my TPM on build 19613 (I am on 19628 and the issue is still present).

    After clearing the TPM, nothing that uses a TPM works (thank god I didn't have BitLocker on); for example, WHfB PINs and Face IDs cannot be registered.

    Installing a clean 1903 build resolves this issue.

    I note that on Fast ring builds all the TPMs I have (Dell XPS 13, Surface Book and this Asus mobo) are reported as having different security flaws and needing a firmware update; there are no updates (or rather, I am fully up to date on public ones). Is the build flagging a set of undisclosed security flaws, or is this a bug?

    Is the team aware of a bug where, once a TPM is cleared, these builds are no longer able to initialize and use it (and yes, I have tried all the command-line tools to reset and initialize it)?

    This is the output of tpmtool.

    PS C:\WINDOWS\system32> tpmtool getdeviceinformation
    
    -TPM Present: True
    -TPM Version: 2.0
    -TPM Manufacturer ID: IFX
    -TPM Manufacturer Full Name: Infineon
    -TPM Manufacturer Version: 5.63.3144.0
    -PPI Version: 1.3
    -Is Initialized: True
    -Ready For Storage: True
    -Ready For Attestation: False
    -Information Flags Description:
            INFORMATION_ATTESTATION_VULNERABILITY
    -Is Capable For Attestation: True
    -Clear Needed To Recover: False
    -Clear Possible: True
    -TPM Has Vulnerable Firmware: True
    -TPM Firmware Vulnerability: 0x00000004
                    TPM2_ActivateCredential - spurious TPM_RC_BINDING error
    
    -PCR7 Binding State: 2
    -Maintenance Task Complete: True
    -TPM Spec Version: 1.16
    -TPM Errata Date: Wednesday, September 21, 2016
    -PC Client Version: 1.00
    -Is Locked Out: False

     


    Friday, May 15, 2020 4:18 PM

All replies

  • This seems to be an issue unique to Fast ring builds.

    It shouldn't cause any issues.

    It turns out that, while I am still getting this issue, the biggest issue was caused by the fact that I cleared my TPM.

    This seems to utterly break Windows Hello for Business for Edge profiles and pin logon.
    The way to tell is if you get Trusted Platform Module error code 80090016.
    Solution: blow away the affected user profile.
    There is no need to disjoin from AAD.
    Monday, May 18, 2020 1:23 AM
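The following PowerShell script is an added example, not code from either poster in this thread. It ties the two posts together: it parses the `tpmtool getdeviceinformation` output shown in the question (the sample embedded below is copied from that output, trimmed to the relevant lines), cross-checks it against the built-in `Get-Tpm` cmdlet, and then applies the fix from the reply, removing the user profile that produces error 80090016 (which is `NTE_BAD_KEYSET`, "Keyset does not exist": the profile still references Windows Hello key material that the TPM clear destroyed). The account name `alice`, the `-UseSampleOutput` switch and the script file name in the usage note are hypothetical; everything else is standard Windows tooling.

```powershell
# Added example (not from the original thread). Run elevated on the affected machine.
# Assumptions (hypothetical, not from the post): the affected account is named in -AffectedUser,
# and that user is signed out so the profile is not loaded.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$AffectedUser = 'alice',   # hypothetical account that hits 80090016 at PIN setup
    [switch]$UseSampleOutput           # parse the constructed sample instead of running tpmtool
)

# Constructed sample: the relevant lines of the tpmtool output posted in the question.
$SampleOutput = @'
-TPM Present: True
-TPM Version: 2.0
-Ready For Storage: True
-Ready For Attestation: False
-TPM Has Vulnerable Firmware: True
-TPM Firmware Vulnerability: 0x00000004
                TPM2_ActivateCredential - spurious TPM_RC_BINDING error
-Is Locked Out: False
'@ -split "`n"

function ConvertFrom-TpmToolOutput {
    # Turn the "-Key: Value" lines of 'tpmtool getdeviceinformation' into a hashtable.
    # Continuation lines (such as the vulnerability description) do not start with '-' and are skipped.
    param([string[]]$Lines)
    $info = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*-(?<key>[^:]+):\s*(?<value>.*)$') {
            $info[$Matches.key.Trim()] = $Matches.value.Trim()
        }
    }
    return $info
}

$lines = if ($UseSampleOutput) { $SampleOutput } else { & tpmtool getdeviceinformation }
$tpm   = ConvertFrom-TpmToolOutput -Lines $lines

# Cross-check with the TrustedPlatformModule cmdlet that ships with Windows.
$state = Get-Tpm -ErrorAction SilentlyContinue
if ($state) {
    "Get-Tpm : Present=$($state.TpmPresent) Ready=$($state.TpmReady) LockedOut=$($state.LockedOut)"
}
"tpmtool: ReadyForStorage=$($tpm['Ready For Storage']) ReadyForAttestation=$($tpm['Ready For Attestation'])"

if ($tpm['TPM Has Vulnerable Firmware'] -eq 'True') {
    # The question's output reports flag 0x00000004 (spurious TPM_RC_BINDING on TPM2_ActivateCredential).
    # Only a vendor firmware update clears it; the reply states it was not the cause of the PIN failure.
    "Firmware vulnerability flag: $($tpm['TPM Firmware Vulnerability']) (needs a vendor firmware update)"
}

# 0x80090016 = NTE_BAD_KEYSET: the profile references key material destroyed by the TPM clear.
# The reply's remediation is to delete that user profile; no AAD disjoin is needed.
$userProfile = Get-CimInstance Win32_UserProfile |
    Where-Object { -not $_.Loaded -and $_.LocalPath -like "*\$AffectedUser" }

if ($null -eq $userProfile) {
    "No unloaded profile found for $AffectedUser (sign the user out first; never delete a loaded profile)."
} elseif ($PSCmdlet.ShouldProcess($userProfile.LocalPath, 'Remove user profile')) {
    $userProfile | Remove-CimInstance
    "Removed profile $($userProfile.LocalPath). Sign in again and re-enrol the Windows Hello PIN."
}
```

Save it as, for example, `Repair-WhfbKeyset.ps1` (hypothetical name) and first run `.\Repair-WhfbKeyset.ps1 -AffectedUser alice -WhatIf` to see which profile would be removed; `-UseSampleOutput` exercises the parser against the posted output without touching the local TPM. Because `Remove-CimInstance` on `Win32_UserProfile` deletes the profile directory and registry hive, the `Loaded` check and `ShouldProcess` gate are the two safeguards a practitioner should keep.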