TPM2.0 FW 5.63.3144.0 reported as vulnerable in windows 10.

[scyto]

I am having issues with my TPM not working in windows 10 19613
It seems the FW in the TPM has been marked vulnerable by Microsoft.
I see no later update on the FW page.

Is there a later FW available?

Here is the relevant output:

-TPM Has Vulnerable Firmware: True
-TPM Firmware Vulnerability: 0x00000004
TPM2_ActivateCredential - spurious TPM_RC_BINDING error

Code:

S C:\WINDOWS\system32> tpmtool getdeviceinformation

-TPM Present: True
-TPM Version: 2.0
-TPM Manufacturer ID: IFX
-TPM Manufacturer Full Name: Infineon
-TPM Manufacturer Version: 5.63.3144.0
-PPI Version: 1.3
-Is Initialized: True
-Ready For Storage: True
-Ready For Attestation: False
-Information Flags Description:
        INFORMATION_ATTESTATION_VULNERABILITY
-Is Capable For Attestation: True
-Clear Needed To Recover: False
-Clear Possible: True
-TPM Has Vulnerable Firmware: True
-TPM Firmware Vulnerability: 0x00000004
                TPM2_ActivateCredential - spurious TPM_RC_BINDING error

-PCR7 Binding State: 2
-Maintenance Task Complete: True
-TPM Spec Version: 1.16
-TPM Errata Date: Wednesday, September 21, 2016
-PC Client Version: 1.00
-Is Locked Out: False

[scyto]

Am i wrong to expect someone from Asus to comment on this?
This is causing significant headaches for me with things that use TPM (like windows hello for business, synchronizing edge settings in azure ad, etc).

[Jesseinsf]

Am i wrong to expect someone from Asus to comment on this?
This is causing significant headaches for me with things that use TPM (like windows hello for business, synchronizing edge settings in azure ad, etc).

Most likely because you have installed a "Windows Insiders" Fast Ring build. There is bound to be lots of bugs in the fast ring. The slow ring and release preview ring are using the Windows version that will be released at the end of the month or early next month. I would re-image your PC and switch to the release preview ring. Oh, and don't forget to add this feedback in the Windows Insiders feedback hub.

[scyto]

Most likely because you have installed a "Windows Insiders" Fast Ring build. There is bound to be lots of bugs in the fast ring. The slow ring and release preview ring are using the Windows version that will be released at the end of the month or early next month. I would re-image your PC and switch to the release preview ring. Oh, and don't forget to add this feedback in the Windows Insiders feedback hub.

Yes already submitted to insider hub
To be clear the firmware is vulnerable error also is present on release build.

I don't know if the attestation error is on released builds, would need to install on another HDD.
Might do it weekend and see.

Irrespective of that is Asus are a Microsoft partner and should also be verifying builds at least with smoke tests - that the whole freaking point of the insider builds.... not to mention the private builds they have access to.

[Jesseinsf]

Yes already submitted to insider hub
To be clear the firmware is vulnerable error also is present on release build.

I don't know if the attestation error is on released builds, would need to install on another HDD.
Might do it weekend and see.

Irrespective of that is Asus are a Microsoft partner and should also be verifying builds at least with smoke tests - that the whole freaking point of the insider builds.... not to mention the private builds they have access to.

I use to work at a large corporation and their new dell PCs and laptops had to have a TPM firmware update for a similar issue. Have you looked in to that?

[scyto]

Thanks, all my machines have latest firmwares, not sure why I am seeing similar messages on other machines given the resolution below.

Rather than rebuild the machine I used the following to install a second copy of Windows 10 but using build 1903.

• Created a windows to go install on SSD in USB enclosure

• Joined it to my Azure AD WhFB enabled domain, registration succeeded

• Realized while it does bitlocker on WTG it doesn't do attestation - oops and says the TPM is unavailable

• Converted drive to normal boot drive (used tool, took a few seconds)

• Plugged it into SATA port and changed BIOS boot order

Booting this way resolved all issues, you are indeed correct this is entirely a fast ring issue.

The key here is to make sure this issue doesn't progress into final builds - to date there has been no response from MS on hub or reddit (trying technet forum next).

This seems to be particularly problematic with the ASUS board, the surface books running the same build and same infineon chip report the same errors but do not have the broken functionality issues.

Also its a really weird bug that different machines (with different TPMs) would report different and highly specific known flaws via tpmtool. This is either one of the weirdest bugs i have seen or there is a set of undisclosed vulnerabilities that this build is detecting for... only time will tell :-)

thanks so much for your help, pointing me in the right direction and reminding me not to put so much faith in insider fast builds - which tbh i found to be surprisingly darn robust over last 3 years+.

Next text, change the 1903 build to slow ring and see if this is just fast ring or issue in the entire dev branch.

[scyto]

last attempt to get a confirmation from MS this is a known bug
https://social.technet.microsoft.com...InsiderPreview

[scyto]

one last question

have you ever used the 'firmware tpm' instead of the 'discrete tpm' - there is a toggle between the two in the BIOS....