  1. #1

    TPM2.0 FW 5.63.3144.0 reported as vulnerable in Windows 10.

    I am having issues with my TPM not working in Windows 10 19613.
    It seems the FW in the TPM has been marked vulnerable by Microsoft.
    I see no later update on the FW page.

    Is there a later FW available?

    Here is the relevant output:

    -TPM Has Vulnerable Firmware: True
    -TPM Firmware Vulnerability: 0x00000004
    TPM2_ActivateCredential - spurious TPM_RC_BINDING error

    Code:
    PS C:\WINDOWS\system32> tpmtool getdeviceinformation
    
    -TPM Present: True
    -TPM Version: 2.0
    -TPM Manufacturer ID: IFX
    -TPM Manufacturer Full Name: Infineon
    -TPM Manufacturer Version: 5.63.3144.0
    -PPI Version: 1.3
    -Is Initialized: True
    -Ready For Storage: True
    -Ready For Attestation: False
    -Information Flags Description:
            INFORMATION_ATTESTATION_VULNERABILITY
    -Is Capable For Attestation: True
    -Clear Needed To Recover: False
    -Clear Possible: True
    -TPM Has Vulnerable Firmware: True
    -TPM Firmware Vulnerability: 0x00000004
                    TPM2_ActivateCredential - spurious TPM_RC_BINDING error
    
    -PCR7 Binding State: 2
    -Maintenance Task Complete: True
    -TPM Spec Version: 1.16
    -TPM Errata Date: Wednesday, September 21, 2016
    -PC Client Version: 1.00
    -Is Locked Out: False
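
An added example, not part of the original post: a PowerShell sketch that parses `tpmtool getdeviceinformation` text and reports the fields relevant to the problem described above (vulnerable-firmware flag, attestation readiness). The function names are hypothetical, and the parser assumes the `-Key: Value` layout with indented detail lines shown in the output above.

```powershell
# Added example. Function names are hypothetical; the parser assumes the
# "-Key: Value" layout with indented detail lines seen in the post above.
function ConvertFrom-TpmToolOutput {
    param([string[]]$Lines)
    $info = [ordered]@{}
    $lastKey = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*-(?<key>[^:]+):\s*(?<value>.*)$') {
            $lastKey = $Matches['key'].Trim()
            $info[$lastKey] = $Matches['value'].Trim()
        }
        elseif ($lastKey -and $line.Trim()) {
            # Indented line: detail text belonging to the previous key
            $info[$lastKey] = (@($info[$lastKey], $line.Trim()) -ne '') -join ' | '
        }
    }
    [pscustomobject]$info
}

function Get-TpmTriage {
    param([Parameter(Mandatory)]$Tpm)
    if ($Tpm.'TPM Has Vulnerable Firmware' -eq 'True') {
        "Firmware $($Tpm.'TPM Manufacturer Version') flagged: $($Tpm.'TPM Firmware Vulnerability')"
    }
    if ($Tpm.'Is Capable For Attestation' -eq 'True' -and
        $Tpm.'Ready For Attestation' -ne 'True') {
        "Attestation capable but not ready; flags: $($Tpm.'Information Flags Description')"
    }
    if ($Tpm.'Clear Needed To Recover' -eq 'True') {
        'TPM reports that a clear is needed to recover'
    }
}

# Sample lines copied from the post (trimmed). On a live machine use:
#   $tpm = ConvertFrom-TpmToolOutput -Lines (tpmtool getdeviceinformation)
$sample = @'
-TPM Manufacturer Version: 5.63.3144.0
-Ready For Attestation: False
-Information Flags Description:
        INFORMATION_ATTESTATION_VULNERABILITY
-Is Capable For Attestation: True
-Clear Needed To Recover: False
-TPM Has Vulnerable Firmware: True
-TPM Firmware Vulnerability: 0x00000004
                TPM2_ActivateCredential - spurious TPM_RC_BINDING error
'@ -split '\r?\n'

Get-TpmTriage -Tpm (ConvertFrom-TpmToolOutput -Lines $sample)
```

Running the same two functions on each machine gives one comparable record per device, which makes it easier to see whether different TPMs report different vulnerability codes.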

  2. #2

    Am I wrong to expect someone from Asus to comment on this?
    This is causing significant headaches for me with things that use TPM (like Windows Hello for Business, synchronizing Edge settings in Azure AD, etc).
    Last edited by scyto; 05-14-2020 at 05:14 AM. Reason: more info

  3. #3
    Jesseinsf

    Quote Originally Posted by scyto View Post
    Am I wrong to expect someone from Asus to comment on this?
    This is causing significant headaches for me with things that use TPM (like Windows Hello for Business, synchronizing Edge settings in Azure AD, etc).

    Most likely because you have installed a "Windows Insiders" Fast Ring build. There are bound to be lots of bugs in the fast ring. The slow ring and release preview ring are using the Windows version that will be released at the end of the month or early next month. I would re-image your PC and switch to the release preview ring. Oh, and don't forget to add this feedback in the Windows Insiders feedback hub.
    Last edited by Jesseinsf; 05-14-2020 at 08:31 AM.

  4. #4

    Quote Originally Posted by Jesseinsf View Post
    Most likely because you have installed a "Windows Insiders" Fast Ring build. There are bound to be lots of bugs in the fast ring. The slow ring and release preview ring are using the Windows version that will be released at the end of the month or early next month. I would re-image your PC and switch to the release preview ring. Oh, and don't forget to add this feedback in the Windows Insiders feedback hub.

    Yes, already submitted to the insider hub.
    To be clear, the "firmware is vulnerable" error is also present on the release build.

    I don't know if the attestation error is on released builds; I would need to install on another HDD.
    Might do it over the weekend and see.

    Irrespective of that, Asus are a Microsoft partner and should also be verifying builds, at least with smoke tests - that's the whole freaking point of the insider builds... not to mention the private builds they have access to.

  5. #5
    Jesseinsf

    Quote Originally Posted by scyto View Post
    Yes, already submitted to the insider hub.
    To be clear, the "firmware is vulnerable" error is also present on the release build.

    I don't know if the attestation error is on released builds; I would need to install on another HDD.
    Might do it over the weekend and see.

    Irrespective of that, Asus are a Microsoft partner and should also be verifying builds, at least with smoke tests - that's the whole freaking point of the insider builds... not to mention the private builds they have access to.

    I used to work at a large corporation and their new Dell PCs and laptops had to have a TPM firmware update for a similar issue. Have you looked into that?

  6. #6

    Thanks, all my machines have the latest firmware; not sure why I am seeing similar messages on other machines given the resolution below.

    Rather than rebuild the machine I used the following to install a second copy of Windows 10 but using build 1903.
    • Created a Windows To Go install on an SSD in a USB enclosure
    • Joined it to my Azure AD WhFB-enabled domain; registration succeeded
    • Realized that while it does BitLocker on WTG, it doesn't do attestation (oops) and says the TPM is unavailable
    • Converted the drive to a normal boot drive (used a tool, took a few seconds)
    • Plugged it into a SATA port and changed the BIOS boot order

    Booting this way resolved all issues. You are indeed correct, this is entirely a fast ring issue.

    The key here is to make sure this issue doesn't progress into final builds - to date there has been no response from MS on the hub or Reddit (trying the TechNet forum next).

    This seems to be particularly problematic with the ASUS board; the Surface Books running the same build and the same Infineon chip report the same errors but do not have the broken functionality issues.

    Also, it's a really weird bug that different machines (with different TPMs) would report different and highly specific known flaws via tpmtool. This is either one of the weirdest bugs I have seen or there is a set of undisclosed vulnerabilities that this build is detecting for... only time will tell :-)

    Thanks so much for your help, pointing me in the right direction and reminding me not to put so much faith in insider fast builds - which tbh I found to be surprisingly darn robust over the last 3 years+.

    Next test: change the 1903 build to slow ring and see if this is just fast ring or an issue in the entire dev branch.
    Last edited by scyto; 05-15-2020 at 04:11 PM. Reason: typo in list

  7. #7

    Last attempt to get a confirmation from MS that this is a known bug:
    https://social.technet.microsoft.com...InsiderPreview

  8. #8

    One last question:

    Have you ever used the 'firmware TPM' instead of the 'discrete TPM'? There is a toggle between the two in the BIOS.
