I have recently activated the Intel PTT’s TPM 2.0 in the BIOS of my computer (PTT based on IntelME 126.96.36.19925, in a Skylake 6th generation system). After running MEInfo in the management engine SDK, the Endorsement Key (EK) appears as Revoked. The Re-key needed option is False. I tried re-keying again with "SetupME.exe -tcs -nodrv -s", but nothing changes.
TPM seems to be detected and working in the Windows 10 device manager, but Windows is anyway complaining with this error:
"Device health attestation isn't supported on this device." I think both problems are related, as an EK is required for the attestation to work. Am I right? Why is my key revoked, and can I change that?
UEFI and secure boot are both enabled. But wait! After powering on the system today, Windows 10 does not complain anymore about the attestation thing! The Endorsement Key (EK) still appears as revoked in MEInfo, but Windows 10 seems to fully accept the TPM now, with no error messages in the Security Processor window (https://support.microsoft.com/en-us/help/4096339/windows-10-device-protection-in-windows-defender-security-center#securityprocessor). Any idea about what the revoked EK means?
One possibility is that the certificate provided by the BIOS has actually been revoked. Have you checked to see if there is a newer BIOS (firmware) release available for this board? It may fix this issue.
I found a hint in an internet search. Does this machine have full Internet access? One possible cause for revocation is that the verification of the EK cannot take place. This can be the result of no Internet access, a misconfiguration of the proxy, business-level blocking of verification, etc.
Articles/books worth checking out:
- Platform Embedded Security Technology Revealed: https://books.google.com/books?id=giZIBAAAQBAJ
- TCG EK Credential Profile: https://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf
Hope this helps,
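
One way to tell apart the two explanations raised in the replies above (a certificate that really is revoked versus a revocation check that could not complete), as an added example that is not part of the original thread. It assumes an elevated PowerShell session on Windows 10 and that the TPM exposes at least one EK certificate to Windows; it says nothing about how MEInfo derives its own "Revoked" field.

```powershell
# Added diagnostic sketch: read the EK certificate(s) Windows sees and
# build a chain with online revocation checking to see what actually fails.
$ek = Get-TpmEndorsementKeyInfo
if (-not $ek.IsPresent) {
    Write-Output 'Windows reports no endorsement key for this TPM.'
    return
}

# Collect certificates from both properties, dropping empty entries.
$certs = @(@($ek.ManufacturerCertificates) + @($ek.AdditionalCertificates) |
    Where-Object { $_ })
if ($certs.Count -eq 0) {
    Write-Output 'EK is present, but no EK certificate is exposed to Windows.'
    return
}

foreach ($cert in $certs) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $policy = $chain.ChainPolicy
    $policy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $policy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $policy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    # Build() returns $false on any problem; the detail is in ChainStatus.
    $null = $chain.Build($cert)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    if ($flags -contains 'Revoked') {
        $verdict = 'Issuer reports a certificate in the chain as revoked.'
    } elseif (($flags -contains 'RevocationStatusUnknown') -or
              ($flags -contains 'OfflineRevocation')) {
        # Typical of blocked or proxied access to the CRL/OCSP endpoints.
        $verdict = 'Revocation could not be checked (network or proxy?).'
    } elseif ($flags.Count -eq 0) {
        $verdict = 'Chain built with no errors.'
    } else {
        $verdict = 'Other chain problem; see flags.'
    }

    [pscustomobject]@{
        Subject = $cert.Subject
        Issuer  = $cert.Issuer
        Flags   = ($flags -join ', ')
        Verdict = $verdict
    }
}
```

Flags such as `PartialChain` or `UntrustedRoot` point at a missing intermediate or root certificate rather than at revocation, which is a different problem from the one the replies discuss.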