Community
cancel
Showing results for 
Search instead for 
Did you mean: 
ikerrg
Beginner
1,169 Views

Intel Platform Trust Technology and revoked Endorsement Key

Hello,

 

I have recently activated the Intel PTT’s TPM 2.0 in the BIOS of my computer (PTT based on IntelME 11.8.50.3425, in a Skylake 6th generation system). After running MEInfo in the management engine SDK, the Endorsement Key (EK) appears as Revoked. The Re-key needed option is False. I tried re-keying again with "SetupME.exe -tcs -nodrv -s", but nothing changes.

 

TPM seems to be detected and working in the Windows 10 device manager, but Windows is anyway complaining with this error:

"Device health attestation isn't supported on this device." I think both problems are related, as an EK is required for the attestation to work. Am I right? Why my key is revoked and can I change that?

 

Many thanks.

0 Kudos
5 Replies
n_scott_pearson
Super User Retired Employee
656 Views

Just a thought: do you have Secure Boot enabled in the BIOS? ​If not, you should try enabling it.

H​ope this helps,

...S

ikerrg
Beginner
656 Views

UEFI and secure boot are both enabled. But wait! After powering on the system today, Windows 10 does not complain anymore about the attestation thing! The Endorsement Key (EK) still appears as revoked in MEInfo, but Windows 10 seems to fully accept the TPM no with no error messages in the Security Processor window (https://support.microsoft.com/en-us/help/4096339/windows-10-device-protection-in-windows-defender-se... ). Any idea about what the revoked EK means?

n_scott_pearson
Super User Retired Employee
656 Views

One possibility is that the certificate provided by the BIOS has actually been revoked. Have you checked to see if there is a newer BIOS (firmware) release available for this board? It may fix this issue.

...S

ikerrg
Beginner
656 Views

​That is an interesting thought. In any case, there is no new BIOS, so maybe the key has been revoked due to other reason. What is that EK and what does it protect?

n_scott_pearson
Super User Retired Employee
656 Views

I found a hint in an internet search. Does this machine have full Internet access? One possible cause for revocation is that the verification of the EK cannot take place. This can be the result of no Internet access, a misconfiguration of the proxy, business-level blocking of verification, etc.

 

Articles/books worth checking out:

 

 

Hope this helps,

...S

Reply