
Intel Platform Trust Technology and revoked Endorsement Key

ikerrg
Beginner

Hello,

I have recently activated the Intel PTT’s TPM 2.0 in the BIOS of my computer (PTT based on IntelME 11.8.50.3425, in a Skylake 6th generation system). After running MEInfo in the management engine SDK, the Endorsement Key (EK) appears as Revoked. The Re-key needed option is False. I tried re-keying again with "SetupME.exe -tcs -nodrv -s", but nothing changes.

TPM seems to be detected and working in the Windows 10 device manager, but Windows is complaining anyway with this error:

"Device health attestation isn't supported on this device." I think both problems are related, as an EK is required for the attestation to work. Am I right? Why is my key revoked, and can I change that?

Many thanks.

n_scott_pearson
Super User Retired Employee

Just a thought: do you have Secure Boot enabled in the BIOS? If not, you should try enabling it.

Hope this helps,

...S

ikerrg
Beginner

UEFI and secure boot are both enabled. But wait! After powering on the system today, Windows 10 does not complain anymore about the attestation thing! The Endorsement Key (EK) still appears as revoked in MEInfo, but Windows 10 seems to fully accept the TPM now, with no error messages in the Security Processor window (https://support.microsoft.com/en-us/help/4096339/windows-10-device-protection-in-windows-defender-security-center#securityprocessor). Any idea about what the revoked EK means?

n_scott_pearson
Super User Retired Employee

One possibility is that the certificate provided by the BIOS has actually been revoked. Have you checked to see if there is a newer BIOS (firmware) release available for this board? It may fix this issue.

...S

ikerrg
Beginner

That is an interesting thought. In any case, there is no new BIOS, so maybe the key has been revoked due to another reason. What is that EK and what does it protect?

n_scott_pearson
Super User Retired Employee

I found a hint in an internet search. Does this machine have full Internet access? One possible cause for revocation is that the verification of the EK cannot take place. This can be the result of no Internet access, a misconfiguration of the proxy, business-level blocking of verification, etc.

Articles/books worth checking out:

Hope this helps,

...S
