Hello Intel team,
I'm reporting what looks like a missing TCIC (TPM Certified Issuer Certificate) submission to Microsoft for an Intel
On-Die CA branch used on 13th-gen Raptor Lake HX laptops. This blocks all Windows TPM AIK-dependent features: Intune
Conditional Access, Azure Attestation, BitLocker AIK-bound policies, and consumer apps like Activision Ricochet.
My platform:
- CPU: Intel Core i7-13650HX (CPUID 0xB0671)
- PCH: ADL, DevID 0x7A0C, Rev B1, Production PRQ Revenue
- Intel ME firmware: 16.1.32.2473 H Consumer (vanilla, OEMP 0.0.0.0)
- TPM: Intel PTT 2.0, INTC 600.18.32.2473, spec 1.38
- TCB SVN: 1
- OS: Windows 11 25H2, build 26200.8328
EK chain (from tpmdiagnostics ekchainnv):
EK ← CSME ADL PTT 01SVN
← CSME ADL SVN01 Kernel CA
← CSME ADL ROM CA
← ODCA 2 CSME P_ADL 00002341 Issuing CA
The intermediate CSME ADL ROM CA is issued by www.intel.com, OU=ODCA 2 CSME P_ADL 00002341 Issuing CA — stored in
HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI\Endorsement\IntermediateCACertStore, thumbprint
4AD05420DFB8FE88D841F65DFB4110BE0F66644B.
What Windows attempts:
Windows computes the AIK CA endpoint URL from the SHA-1 SKI of the issuing intermediate CA. For my chain this is
134d03d6581dabea3bf82eb2e34bf98192826962. Windows POSTs SCEP to:
The endpoint is reachable (DNS → prdf.aadg.msidentity.com, TLS OK, certificate CN=graph.windows.net). Microsoft's
service accepts the POST and rejects with:
HTTP/1.1 400 Bad Request
{"Message":"No valid TPM EK/Platform certificate provided in the TPM identity request message."}
Tpm-HASCertRetr task succeeds (LastResult=0) — Intel HAS endpoint works fine, only AIK CA rejects our EK.
Why this is platform-wide, not device-specific:
I verified that the newest publicly available Intel ME 16.1.40.2765 (deployed by Panasonic Toughbook standalone
update, https://global-pc-support.connect.panasonic.com/dldocs/84585) still ships the same CSME ADL SVN01 Kernel CA
chain — confirmed by binary analysis of PcOemMeCorp_16_1_40_2765.cap. Every public Intel ME 16.1.x variant I inspected
(16.1.25.2020, 16.1.30.2264, 16.1.32.2473, 16.1.40.2765) shares this issuer. Updating CSME firmware has no effect on
the issuer.
This is the same class of issue Microsoft previously resolved for Infineon CA 035/039/042 by updating their AIK trust
pool after Infineon TCIC submissions were processed (see
https://patchmypc.com/blog/tpm-attestation-failures-windows-autopilot/ and
https://call4cloud.nl/tpm-attestation-0x80190190-0x81039001/). The same exact error is also reported on Intel Meteor
Lake (Lenovo ThinkBook 14/16 G7 IML, firmware INTC 45875219.x) in Microsoft Q&A thread 1861578, still unresolved.
My questions:
1. Has Intel submitted the TCIC bundle for ODCA 2 CSME P_ADL 00002341 Issuing CA (and/or its parent CSME ADL SVN01
Kernel CA) to Microsoft?
2. If yes — can Intel follow up with Microsoft Azure AAD team to add it to the AIK CA trust pool?
3. If no — can Intel submit it?
4. Is there a newer Intel CSME firmware (publicly released or planned) for 13th-gen Raptor Lake HX signed by a
different Kernel CA branch that IS in Microsoft's trust pool?
This affects multiple Chinese-market OEMs sharing the Clevo V25xRNx barebone (Colorful EVOL P15 TA 24, Mechrevo,
Hasee, Maibenben — likely thousands of devices). Users have no client-side path to resolve.
Happy to provide full diagnostics: MEInfoWin64 verbose dump, tpmdiagnostics output, Event ID 87 captures, ME capsule
binary scan results.
Thank you.
System serial: NKV357SNEYCF10004I00284
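As an added example (not part of the post above, and not Intel's or Microsoft's tooling), the following PowerShell lists the EK certificate chain Windows holds for the TPM via the built-in `Get-TpmEndorsementKeyInfo` cmdlet and prints each certificate's Subject Key Identifier and Authority Key Identifier, so the issuing-intermediate SKI that Windows uses to derive the AIK CA endpoint can be compared with the value reported above. It assumes an elevated prompt on a machine with a present TPM; the role labels `EK` and `Intermediate` are the example's own.

```powershell
# Added example: dump the TPM EK chain with SKI/AKI per certificate for the
# "What Windows attempts" check. Requires the TrustedPlatformModule module
# (shipped with Windows) and administrator rights.
Import-Module TrustedPlatformModule

$ek = Get-TpmEndorsementKeyInfo -Hash Sha256

function Get-CertSummary {
    param(
        [string]$Role,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    # Subject Key Identifier (OID 2.5.29.14): this is the value Windows hashes
    # into the AIK CA endpoint when the cert is the issuing intermediate.
    $skiExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' } | Select-Object -First 1
    $ski = if ($skiExt) {
        [System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension]::new($skiExt, $false).SubjectKeyIdentifier.ToLower()
    } else { '<none>' }

    # Authority Key Identifier (OID 2.5.29.35): decoded to text so it can be
    # matched by eye against the parent's SKI when walking the chain upward.
    $akiExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.35' } | Select-Object -First 1
    $aki = if ($akiExt) { $akiExt.Format($false) } else { '<none>' }

    [pscustomobject]@{
        Role       = $Role
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        Thumbprint = $Cert.Thumbprint
        SKI        = $ski
        AKI        = $aki
        NotAfter   = $Cert.NotAfter
    }
}

$rows = @()
# ManufacturerCertificates holds the EK certificate(s) written by the TPM vendor;
# AdditionalCertificates holds the intermediates Windows found for them.
foreach ($c in $ek.ManufacturerCertificates) { $rows += Get-CertSummary -Role 'EK' -Cert $c }
foreach ($c in $ek.AdditionalCertificates)   { $rows += Get-CertSummary -Role 'Intermediate' -Cert $c }

if ($rows.Count -eq 0) {
    Write-Warning 'No EK or intermediate certificates returned; the TPM may be absent or not provisioned.'
} else {
    $rows | Format-List
}
```

The `SKI` printed for the `Intermediate` entry whose `Subject` is the CSME ROM CA is the value to compare against the 134d03... identifier above; if the intermediate store is empty, Windows has no issuing CA to derive an endpoint from at all.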