
TPM AIK enrollment failing — EK signed by ODCA 2 CSME P_ADL 00002341 Issuing CA, missing from AIK C

led4444
Beginner

Hello Intel team,

I have a TPM AIK enrollment issue on a 13th-gen Raptor Lake HX laptop that appears to be a missing TCIC submission for
an Intel On-Die CA branch.

Platform:
- CPU: Intel Core i7-13650HX, CPUID 0xB0671
- PCH: ADL, Device ID 0x7A0C, Revision B1, Production PRQ Revenue
- Intel ME firmware: 16.1.32.2473 H Consumer (vanilla, OEMP 0.0.0.0)
- TPM: Intel PTT 2.0, manufacturer version INTC 600.18.32.2473, spec 1.38
- TCB SVN: 1
- OS: Windows 11 25H2 build 26200.8328

EK certificate chain from tpmdiagnostics ekchainnv:

EK ← Issuer: CSME ADL PTT 01SVN
← Issuer: CSME ADL SVN01 Kernel CA
← Issuer: CSME ADL ROM CA
← Issuer: ODCA 2 CSME P_ADL 00002341 Issuing CA

dwErrorStatus = 0x10000 (CERT_TRUST_IS_PARTIAL_CHAIN).

Issue:

Windows TpmCertProvisioning computes the AIK CA endpoint hostname from the SHA-1 SKI of the issuing intermediate CA
(134d03d6581dabea3bf82eb2e34bf98192826962 — the SKI of ODCA 2 CSME P_ADL 00002341 Issuing CA) and POSTs an SCEP
request. The endpoint is reachable, TLS handshake completes, and the service rejects with HTTP 400 plus the JSON body
indicating no valid TPM EK/Platform certificate provided.

The related Tpm-HASCertRetr scheduled task succeeds (LastResult=0), so the Hardware Attestation Service endpoint works
fine with my EK. Only AIK CA enrollment fails.

What I verified is not the problem:

- TPM cleared via tpm.msc — same issuer, same failure
- Intel On-Die CA Root certificate installed in LocalMachine\Root from the Intel public On-Die CA distribution
- All three intermediate CAs present in HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI\Endorsement\IntermediateCACertStore
- No ECC EK exists on this TPM, only RSA EK
- Newest publicly-distributed Intel CSME 16.1.40.2765 capsule still ships the same CSME ADL SVN01 Kernel CA chain —
confirmed by binary inspection of the firmware blob

Questions:

1. Has Intel submitted the TCIC bundle for ODCA 2 CSME P_ADL 00002341 Issuing CA (or its parent CSME ADL SVN01 Kernel
CA) to Microsoft for inclusion in the Azure AIK CA trust pool?
2. Is there a newer Intel ME or CSME firmware planned for 13th-gen Raptor Lake HX signed by a different Kernel CA
branch that is already in Microsoft's AIK trust pool?
3. What is the correct Intel escalation path for TPM trust-pool gaps with the AIK CA — Customer Support, Premier
Support, or a specific Intel security or CSME engineering contact?

This affects multiple Raptor Lake HX laptops from several OEMs sharing the same chassis design — likely thousands of
devices in the field with the same INTC 600.18 firmware family.

Happy to provide full diagnostics on request: MEInfoWin64 verbose dump, tpmdiagnostics ekchainnv output, AIK
enrollment event captures, ME capsule binary scan results.

Thank you.

0 Kudos
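The post describes a chain that stops at ODCA 2 CSME P_ADL 00002341 Issuing CA (CERT_TRUST_IS_PARTIAL_CHAIN) and notes that Windows derives the AIK CA endpoint from the SHA-1 SubjectKeyIdentifier of that issuing CA. The script below is an added diagnostic example, not code from the original post or from Intel or Microsoft: it pulls the EK certificate and any extra intermediates the TPM driver exposes, builds the chain with the machine stores, prints the subject, issuer and SKI of every element, and reports whether the chain is partial and which issuer is missing. It assumes the TrustedPlatformModule module (Get-TpmEndorsementKeyInfo) is present and that the script runs in an elevated PowerShell; it does not attempt to reconstruct the enrollment hostname, it only prints the SKI so it can be compared against the value in the post.

```powershell
# Added example (not from the original post): reproduce the partial-chain diagnosis for the TPM EK
# certificate and show the SubjectKeyIdentifier of each element in the chain that Windows can build.
# Assumes Get-TpmEndorsementKeyInfo (TrustedPlatformModule module) and an elevated session.

$ekInfo = Get-TpmEndorsementKeyInfo -Hash Sha256
if (-not $ekInfo.IsPresent) { throw "The TPM driver reports no endorsement key." }

# ManufacturerCertificates holds the EK certificate(s) read from TPM NV; the post states only an RSA EK exists
$ekCert = $ekInfo.ManufacturerCertificates | Select-Object -First 1
if (-not $ekCert) { throw "EK present but no manufacturer EK certificate was returned." }

# Candidate intermediates: whatever the TPM driver already exposes plus the LocalMachine\CA store
$extra = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
foreach ($c in $ekInfo.AdditionalCertificates) { [void]$extra.Add($c) }
foreach ($c in (Get-ChildItem Cert:\LocalMachine\CA)) { [void]$extra.Add($c) }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.AddRange($extra)
# EK certs usually carry no usable CRL/OCSP and may be long-lived; do not let those checks mask a missing issuer
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::IgnoreNotTimeValid
[void]$chain.Build($ekCert)

# Walk leaf -> top; the SKI (OID 2.5.29.14) of the highest element is what the post says the AIK endpoint is derived from
$i = 0
foreach ($el in $chain.ChainElements) {
    $ski = ($el.Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }).SubjectKeyIdentifier
    "[{0}] Subject: {1}`n     Issuer : {2}`n     SKI    : {3}" -f $i, $el.Certificate.Subject, $el.Certificate.Issuer, $ski
    $i++
}

# PartialChain corresponds to CERT_TRUST_IS_PARTIAL_CHAIN: the issuer of the top element was found nowhere
$partialFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::PartialChain
$partial = $chain.ChainStatus | Where-Object { $_.Status -band $partialFlag }
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($partial) {
    Write-Warning ("Partial chain: no certificate found for issuer '{0}'" -f $top.Issuer)
    Write-Warning "If you hold that CA certificate, import it into Cert:\LocalMachine\CA (Root if self-signed) and re-run."
} else {
    "Chain builds to a trusted root: " + $top.Subject
}
```

Running this on an affected machine should list four elements ending at the issuing CA named in the post, with the warning naming the issuer that the local stores cannot supply; if a later firmware or an Intel-distributed CA bundle closes the gap, the same script shows the chain reaching a root instead.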
1 Reply
Mike_Intel
Moderator

Hello led4444,

Thank you for posting in the Intel Community Forum.

For me to better understand and diagnose the issue further, let me ask you to provide detailed responses to the following questions. This information will help me isolate the problem and determine the most appropriate course of action moving forward.

  1. May I know why you need this information?
  2. If you can share a screenshot related to your inquiry, please send a screenshot.
  3. For me to review the hardware and the drivers installed, please help generate the SSU logs of your system. Kindly refer to the link below for the steps:

How to get the Intel® System Support Utility Logs on Windows*

If you have questions, please let us know. Thank you.

Best regards,

Michael L.

Intel Customer Support Technician
