Hi Flyer1000,
What’s happening here is that Azure Attestation relies on a trusted directory of TPM Endorsement Key (EK) issuing CAs. When certreq attempts to enroll an AIK certificate, the service validates the EK certificate chain against that directory. If the issuing CA for your Intel PTT batch isn’t onboarded yet, the attestation endpoint will reject the request even though the EK cert looks valid locally.
In your case, the EK certificate is chaining to an Intel ODCA 2 CSME P_MTP PCH 00003145 Issuing CA. Based on recent reports, some newer Intel firmware TPM batches are using updated ODCA roots that have not yet been fully published to the Microsoft attestation trust store. That explains why you’re seeing the 400 Bad Request with “No valid TPM EK/Platform certificate provided.”
The next step is to have Microsoft onboard that issuing CA into the attestation directory. This is not something you can fix client-side, even with a healthy TPM, Secure Boot enabled, and current firmware, the service must recognize the EK issuer. I recommend opening a formal support case with Microsoft, referencing the failing transaction ID (x-ms-request-id: 2b12e008-2560-462d-8c64-3520f5fbc757) and providing the EK certificate details you’ve already collected. That will allow the attestation team to validate the Intel CA and add it to the trusted list.
Once the CA is onboarded, your AIK enrollment should succeed without further changes on your end. In the meantime, you’ve already confirmed that the TPM is healthy and the environment meets Windows security requirements, so you’re well-positioned once the trust update is applied.
If you find this answer helpful, kindly hit “accept answer".
Jason.