Azure Attestation

Flyer1000 0 Reputation points
2026-06-22T00:23:35.85+00:00

After a motherboard replacement, Windows AIK enrollment against the Microsoft attestation endpoint fails. The TPM is an Intel PTT (firmware TPM, CSME) and is fully healthy — Secure Boot on, TPM 2.0 ready, EK certificate present and valid. This blocks downstream attestation-dependent applications. I am trying to get a clean AIK certificate issued.

Result: certreq -enrollaik -config "" reaches the endpoint and is rejected by the service:

HTTP/1.1 400 Bad Request
{"Message":"No valid TPM EK/Platform certificate provided in the TPM identity request message."}
x-ms-request-id: 2b12e008-2560-462d-8c64-3520f5fbc757
x-ms-client-request-id: c40347e5-0ac7-40d4-ada7-50f30505d23e
Date: Sun, 21 Jun 2026 23:50:58 GMT

Enrollment progresses through GetCACert / GetCACaps / CreateRequest / SubmitRequest and then fails at the service response (EnrollStage 220). The AIK SCEP URL it resolves to is: https://INTC-KeyId-77b63d9f8b73f5fbbd73ace7d8fbda37a6a7865f.microsoftaik.azure.net/templates/Aik/scep

The EK certificate is present locally and chains correctly on-die. Get-TpmEndorsementKeyInfo returns:

IsPresent : True
ManufacturerCertificates :
  Subject:  TPMVersion=id:02BC0013, TPMModel=MTP, TPMManufacturer=id:494E5443 (INTC)
  Issuer:   CN=ODCA 2 CSME MTP PCH SVN 01 PTT CA
  Serial:   594FB06A879E2A8FA54520951C4B2036
  NotBefore:6/5/2024
  NotAfter: 12/31/2049
  Thumbprint: 51B56FE3A06BC8A9753598A7A1DBAE7161A71542
AdditionalCertificates : {}

The request-side issuing CA reported by certreq is: CN=[www.intel.com], OU=ODCA 2 CSME P_MTP PCH 00003145 Issuing CA

This looks like the issuing CA for this PTT batch is not present/trusted in the Azure attestation directory, so the service rejects an otherwise valid EK. This appears to be the same class of issue as other recent reports where a newer Intel ODCA 2 CSME issuing CA had not been onboarded on the service side.

Environment:

  • Intel LGA1851 platform, Gigabyte Z890 AORUS ELITE WIFI7
  • TPM: Intel PTT (firmware TPM), TPM 2.0, Spec revision 1.59, VendorID INTC
  • Windows 11 (current), Secure Boot enabled, TPM ready per tpm.msc
  • Latest available motherboard BIOS and Intel CSME/ME firmware applied

Troubleshooting already done:

  • Cleared TPM via Windows Security → Security Processor → Clear TPM, rebooted, re-provisioned
  • Re-ran certreq -enrollaik -config "" from elevated cmd (not PowerShell) — same 400
  • Confirmed EK cert present and valid via Get-TpmEndorsementKeyInfo and tpmdiagnostics
  • Verified BIOS, chipset, and Intel ME firmware are current
  • Windows reports the device meets standard hardware security requirements

Ask: Can the issuing CA ODCA 2 CSME P_MTP PCH 00003145 be verified/onboarded in the Azure attestation ([microsoftaik.azure.net]) trusted directory? The failing transaction is x-ms-request-id: 2b12e008-2560-462d-8c64-3520f5fbc757 — happy to provide additional traces.

[Moved from Windows for home | Windows 11 | Security and privacy]

Windows for business | Windows Client for IT Pros | Devices and deployment | Other
0 comments No comments

1 answer

Sort by: Most helpful
  1. Jason Nguyen Tran 22,990 Reputation points Independent Advisor
    2026-06-22T13:24:46.2233333+00:00

    Hi Flyer1000,

    What’s happening here is that Azure Attestation relies on a trusted directory of TPM Endorsement Key (EK) issuing CAs. When certreq attempts to enroll an AIK certificate, the service validates the EK certificate chain against that directory. If the issuing CA for your Intel PTT batch isn’t onboarded yet, the attestation endpoint will reject the request even though the EK cert looks valid locally.

    In your case, the EK certificate is chaining to an Intel ODCA 2 CSME P_MTP PCH 00003145 Issuing CA. Based on recent reports, some newer Intel firmware TPM batches are using updated ODCA roots that have not yet been fully published to the Microsoft attestation trust store. That explains why you’re seeing the 400 Bad Request with “No valid TPM EK/Platform certificate provided.”

    The next step is to have Microsoft onboard that issuing CA into the attestation directory. This is not something you can fix client-side, even with a healthy TPM, Secure Boot enabled, and current firmware, the service must recognize the EK issuer. I recommend opening a formal support case with Microsoft, referencing the failing transaction ID (x-ms-request-id: 2b12e008-2560-462d-8c64-3520f5fbc757) and providing the EK certificate details you’ve already collected. That will allow the attestation team to validate the Intel CA and add it to the trusted list.

    Once the CA is onboarded, your AIK enrollment should succeed without further changes on your end. In the meantime, you’ve already confirmed that the TPM is healthy and the environment meets Windows security requirements, so you’re well-positioned once the trust update is applied.

    If you find this answer helpful, kindly hit “accept answer".

    Jason.

    Was this answer helpful?

    1 person found this answer helpful.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.