TPM 2.0 FW 5.63.3144.0 reported as vulnerable in Windows 10.

scyto
Level 8
I am having issues with my TPM not working in Windows 10 19613.
It seems the FW in the TPM has been marked vulnerable by Microsoft.
I see no later update on the FW page.

Is there a later FW available?

Here is the relevant output:

-TPM Has Vulnerable Firmware: True
-TPM Firmware Vulnerability: 0x00000004
TPM2_ActivateCredential - spurious TPM_RC_BINDING error

S C:\WINDOWS\system32> tpmtool getdeviceinformation

-TPM Present: True
-TPM Version: 2.0
-TPM Manufacturer ID: IFX
-TPM Manufacturer Full Name: Infineon
-TPM Manufacturer Version: 5.63.3144.0
-PPI Version: 1.3
-Is Initialized: True
-Ready For Storage: True
-Ready For Attestation: False
-Information Flags Description:
INFORMATION_ATTESTATION_VULNERABILITY
-Is Capable For Attestation: True
-Clear Needed To Recover: False
-Clear Possible: True
-TPM Has Vulnerable Firmware: True
-TPM Firmware Vulnerability: 0x00000004
TPM2_ActivateCredential - spurious TPM_RC_BINDING error

-PCR7 Binding State: 2
-Maintenance Task Complete: True
-TPM Spec Version: 1.16
-TPM Errata Date: Wednesday, September 21, 2016
-PC Client Version: 1.00
-Is Locked Out: False
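An added example, not from the original post and not an ASUS or Microsoft tool: it parses the text layout of "tpmtool getdeviceinformation" shown above into key/value pairs and reports which reported conditions would stop attestation-dependent features (Windows Hello for Business, etc.) from working. The function names are my own and the sample lines are constructed to match the shape of the output in the post.

```powershell
# Parse tpmtool output into a hashtable. Lines that start with "-Key: value"
# open a new entry; any following line without a leading "-" (the flag name,
# the vulnerability description) is appended to the previous key.
function ConvertFrom-TpmToolOutput {
    param([string[]]$Lines)
    $info = @{}
    $lastKey = $null
    foreach ($line in $Lines) {
        $trimmed = $line.Trim()
        if ($trimmed -eq '') { continue }
        if ($trimmed -match '^-(?<key>[^:]+):\s*(?<value>.*)$') {
            $lastKey = $Matches.key.Trim()
            $info[$lastKey] = $Matches.value.Trim()
        } elseif ($lastKey) {
            $info[$lastKey] = ($info[$lastKey] + ' ' + $trimmed).Trim()
        }
    }
    return $info
}

# Triage: collect every reported condition that blocks attestation.
function Test-TpmAttestationReadiness {
    param([string[]]$Lines)
    $tpm = ConvertFrom-TpmToolOutput $Lines
    $findings = @()
    if ($tpm['TPM Has Vulnerable Firmware'] -eq 'True') {
        $findings += "Firmware flagged vulnerable: $($tpm['TPM Firmware Vulnerability'])"
    }
    if ($tpm['Ready For Attestation'] -ne 'True') {
        $findings += "Not ready for attestation (flags: $($tpm['Information Flags Description']))"
    }
    if ($tpm['Clear Needed To Recover'] -eq 'True') {
        $findings += 'TPM clear required to recover'
    }
    [pscustomobject]@{
        Manufacturer    = $tpm['TPM Manufacturer Full Name']
        FirmwareVersion = $tpm['TPM Manufacturer Version']
        AttestationOk   = ($findings.Count -eq 0)
        Findings        = $findings
    }
}

# Constructed sample in the layout of the post's output (not live data).
$sample = @'
-TPM Manufacturer Full Name: Infineon
-TPM Manufacturer Version: 5.63.3144.0
-Ready For Attestation: False
-Information Flags Description:
INFORMATION_ATTESTATION_VULNERABILITY
-Clear Needed To Recover: False
-TPM Has Vulnerable Firmware: True
-TPM Firmware Vulnerability: 0x00000004
TPM2_ActivateCredential - spurious TPM_RC_BINDING error
'@ -split "`r?`n"

Test-TpmAttestationReadiness $sample | Format-List
```

On a real machine replace the sample with `Test-TpmAttestationReadiness (tpmtool getdeviceinformation)` to triage several PCs with the same script.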

scyto
Level 8
Am I wrong to expect someone from Asus to comment on this?
This is causing significant headaches for me with things that use the TPM (like Windows Hello for Business, synchronizing Edge settings in Azure AD, etc.).

scyto wrote:
Am I wrong to expect someone from Asus to comment on this?
This is causing significant headaches for me with things that use the TPM (like Windows Hello for Business, synchronizing Edge settings in Azure AD, etc.).

Most likely because you have installed a "Windows Insiders" Fast Ring build. There are bound to be lots of bugs in the fast ring. The slow ring and release preview ring are using the Windows version that will be released at the end of the month or early next month. I would re-image your PC and switch to the release preview ring. Oh, and don't forget to add this feedback in the Windows Insiders Feedback Hub.

Jesseinsf wrote:
Most likely because you have installed a "Windows Insiders" Fast Ring build. There are bound to be lots of bugs in the fast ring. The slow ring and release preview ring are using the Windows version that will be released at the end of the month or early next month. I would re-image your PC and switch to the release preview ring. Oh, and don't forget to add this feedback in the Windows Insiders Feedback Hub.


Yes, already submitted to the Insider hub.
To be clear, the "firmware is vulnerable" error is also present on the release build.

I don't know if the attestation error is on released builds; I would need to install on another HDD.
Might do it this weekend and see.

Irrespective of that, Asus are a Microsoft partner and should also be verifying builds at least with smoke tests - that's the whole freaking point of the Insider builds... not to mention the private builds they have access to.

scyto wrote:
Yes, already submitted to the Insider hub.
To be clear, the "firmware is vulnerable" error is also present on the release build.

I don't know if the attestation error is on released builds; I would need to install on another HDD.
Might do it this weekend and see.

Irrespective of that, Asus are a Microsoft partner and should also be verifying builds at least with smoke tests - that's the whole freaking point of the Insider builds... not to mention the private builds they have access to.

I used to work at a large corporation, and their new Dell PCs and laptops had to have a TPM firmware update for a similar issue. Have you looked into that?

Thanks, all my machines have the latest firmware; not sure why I am seeing similar messages on other machines given the resolution below.

Rather than rebuild the machine I used the following to install a second copy of Windows 10, but using build 1903:
    Created a Windows To Go install on an SSD in a USB enclosure
    Joined it to my Azure AD WHfB-enabled domain; registration succeeded
    Realized that while it does BitLocker on WTG it doesn't do attestation - oops - and says the TPM is unavailable
    Converted the drive to a normal boot drive (used a tool, took a few seconds)
    Plugged it into a SATA port and changed the BIOS boot order

Booting this way resolved all issues; you are indeed correct, this is entirely a fast ring issue.

The key here is to make sure this issue doesn't progress into final builds - to date there has been no response from MS on hub or reddit (trying technet forum next).

This seems to be particularly problematic with the ASUS board; the Surface Books running the same build and the same Infineon chip report the same errors but do not have the broken functionality issues.

Also, it's a really weird bug that different machines (with different TPMs) would report different and highly specific known flaws via tpmtool. This is either one of the weirdest bugs I have seen or there is a set of undisclosed vulnerabilities that this build is detecting... only time will tell 🙂

Thanks so much for your help, pointing me in the right direction and reminding me not to put so much faith in Insider fast builds - which, tbh, I found to be surprisingly darn robust over the last 3+ years.

Next test: change the 1903 build to the slow ring and see if this is just a fast ring issue or an issue in the entire dev branch.

One last question:

Have you ever used the 'firmware TPM' instead of the 'discrete TPM'? There is a toggle between the two in the BIOS...