Thanks, all my machines have latest firmwares, not sure why I am seeing similar messages on other machines given the resolution below.
Rather than rebuild the machine I used the following to install a second copy of Windows 10 but using build 1903.
Created a windows to go install on SSD in USB enclosure
Joined it to my Azure AD WhFB enabled domain, registration succeeded
Realized while it does bitlocker on WTG it doesn't do attestation - oops and says the TPM is unavailable
Converted drive to normal boot drive (used tool, took a few seconds)
Plugged it into SATA port and changed BIOS boot order
Booting this way resolved all issues, you are indeed correct this is entirely a fast ring issue.
The key here is to make sure this issue doesn't progress into final builds - to date there has been no response from MS on hub or reddit (trying technet forum next).
This seems to be particularly problematic with the ASUS board, the surface books running the same build and same infineon chip report the same errors but do not have the broken functionality issues.
Also its a really weird bug that different machines (with different TPMs) would report different and highly specific known flaws via tpmtool. This is either one of the weirdest bugs i have seen or there is a set of undisclosed vulnerabilities that this build is detecting for... only time will tell
🙂thanks so much for your help, pointing me in the right direction and reminding me not to put so much faith in insider fast builds - which tbh i found to be surprisingly darn robust over last 3 years+.
Next text, change the 1903 build to slow ring and see if this is just fast ring or issue in the entire dev branch.
