
Intel PTT EK certificate service returns 404 "Certificate not found" — TPM attestation fails (Z790, i9-14900F)

lag_of_duty 0 Reputation points
2026-06-08T21:56:47.41+00:00

Intel PTT (firmware TPM) endorsement key has no EK certificate available from Intel's EK cert service, which breaks Windows AIK attestation. This blocks anti-cheat attestation (Call of Duty) even though the TPM, Secure Boot, and CSME firmware are all healthy.

SYSTEM

  • CPU: Intel Core i9-14900F
  • Motherboard: ASUS TUF Gaming Z790-PLUS WIFI, BIOS 1836
  • CSME/ME firmware: 16.1.40.2765 (HealthState OK, MEI + DAL services running)
  • TPM: Intel PTT 2.0, ManufacturerVersion 600.18.1040.2765
  • OS: Windows 11 24H2 (build 26200)
  • Secure Boot: On, CSM disabled, TPM owned and ready

THE PROBLEM

EK KeyId: 6faa3846534cc1abb71a50f9403b0ad584ca402d

Issuing CA: ODCA 2 CSME P_ADL 00002983 Issuing CA

Intel's EK certificate service returns 404 for this key:

GET https://proserv.intel.com/ekcertservice/xx7l7bfyZulE8doir_5FGcLNdjfnsiS2GlYcIOLAGIA%3D

Response: HTTP 404 "Certificate not found"

Intel x-amzn-RequestId: 947bd839-3394-4b28-8895-3ad87f08a926

As a downstream result, Microsoft AIK enrollment also 404s:

https://INTC-KeyId-6faa3846534cc1abb71a50f9403b0ad584ca402d.microsoftaik.azure.net/templates/Aik/scep

Response: HTTP 404 "The authority ... does not exist"

Microsoft x-ms-request-id: b3cbba60-1a2e-419e-946d-e340a2b81eef

WHAT I'VE VERIFIED LOCALLY

  • EK cert chain reads correctly on-die (tpmdiagnostics ekchainNV) — chains PTT 01SVN -> CSME ADL SVN01 Kernel CA -> CSME ADL ROM CA -> Intel root
  • My issuing CA (ADL 00002983) IS present in Microsoft's TrustedTPM.cab
  • tpmdiagnostics InstallEkCertThroughCoreProv succeeds locally, but AdditionalCertificates stays empty
  • Cleared TPM, toggled PTT, reinstalled full Intel ME software, cleared the AIKCertEnroll registry cache — KeyId never changes and the 404 persists
  • This failed before and after a BIOS update, so it is not a BIOS-flash regression

ASK

Intel's EK cert service has no certificate provisioned for this PTT endorsement key. Please provision/reissue the EK certificate for KeyId 6faa3846534cc1abb71a50f9403b0ad584ca402d so attestation can complete. Happy to attach an Intel SSU report.

Windows for home | Windows 11 | Security and privacy
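
Added example (not part of the original post, and not Intel or Microsoft code): a Python check that decodes the token in the failing EK request and the KeyId in the AIK host name quoted in the question, so a mismatch between the request and the local EK can be ruled out before escalating. The derivation in token_for_rsa_ek (SHA-256 over the RSA modulus plus the default exponent, base64url, percent-encoded) follows what tpm2-tools does for Intel's EK service and is an assumption for this endpoint; the function names and the demo modulus are constructed.

```python
import base64
import hashlib
import re
from urllib.parse import quote, unquote, urlsplit

# URLs copied from the question above.
EK_URL = ("https://proserv.intel.com/ekcertservice/"
          "xx7l7bfyZulE8doir_5FGcLNdjfnsiS2GlYcIOLAGIA%3D")
AIK_URL = ("https://INTC-KeyId-6faa3846534cc1abb71a50f9403b0ad584ca402d"
           ".microsoftaik.azure.net/templates/Aik/scep")


def url_token(ek_url):
    """Last path segment of an EK cert service URL, still percent-encoded."""
    return urlsplit(ek_url).path.rsplit("/", 1)[-1]


def token_digest(ek_url):
    """Raw bytes behind the token (percent-decoding, then base64url)."""
    return base64.urlsafe_b64decode(unquote(url_token(ek_url)))


def token_for_rsa_ek(modulus):
    """Token for an RSA EK with the default exponent 65537.

    Assumption: SHA-256 over modulus || 01 00 01, as tpm2-tools computes it.
    """
    digest = hashlib.sha256(modulus + b"\x01\x00\x01").digest()
    return quote(base64.urlsafe_b64encode(digest).decode("ascii"), safe="")


def aik_key_id(aik_url):
    """Split the AIK enrollment host name into (vendor tag, KeyId hex)."""
    host = urlsplit(aik_url).hostname or ""  # hostname is lower-cased
    m = re.fullmatch(r"([a-z]{4})-keyid-([0-9a-f]+)\.microsoftaik\.azure\.net", host)
    if m is None:
        raise ValueError("unexpected AIK host name: %r" % host)
    return m.group(1).upper(), m.group(2)


def matches_local_ek(ek_url, modulus):
    """True when the URL token was derived from this RSA EK modulus."""
    return url_token(ek_url) == token_for_rsa_ek(modulus)


if __name__ == "__main__":
    digest = token_digest(EK_URL)
    vendor, key_id = aik_key_id(AIK_URL)
    print("EK token : %d bytes  %s" % (len(digest), digest.hex()))
    print("AIK KeyId: %d bytes  %s (%s)" % (len(key_id) // 2, key_id, vendor))
    demo_modulus = bytes(range(256))  # constructed stand-in, not a real EK
    print("matches demo modulus:", matches_local_ek(EK_URL, demo_modulus))
```

The token decodes to 32 bytes and the KeyId to 20, so the two identifiers cannot be compared with each other directly; check each one against a value derived from the local EK public key.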

1 answer

  1. AI answer

    2026-06-08T21:57:02.3633333+00:00

    The EK certificate itself must be issued and hosted by Intel’s EK certificate service; Windows and Microsoft’s attestation services only consume what Intel publishes. When Intel’s EK service returns HTTP 404 for a valid EK key ID, that is an Intel provisioning/back‑end issue, not something that can be fixed from Windows, firmware settings, or by reinstalling software.

    From the Windows and Microsoft side, the relevant points from the documented flow are:

    • The TPM endorsement certificate is created and stored by the TPM/firmware vendor and is used as the root of trust for attestation.
    • For Intel firmware TPM, the endorsement certificate is obtained online from Intel and stored in the TPM. If Internet access is filtered, the Intel EK service URL must be reachable: https://ekop.intel.com/ekcertservice.
    • Windows then uses that EK to derive an Attestation Identity Key (AIK) and obtains an AIK certificate from the Microsoft Cloud CA. If the EK certificate cannot be validated or retrieved, AIK enrollment can fail.

    Relevant behavior from the documentation:

    • The endorsement certificate is produced by the TPM manufacturer and is used to prove the authenticity of the TPM to applications or cloud services.
    • For Intel firmware TPM, the endorsement certificate is created when the TPM is initialized by contacting Intel’s online service.
    • Windows health/TPM attestation relies on the EK and AIK chain; Microsoft Cloud CA issues the AIK certificate only after it can establish that it is talking to a real TPM with a valid EK.

    Given that:

    1. The EK chain reads correctly on the device and chains to Intel’s root.
    2. The issuing CA is present in Microsoft’s TrustedTPM list.
    3. Intel’s EK service returns 404 for the EK key ID.
    4. Microsoft’s AIK enrollment endpoint then also returns 404 for that key ID.

    This indicates that the Intel EK certificate for this specific EK key ID is not present/registered in Intel’s EK service back end. Microsoft’s attestation service cannot work around a missing EK record; it depends on Intel’s service to provide the EK certificate and associated metadata.

    From the Windows side, the only actionable checks are:

    1. Ensure the Intel EK service URL is reachable from the device when the TPM is initialized:
      • https://ekop.intel.com/ekcertservice (for Intel firmware TPM)
      If this URL is blocked by a firewall or filtering, allow it and then clear and re‑initialize the TPM so the firmware can re‑provision the EK certificate.
    2. Confirm Secure Boot and TPM are correctly enabled and owned, which is already the case in this configuration.

    If the EK service remains reachable and still returns 404 for this EK key ID after TPM clear/re‑provision, the remaining step is to escalate to Intel (and, if needed, ASUS) support with:

    • The EK key ID.
    • The EK certificate chain as read from the TPM.
    • Confirmation that https://ekop.intel.com/ekcertservice is reachable during TPM initialization.

    Only Intel can provision or correct a missing EK certificate record in its EK service; Microsoft’s attestation and AIK issuance cannot compensate for a 404 at Intel’s endpoint.

