This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 10%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Hi everyone
I just wanted let you know that we have found an error in combination with TPM-saved RSA certificates and Client Authentication on TLS1.2 with newer Windows 10 Clients (probably all after 1909).
It seems that a lot of 2.0 TPMs have a problem with RSA PSS.
I wanted to share this problem because we have spent a lot of time to identify the issue. So I hope that other admins will find this post before they spend a lot of time in troubleshooting.
The issue happens during the TLS handshake. The TPM just doesn't signs the certificate verify step as shown on this print screen:
By disabling RSA PSS on the client, the client uses another cipher to sign the packet and then it works.
You can disable RSA PSS by following those steps:
After the reboot, the client uses now RSA PKCS1 and the signature step runs successful:
The issue was initially identified on a EAP-TLS authentication for an IPSec tunnel. But the issue happens also on client certificate authentication on https websites as both use TLS for the handshake.
Keep in mind that this is only a workaround and should not be used as a final solution. We are actually still working with Microsoft on a solution.
It's still not 100% clear if it's the TPM that is making the issue or if it is the OS.
I will keep you updated...
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 17%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMR%3C/text%3E%3C/svg%3E)
We are also facing the same issue. Did you ever resolve it with Microsoft?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 67%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKR%3C/text%3E%3C/svg%3E)
Bump, same here
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 43%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAW%3C/text%3E%3C/svg%3E)
Any update on this?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 98%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHK%3C/text%3E%3C/svg%3E)
Thank you, I also confirm have the same issue, after reinstalling using latest USB from Microsoft, on Windows 10.0.22621
I also confirm that removing these 3 keys resolved the issue.
Can you confirm what is this exactly? will this be fixed in future version? should we revert those registry keys back at some point etc?
thank you so much, but this is the only solution on the internet
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 84%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EES%3C/text%3E%3C/svg%3E)
Thanks, I had the same issue with Win11 on an older HP laptop with tpm2.0, pulling out my hair for 3 days while trying to configure TLS/EAP, removing the 3 suites from the registry value worked for me.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Issue is impacting specific HW models with TPM subversion 1.16 (2.0, 0, 1.16): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361
Possible WA is to either update TPM or disable RSA PSS.
Lenovo:
https://support.lenovo.com/gb/en/product_security/len-15552
DELL:
https://www.dell.com/support/kbdoc/es-es/000144419/infineon-trusted-platform-module-tpm-vulnerability-cve-2017-15361-impact-status-on-dell-products?lang=en
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 12%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWR%3C/text%3E%3C/svg%3E)
When RSA PSS is deactivated on the client, a lot of TLS 1.3 enabled websites and services were not reachable from and on our Win11 clients. IIS Express, LRS Personal Print Manager, Whiteboard, Invoke-WebRequest to a lot of websites, like https://www.microsoft.com did not work.
We resorted to temporary disabling client and server-side TLS 1.3 on the clients (setting under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server and Client, Enabled=0).
We're in a process of setting the defaults back for most of our client computers, since only the oldest models (Lenovo Tx80 and M920) are still on TPM 2.0 Rev 1.16. All the other TPM 2.0 1.38 and higher models seem to work fine with the default configuration.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 79%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJE%3C/text%3E%3C/svg%3E)
Was there ever any proper solution to this issue?
We are encountering this with our older TPM 1.2 devices with always on VPN tunnels using PEAP-TLS, and wondered if we could have Windows instead store certs/keys for the VPN certificates in the software crypto provider rather than TPM?
Cheers
James
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 84%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
THANK YOU for this. Mystery handshake error with EAP/TLS Wi-Fi authentication to Cisco ISE on Surface Pro 4 solved instantly. (after hours of head scratching in the lab)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 3%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPV%3C/text%3E%3C/svg%3E)
Thanks this also resolved a mystery issue with AOVPN and Win 2022 NPS servers, auth worked fine with 2019 NPS but kept failing with 2022 NPS. Removed registry keys et voila, connected!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 75%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAL%3C/text%3E%3C/svg%3E)
Although removing 3 cipher suites from the registry resolves the issue. We found it can the cause other issues with TLS authentication. Was there any other suggestion to resolve this properly.?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 20%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
The only solution is to upgrade the TPM to v2.0 subversion 1.38
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 6%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHA%3C/text%3E%3C/svg%3E)
Thanks for the information! This caused connection problems to the AlwaysOn VPN service in Azure on our user computers that were recently updated to the Win 10 23H2 version. Manually removing those three ciphers did fix the issue. Another solution is to revert back to 22H2 update.
The error message in Event viewer was:
The user xxxxx dialed a connection named xxxxx which has failed. The error code returned on failure is -1878457596.