I'm trying to figure out which service in Windows makes contact with the domain ftpm.amd.com every hour. I suspect it might be downloading the TPM Endorsement Certificate since my TPM keys show up empty. After running a command, I discovered that the child process 'taskhostw.exe TpmTasks' is initiated by 'svchost.exe' with a 'Schedule' parameter. However, it appears this task is created temporarily and deleted afterward because my searches for scheduled tasks related to TPM yield no results except for Tpm-HASCertRetr and Tpm-Maintenance. Any insights on this activity?
8 Answers
It could be a utility checking for updated firmware. That's my best guess!
It’s probably something related to AMD, like a motherboard or graphics card service. Maybe a scheduled task too.
Grab Sysinternals procmon and start logging. When it tries to make that connection, stop the logging and filter the results to find the responsible process. Although the logs can get huge, the filtering tools are pretty effective!
Thanks! I actually figured it out and updated my initial post.
This might relate to Device Health Attestation.
Is there a way to catch the task while it’s being created, before it gets deleted?
Check this out for more details: https://call4cloud.nl/2021/11/the-pursuit-of-happy-uhhh-tpm-amd-happyness-part-3/#part6
If it's happening regularly, you should try using 'Process Monitor' from Microsoft Sysinternals. Set a filter for the domain, and you might catch which process is establishing that connection.
That connection is likely for checking the revocation status of TPM signing certificates. Intel has a similar endpoint too. It's integrated into the OS, but there's no specific process I can pinpoint for it.
Did you use a standard installer or a modified one that skips TPM and BitLocker checks? I have multiple AMD Ryzen systems with hardware and software TPM, but I don’t see that hostname in my DNS logs. I’m curious if I can replicate this issue.
BitLocker is off, and I used the Microsoft Image for the install. I tried triggering the task manually with taskhostw.exe TpmTasks but didn't get the expected behavior. I think it creates the task on the fly and then deletes it.
But if it's downloading a certificate for the TPM module, it might not just be firmware-related.
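An added example, not written by anyone in this thread: one way to approach the question of catching the short-lived task is to let Windows record it, by enabling the DNS Client and Task Scheduler operational logs, waiting for the next hourly contact, and then listing TPM-related Task Scheduler events around each lookup of ftpm.amd.com. The 120-second window and the use of DNS Client event ID 3008 (query completed) are assumptions of this sketch; run it from an elevated PowerShell session.

```powershell
# Added example: correlate DNS lookups for ftpm.amd.com with Task Scheduler activity.
$domain  = 'ftpm.amd.com'   # hostname from the question
$window  = 120              # seconds either side of a lookup to search (assumed value)
$dnsLog  = 'Microsoft-Windows-DNS-Client/Operational'
$taskLog = 'Microsoft-Windows-TaskScheduler/Operational'

# Step 1: make sure both logs are recording (they may be disabled on a client install).
foreach ($log in $dnsLog, $taskLog) { wevtutil.exe sl $log /e:true }

# Step 2 (after at least one more hourly contact): find completed lookups of the domain.
$lookups = Get-WinEvent -FilterHashtable @{ LogName = $dnsLog; Id = 3008 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$domain*" }

if (-not $lookups) {
    "No lookups of $domain logged yet; leave the logs enabled and run this again later."
}

# Step 3: for each lookup, show Task Scheduler events that mention TPM close to it in time.
foreach ($q in $lookups) {
    $from = $q.TimeCreated.AddSeconds(-$window)
    $to   = $q.TimeCreated.AddSeconds($window)
    "DNS lookup at {0:s}, PID in event header: {1}" -f $q.TimeCreated, $q.ProcessId

    Get-WinEvent -FilterHashtable @{ LogName = $taskLog; StartTime = $from; EndTime = $to } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'TPM' } |   # matches the \Microsoft\Windows\TPM\ task path
        Sort-Object TimeCreated |
        Format-Table TimeCreated, Id, Message -Wrap
}

# Step 4: compare against the registered TPM tasks and their last run times.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\TPM\' |
    Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, LastTaskResult

# Step 5: check whether the TPM currently exposes any endorsement key certificates.
Get-TpmEndorsementKeyInfo |
    Select-Object -Property ManufacturerCertificates, AdditionalCertificates
```

If a registered task's LastRunTime lines up with the lookup times, the hourly contact comes from that task rather than from one created and deleted on the fly.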