When you configure TPM Key Attestation with the "Endorsement key" TPM trust model by using TPM 2.0 for a Windows 10 client that connects to a Windows Server 2012 R2 server running Active Directory Certificate Services, certificate enrollment fails, and you receive the "Error Cannot Process TPM Attestation" and "ERROR_INVALID_PARAMETER" error messages.
To fix this issue, install the June 2016 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 (KB3161606).
Get more information about TPM Key Attestation on the Microsoft website.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Article ID: 3154769 - Last Review: Feb 14, 2017 - Revision: 1
Applies to: Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard, Windows Server 2012 R2 Essentials, Windows Server 2012 R2 Foundation