Intune compliance issues Windows 11 22H2

Could you try to run these commands.
*Install the required module

Install-Module LocalMDM

*Open a new powershell session with the mta switch

powershell -mta

*Define the csp we want to fetch

$test1 = @"
<SyncBody>
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/HealthAttestation/Certificate</LocURI>
</Target>
</Item>
</Get>
</SyncBody>
"@

*send the request to the csp
send-localmdmrequest -SyncML $test1

Also wondering how the settings are defined here:

\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TPM\WMI\TaskStates

Is this the export you are requesting? Rudy_Ooms_MVP 

The firmware i cant install with dism /Online /Add-Package /PackagePath:<PATH TO CAB FILE>
Error: The system cannot find the file specified.

When i use msinfo32 and Confirm-SecureBootUEFI and manage-bde -protectors -get $env:systemdrive

All results are good.

BIOS Mode is UEFI
PCR7 is BOUND
(Uses Secure Boot for intergrity validation) <- check!

It contains some errors :)... (just started it looking at it) but the activityerrors are going to show me where to search

{2147942402; onecore\base\ngscb\tpmhli\lib\registry.cpp; 506; TpmCoreProvisioning.DLL; 1; ; 7072; \TpmCoreProvFunction\activityVerifyDeviceHealth\TpmCoreProvFunction\activityTpmRetrieveHealthCertificate; 2; TpmCoreProvFunction; TpmCore::VerifyDeviceHealth; 6; activityTpmRetrieveHealthCertificate; }, , , , ,

EDIT: Yep....ErrorMessage="The X509 certificate cannot be validated. Intermediate CA cannot be trusted as its not present in the TrustedTpm_IntermediateCA store

So it looks like the healthcertificate its intermediate cert isnt trusted (not found/file not found) in that store.... without that trust  I guess its hard to successfully transfer data to the service

Let me wake up and try to determine what it should look like so we can have a look at your certificate... (export it from the blob in the registry)

please check Application and Services Logs > Microsoft > Windows > BitLocker-API > Management as suggested on https://learn.microsoft.com/en-us/windows-hardware/test/hlk/testref/954cf796-a640-4134-b742-eaf0ed2663ff

1. hmmm, the latest Nuvoton firmware is 7.2.3.1 - https://www.catalog.update.microsoft.com/Search.aspx?q=nuvoton

(from https://learn.microsoft.com/en-us/troubleshoot/windows-server/deployment/pcr7-configuration-binding-not-possible#more-information )  :
2. Open an elevated command prompt, and run the msinfo32 command.
In System Summary, verify that BIOS Mode is UEFI, and PCR7 Configuration is Bound.
3. on my desktop:
TPM:
ID: {GUID}
PCR Validation Profile:
7, 11
(Uses Secure Boot for integrity validation)
^^^^^^^^^^^^^
please verify that you can see this above line on your device

😄 Rudy_Ooms_MVP 

The task takes about 30-40 sec. The tpmtool.exe results are added as a screenshot. Now i gonna try with the wpr trace and post the results 🙂 Rudy_Ooms_MVP 

This?Rudy_Ooms_MVP 

Yes, see zip fileRudy_Ooms_MVP 

Deleted HealthCert, runned the task (stil fails) but there is a new HealthCert now, see screenshot.Rudy_Ooms_MVP 

buckbaggen 

When you delete that reg key and rerun the task does it get recreated (should be recreated)

The DLL file is avaible in system32, see screenshot. The healthcert, also see screenshot 🙂 Rudy_Ooms_MVP 

buckbaggen 

Yep, thats what i was afraid of. As it calls up on the dll… as the other task does work (tpm maintenance) the tpmtasks.dll should be on the device. 

working with procmon and reading the output could be a bit hard…

besides procmon… i am wondering if the healthcertifcate is created in the regitry currentcontrolset\services\tpm\wmi

Import worked, thanks! But still the same error 😞

I've downloaded procmon, but don't know how to use to get the right results you need?

Rudy_Ooms_MVP 

My Powershell skills are very low... Can you see what i'm doing wrong?Rudy_Ooms_MVP