Forum Discussion
Intune compliance issues Windows 11 22H2
This? Rudy_Ooms_MVP
I guess it's time to run a wpr trace
https://call4cloud.nl/wp-content/uploads/2023/01/log.zip
you can start it by using: wpr -start c:\locationofthefile ... execute the task until it fails... and then
wpr -stop c:\temp\log.etl
In that wpr file I added the provider that logs the device health attestation and the activityVerifyDeviceHealth function... with that log we should know the "why"
- Jan 31, 2023
Could you try to run these commands?
* Install the required module
Install-Module LocalMDM
* Open a new PowerShell session with the MTA switch
powershell -mta
* Define the CSP we want to fetch
$test1 = @"
<SyncBody>
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/HealthAttestation/Certificate</LocURI>
</Target>
</Item>
</Get>
</SyncBody>
"@
* Send the request to the CSP
Send-LocalMDMRequest -SyncML $test1

Also wondering how the settings are defined here:
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TPM\WMI\TaskStates
- Jan 31, 2023

ehhh I am missing the SignedHealthCert blob in it... there should be something in it... if that's missing...
- buckbaggen, Jan 31, 2023, Brass Contributor
Is this the export you are requesting? Rudy_Ooms_MVP
- buckbaggen, Jan 31, 2023, Brass Contributor
The firmware I can't install with dism /Online /Add-Package /PackagePath:<PATH TO CAB FILE>
Error: The system cannot find the file specified.
When I use msinfo32 and Confirm-SecureBootUEFI and manage-bde -protectors -get $env:systemdrive
All results are good.
BIOS Mode is UEFI
PCR7 is BOUND
(Uses Secure Boot for integrity validation) <- check!
- Jan 30, 2023
It contains some errors :)... (just started looking at it) but the activity errors are going to show me where to search
{2147942402; onecore\base\ngscb\tpmhli\lib\registry.cpp; 506; TpmCoreProvisioning.DLL; 1; ; 7072; \TpmCoreProvFunction\activityVerifyDeviceHealth\TpmCoreProvFunction\activityTpmRetrieveHealthCertificate; 2; TpmCoreProvFunction; TpmCore::VerifyDeviceHealth; 6; activityTpmRetrieveHealthCertificate; }, , , , ,
EDIT: Yep.... ErrorMessage="The X509 certificate cannot be validated. Intermediate CA cannot be trusted as its not present in the TrustedTpm_IntermediateCA store
So it looks like the health certificate's intermediate cert isn't trusted (not found/file not found) in that store.... without that trust I guess it's hard to successfully transfer data to the service
Let me wake up and try to determine what it should look like so we can have a look at your certificate... (export it from the blob in the registry)
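The two steps Rudy describes above (pull the certificate out through the HealthAttestation CSP, then find out whether its issuer chain is trusted by the TrustedTpm_IntermediateCA / TrustedTpm_RootCA stores that the trace complains about) can be scripted. The following PowerShell is an added example for this thread, not code from Rudy, the LocalMDM module or Microsoft. It assumes the prerequisites from the post above (Install-Module LocalMDM, an elevated session started with powershell -mta), that Send-LocalMDMRequest returns the SyncML result as text, and that the Certificate node carries the certificate as base64 DER; the function names Get-DhaCspNode and Test-DhaCertificateTrust are mine.

```powershell
# Added example (not code from the thread): fetch the Device Health Attestation
# certificate via the HealthAttestation CSP and check its issuer chain against
# the TrustedTpm_RootCA / TrustedTpm_IntermediateCA stores named in the trace.
# Prerequisites, as in the post above: Install-Module LocalMDM, run elevated
# inside "powershell -mta".
# Assumptions (not confirmed by the thread): Send-LocalMDMRequest returns the
# SyncML result as text, and the Certificate node carries a base64 DER cert.

function Get-DhaCspNode {
    param([Parameter(Mandatory)][string]$Node)

    $syncml = @"
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/HealthAttestation/$Node</LocURI>
</Target>
</Item>
</Get>
</SyncBody>
"@
    $response = [string](Send-LocalMDMRequest -SyncML $syncml)

    # <Status> elements also carry a <Data> (the result code), so only take the
    # <Data> inside <Results>. Returns $null when the node came back empty.
    $m = [regex]::Match($response, '<Results>.*?<Data>(.*?)</Data>', 'Singleline')
    if (-not $m.Success -or [string]::IsNullOrWhiteSpace($m.Groups[1].Value)) { return $null }
    return $m.Groups[1].Value.Trim()
}

function Test-DhaCertificateTrust {
    param([Parameter(Mandatory)][string]$Base64Cert)

    $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($Base64Cert))

    # The two TPM-specific stores TpmCoreProvisioning validates against; they are
    # separate from the machine Root / CA stores.
    $tpmRoots = @(Get-ChildItem Cert:\LocalMachine\TrustedTpm_RootCA -ErrorAction SilentlyContinue)
    $tpmInter = @(Get-ChildItem Cert:\LocalMachine\TrustedTpm_IntermediateCA -ErrorAction SilentlyContinue)

    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    # Let the chain build even if the root is not in the machine Root store;
    # root trust is checked against TrustedTpm_RootCA explicitly below.
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    foreach ($c in $tpmRoots + $tpmInter) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
    $built = $chain.Build($leaf)
    $statusFlags = @($chain.ChainStatus | ForEach-Object Status)

    $report = [ordered]@{
        Subject             = $leaf.Subject
        Issuer              = $leaf.Issuer
        NotAfter            = $leaf.NotAfter
        ChainBuilt          = $built
        ChainStatus         = ($statusFlags -join ', ')
        RootInTrustedTpm    = $false
        MissingIntermediate = @()
    }

    # Walk the chain above the leaf: every intermediate must be present in
    # TrustedTpm_IntermediateCA and the self-signed root in TrustedTpm_RootCA.
    $elements = @($chain.ChainElements | ForEach-Object Certificate)
    for ($i = 1; $i -lt $elements.Count; $i++) {
        $c = $elements[$i]
        if (($i -eq $elements.Count - 1) -and ($c.Subject -eq $c.Issuer)) {
            $report.RootInTrustedTpm = [bool]($tpmRoots | Where-Object Thumbprint -eq $c.Thumbprint)
        } elseif (-not ($tpmInter | Where-Object Thumbprint -eq $c.Thumbprint)) {
            $report.MissingIntermediate += $c.Subject
        }
    }
    # A chain that stops at the leaf (PartialChain) means the issuer was not
    # found anywhere: the "Intermediate CA cannot be trusted" case in the trace.
    if ($elements.Count -le 1 -or ($statusFlags -contains 'PartialChain')) {
        $report.MissingIntermediate += "issuer not found: $($leaf.Issuer)"
    }
    return [pscustomobject]$report
}

# Usage: the Status node is printed raw, the Certificate node is chain-checked.
$status  = Get-DhaCspNode -Node 'Status'
$certB64 = Get-DhaCspNode -Node 'Certificate'
"HealthAttestation/Status = $status"
if ($null -eq $certB64) {
    Write-Warning 'HealthAttestation/Certificate is empty: no health certificate has been retrieved yet.'
} else {
    Test-DhaCertificateTrust -Base64Cert $certB64 | Format-List
}
```

Two things to keep in mind when reading the output: the Windows chain engine will happily pick intermediates up from the machine CA store or an AIA download, so ChainBuilt can be true while MissingIntermediate is non-empty, and it is the latter that corresponds to the TrustedTpm_IntermediateCA error in the trace. If the X509Certificate2 constructor throws, the node is not a bare DER certificate and the blob needs to be looked at byte by byte first.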
- Rafal_Fitt, Jan 30, 2023, Steel Contributor
Perhaps this page will give you some new ideas to test + gather some more low level info: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5429
- Rafal_Fitt, Jan 30, 2023, Steel Contributor
please check Application and Services Logs > Microsoft > Windows > BitLocker-API > Management as suggested on https://learn.microsoft.com/en-us/windows-hardware/test/hlk/testref/954cf796-a640-4134-b742-eaf0ed2663ff
- Rafal_Fitt, Jan 30, 2023, Steel Contributor
1. hmmm, the latest Nuvoton firmware is 7.2.3.1 - https://www.catalog.update.microsoft.com/Search.aspx?q=nuvoton
(from https://learn.microsoft.com/en-us/troubleshoot/windows-server/deployment/pcr7-configuration-binding-not-possible#more-information ):
2. Open an elevated command prompt, and run the msinfo32 command.
In System Summary, verify that BIOS Mode is UEFI, and PCR7 Configuration is Bound.
3. on my desktop:
TPM:
ID: {GUID}
PCR Validation Profile:
7, 11
(Uses Secure Boot for integrity validation)
^^^^^^^^^^^^^
please verify that you can see this above line on your device
- buckbaggen, Jan 30, 2023, Brass Contributor
😄 Rudy_Ooms_MVP
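Rafal's checklist above, together with the msinfo32 / Confirm-SecureBootUEFI / manage-bde results buckbaggen posted earlier in the thread, can be collected in one elevated run instead of by hand. The following PowerShell is an added example for this thread, not code from any of the participants or from Microsoft. It assumes an English locale for the text matching on msinfo32 and manage-bde output; the function name Get-AttestationPrereqs and the temporary report file name are mine.

```powershell
# Added example (not code from the thread): script the manual prerequisite
# checks listed above: firmware mode, Secure Boot, TPM state and firmware
# version, PCR7 binding (msinfo32) and the BitLocker TPM protector's PCR
# validation profile (manage-bde). Run elevated. The text matching on msinfo32
# and manage-bde output assumes an English locale; the report file name is mine.

function Get-AttestationPrereqs {
    $r = [ordered]@{}

    # Firmware mode as the OS sees it ("UEFI" or "Legacy").
    $r.FirmwareType = $env:firmware_type

    # Confirm-SecureBootUEFI throws on non-UEFI systems; treat that as disabled.
    try { $r.SecureBoot = [bool](Confirm-SecureBootUEFI) } catch { $r.SecureBoot = $false }

    # TPM readiness plus vendor/firmware version (to compare against the
    # Nuvoton 7.2.3.1 mentioned above) from the Win32_Tpm class.
    $tpm = Get-Tpm
    $r.TpmPresent = $tpm.TpmPresent
    $r.TpmReady   = $tpm.TpmReady
    $wmiTpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm
    $r.TpmVendor   = $wmiTpm.ManufacturerIdTxt
    $r.TpmFirmware = $wmiTpm.ManufacturerVersion
    $r.TpmSpec     = $wmiTpm.SpecVersion

    # PCR7 Configuration as msinfo32 reports it ("Bound", "Binding Possible", ...).
    # msinfo32 /report writes the same System Summary the GUI shows (takes a while).
    $reportPath = Join-Path $env:TEMP 'msinfo32-pcr7.txt'
    Start-Process msinfo32 -ArgumentList "/report `"$reportPath`"" -Wait
    $pcr7Line = Select-String -Path $reportPath -Pattern 'PCR7 Configuration' | Select-Object -First 1
    $r.Pcr7Configuration = if ($pcr7Line -and $pcr7Line.Line -match 'PCR7 Configuration\s+(.+?)\s*$') {
        $Matches[1]
    } else {
        'not found'
    }

    # BitLocker TPM protector on the OS drive: the PCR validation profile should
    # read "7, 11" with "Uses Secure Boot for integrity validation" below it.
    $bde = (& manage-bde -protectors -get $env:SystemDrive 2>&1) -join "`n"
    $r.TpmProtector      = [bool]($bde -match '(?m)^\s*TPM:')
    $r.PcrProfile        = if ($bde -match 'PCR Validation Profile:\s*([\d, ]+)') { $Matches[1].Trim() } else { 'none' }
    $r.SecureBootBinding = [bool]($bde -match 'Uses Secure Boot for integrity validation')

    # Everything the thread asks for has to be true at once.
    $r.AllChecksPass = ($r.FirmwareType -eq 'UEFI') -and $r.SecureBoot -and $r.TpmReady -and
                       ($r.Pcr7Configuration -eq 'Bound') -and $r.TpmProtector -and $r.SecureBootBinding
    return [pscustomobject]$r
}

Get-AttestationPrereqs | Format-List
```

If AllChecksPass is false, the individual fields say which of the prerequisites fails; a PCR7 value other than "Bound" points at the Secure Boot / boot configuration side, while a missing "Uses Secure Boot for integrity validation" line with the other checks passing means the BitLocker TPM protector was created before PCR7 binding became possible and needs to be re-added.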
- buckbaggen, Jan 30, 2023, Brass Contributor
The task takes about 30-40 sec. The tpmtool.exe results are added as a screenshot. Now I'm gonna try with the wpr trace and post the results 🙂 Rudy_Ooms_MVP