SOLVED

Is TPM compatibility on client/VM required for using AutoPilot in Endpoint Manage?

%3CLINGO-SUB%20id%3D%22lingo-sub-1899500%22%20slang%3D%22en-US%22%3EIs%20TPM%20compatibility%20on%20client%2FVM%20required%20for%20using%20AutoPilot%20in%20Endpoint%20Manage%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1899500%22%20slang%3D%22en-US%22%3EI%20wonder%20if%20its%20really%20required%20the%20support%20of%20TPM%20on%20target%20device%20if%20i%20want%20to%20use%20autopilot%20over%20Endpoint%20Manager%3F%3CBR%20%2F%3E%3CBR%20%2F%3EI%20know%2C%20some%20of%20the%20apps%20like%20BitLocker%20is%20using%20TPM%2C%20but%20in%20my%20case%20it%20would%20be%20a%20basic%20windows%2010%20installation%2C%20without%20any%20special%20policy%2Ffeature.%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1899500%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1899921%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20TPM%20compatibility%20on%20client%2FVM%20required%20for%20using%20AutoPilot%20in%20Endpoint%20Manage%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1899921%22%20slang%3D%22en-US%22%3E%3CP%3EHey%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F853771%22%20target%3D%22_blank%22%3E%40Busto445%3C%2FA%3E%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Efor%20user-driven%20Autopilot%20deployments%20there%20is%20no%20need%20for%20a%20TPM%20(but%20you%20may%20have%20other%20features%20like%20you%20said%2C%20BitLocker%20etc.%20which%20require%20one).%20For%20the%20Autopilot%20self-deploying%20scenario%20there%20is%20a%20dependency%20to%20a%20TPM%202.0%20with%20device%20attestation%2C%20as%20the%20device%20needs%20to%20authenticate%20during%20the%20early%20phase%2C%20see%20here%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fautopilot%2Fself-deploying%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EWindows%20Autopilot%20Self-Deploying%20mode%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%0A%3CH2%20id%3D%22requirements%22%20class%3D%22heading-anchor%22%20id%3D%22toc-hId--1207477709%22%20id%3D%22toc-hId--1207477714%22%3ERequirements%3C%2FH2%3E%0A%3CP%3ESelf-deploying%20mode%20uses%20a%20device%E2%80%99s%20TPM%202.0%20hardware%20to%20authenticate%20the%20device%20into%20an%20organization%E2%80%99s%20Azure%20AD%20tenant.%20Therefore%2C%20devices%20without%20TPM%202.0%20can't%20be%20used%20with%20this%20mode.%20Devices%20must%20also%20support%20TPM%20device%20attestation.%20All%20new%20Windows%20devices%20should%20meet%20these%20requirements.%20The%20TPM%20attestation%20process%20also%20requires%20access%20to%20a%20set%20of%20HTTPS%20URLs%20that%20are%20unique%20for%20each%20TPM%20provider.%20For%20more%20information%2C%20see%20the%20entry%20for%20Autopilot%20self-Deploying%20mode%20and%20Autopilot%20pre-provisioning%20in%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fautopilot%2Fnetworking-requirements%23tpm%22%20data-linktype%3D%22relative-path%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ENetworking%20requirements%3C%2FA%3E.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CDIV%20class%3D%22alert%20is-primary%22%3E%0A%3CP%20class%3D%22alert-title%22%3E%3CSTRONG%3E%26nbsp%3BImportant%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EIf%20you%20attempt%20a%20self-deploying%20mode%20deployment%20on%20a%20device%20that%20does%20not%20have%20support%20TPM%202.0%20or%20on%20a%20virtual%20machine%2C%20the%20process%20will%20fail%20when%20verifying%20the%20device%20with%20an%200x800705B4%20timeout%20error%20(Hyper-V%20virtual%20TPMs%20are%20not%20supported).%20Also%20note%20that%20Window%2010%2C%20version%201903%20or%20later%20is%20required%20to%20use%20self-deploying%20mode%20due%20to%20issues%20with%20TPM%20device%20attestation%20in%20Windows%2010%2C%20version%201809.%20Since%20Windows%2010%20Enterprise%202019%20LTSC%20is%20based%20on%20Windows%2010%20version%201809%2C%20self-deploying%20mode%20is%20also%20not%20supported%20on%20Windows%2010%20Enterprise%202019%20LTSC.%20See%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fautopilot%2Fknown-issues%22%20data-linktype%3D%22relative-path%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EWindows%20Autopilot%20known%20issues%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eto%20review%20other%20known%20errors%20and%20solutions.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ebest%2C%3C%2FP%3E%0A%3CP%3EOliver%3C%2FP%3E%0A%3C%2FDIV%3E%3C%2FLINGO-BODY%3E
New Contributor
I wonder if its really required the support of TPM on target device if i want to use autopilot over Endpoint Manager?

I know, some of the apps like BitLocker is using TPM, but in my case it would be a basic windows 10 installation, without any special policy/feature.
2 Replies
best response confirmed by Busto445 (New Contributor)
Solution

Hey @Busto445,

 

for user-driven Autopilot deployments there is no need for a TPM (but you may have other features like you said, BitLocker etc. which require one). For the Autopilot self-deploying scenario there is a dependency to a TPM 2.0 with device attestation, as the device needs to authenticate during the early phase, see here:

 

Windows Autopilot Self-Deploying mode | Microsoft Docs

Requirements

Self-deploying mode uses a device’s TPM 2.0 hardware to authenticate the device into an organization’s Azure AD tenant. Therefore, devices without TPM 2.0 can't be used with this mode. Devices must also support TPM device attestation. All new Windows devices should meet these requirements. The TPM attestation process also requires access to a set of HTTPS URLs that are unique for each TPM provider. For more information, see the entry for Autopilot self-Deploying mode and Autopilot pre-provisioning in Networking requirements.

 Important

If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error (Hyper-V virtual TPMs are not supported). Also note that Window 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809. Since Windows 10 Enterprise 2019 LTSC is based on Windows 10 version 1809, self-deploying mode is also not supported on Windows 10 Enterprise 2019 LTSC. See Windows Autopilot known issues to review other known errors and solutions.

 

best,

Oliver

Oliver, thanks a lot for your detailed reply. Now its clear.