cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Windows Autopilot white-glove / self-deploy fails on Lenovo

taikuli
Copper Contributor

‎Oct 01 2021 08:05 AM - edited ‎Oct 01 2021 08:06 AM

‎Oct 01 2021 08:05 AM - edited ‎Oct 01 2021 08:06 AM

Windows Autopilot white-glove / self-deploy fails on Lenovo

Hello,

I have a series of Lenovo Notebooks (ThinkBook 14 G2 ARE Laptop - Type 20VF) where Autopilot white-glove and self-deployment fail during enrollment of the AIK certificate with a http error 404.

Here's the logfile:

v2.0
TPM-Version:2.0 -Level:0-Revision:1.38-VendorID:'AMD '-Firmware:196650.5
AMD-KeyId-578c545f796951421221a4a578acdb5f682f89c8
CN=PRG-RN, O=Advanced Micro Devices, S=CA, L=Santa Clara, C=US, OU=Engineering
https://AMD-KeyId-578c545f796951421221a4a578acdb5f682f89c8.microsoftaik.azure.net/templates/Aik/scep
GetCACaps
GetCACaps: Not Found
{"Message":"The authority \"amd-keyid-578c545f796951421221a4a578acdb5f682f89c8.microsoftaik.azure.net\" does not exist."}
HTTP/1.1 404 Not Found

Now I'm wondering whether this is one of the rare cases that Michael mentions on his blog where the TPM has not been whitelisted by Microsoft (for whatever reason).

Some more details about the TPM:

C:\Windows\system32>tpmtool getdeviceinformation
-TPM Present: True
-TPM Version: 2.0
-TPM Manufacturer ID: AMD
-TPM Manufacturer Full Name: AMD
-TPM Manufacturer Version: 3.47.0.5
-PPI Version: 1.3
-Is Initialized: True
-Ready For Storage: True
-Ready For Attestation: True
-Is Capable For Attestation: True
-Clear Needed To Recover: False
-Clear Possible: True
-TPM Has Vulnerable Firmware: False
-PCR7 Binding State: 2
-Maintenance Task Complete: True
-TPM Spec Version: 1.38
-TPM Errata Date: Friday, March 02, 2018
-PC Client Version: 1.01
-Is Locked Out: False

Since the same configuration works like a charm for other notebook models, I assume, the reason somewhere in the TPM and not the configuration in Intune.

Does anybody have more details about TPM attestation and the background infrastructure?

7,205 Views
0 Likes
4 Replies
Reply
4 Replies
Rudy_Ooms_MVP

‎Oct 01 2021 10:33 PM

‎Oct 01 2021 10:33 PM

Re: Windows Autopilot white-glove / self-deploy fails on Lenovo

HI, which OS build is installed on the device? did you tried to reinstall it with the latest 21h2 build to see what happens?
0 Likes
Reply
taikuli

‎Oct 01 2021 10:44 PM

‎Oct 01 2021 10:44 PM

Re: Windows Autopilot white-glove / self-deploy fails on Lenovo

The ISO is 21H1. Do you have an official source for 21H2? I can't find it on MSDN or MPN yet.
0 Likes
Reply
taikuli

‎Oct 01 2021 11:57 PM

‎Oct 01 2021 11:57 PM

Re: Windows Autopilot white-glove / self-deploy fails on Lenovo

The error message in the UI reads now "TPM attestation timed out". Still the same 404 error in the enrollaik logfile. I'll wait for Windows 11 and try again, but I assume, it won't go away.
0 Likes
Reply