The red screen before Christmas

The red screen before Christmas

Using Autopilot will give you a lot of benefits, especially when combining it with White Glove.  When you have got new devices, you are good to go but when you want to enroll existing “older” devices into Autopilot White Glove you can run into some problems.

When we were enrolling a lot of new devices at a customer site no problems were encountered, because we previously enrolled them with Autopilot White glove. After our work was done, the customer asked us to enroll some existing older devices. No problem at all, we took all the older devices with us to be reinstalled at our company.  

First, we checked if the devices had TPM 2.0 enabled as it is one of the requirements. Before we reinstalled the device we opened the TPM.msc and device manager to check if TPM 2.0 was available

-Starting: Tpm.msc (sorry for the blurry screenshot, but it says version 2.0)

-Opening: Device manager

After we checked if TPM 2.0 was available, we uploaded the device hash into Intune and waited for it to be assigned. After the deployment profile was assigned, we reinstalled the device with the latest Windows build available to be sure everything works.

No problems were encountered with the whole bunch of devices. The devices were all the same, at least that’s what we thought. After the first 10 devices, on the next one, we encountered some problems.

After pressing the Windows logo key 5 times and started the white glove deployment, within a few seconds it failed. At the first step: Securing hardware we received the error: 0x81039024 and the famous autopilot red error screen appeared.

The first thing we did, we tried to google it. But not a lot of results I can tell you. Luckily there are a lot of troubleshooting tools available to get some more information.

So we pressed shift + F10 and opened PowerShell and the event logs to start troubleshooting.  The first place to look when the first step fails will be the Microsoft-Windows-ModernDeployment-diagnostics-Provider event log.

As shown above, it’s obvious what the problem is. The TPM is not configured for hardware TPM attestation.

First, some backstory of the TPM.

Microsoft uses the Microsoft Platform Crypto Provider Key Storage Provider (KSP) to support the protection of the user’s private key by a TPM. This protection is done by using the ability of the entity requesting a certificate to cryptographically prove to a CA that the RSA Key in the certificate request is protected by a TPM.

Autopilot White glove needs TPM attestation to prove the device is, who he says it is to Azure. There needs to be a check if the device is the same device you have registered within Intune Autopilot. I guess you want to be sure no other devices can enroll with Autopilot into your tenant.

When you have some brand new devices, this normally will not be a problem because all devices released after 2016 should support TPM attestation.

But then there was a little vulnerability because the Infineon RSA library did not properly generated RSA key pairs and the devices with the Infineon TPM needed patching.

VU#307015 – Infineon RSA library does not properly generate RSA key pairs (cert.org)

And of course, companies not using the TPM did not update the firmware.

So back to the devices that weren’t working. When opening the TPM.msc module again we noticed the version number: 7.61.2785.0

And we realized this was a version that needed to be patched.  There are also some other methods to get more details

-Launching a Powershell prompt to get some more information about the TPM:

 “Tpmtool getdeviceinformation” and “tpmtool gatherlogs c:\install\”

Running the gatherlogs command, will give you some better information inside the tpminformation.txt. You can also open the tpmevents.evtx to check the TPM event log itself.

-Running “Mdmdiagnosticstool.exe -area Autopilot;TPM -cab c:\autopilot.cab” to get some more information.

– Running  Certutil -csp “Microsoft Platform Crypto Provider” -key, to check if the certificate is stored.

After updating the TPM with the latest firmware, we could enroll the device with White glove with no problems at all.

Conclusion:

When you want to make use of Autopilot White glove, ensure that you:

*always use the latest Windows 10 build

*always check and when needed update your TPM (opening your security processor settings will show you all you need to know)

I hope this blog will help you understand why you need TPM attestation and when you encounter problems, you know how to troubleshoot them. And the next time

Leave a Reply

Your email address will not be published. Required fields are marked *

1  +  9  =