Last Updated on September 2, 2022 by rudyooms
This blog will be about some TPM attestation issues you could encounter when running Windows Autopilot for pre-provisioned deployments, and how to troubleshoot them with a nice new shiny PowerShell module. I will divide this blog into multiple parts.
In one of my latest blogs, I was showing you what happens when your device is “NOT Ready For Attestation” step by step!
That blog also showed you how to deal with those attestation issues and how the device really determines whether its TPM is ready for attestation.
That sounds great, right? But needing to troubleshoot all of these steps on your own isn’t great for most of us.
That’s why I decided to begin writing a PowerShell module that will check every single setting there is and will try to perform some remediation while doing so.
2. The Script
I decided to upload my script to the PowerShell Gallery. Uploading it to the PowerShell Gallery was a job on its own, but it is working now.
When you want to start Autopilot pre-provisioning, you will need to make sure you open an additional command prompt. You could do so with the Shift + F10 shortcut (if you haven't disabled this wonderful feature).
Once the command prompt is open, start PowerShell first before entering these commands:
Install-Module -Name Autopilottestattestation -force
import-module -Name Autopilottestattestation
3. What does the Module do?
When we take a closer look at what the Test-AutopilotAttestation script (AutopilotTestAttestation module) actually does, we will notice the script tries to execute these steps:
- The script will check if there is an Internet connection
- It will determine if the TPM supplier websites required to fetch the EKCert are accessible
- It will determine if the Microsoft zero touch deployment service is available, as the device will reach out to this Microsoft service to fetch its Autopilot profile
- It will check if the time service is running; if not, it will try to start it and configure the peer list
- When it's done checking the time service, it will determine if the license and product type are valid for use in an Autopilot enrollment
- The script will query the TPM settings with WMI to determine if the device is capable of attestation, and if not it will try to run some additional commands
- The additional commands will check if the device has the EKCert and the TCG log, if the TPM is owned, and if the TPM doesn't have vulnerable firmware
- With this output, it will try to start some TPM tasks
- If these tasks can't be started, it will again perform some remediation to make sure the TPM maintenance task can start
- If it performed the remediations, it will rerun the tests
- If the device knows for sure it has an Endorsement Key, it will try to determine if it also has the required certs attached
- Even when the TPM-Maintenance task couldn't be executed, I decided to call the tpmcoreprovisioning.dll myself
- If the device is ready for attestation and has the certs, it will try to fetch the test AIK certificate, 10 times
- Depending on that outcome, it will also test whether the device is capable of attestation and report the errors it got
- When it looks like it's really ready for attestation, it will also run the AikCertEnroll task and watch the error code output
- Based on that error output, it will show you if the device is ready for attestation or not. If it's ready for attestation you will get a nice GIF! Isn't that nice?
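To show what a few of these checks look like with built-in cmdlets, here is an added example (not the module's own code) that probes reachability, the time service, the WMI TPM readiness bitmask, the Endorsement Key certificates and the TPM scheduled tasks, and returns them as one object. The endpoint hostnames are placeholders you have to replace; everything else uses the TrustedPlatformModule, CIM and ScheduledTasks cmdlets that ship with Windows.

```powershell
# Added example, not the Autopilottestattestation module's code.
# Run elevated in the Shift+F10 PowerShell session. Endpoint names are
# placeholders (assumption): replace them with the ZTD and TPM vendor hosts.
function Test-TpmAttestationReadiness {
    param(
        [string[]]$Endpoints = @('ztd.example.invalid', 'ekcert.example.invalid')
    )
    $result = [ordered]@{}

    # 1. Internet / service reachability over TCP 443, one entry per host
    foreach ($h in $Endpoints) {
        $result["Reach_$h"] = (Test-NetConnection -ComputerName $h -Port 443 `
            -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    # 2. Time service: certificate validation fails with a wrong clock, so w32time must run
    $w32 = Get-Service -Name w32time -ErrorAction SilentlyContinue
    $result['TimeServiceRunning'] = [bool]($w32 -and $w32.Status -eq 'Running')
    if ($w32 -and -not $result['TimeServiceRunning']) { Start-Service -Name w32time }

    # 3. TPM state via the TrustedPlatformModule cmdlets
    $tpm = Get-Tpm
    $result['TpmPresent'] = $tpm.TpmPresent
    $result['TpmReady']   = $tpm.TpmReady
    $result['TpmOwned']   = $tpm.TpmOwned

    # 4. IsReadyInformation bitmask from WMI: 0 means fully ready, any other
    #    value encodes what is still missing (provisioning, EK cert, ...)
    $wmi  = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm
    $info = Invoke-CimMethod -InputObject $wmi -MethodName IsReadyInformation
    $result['IsReadyInformation'] = '0x{0:X8}' -f $info.Information

    # 5. Endorsement Key and the certificates attached to it
    $ek = Get-TpmEndorsementKeyInfo
    $result['EkPresent']         = $ek.IsPresent
    $result['EkManufCerts']      = @($ek.ManufacturerCertificates).Count
    $result['EkAdditionalCerts'] = @($ek.AdditionalCertificates).Count

    # 6. Last result code of each TPM scheduled task (Tpm-Maintenance and friends)
    foreach ($t in (Get-ScheduledTask -TaskPath '\Microsoft\Windows\TPM\' -ErrorAction SilentlyContinue)) {
        $result["Task_$($t.TaskName)"] = '0x{0:X8}' -f ($t | Get-ScheduledTaskInfo).LastTaskResult
    }

    [pscustomobject]$result
}

Test-TpmAttestationReadiness | Format-List
```

On a virtual machine the EK certificate counts will typically be zero and IsReadyInformation non-zero, which matches the "not ready for attestation" outcome described below.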
When you run this PowerShell module on a virtual machine, it will fail and tell you that the device isn't ready for attestation. That isn't a surprise, right?
When running the same script on a physical device, the result needs to be green. Of course, as mentioned in part 3, it will also try to remediate (if possible) if something is broken.
This is still a beta version and I am trying to make sure it doesn't fail you. So please try it yourself and reach out to me if you encounter some weird issues!
With your help we can build a PowerShell module to make sure, everyone can start troubleshooting their TPM attestation issues or we just th