The Last TPM Attestation Script from Your Lover

Last Updated on September 2, 2022 by rudyooms

This blog will be about some TPM attestation issues you could encounter when running Windows Autopilot for pre-provisioned deployments and how to troubleshoot them with a nice new shiny PowerShell module. I will divide this blog into multiple parts:

  1. Introduction
  2. The Script
  3. What does the module do
  4. Results

1. Introduction

In one of my latest blogs, I was showing you what happens when your device is “NOT Ready For Attestation” step by step!


That blog also showed you how to deal with those attestation issues and how the device actually determines that the TPM is not ready for attestation.

That sounds great, right? But needing to troubleshoot all of these steps on your own isn’t great for most of us.


That’s why I decided to begin writing a PowerShell module that will check every single setting there is and will try to perform some remediation while doing so.

2. The Script

I decided to upload my script to the PowerShell gallery. Uploading it to the PowerShell gallery was a job on its own …. But it is working now….


When you want to start Autopilot pre-provisioning, you first need to open an additional command prompt. You can do so with Shift + F10 (if you haven’t disabled this wonderful feature).

Once the command prompt is open, start PowerShell before entering these commands.

Install-Module -Name AutopilotTestAttestation -Force

Set-ExecutionPolicy Unrestricted

Import-Module -Name AutopilotTestAttestation

Test-AutopilotAttestation

3. What does the Module do

Taking a closer look at what the Test-AutopilotAttestation script (AutopilotTestAttestation module) actually does, we will notice that it tries to execute these steps:

  • The script checks whether there is an Internet connection.
  • It determines whether the required TPM supplier websites are reachable, as these are needed to fetch the EKCert.
  • It determines whether the Microsoft zero-touch deploy service is available, as the device reaches out to this Microsoft service to fetch its Autopilot profile.
  • It checks whether the time service is running; if not, it tries to start it and configure the peer list.
  • When the time service check is done, it determines whether the license and product type are valid for use in an Autopilot enrollment.
  • The script queries the TPM settings with WMI to determine whether the device is capable of attestation; if not, it runs some additional commands.
  • Those additional commands check whether the device has the EKCert and the TCG log, whether the TPM is owned, and whether the TPM firmware is vulnerable.
  • With that output, it tries to start some TPM tasks.
  • If those tasks can’t be started, it again performs some remediation to make sure the TPM maintenance task can start.
  • If it performed remediations, it reruns the tests.
  • If the device knows for sure it has an Endorsement Key, it determines whether the required certificates are attached to it as well.
  • Even when the TPM-Maintenance task couldn’t be executed, I decided to call tpmcoreprovisioning.dll myself.
  • If the device is ready for attestation and has the certificates, it tries to fetch the test AIK certificate, up to 10 times.
  • Depending on that outcome, it also tests whether the device is capable of attestation, or reports the errors it got.
  • When the device really looks ready for attestation, it also runs the AikCertEnroll task and watches the error code output.
  • From that error output it shows you whether the device is ready for attestation or… not… If it’s ready for attestation you will get a nice GIF! Isn’t that nice?
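As an added example that is not part of the module described above, this read-only PowerShell function collects the same prerequisites in one object so you can see which check fails before you let anything remediate. The Win32_Tpm method names, the AikCertEnrollTask path and the ztd.dds.microsoft.com endpoint are assumptions taken from documented Windows components, not from this post; the AIKCertEnroll registry key is the one named in the comments.

```powershell
# Added example (not the AutopilotTestAttestation module's code): read-only
# readiness summary. Assumed names: Win32_Tpm IsReadyInformation and
# IsKeyAttestationCapable, the AikCertEnrollTask scheduled task and the
# ztd.dds.microsoft.com endpoint. Run from an elevated PowerShell.
function Get-AttestationReadiness {
    $result = [ordered]@{}

    # 1. TPM state via WMI, the same source the module queries first
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm
    if (-not $tpm) { $result.TpmPresent = $false; return [pscustomobject]$result }
    $ready = Invoke-CimMethod -InputObject $tpm -MethodName IsReadyInformation
    $result.TpmPresent = $true
    $result.TpmReady   = [bool]$ready.IsReady
    # Non-zero bits in Information explain why the TPM is not ready
    $result.ReadyFlags = ('0x{0:X8}' -f $ready.Information)
    $attest = Invoke-CimMethod -InputObject $tpm -MethodName IsKeyAttestationCapable
    $result.KeyAttestationCapable = ($attest.TestResult -eq 0)

    # 2. Endorsement key and EK certificates. An empty certificate list is what
    #    produces the "No valid TPM EK/Platform certificate" 400 seen in the comments.
    $ek = Get-TpmEndorsementKeyInfo
    $result.EkPresent   = $ek.IsPresent
    $result.EkCertCount = @($ek.ManufacturerCertificates).Count + @($ek.AdditionalCertificates).Count

    # 3. Time service: wrong time breaks TLS and certificate validity checks
    $result.TimeService = (Get-Service -Name w32time).Status

    # 4. Reachability of the Autopilot profile (zero touch deploy) service
    $ztd = Test-NetConnection -ComputerName 'ztd.dds.microsoft.com' -Port 443 -WarningAction SilentlyContinue
    $result.ZtdReachable = $ztd.TcpTestSucceeded

    # 5. Values Windows recorded under the AIKCertEnroll key (all values shown,
    #    so no value name has to be assumed)
    $aikKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Ngc\AIKCertEnroll'
    if (Test-Path $aikKey) {
        $result.AikEnrollRegistry = Get-ItemProperty -Path $aikKey | Select-Object -Property * -ExcludeProperty PS*
    }

    # 6. Exit code of the last AikCertEnrollTask run (0 = success)
    $task = Get-ScheduledTaskInfo -TaskPath '\Microsoft\Windows\CertificateServicesClient\' `
        -TaskName 'AikCertEnrollTask' -ErrorAction SilentlyContinue
    if ($task) { $result.AikTaskLastResult = ('0x{0:X8}' -f $task.LastTaskResult) }

    [pscustomobject]$result
}

Get-AttestationReadiness | Format-List
```

On a virtual machine without a vTPM the function returns only TpmPresent = False, which matches the failing result the post describes for VMs.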

4. Results

When you are running this PowerShell module on a Virtual Machine it will fail and will tell you that the device isn’t ready for attestation. That isn’t a surprise, right?


When running the same script on a physical device, the result should be green. Of course, as mentioned in part 3, it will also try to remediate (if possible) when something is broken.

Conclusion

This is still a beta version and I am trying to make sure it doesn’t fail you. So please try it yourself and reach out to me if you encounter some weird issues!

With your help we can build a PowerShell module to make sure everyone can start troubleshooting their TPM attestation issues or we just th


12 thoughts on “The Last TPM Attestation Script from Your Lover”

  1. get below error message:
    Retrieving AIK Certificate…..
    Fetching test-AIK cert – attempt 1
    Checking the Output to determine if the AIK CA Url is valid!
    AIK CA Url seems valid
    AIK TEST Certificate could not be retrieved
    Running another test, to determine if the TPM is capable for key attestation… just for fun!!
    We can almost start celebrating! Because the TPM is capable for attestation!
    Launching the real AikCertEnroll task!
    Reason: AIK Cert Enroll Failed!

    How to fix it, please? Thank you in advance.

    1. Hi.. Could you take a look at this registry key $AIKError = “HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Ngc\AIKCertEnroll\” and which error code that key has

      1. more information for your reference:
        SCEP Certificate enrollment for WORKGROUP\LAPTOP-VNL9760E$ via https://NTZ-KeyId-022cbeed5d77060f2833e9d5376ba8bc308cd9ba.microsoftaik.azure.net/templates/Aik/scep failed:

        SubmitDone
        Submit(Request): Bad Request
        {“Message”:”No valid TPM EK/Platform certificate provided in the TPM identity request message.”}
        HTTP/1.1 400 Bad Request
        Date: Sun, 04 Sep 2022 08:48:13 GMT
        Content-Length: 96
        Content-Type: application/json; charset=utf-8
        X-Content-Type-Options: nosniff
        Strict-Transport-Security: max-age=31536000;includeSubDomains
        x-ms-request-id: 89baaed4-4863-4e12-9699-cd4c088ed20c
        Method: POST(11422ms)
        Stage: SubmitDone
        Bad request (400). 0x80190190 (-2145844848 HTTP_E_STATUS_BAD_REQUEST

        Thanks.

        1. Hi, Just as the message is telling you: No valid TPM EK/Platform certificate provided in the TPM identity request message
          Could you check if the device has the ekcert installed? Could you list the output of this command: Get-TPMEndorsementkeyinfo I am curious if it has a valid certificate (additional or manufacture)

          1. PS C:\WINDOWS\system32> get-tpmendorsementkeyinfo

            IsPresent : True
            PublicKey : System.Security.Cryptography.AsnEncodedData
            PublicKeyHash :
            ManufacturerCertificates : {[Subject]
            TPMVersion=id:0755, TPMModel=Z32H330TC, TPMManufacturer=id:4E545A00

            [Issuer]
            CN=Nationz TPM Manufacturing CA 001, OU=Nationz TPM Device, O=Nationz Technologies Inc,
            C=CN

            [Serial Number]
            24D5408891E7802343F30571D7ADB00FE0A91243

            [Not Before]
            11/5/2020 8:00:00 AM

            [Not After]
            11/5/2035 8:00:00 AM

            [Thumbprint]
            31239F7219E1CC63A9C58AFCE33A9774011AEC7B
            }
            AdditionalCertificates : {}

          2. What kind of device is it? As the error you mentioned is normally resolved by updating the firmware

  2. AIK Cert Enroll Failed!

    TPM has Vulnerable Firmware: True
    TPM Firmware Vulnerability: 0x00000001
    ADV170012 – IFX ROCA/Riemann

  3. Hi!

    thanks for this script. Are IFX TPMs the only one with vulnerabilities? If not, will the script be updated to include checks for all vulnerable TPMs?

  4. Thank you so much rudyooms!! This solved our TPM attestation problem (0x81039001) on ~20/1000 devices. Not sure why it was needed on these but since it’s solved, I don’t care anymore 🙂 You’re the best!
