
Houston, we have a TPM Attestation problem


This blog post is an addition to the TPM attestation series I wrote some time ago. In this one, I am going to take a closer look at why attestation is timing out on a lot of HP G9 series devices when you are using Windows Autopilot for Pre-Provisioned (or self-deploying) deployments.

1. Introduction to TPM Attestation errors

A week ago, I received an email message in which someone was asking for help. He was trying to enroll his HP ZBook Fury G9 Mobile Workstation with Autopilot for Pre-Provisioned deployment.

While trying to perform a TPM Attestation, something happened, and a TPM attestation time-out occurred.

Something happened, and TPM attestation timed out during Windows Autopilot Pre-Provisioning

When the attestation fails, you will have a failed Autopilot enrollment. Attestation is needed to prove the system’s trustworthiness and to show that it has not been tampered with. Without it, the Entra Join will not happen!

The funny thing is that other HP G10 devices with the same TPM and firmware seem to be enrolling without any issue.

Besides having working G10 devices, he had already tried to fix the TPM attestation issue with the tool I wrote some time ago, which makes it even more interesting. So this blog post is going to be an additional one in the TPM attestation series I wrote some time ago.

Attestation and Compliance Series – Call4Cloud – Intune | MMP-C | WinDC | Autopilot

Shall we take a look at what was happening on the device?

Oh, wait. Before you do… you need to read this blog. (If you know what ready for attestation truly means… you are good to go!)

https://call4cloud.nl/2022/08/ready-for-attestation-a-true-underdog-story

2. The Main Issue

As mentioned in the introduction, he also tried to run the TPM diagnostics tool I wrote some time ago.

When looking at the output, it is pretty obvious that the Endorsement Key Certificate seems to be missing on the device (at least in the WMI task states registry key).

EccEkCertificate Present in the registry

This EK certificate is required to build the AIK attestation URL, so without it there is no valid AIK URL. As shown below, the first attempt to check the certificate failed.


From there on, the script tries to find and install the EK certificate manually, which seems to work. The only weird thing in the output above is that the “Subject” is empty. As far as I know, this should contain some more information.

It looks like that even with my TPM attestation script getting the EK certificate, retrieving the test AIK certificate with the certreq -enrollaik -config “” command was still failing.

That’s weird, so I asked him if he could manually run the same command.

certreq output shows the missing aik template and 0x80070490

As shown above, the base request is trying to get more information about the EK certificate, but it doesn’t show any information about it. Instead, it gives us the error message: Element not found (0x80070490) and the corresponding (Win32: 1168 ERROR_NOT_FOUND). This error message indicates a problem with getting the templates, which makes sense when looking at how certreq.exe works: the first step it takes is getting the template property.

Once it gets the template, the request should start by creating the Subject Alternative Name from the EK key.


This Subject Alternative Name correlates with the missing Subject information we noticed in the certreq request.

If it gets the Subject Alternative Name, it will try to get all the information about the manufacturer and the EK certificate.


This performs an external call into crypttpmeksvc.dll, which fetches the EK certificate information.

If that call does not fail (as it does on the HP G9 series), this is what we should get in a successful request.


I guess it’s pretty obvious that we have an issue fetching the Endorsement Key info. We will spot the same kind of behavior when we manually run the Get-TpmEndorsementKeyInfo cmdlet.


As shown above, the manufacturer certificate shows the empty Subject we also noticed. How are we going to fix this issue? It starts to look like an HP issue and not a Microsoft issue, because the working G10 HP device has the same TPM firmware (983062.4308992) as the G9 one.
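To run the checks from this section in one go, here is an added PowerShell example. It is not my TPM diagnostics tool and not an HP or Microsoft script: it reads the EK certificate through the real Get-Tpm and Get-TpmEndorsementKeyInfo cmdlets, flags a manufacturer (EK) certificate whose Subject is empty, and runs the same certreq -enrollaik -config “” test enrollment while watching the output for 0x80070490 / ERROR_NOT_FOUND. The function name, the output fields, the verdict strings and the temp-file handling are choices of this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not the blog's diagnostics tool, not an HP or Microsoft script).
# Function name, output fields and verdict strings are this example's own assumptions.

function Test-TpmAttestationReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        TpmPresent        = $false
        TpmReady          = $false
        EkPresent         = $false
        EkCertCount       = 0
        EmptySubjectCerts = 0      # the symptom seen on the HP G9 devices
        AikTestExitCode   = $null
        AikTestNotFound   = $false # certreq output contained 0x80070490 / ERROR_NOT_FOUND
        Verdict           = 'Unknown'
    }

    # Step 1: is there a TPM at all, and does Windows consider it ready?
    $tpm = Get-Tpm
    $result.TpmPresent = [bool]$tpm.TpmPresent
    $result.TpmReady   = [bool]$tpm.TpmReady
    if (-not $tpm.TpmPresent) {
        $result.Verdict = 'NoTpm'
        return [pscustomobject]$result
    }

    # Step 2: the manufacturer (EK) certificate, the same object the post inspects by hand.
    # ManufacturerCertificates is an X509Certificate2Collection; an empty Subject is what
    # certreq later trips over when it builds the Subject Alternative Name.
    $ek = Get-TpmEndorsementKeyInfo
    $result.EkPresent = [bool]$ek.IsPresent
    $certs = @($ek.ManufacturerCertificates)
    $result.EkCertCount = $certs.Count
    foreach ($cert in $certs) {
        if ([string]::IsNullOrWhiteSpace($cert.Subject)) {
            $result.EmptySubjectCerts++
            Write-Warning ("EK certificate {0} has an empty Subject (issuer: {1})" -f $cert.Thumbprint, $cert.Issuer)
        }
    }

    # Step 3: the test AIK enrollment. Start-Process passes the argument string verbatim, so the
    # empty -config value reaches certreq.exe as "" instead of being dropped by PowerShell's parser.
    $tag    = [guid]::NewGuid().ToString()
    $outTxt = Join-Path $env:TEMP "certreq-aik-$tag.out.txt"
    $errTxt = Join-Path $env:TEMP "certreq-aik-$tag.err.txt"
    try {
        $proc = Start-Process -FilePath 'certreq.exe' -ArgumentList '-enrollaik -config ""' `
                    -NoNewWindow -Wait -PassThru `
                    -RedirectStandardOutput $outTxt -RedirectStandardError $errTxt
        $result.AikTestExitCode = $proc.ExitCode
        $text = (Get-Content -Path $outTxt, $errTxt -Raw -ErrorAction SilentlyContinue) -join "`n"
        $result.AikTestNotFound = [bool]($text -match '0x80070490|ERROR_NOT_FOUND')
    }
    finally {
        Remove-Item -Path $outTxt, $errTxt -ErrorAction SilentlyContinue
    }

    # Step 4: verdict. An empty-Subject EK certificate together with ERROR_NOT_FOUND from certreq
    # is the pattern from the post; on an HP G9 that points at the vendor's EK certificate update.
    if ($result.EmptySubjectCerts -gt 0 -and $result.AikTestNotFound) {
        $result.Verdict = 'EkCertEmptySubject'
    }
    elseif ($result.AikTestExitCode -eq 0) {
        $result.Verdict = 'Ready'
    }
    else {
        $result.Verdict = 'AikEnrollFailed'
    }
    return [pscustomobject]$result
}

Test-TpmAttestationReadiness | Format-List
```

Run it in an elevated PowerShell on the device (or from a pre-provisioning command prompt). A verdict of EkCertEmptySubject on an HP G9 is the situation described in this post; after the HP utility from the next section has updated the EK certificate, running the function again should show a non-empty Subject and a clean certreq result.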


3. The Hidden Fix

Luckily, there is an easy fix to ensure your HP Elite, EliteBook, Pro, ProBook, ZBook, and many more G9 series HP devices will be able to perform a successful attestation.

There is a very well hidden document on the HP website that lists all of the G9 devices that had issues performing attestation during Autopilot:

support.hp.com/us-en/document/ish_8006727-8004751-16

In this HP document, you will find a link to an Endorsement Key Certificate Update Utility.

https://ftp.hp.com/pub/softpaq/sp148001-148500/sp148219.exe

This utility updates the TPM Endorsement Key Certificate (EKcert) so that Microsoft TPM Attestation functions properly.

That indeed sounds like what we need! After running the tool on a different HP G9 device, we immediately spot the difference.


As shown above, we now have a filled-in Subject. After the tool did its job, we restarted the Autopilot enrollment, and within a few seconds TPM attestation was successful!

You might be wondering why I called it a hidden document… Well, this is why: when searching for that file or any related keywords, you get zero useful results!


4. The flow everyone loves, right?

Conclusion

Hopefully, this blog post will increase the number of search results, and people who are experiencing TPM attestation issues with their HP G9 Devices will have an easy fix!

2 thoughts on “Houston, we have a TPM Attestation problem”

  1. Great article and detailed explanation.
    I am having the same exact issue but on a virtual machine on Hyper-V. Do you think there is a fix for this from MS like the one from HP?

    1. Did you also check https://call4cloud.nl/autopilot-0x80280009-tpm-attestation-virtual-machine/ … as TPM attestation is not possible on Hyper-V
