Houston, we have a TPM Attestation problem

Last Updated on March 8, 2024 by rudyooms

This blog is an addition to the TPM attestation series I wrote some time ago. In this one, I am going to take a closer look at why attestation is timing out on a lot of HP G9 series devices when you are using Windows Autopilot for pre-provisioned (or self-deploying) deployments.

I will divide this blog into multiple parts.

  1. Introduction
  2. The Main issue
  3. The Hidden Fix
  4. The flow everyone loves, right?

1. Introduction

A week ago, I received an email message in which someone was asking for help. He was trying to enroll his HP ZBook Fury G9 Mobile Workstation with Autopilot for Pre-Provisioned deployment.

While trying to perform TPM Attestation, something happened and a TPM attestation time-out occurred.

When the attestation fails, you will end up with a failed Autopilot enrollment. Attestation is needed to prove its trustworthiness and to show that it has not been tampered with. Without it, the Entra Join is not going to happen!

The funny thing is that other HP G10 devices with the same TPM and firmware seem to enroll without any issue.

Besides the working G10 devices, he had already tried to fix the TPM attestation issues with the tool I wrote some time ago, which made it even more interesting. So this blog post is going to be an additional one in the TPM attestation series I wrote some time ago.

Attestation and Compliance Series – Call4Cloud – Intune | MMP-C | WinDC | Autopilot

Shall we take a look at what was happening on the device?

Oh wait, before you do… you need to read this blog before going further (if you know what ready for attestation truly means… you are good to go!)

2. The Main Issue

As mentioned in the introduction, he also tried to run the TPM diagnostics tool I wrote some time ago.

When looking at the output, it is pretty obvious that the Endorsement Key Certificate seems to be missing on the device (at least in the WMI task states registry key).


This EK certificate is required to build the AIK attestation URL, so without it there is no valid AIK URL. As shown below, it seems that the first attempt to check the certificate failed.


From there on, the script tries to manually find and install the EK certificate itself, which seems to work. The only thing that was weird in the output above is that the “Subject” is empty. As far as I know, this should contain more information.

It looks like even with my TPM attestation script getting the EK certificate, retrieving the test AIK certificate with the certreq -enrollaik -config "" command was still failing.

That’s weird, so I asked him if he could manually run the same command.

As shown above, the base request tries to get more information about the EK certificate, but it doesn’t show any. Instead, it gives us the error message: Element not found (0x80070490) and the corresponding Win32 error 1168 (ERROR_NOT_FOUND). This error indicates a problem with getting the templates, which makes sense when looking at certreq.exe: the first step it takes is getting the template property.

Once it has the template, the request starts by creating the subject alternative name from the EK key.


This subject alternative name correlates with the missing Subject information we noticed in the certreq request.

If it gets the subject alternative name, it will try to get all the information about the manufacturer and the EK certificate.


This is done through an external call into crypttpmeksvc.dll, which fetches the EK certificate information.

If that call does not fail (as it did on the HP G9 series), this is what we should get in a successful request.


I guess it’s pretty obvious that we have an issue fetching the Endorsement Key info. We spot the same kind of behavior when we manually execute Get-TpmEndorsementKeyInfo.


As shown above, the manufacturer certificate shows the same empty subject we noticed earlier. How are we going to fix this issue? It starts to look like an HP issue and not a Microsoft issue, because the working G10 HP device has the same TPM firmware (983062.4308992) as the G9 one.


3. The Hidden Fix

Luckily, there is an easy fix to make sure your HP Elite, EliteBook, Pro, ProBook, ZBook, and many more HP G9 series devices can perform a successful attestation.

There is a very well-hidden document on the HP website that lists all of the G9 devices that had issues during Autopilot and attestation.

support.hp.com/us-en/document/ish_8006727-8004751-16

In this HP document, you will find a link to an Endorsement Key Certificate Update Utility.

https://ftp.hp.com/pub/softpaq/sp148001-148500/sp148219.exe

This utility updates the TPM Endorsement Key Certificate (EKcert) so that Microsoft TPM Attestation functions properly.

That indeed sounds like what we need! After running the tool on a different HP G9 device, we immediately spot the difference.


As shown above, we now have a filled-in subject. After the tool did its job, we restarted the Autopilot enrollment and within a few seconds TPM attestation was successful!
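The two symptoms described in section 2 (an EK manufacturer certificate with an empty Subject, and certreq -enrollaik -config "" failing with 0x80070490) and the post-fix verification above can be checked from one elevated PowerShell session. The script below is an added example for this page; it is not the author's TPM diagnostics tool and not HP's utility. It assumes Windows 10/11 with the TrustedPlatformModule module (Get-TpmEndorsementKeyInfo and its ManufacturerCertificates property) and certreq.exe on the path; the verdict strings and function names are my own.

```powershell
# Added example (not part of the original post or the author's TPM diagnostics tool).
# Reproduces the two checks the post walks through, so you can spot the HP G9
# symptom before Autopilot runs and confirm the EK certificate update afterwards:
#   1. Get-TpmEndorsementKeyInfo: does the manufacturer (EK) certificate have an empty Subject?
#   2. certreq -enrollaik -config "": does the test AIK enrollment fail with 0x80070490?
# Assumes Windows 10/11 with the TrustedPlatformModule module and an elevated session.
#Requires -RunAsAdministrator

function Test-EkCertificateSubject {
    # Inspect the EK manufacturer certificate(s) the TPM stack exposes.
    $ekInfo = Get-TpmEndorsementKeyInfo -ErrorAction Stop
    $certs  = @($ekInfo.ManufacturerCertificates)

    # Collect the Subject of each certificate; an empty value is the G9 symptom.
    $subjects      = @($certs | ForEach-Object { $_.Subject })
    $emptySubjects = @($subjects | Where-Object { [string]::IsNullOrWhiteSpace($_) })

    [pscustomobject]@{
        EkPresent             = [bool]$ekInfo.IsPresent
        ManufacturerCertCount = $certs.Count
        Subjects              = $subjects
        # True when no manufacturer cert is present or any cert has no Subject.
        HasEmptySubject       = ($certs.Count -eq 0) -or ($emptySubjects.Count -gt 0)
    }
}

function Test-AikEnrollment {
    # Run the same test AIK enrollment as in the post. PowerShell hands the
    # empty string to certreq as "" (the -config "" from the post).
    $output   = & certreq.exe -enrollaik -config '' 2>&1 | Out-String
    $exitCode = $LASTEXITCODE

    [pscustomobject]@{
        Succeeded       = ($exitCode -eq 0)
        ExitCode        = $exitCode
        # 0x80070490 / Win32 1168 ERROR_NOT_FOUND is the failure the post describes.
        ElementNotFound = ($output -match '0x80070490|ERROR_NOT_FOUND|Element not found')
        Output          = $output
    }
}

function Get-G9AttestationVerdict {
    # Combine both checks into a single verdict string for the operator.
    $ek  = Test-EkCertificateSubject
    $aik = Test-AikEnrollment

    if ($ek.HasEmptySubject -and $aik.ElementNotFound) {
        return 'EK certificate has an empty Subject and AIK enrollment reports Element not found: matches the HP G9 symptom. Apply the HP EK certificate update utility and re-run this check.'
    }
    if (-not $aik.Succeeded) {
        return "AIK test enrollment failed (exit code $($aik.ExitCode)) but the EK Subject is populated: a different attestation problem, inspect the certreq output."
    }
    return 'EK certificate Subject is populated and the test AIK enrollment succeeded: the device is ready for attestation.'
}

# Usage (elevated PowerShell): show the EK certificate state, then the verdict.
Test-EkCertificateSubject | Format-List
Get-G9AttestationVerdict
```

Run it once before starting the pre-provisioned enrollment and once more after the HP update utility has run; the verdict should move from the first message to the last, and the Subjects field should change from empty to a populated distinguished name, which is exactly the difference the screenshots in this post show.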

You might be wondering why I called it a hidden document… Well, this is why: when searching for that file or any keywords, you get zero useful results!


4. The flow everyone loves, right?

Conclusion

Hopefully, this blog post will increase the number of search results, and people who are experiencing TPM attestation issues with their HP G9 Devices are going to have an easy fix!
