Windows enrollment attestation
The goal of Windows enrollment attestation is to make devices more secure and trustworthy within the network they join. With this feature, you can verify during enrollment that Windows 10 and Windows 11 devices meet strict security standards, using the Trusted Platform Module (TPM) to attest that the device's enrollment keys are held in hardware. The feature also records which devices enrolled with a successful attestation and reports on them, so you can rely on the enrollment process.
Here’s how it benefits organizations:
Improved security: TPM attestation helps detect devices whose TPM is missing, untrusted, or not ready, or whose enrollment keys can't be proven to reside in the TPM, which lowers the chance of unauthorized access or security incidents.
Meeting regulatory standards: Windows attestation helps organizations prove they follow strict security measures during device enrollment, which is important for meeting industry regulations and compliance requirements.
The main goal is to establish a more secure and trusted environment for devices within the organizational infrastructure by using Windows attestation during the enrollment process.
Requirements for Windows enrollment attestation
We recommend using the latest updates for a more successful attestation rate.
Windows 10
- 10.0.19045.3996+
Windows 11
- 10.0.22000.2713+
- 10.0.22621.2792+
- 10.0.22631.2792+
Minimum TPM 2.0 on devices
Physical devices are supported.
Note
Virtual machines can't attest, including the following, even if they use vTPMs:
- Hyper-V and Azure virtual machines
- Azure Virtual Desktop session hosts
- Windows 365 Cloud PCs
- Microsoft Dev Box
The TPM attestation in this feature happens during Intune device management enrollment. It is separate from, and occurs after, the TPM attestation performed during Windows Autopilot pre-provisioning and Shared device mode (SDM).
List of applicable Configuration Service Providers (CSPs) for Windows attestation:
How Windows enrollment attestation works
Device attestation status report
The report shows information about the device, its TPM, and whether the device successfully attested on enrollment. If a device doesn’t attest, the report explains why in the Status details section. Use this report to see the full list of devices and check which ones successfully attested on enrollment.
To access this report:
Sign in to the Microsoft Intune admin center.
Select Reports > Device attestation status (preview) under the Device Management section.
Filter by Attestation status or Ownership type and select Generate report.
After the report is generated, the top-level details that you see include:
Device name
Device ID
UPN
Device attestation status
Status detail
OS
OS version
Ownership
Last check-in
Enrollment date
TPM version
TPM manufacturer
Model
By selecting an entry, you can find more detailed information about the device. You can also select an entry using the left-hand Select column and re-attest using the Attest device action at the top of the report.
The following table lists status details and their descriptions:
Status detail | Description |
---|---|
Entra key can't be attested | The key of the Microsoft Entra device certificate wasn't stored in the TPM, so it can't be attested. If the device is enrolled with Autopilot offline domain join (AP ODJ), this status detail is temporary. |
Attestation is in process | The device was still attesting when Intune queried its latest status. |
TPM isn't trusted | The device's TPM isn't trusted and therefore can't be attested. |
TPM isn't available | The device doesn't have a TPM 2.0, or the TPM can't be attested because its firmware needs an update. For information about updating firmware, see the Resources section. |
TPM isn't ready | The TPM isn't ready for use by this device. The user needs to reset TPM ownership. For information about resetting TPM ownership, see the Resources section. |
Client request is rejected | The client's attestation request didn't reach the MDM server, or the server rejected it. |
AIK certificate wasn't provided | The Attestation Identity Key (AIK) certificate is missing on the device, possibly because of a network issue. If the problem is temporary, a retry succeeds once the device receives its AIK certificate. |
Client didn't provide all required parameters | Both the AIK certificate and the AIK public key are missing. |
MDM key is already in TPM | The device reports that the MDM key is already stored in the TPM, but Intune can't attest it because the AIK certificate or AIK public key is missing, or the Entra key can't be attested. |
Feature isn't supported | The device isn't yet attestable. Examples include Hyper-V and Azure virtual machines, Azure Virtual Desktop session hosts, Windows 365 Cloud PCs, and Microsoft Dev Box. |
Entra token doesn't match device identity | The Entra token used for enrollment doesn't match the Entra key presented in the enrollment request. Upgrade to the latest Windows build and retry attestation. |
Entra token is missing device identity | The Entra token used for enrollment doesn't contain an Entra device identity. |
Note
For more information, see the Resources section.
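The following PowerShell script is an added example and is not part of the Microsoft documentation or of Intune itself. It checks a local device against the requirements listed above (minimum builds, TPM 2.0, physical hardware) and labels each failing check with the Status detail value the report is most likely to show for it. The build-to-UBR minimums are copied from the requirements section; the branch names in the comments, the virtual-machine detection regex, and the endorsement key (EK) certificate check are this script's own assumptions. Run it in an elevated PowerShell session on the device before enrolling it.

```powershell
# Added example, not from the Microsoft documentation: local pre-check that maps a
# device's state onto the enrollment attestation requirements and the common
# 'Status detail' values. Assumptions: branch names in comments, the VM regex and
# the EK-certificate check are heuristics of this script, not statements on the page.
#Requires -RunAsAdministrator

# Minimum update build revision (UBR) per Windows build branch, from the requirements list.
$MinimumUbr = @{
    19045 = 3996   # Windows 10 22H2 (10.0.19045.3996+)
    22000 = 2713   # Windows 11 21H2 (10.0.22000.2713+)
    22621 = 2792   # Windows 11 22H2 (10.0.22621.2792+)
    22631 = 2792   # Windows 11 23H2 (10.0.22631.2792+)
}

function Test-AttestationReadiness {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail, [string]$LikelyStatus = '') {
        $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail; LikelyStatusDetail = $LikelyStatus })
    }

    # 1. OS build. CurrentBuildNumber and UBR come from the registry because
    #    [Environment]::OSVersion does not expose the UBR component the minimums depend on.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR
    $ver   = "10.0.$build.$ubr"
    if ($MinimumUbr.ContainsKey($build)) {
        $min = $MinimumUbr[$build]
        Add-Finding 'OS build' ($ubr -ge $min) "$ver (minimum 10.0.$build.$min)"
    } else {
        # Builds newer than 22631 aren't in the list (assumed fine); older ones aren't supported.
        Add-Finding 'OS build' ($build -gt 22631) "$ver is not one of the listed builds; install the latest updates"
    }

    # 2. Physical device. VMs can't attest even with a vTPM ("Feature isn't supported").
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $hw   = "$($cs.Manufacturer) $($cs.Model)"
    $isVm = $hw -match 'Virtual|VMware|KVM|QEMU|Xen'   # heuristic, assumption of this script
    Add-Finding 'Physical device' (-not $isVm) $hw $(if ($isVm) { "Feature isn't supported" })

    # 3. TPM presence, spec version and readiness (TrustedPlatformModule module, built into Windows).
    $tpm  = Get-Tpm
    $spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
    $isTpm20 = [bool]$tpm.TpmPresent -and ($spec -like '2.0*')
    Add-Finding 'TPM 2.0 present' $isTpm20 "Present=$($tpm.TpmPresent) SpecVersion='$spec' Manufacturer=$($tpm.ManufacturerIdTxt)" $(if (-not $isTpm20) { "TPM isn't available" })
    Add-Finding 'TPM ready' ([bool]$tpm.TpmReady) "Ready=$($tpm.TpmReady) Enabled=$($tpm.TpmEnabled) Owned=$($tpm.TpmOwned) LockedOut=$($tpm.LockedOut)" $(if ($isTpm20 -and -not $tpm.TpmReady) { "TPM isn't ready" })

    # 4. EK certificate. Assumption (not stated on the page): Windows obtains its AIK certificate
    #    from Microsoft's attestation service, which validates the TPM's EK certificate, so a TPM
    #    without one tends to surface as "AIK certificate wasn't provided".
    if ($isTpm20) {
        $ek = Get-TpmEndorsementKeyInfo -ErrorAction SilentlyContinue
        $hasEkCert = ($null -ne $ek) -and ($ek.ManufacturerCertificates.Count -gt 0)
        Add-Finding 'EK certificate' $hasEkCert "ManufacturerCertificates=$(if ($ek) { $ek.ManufacturerCertificates.Count } else { 0 })" $(if (-not $hasEkCert) { "AIK certificate wasn't provided" })
    }
    return $findings
}

$report = Test-AttestationReadiness
$report | Format-Table Check, Pass, LikelyStatusDetail, Detail -AutoSize

if ($report.Pass -contains $false) {
    # TPM remediation (Clear-Tpm / Initialize-Tpm, or a Wipe and Reset) can destroy data; see the Important note in Resources.
    Write-Warning 'Device is unlikely to attest on enrollment. Back up the device before any TPM remediation.'
    exit 1
}
'Device meets the listed enrollment attestation prerequisites.'
```

The script only reads state; it never clears or initializes the TPM, because the Important note in the Resources section warns that TPM troubleshooting usually ends in a Wipe and Reset. A device that passes every check can still fail attestation for server-side reasons (Client request is rejected, Entra token mismatches), which this local check can't observe; use the Attest device action to retry those.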
Attest device action
If the report shows devices with the Not started attestation status, you can select a few of them at a time and attest them with the Attest device action at the top of the report. The action usually completes within a few minutes, and the result appears in the report when you select Refresh.
To attest some Not started devices:
Use the drop-down filters at the top of the report to filter on the Not started attestation status.
Select Generate report again. Then select a few devices and select the Attest device action at the top of the report.
Attestation can take up to 15 minutes depending on the activity of the devices and the number of devices selected. Refresh after some time to see the updated status of the selected devices.
Note
You can select up to 100 devices at a time for the device action, and you should wait at least 1 minute between triggering Attest device actions.
If devices are failing attestation, whether a retry is worthwhile depends on the value in the Status detail column. If any of the following status details appear, we recommend retrying with the Attest device action:
AIK certificate wasn't provided
Attestation is in process
MDM key is already in TPM
TPM isn't ready
Authentication failed
Client didn't provide all required parameters
Entra token doesn't match device identity
Permissions for device action
To use the Attest device action, your Intune role needs the Remote tasks permission described in the admin center as "Indicates mobile device management (MDM) attestation if device is capable for it". Set this permission to Yes to enable the action; IT admins with the permission set to Yes can then initiate the Attest device action.
Resources
Important
Troubleshooting TPM usually requires a Wipe and Reset action, which can result in data loss. Ensure that you have backups in place before carrying out any TPM troubleshooting steps.
Additional links: