We have received a couple of new Lenovo Thinkbook 14 G7 IML but we are unable to enroll with Autopilot.
We get the following error. Device Preparation: Securing your hardware (0x800705b4)
It looks like it is unable to get the TPM certificate.
We have tried to run the following command: Certreq /enrollaik /config ""
Then we get the following error:
{"Message":"No valid TPM EK/Platform certificate provided in the TPM identity request message."}
Full description:
TPM-Version:2.0 -Level:0-Revision:1.59-VendorID:'INTC'-Firmware:45875219.329746
INTC-KeyId-6b773f7fc8eaf6a5b10d7361bf2013d128d03846
CN=www.intel.com, OU=ODCA 2 CSME P_MTL SOC 00003043 Issuing CA
Mappeadresse: TPMVersion=id:02BC0013 TPMModel=MTL TPMManufacturer=id:494E5443 (INTC)
x-ms-client-request-id = c2d4de41-b2a6-432f-8ef8-4f970ce1b42d
SHA256
AES128
SubmitDone
Submit(Request): Bad Request
{"Message":"No valid TPM EK/Platform certificate provided in the TPM identity request message."}
HTTP/1.1 400 Bad Request
Date: Fri, 09 Aug 2024 08:53:25 GMT
Content-Length: 96
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000;includeSubDomains
x-ms-request-id: 85de13d9-e8f5-4b0a-a18a-26a4aa113f52
EnrollStage = 220
GetCACert = 188ms
GetCACaps = 297ms
CreateRequest = 500ms
SubmitRequest = 688ms
ProcessResponse1 = 0ms
SubmitChallengeAnswer = 0ms
ProcessResponse2 = 0ms
Enroll = 1188ms
Total = 2985ms
The TPM is enabled and running 2.0
BIOS is updated to the latest version.
Did you also try to use the tpmdiagnostics tool to determine if the device is able to get the EKCert from the web or NVR?
https://call4cloud.nl/2022/08/ready-for-attestation-a-true-underdog-story/#15_Did_I_miss_something
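A local check related to the EK certificate question above, as an added example that is not part of the thread: it uses the built-in Get-Tpm and Get-TpmEndorsementKeyInfo cmdlets to list which EK certificates Windows reports for the TPM. The function name Get-EkCertSummary is hypothetical; run it from an elevated PowerShell session on the affected device.

```powershell
# Added example (not from the original thread). Requires an elevated session.
function Get-EkCertSummary {
    $tpm = Get-Tpm
    $ek  = Get-TpmEndorsementKeyInfo -HashAlgorithm sha256

    # Collect manufacturer-provisioned and additional EK certificates,
    # dropping empty entries when a collection is null.
    $certs = @(@($ek.ManufacturerCertificates) + @($ek.AdditionalCertificates) |
        Where-Object { $_ })

    $now = Get-Date
    $details = foreach ($c in $certs) {
        [pscustomobject]@{
            Subject    = $c.Subject
            Issuer     = $c.Issuer
            Thumbprint = $c.Thumbprint
            NotBefore  = $c.NotBefore
            NotAfter   = $c.NotAfter
            # A wrong system clock during OOBE can make a good certificate look invalid
            InValidity = ($now -ge $c.NotBefore -and $now -le $c.NotAfter)
        }
    }

    [pscustomobject]@{
        TpmPresent   = $tpm.TpmPresent
        TpmReady     = $tpm.TpmReady
        Manufacturer = $tpm.ManufacturerIdTxt
        EkPresent    = $ek.IsPresent
        EkPublicHash = $ek.PublicKeyHash
        EkCertCount  = $certs.Count
        EkCerts      = $details
    }
}

$summary = Get-EkCertSummary
$summary | Format-List TpmPresent, TpmReady, Manufacturer, EkPresent, EkPublicHash, EkCertCount
$summary.EkCerts | Format-Table Issuer, NotBefore, NotAfter, InValidity -AutoSize

if ($summary.EkCertCount -eq 0) {
    # Would be consistent with the "No valid TPM EK/Platform certificate" response
    Write-Warning 'Windows reports no EK certificate for this TPM.'
}
```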
@Mikkel Loose Havmand, Thanks for posting in Q&A.
To clarify this issue, please check the following.
1. Please check the Default Windows restrictions under Device platform Restriction.
2. Please share with us what kind of Autopilot deployment you use.
3. Restart Autopilot or wipe the device and it might go through the Device preparation -> Securing your hardware step this time
You can normally restart the ESP process without needing to wipe the device by:
Press SHIFT+F10 to open CMD
Run regedit
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\AutopilotSettings\
Delete the following keys:
DevicePreparationCategory.Status
DeviceSetupCategory.Status
In CMD, run shutdown /r /t 0 to restart and the ESP should start from the beginning again
4. Please try to remove the device completely from Intune and Autopilot and restart it.
Here is a link with detailed information.
https://call4cloud.nl/2021/11/amd-autopilot-attestation-issue/
Non-official, just for reference.
Please try the above information. If there is any update, feel free to let me know.