In this post I want to share some information about Windows Autopilot, specifically the Device preparation phase.
During our testing of Windows Autopilot self-deploying mode on our internal network, we ran into an error during the Device preparation phase:
Securing your hardware (Failed 0x800705b4)
Error 0x800705b4 is the HRESULT wrapping of Win32 error 1460 (ERROR_TIMEOUT, "This operation returned because the timeout period expired"). In this phase it is usually related to the TPM, but it doesn't tell you exactly what is wrong with it. As we were testing self-deploying mode on fairly modern hardware, we checked the TPM attestation status first, and it showed Ready as expected. We then switched the device to an unrestricted line (our internal network is restricted) and self-deploying mode worked fine, so the problem had to be network related. As we had already whitelisted every URL we could find in Microsoft's Autopilot documentation, we were curious which URLs we had missed. After some testing we found a few URLs that pointed to two hardware vendor domains:
intel.com
nuvoton.com
After we had whitelisted both vendor domains on the internal network, we could successfully deploy the same piece of hardware using Windows Autopilot self-deploying mode on our internal network.
It seems that not all hardware ships with the TPM endorsement key (EK) certificate pre-installed, so during the TPM attestation process the vendor's website is contacted to obtain it. Michael Niehaus's blog post about TPM attestation (found here, a must read) mentions a remote server that is contacted during the TPM attestation process, and that turns out to be a hardware vendor site and not (only) a Microsoft site. The practical consequence is that an allow-list built solely from the Microsoft endpoint documentation can still block attestation, and because the failure surfaces as a timeout rather than a clear network error, the device's own TPM state (Ready, manufacturer, whether an EK certificate is already present) is worth checking before the network is blamed.
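As an added example (not part of the original post), the following PowerShell gathers the facts a practitioner wants before escalating to the network team: whether the TPM is ready and who manufactured it, whether an EK certificate is already stored on the chip (if not, Windows has to fetch one from the vendor), which issuer and Authority Information Access URL any stored certificate carries, and whether the two vendor domains named above are reachable over HTTPS from the device. The cmdlets come from the TrustedPlatformModule and NetTCPIP modules that ship with Windows 10; the vendor-ID lookup table, the AIA parsing and the domain list are my assumptions about what is useful to inspect, not something the post or Microsoft documents as the attestation procedure.

```powershell
#Requires -RunAsAdministrator
# Added example: triage TPM attestation prerequisites on a device that fails
# "Securing your hardware" in Autopilot self-deploying mode.

# 1. Basic TPM state and manufacturer (TrustedPlatformModule module).
$tpm = Get-Tpm

# Assumption: TCG vendor-ID strings as reported by Get-Tpm; extend as needed.
$vendorDomains = @{
    'INTC' = 'intel.com'      # Intel PTT (firmware TPM)
    'NTC'  = 'nuvoton.com'    # Nuvoton discrete TPM
}
$vendorId = ($tpm.ManufacturerIdTxt -as [string]).Trim()

[pscustomobject]@{
    TpmPresent      = $tpm.TpmPresent
    TpmReady        = $tpm.TpmReady
    ManufacturerId  = $vendorId
    FirmwareVersion = $tpm.ManufacturerVersion
    LikelyVendorUrl = if ($vendorDomains.ContainsKey($vendorId)) { $vendorDomains[$vendorId] } else { 'unknown' }
} | Format-List

# 2. Endorsement key and any EK certificates stored on the TPM.
$ek = Get-TpmEndorsementKeyInfo -HashAlgorithm sha256
if (-not $ek.IsPresent) {
    Write-Warning 'No endorsement key present; attestation cannot succeed on this TPM.'
    return
}
Write-Output "EK public key hash (SHA-256): $($ek.PublicKeyHash)"

$certs = @($ek.ManufacturerCertificates) + @($ek.AdditionalCertificates)
if ($certs.Count -eq 0) {
    Write-Warning 'No EK certificate stored on the TPM. Windows will have to retrieve one from the vendor during attestation, so the vendor domain must be reachable.'
} else {
    foreach ($c in $certs) {
        # Authority Information Access (OID 1.3.6.1.5.5.7.1.1) names where the
        # issuing CA certificate is fetched from; that host must also be reachable.
        $aia = $c.Extensions |
            Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' } |
            ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            Subject  = $c.Subject
            Issuer   = $c.Issuer
            NotAfter = $c.NotAfter
            AIA      = ($aia -join '; ')
        } | Format-List
    }
}

# 3. Reachability of the vendor domains the post found were required (HTTPS).
foreach ($domain in $vendorDomains.Values) {
    $r = Test-NetConnection -ComputerName $domain -Port 443 -WarningAction SilentlyContinue
    '{0,-15} DNS resolved={1,-5} TCP/443={2}' -f $domain, [bool]$r.RemoteAddress, $r.TcpTestSucceeded
}
```

Run it in an elevated session on the failing device before enrollment (Shift+F10 at the OOBE prompt opens a command prompt from which powershell.exe can be started). A TPM that reports Ready with no stored EK certificate and a failed TCP/443 test to its vendor's domain is exactly the combination the post describes; a failed DNS lookup points at the resolver or proxy configuration rather than the firewall.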
We (I) weren't aware of that, and maybe you weren't either, so that's why I wanted to share this small piece of information. I hope you can take advantage of it.
Happy testing!
13 Comments
I am facing the same issue. It works fine on an open network, but TPM attestation always fails on the corporate network. It's a Surface Pro 4. Could you please help with which are the culprit URLs that are not accessible on the corporate network?
First make sure the device is Attestation Ready. You can see that on a device in Windows Security, under Device Security, Security Processor. If the device supports this and that is fine, you have to check on the network level which URLs are blocked.
Device attestation states Ready. I also tried a Fiddler trace, but was unable to capture the affected URLs. I'd appreciate it if you can share how you identified the blocked URLs.
Our network guys helped us out.
They provided us with logging that showed a couple of blocked URLs, which we whitelisted.
But if you have a look at Windows Security, Security processor details, the manufacturer of the TPM is shown.
Can someone help me out? I am getting error 0x081039020 at Securing your hardware, using self-deploying mode. Everything seems correct on the Dell Latitude 3189. I deleted all the devices from Intune and Azure and reimported them, but no luck. Has anyone come across this error before? I have it on about 10 devices already. Thanks in advance.
I don't recognize the error. But make sure nothing is wrong with the TPM chip, update the drivers of the devices to the latest version and try again.
Hi,
did you find a solution to this problem?
I'm getting this error when trying to self-deploy a Surface Laptop 3. I get the 0x800705b4 at the Securing your hardware step. It occurs on an open network and at the office.
Hi everyone, since Thursday October 1st we get error 0x800705b4, even though we do Autopilot over a private internet connection, so there is no URL blocking. The laptop is an HP 430 G7 with TPM enabled.
Seeing the same issue (error securing hardware, 0x81039024) with a Lenovo ThinkPad X1 5th gen on a LAN connection connected to a router without any filtering enabled. Azure AD joined device with Intune MDM and Autopilot self-deploy...
I am trying to deploy Intune on a corporate device. The hardware ID is already enrolled in the Azure portal. It fails before device setup with error 0x800705b4 at Preparing your device for mobile management. Any suggestions?
Hi, it's me Arvind again. I am using my home network, so ideally there shouldn't be an issue with the internet. Do you reckon updating the BIOS or resetting the TPM would help? By the way, it's a Lenovo T490s machine.
Hi Arvind,
It's always advised to update the drivers, also to prevent other issues during enrollment.
And make sure the device is Attestation Ready. You can see that on a device in Windows Security, under Device Security, Security Processor.