In this post I just want to share some information about Windows AutoPilot, more specifically the Device Preparation phase.
During our testing with Windows AutoPilot self-deploying mode on our internal network, we ran into an error during the Device Preparation phase:
Securing your hardware (Failed 0x800705b4)
Error 800705b4 is usually related to the TPM chip, but it doesn't tell you exactly what is wrong with it. As we were testing self-deploying mode on pretty modern hardware, we checked the TPM attestation and that showed Ready as expected. After that we switched the network to an unrestricted line (our internal network is restricted) and found out that self-deploying mode was working fine, so our issue had to be network related. As we had already whitelisted all the URLs we could find in the AutoPilot documentation from Microsoft, we were pretty curious which URLs we had missed. After some testing we found a few URLs which pointed to two hardware vendor domains:
After we had whitelisted those domains from both vendors on the internal network, we could successfully deploy the same piece of hardware using Windows AutoPilot self-deploying mode on our internal network.
It seems that not all hardware is shipped with the TPM certificate pre-installed, and therefore during the TPM attestation process the vendor website is contacted to get this certificate. On Michael Niehaus's blog about TPM attestation (found here, must read) there is a remark about a remote server which is contacted during the TPM attestation process, and that turns out to be a site of a hardware vendor and not (only) a Microsoft site.
We (I) weren't aware of that, and maybe you weren't either, so that's why I wanted to share this small piece of info. Hope you can take advantage of it.
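To find out before an AutoPilot run whether a device will even need to reach the vendor, here is an added pre-check script (not part of the original post, and not Microsoft's or the vendor's tooling). It assumes an elevated PowerShell session on Windows 10/11 with the TrustedPlatformModule module, and the `$VendorHosts` list is a placeholder you fill in with the vendor domains you identified on your own network.

```powershell
# Added example: report whether the TPM already holds an endorsement key (EK)
# certificate. If it does not, TPM attestation has to fetch it from the hardware
# vendor, so the vendor's host must be reachable through the restricted network.
# Assumes: Windows 10/11, elevated session, TrustedPlatformModule module present.

# Placeholder: replace with the vendor domains found in your own proxy/firewall logs.
$VendorHosts = @('<vendor-ek-cert-host-1>', '<vendor-ek-cert-host-2>')

# Basic TPM state, same information the Autopilot "Ready" check relies on.
$tpm = Get-Tpm
Write-Host ("TPM present: {0}, ready: {1}, manufacturer: {2}" -f `
    $tpm.TpmPresent, $tpm.TpmReady, $tpm.ManufacturerIdTxt)

# Endorsement key info; ManufacturerCertificates holds the vendor-issued EK cert(s)
# if they were provisioned into the TPM at the factory.
$ek = Get-TpmEndorsementKeyInfo -HashAlgorithm sha256
$mfrCount = @($ek.ManufacturerCertificates).Count
$addCount = @($ek.AdditionalCertificates).Count
Write-Host ("EK present: {0}, manufacturer certs: {1}, additional certs: {2}" -f `
    $ek.IsPresent, $mfrCount, $addCount)

if ($mfrCount -eq 0) {
    Write-Warning "No EK certificate stored in the TPM; attestation will have to download it from the vendor."
    # Check that the vendor endpoints are reachable over HTTPS from this network segment.
    foreach ($h in $VendorHosts) {
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'reachable' } else { 'BLOCKED or unresolvable' }
        Write-Host ("  {0}:443 -> {1}" -f $h, $state)
    }
} else {
    # EK cert is already on the device; show who issued it and when it expires.
    foreach ($c in $ek.ManufacturerCertificates) {
        Write-Host ("  EK cert issuer: {0}, expires: {1}" -f $c.Issuer, $c.NotAfter)
    }
}
```

A device that reports zero manufacturer certificates together with a blocked vendor host is the combination that produced the 0x800705b4 failure described above.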