Windows AutoPilot Securing your hardware Failed 0x800705b4

In this post I just want to share some information about Windows AutoPilot, more specifically about the Device Preparation phase.

During our testing with Windows AutoPilot self-deploying mode on our internal network, we ran into an error during the Device Preparation phase:
Securing your hardware (Failed 0x800705b4)

Error 0x800705b4 is usually related to the TPM chip, but it doesn't tell exactly what is wrong with it. As we were testing self-deploying mode on pretty modern hardware, we checked the TPM attestation status, and it showed Ready as expected. After that we switched to an unrestricted network line (our internal network is restricted) and found that self-deploying mode worked fine there. So our issue had to be network related. As we had already whitelisted all the URLs we could find in Microsoft's AutoPilot documentation, we were curious which URLs we had missed. After some testing we found a few URLs pointing to two hardware vendor domains:
intel.com
nuvoton.com

After we whitelisted those two vendor domains on the internal network, we could successfully deploy the same piece of hardware using Windows AutoPilot self-deploying mode on our internal network.

It seems that not all hardware is shipped with the TPM certificate pre-installed, and therefore during the TPM attestation process the vendor website is contacted to retrieve this certificate. Michael Niehaus's blog post about TPM attestation (found here, a must read) remarks that a remote server is contacted during the TPM attestation process, and that server turns out to be a hardware vendor's site and not (only) a Microsoft site.
We (I) weren't aware of that, and maybe you weren't either, so that's why I wanted to share this small piece of info. Hope you can take advantage of it.
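As an added example (not from the original post), the PowerShell below mirrors the troubleshooting steps described above from the device side: it reports whether the TPM is attestation-ready, whether a manufacturer EK certificate is already installed, and, if not, whether the vendor domain named in this post is reachable on port 443. The mapping of TCG manufacturer IDs ('INTC', 'NTC') to intel.com and nuvoton.com is my assumption, not something the post states.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post.
# Assumed manufacturer-ID -> vendor domain mapping (domains are the two from the post).
$vendorDomains = @{
    'INTC' = 'intel.com'
    'NTC'  = 'nuvoton.com'
}

$tpm = Get-Tpm                      # TpmPresent / TpmReady / ManufacturerIdTxt
$ek  = Get-TpmEndorsementKeyInfo    # EK public key and any installed EK certificates

# ManufacturerIdTxt may carry NUL padding; normalise before the lookup.
$manufacturer = $tpm.ManufacturerIdTxt.Trim([char]0).Trim()
$hasEkCert    = ($ek.ManufacturerCertificates.Count -gt 0)

[pscustomobject]@{
    TpmPresent      = $tpm.TpmPresent
    TpmReady        = $tpm.TpmReady
    Manufacturer    = $manufacturer
    EkCertInstalled = $hasEkCert
} | Format-List

if (-not $hasEkCert) {
    Write-Warning 'No manufacturer EK certificate installed; attestation will fetch one from the vendor.'
    $domain = $vendorDomains[$manufacturer]
    if ($domain) {
        # Only TCP reachability on 443 is tested; a proxy or TLS-inspecting
        # firewall can still block the actual download, so check its logs too.
        $r = Test-NetConnection -ComputerName $domain -Port 443 -WarningAction SilentlyContinue
        if ($r.TcpTestSucceeded) {
            "Reachable on 443: $domain"
        } else {
            Write-Warning "Not reachable: $domain (check firewall/proxy allow list)"
        }
    } else {
        Write-Warning "Unknown TPM vendor '$manufacturer'; identify its certificate endpoint from firewall logs."
    }
}
```

Run it on a device that fails at "Securing your hardware" while connected to the restricted network; a missing EK certificate combined with an unreachable vendor domain reproduces the situation described in this post.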

Happy testing!

7 Comments

  1. I am facing the same issue. It works fine on an open network, but TPM attestation always fails on the corporate network. It's a Surface Pro 4. Could you please help with which are the culprit URLs that are not accessible on the corporate network?

    • First make sure the device is Attestation Ready. You can see that on a device in Windows Security, under Device Security, Security Processor. If the device supports this and that is fine, you have to check on the network level which URLs are blocked.

      • Device attestation states Ready. I also tried a Fiddler trace, but was unable to capture the affected URLs. Appreciate it if you can share how you guys identified the blocked URLs.

  2. Our network guys helped us out.
    They provided us logging which showed a couple of blocked URLs which we whitelisted.

    But if you have a look at Windows security, Security processor details, the manufacturer of the TPM is shown.

  3. Can someone help me out? I am getting an error 0x081039020 Securing your hardware, using self-deployment mode. Everything seems correct on the Dell Latitude 3189. I deleted all the devices from Intune and Azure and reimported them, but no luck. Has anyone come across this error before? I have it on about 10 devices already. Thanks in advance.

  4. I'm getting this error when trying to self-deploy a Surface Laptop 3. I get the 0x800705b4 on the Securing your hardware step. It occurs on an open network and at the office.
