Two weeks ago, I wrote that the White Glove Autopilot process failed on HP laptops. Some strange behavior was encountered around ‘TPM Attestation’. According to Microsoft: “Trusted Platform Module (TPM) key attestation is the ability of the entity requesting a certificate to cryptographically prove to a Certificate Authority (CA) that the RSA key in the certificate request is protected by either “a” or “the” TPM that the CA trusts.”
I predicted that Microsoft would release a patch with the appropriate fix in, and thankfully they have!
Introducing KB4522355: https://support.microsoft.com/en-us/help/4522355/windows-10-update-kb4522355, otherwise known as the October 24, 2019 cumulative update!
There is a single entry on the list of fixes for Autopilot: “Addresses issue with Autopilot self-deploying mode and White glove deployments”.
In this case, I applied the patch to the Windows Image File (WIM) before testing using the DISM command line tool. This saves around twenty minutes per deployment rather than patching before beginning the White Glove process each time.
The results are positive; all HP laptops so far have run through the White Glove process successfully.
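One way to carry out the offline servicing step described above, using the DISM PowerShell cmdlets rather than the DISM command-line tool the post mentions. This is an added example, not the author's own commands; the image path, image index, mount directory and update file name are placeholders to adjust for your environment.

```powershell
# Added example: inject a cumulative update into a WIM offline, then confirm it landed.
# Run from an elevated PowerShell session. All paths and the index are placeholders (assumptions).
$ErrorActionPreference = 'Stop'

$WimPath    = 'C:\Images\install.wim'       # placeholder: the image used for deployment
$Index      = 1                             # placeholder: edition index inside the WIM
$MountDir   = 'C:\Mount'                    # placeholder: empty working directory
$UpdatePath = 'C:\Updates\KB4522355.msu'    # placeholder name for the downloaded update file

# A WIM can hold several editions; list them so the right index is serviced.
Get-WindowsImage -ImagePath $WimPath | Format-Table ImageIndex, ImageName

if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }
Mount-WindowsImage -ImagePath $WimPath -Index $Index -Path $MountDir | Out-Null

try {
    # Record the packages present before servicing so the change can be verified.
    $before = (Get-WindowsPackage -Path $MountDir).PackageName

    Add-WindowsPackage -Path $MountDir -PackagePath $UpdatePath | Out-Null

    # Anything not in the 'before' list was added by the update.
    $added = Get-WindowsPackage -Path $MountDir |
        Where-Object { $before -notcontains $_.PackageName }

    if (-not $added) {
        throw "No new package found in the image after applying $UpdatePath"
    }
    $added | Format-Table PackageName, PackageState, InstallTime

    # Commit the change back into the WIM.
    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
}
catch {
    # Leave the original WIM untouched if anything failed.
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    throw
}
```

Work on a copy of the WIM, since a saved dismount modifies the image in place.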
Some other points to bear in mind for a successful White Glove experience:
- Make sure the time on the laptop is set correctly. Anecdotally, this needs to be within five minutes of the correct time for Autopilot to work
- Whitelist the URLs stipulated by Microsoft on your corporate network
- If you are deleting computer registrations from Intune, Autopilot and Azure Active Directory (AAD), give it at least ten minutes before trying to generate a new hash for White Glove. Although the portal will tell you that the object was deleted, there seems to be a delay before the registration is fully cleared
Good luck!