Device Attestation and TPM RRS feed

Answers

All replies

  • Hi OSD,

    With PowerShell as an admin:

    Get-TpmSupportedFeature -FeatureList "Key Attestation"

    More about this feature is mentioned in my blog post: https://www.infrastructureheroes.org/microsoft-infrastructure/active-directory/new-for-autopilot-with-windows-10-1903-updated/#more-180


    Viele Grüße / Kind regards
    Fabian Niesen
    ---
    Infrastrukturhelden.de (German) - Infrastructureheroes.org (English)
    LinkedIn - Xing - Twitter
    #Iwork4Dell - Opinions and Posts are my own
    My posts are provided as they are. Usage is at your own risk.

    • Marked as answer by -OSD- Saturday, December 7, 2019 9:46 AM
    Friday, December 6, 2019 5:06 PM
  • Hi OSD,

    With PowerShell as an admin:

    Get-TpmSupportedFeature -FeatureList "Key Attestation"

    More about this feature is mentioned in my blog post: https://www.infrastructureheroes.org/microsoft-infrastructure/active-directory/new-for-autopilot-with-windows-10-1903-updated/#more-180


    Viele Grüße / Kind regards
    Fabian Niesen

    And it would be supported if I get Key Attestation in output? 

    Get-TpmSupportedFeature -FeatureList "Key Attestation"
    key attestation

    Friday, December 6, 2019 8:20 PM
  • I saw your blog post, interesting, thanks for the link.

    Do you remember if you had issues with ports, as White Glove requires 80, 443 and 123 (UDP) to be open? How can I verify if port 123 (UDP) is open?


    • Edited by -OSD- Friday, December 6, 2019 8:37 PM
    Friday, December 6, 2019 8:35 PM
  • Right, if it is supported you get "Key Attestation" as output, otherwise the output is empty.

    Please mark my post as answer if this was the right solution for you.


    Viele Grüße / Kind regards
    Fabian Niesen

    Friday, December 6, 2019 10:17 PM
  • I use Port Query for connection tests. I think you need to put it on a thumbdrive. 

    Viele Grüße / Kind regards
    Fabian Niesen

    Friday, December 6, 2019 10:19 PM
  • Right, if it is supported you get "Key Attestation" as output, otherwise the output is empty.

    Please mark my post as answer if this was the right solution for you.


    Viele Grüße / Kind regards
    Fabian Niesen

    Definitely it does :)
    Saturday, December 7, 2019 9:47 AM
  • I use Port Query for connection tests. I think you need to put it on a thumbdrive. 

    Viele Grüße / Kind regards
    Fabian Niesen

    Is it the local/Windows firewall I must check to verify if a certain port is open, or should I check with the ISP?

    Following are the results for the local IP address:

    1. Starting portqry.exe -n 192.168.1.1 -e 80 -p TCP ...

        TCP port 80 (http service): LISTENING
        portqry.exe -n 192.168.1.1 -e 80 -p TCP exits with return code 0x00000000.

    2. Starting portqry.exe -n 192.168.1.1 -e 443 -p TCP ...

        TCP port 443 (https service): LISTENING
        portqry.exe -n 192.168.1.1 -e 443 -p TCP exits with return code 0x00000000.

    3. Starting portqry.exe -n 192.168.1.1 -e 123 -p UDP ...

        UDP port 123 (ntp service): LISTENING or FILTERED
        portqry.exe -n 192.168.1.1 -e 123 -p UDP exits with return code 0x00000002.

    ===========================================================

    Following are results if I check with my WAN IP address. Please note that xx.yy.zz.12 refers to my public WAN address.

    a) Starting portqry.exe -n XX.YY.ZZ.12 -e 80 -p TCP ..
        TCP port 80 (http service): LISTENING
        portqry.exe -n XX.YY.ZZ.12 -e 80 -p TCP exits with return code 0x00000000.

    b) Starting portqry.exe -n XX.YY.ZZ.12 -e 443 -p TCP ...
        TCP port 443 (https service): LISTENING
        portqry.exe -n XX.YY.ZZ.12 -e 443 -p TCP exits with return code 0x00000000.

    c) Starting portqry.exe -n XX.YY.ZZ.12 -e 123 -p UDP ...
       UDP port 123 (ntp service): LISTENING or FILTERED
       portqry.exe -n XX.YY.ZZ.12 -e 123 -p UDP exits with return code 0x00000002.

    =========================================================================

    • Edited by -OSD- Saturday, December 7, 2019 6:56 PM
    Saturday, December 7, 2019 9:49 AM
  • Be aware, "LISTENING or FILTERED" does not mean that it is blocked. UDP does not send a confirmation of receipt. I think you have a different issue than the firewall.

    Viele Grüße / Kind regards
    Fabian Niesen

    Sunday, December 8, 2019 8:22 AM
  • UDP 123, you mean it should be considered open when I get "Listen or Filter" status with code 0x00000002?

    I do have multiple networks. Should the firewall be the Windows FW, or should it be checked with the ISP?

    The reason for this is to know exactly, because port 443 is open when I check my home network, but not when I check the office network.



    • Edited by -OSD- Sunday, December 8, 2019 9:06 AM
    Sunday, December 8, 2019 9:03 AM
  • Mostly this means open; a REJECT would be mentioned. But this could also be a DROP.

    If this is a firewall issue, I would expect the ISP firewall. The Windows Firewall does not block outgoing traffic by default. Even if you have defined rules, these would be applied later during the Intune / MDM part of Autopilot, not in the beginning.


    Viele Grüße / Kind regards
    Fabian Niesen

    Sunday, December 8, 2019 9:45 AM
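
The UDP 123 check discussed in the posts above, as an added example (not written by any poster in this thread): rather than inferring from PortQry's "LISTENING or FILTERED", this PowerShell function sends a real SNTP request and waits for the answer, so a reply proves the port is open end to end. The function name `Test-NtpReachable` and the default server `time.windows.com` are assumptions, not values from the thread.

```powershell
# Added example, not from the thread. Assumption: time.windows.com is the NTP server to test.
function Test-NtpReachable {
    param(
        [string]$Server = 'time.windows.com',  # assumed target; pass another server if needed
        [int]$TimeoutMs = 3000
    )
    # 48-byte SNTP request; first byte 0x1B = LI 0, version 3, mode 3 (client)
    $request = New-Object byte[] 48
    $request[0] = 0x1B
    $status = 'Error'; $detail = $null
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $udp.Connect($Server, 123)
        [void]$udp.Send($request, $request.Length)
        $remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$remote)
        # A genuine server answer is at least 48 bytes with mode 4 in the low 3 bits
        if ($reply.Length -ge 48 -and ($reply[0] -band 0x07) -eq 4) {
            # Transmit timestamp: big-endian seconds since 1900-01-01 UTC at bytes 40..43
            $secs = [double]$reply[40] * 16777216 + $reply[41] * 65536 + $reply[42] * 256 + $reply[43]
            $epoch = [datetime]::new(1900, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
            $status = 'Open'
            $detail = 'Server time (UTC): {0:u}' -f $epoch.AddSeconds($secs)
        } else {
            $status = 'UnexpectedReply'
            $detail = "$($reply.Length) bytes that are not an NTP server response"
        }
    }
    catch {
        # .NET exceptions arrive wrapped; walk down to the SocketException if there is one
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.Sockets.SocketException]) { $ex = $ex.InnerException }
        if ($ex) {
            switch ([string]$ex.SocketErrorCode) {
                'TimedOut'        { $status = 'NoReply'; $detail = 'Nothing came back: dropped on the path or no NTP service' }
                'ConnectionReset' { $status = 'Closed';  $detail = 'ICMP port unreachable received' }
                default           { $detail = $ex.Message }
            }
        } else { $detail = $_.Exception.Message }
    }
    finally { $udp.Close() }
    [pscustomobject]@{ Server = $Server; Port = 'UDP/123'; Status = $status; Detail = $detail }
}

Test-NtpReachable
```

A `NoReply` result carries the same ambiguity as PortQry's return code 0x00000002, while `Open` is unambiguous because the server actually answered. Probing the router's own address only shows whether the router answers NTP, not whether outbound UDP 123 is allowed through it.
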
  • Do you think it makes sense to disable the WLAN router's firewall for the network where I am having port 443 blocked (or contact the ISP)?

    • Edited by -OSD- Sunday, December 8, 2019 5:04 PM
    Sunday, December 8, 2019 10:41 AM
  • Like I mentioned, I don't expect a connection issue here. Please open a new topic with the log files and the error message. I think the original question is answered.

    Viele Grüße / Kind regards
    Fabian Niesen

    Sunday, December 8, 2019 8:02 PM