Win11 Autopilot TPM attestation timed out

Lazarus

I'm trying to set up a VM with Win11 and install it with Microsoft's Autopilot and Intune. The machine has been pre-added, and the machine is identified for my company. So I try to install a pre-provisioning package. Then about 5-7 min pass before the process fails with the message "Something happened, and TPM attestation timed out".

Did anyone else run into this?

Here's the VM config:
Code:
agent: 1
bios: ovmf
boot: order=scsi0
cores: 4
cpu: host,flags=+pcid;+ibpb;+hv-tlbflush;+aes
efidisk0: volatile:vm-126-disk-2,efitype=4m,pre-enrolled-keys=1,size=1M
ide0: local:iso/virtio-win-0.1.266.iso,media=cdrom,size=707456K
ide2: local:iso/Win11_24H2_EnglishInternational_x64.iso,media=cdrom,size=5695402K
machine: pc-q35-9.0
memory: 10240
meta: creation-qemu=9.0.2,ctime=1740672871
name: intunemachine
net0: e1000=ab:cd:ef:12:34:56,bridge=vmbr0,firewall=1
numa: 0
ostype: win11
scsi0: volatile:vm-126-disk-1,cache=writeback,discard=on,size=80G
scsihw: virtio-scsi-pci
smbios1: uuid=12345678-1234-1234-1234-123456789abc,manufacturer=YWJjMTIz,product=YWJjMTIz,version=YWJjMTIz,serial=YWJjMTIz,sku=YWJjMTIz,family=YWJjMTIz,base64=1
sockets: 1
tpmstate0: volatile:vm-126-disk-0,size=4M,version=v2.0
vmgenid: 12345678-1234-1234-1234-123456789abc

*Some of the details redacted for privacy.
 
Running into this same issue and curious if anyone has resolved it.

tpmtool getdeviceinformation shows the TPM2.0 is there and ready for attestation but Autopilot still fails on the "Securing your device" step every time.
 
Sadly this can mean anything from “can’t reach the Microsoft servers” to “TPM chip isn’t in setup mode”. Any logs from the system or details when you run tpm.msc?
 
Hi @Lazarus , may I know if you have checked the following?
  • TPM is enabled in the BIOS/UEFI, and the machine has TPM 2.0 (which is required for Autopilot).
  • Secure Boot is also enabled.
  • The system firmware is up-to-date.
  • The machine has a stable internet connection.
  • I’ve verified that the device is properly registered in Intune and Autopilot.
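The checklist above, plus the earlier requests for tpm.msc output and logs, can be run as one script inside the guest. This is an added example, not code from the thread or from Microsoft: it assumes an elevated PowerShell in the Windows 11 VM (Shift+F10 during OOBE works), that the TrustedPlatformModule and SecureBoot modules are present (they ship with Windows 11), and that the output directory name is arbitrary. The attestation endpoints listed are the ones published in Microsoft's Autopilot networking requirements at the time of writing; check the current list before relying on them. The check a practitioner most wants here is step 2: Autopilot pre-provisioning attests the TPM's endorsement key, so a TPM without a verifiable EK certificate (which is the usual state of a software TPM such as swtpm) cannot pass, whatever tpmtool reports about readiness.

```powershell
#Requires -RunAsAdministrator
# Added example: guest-side Autopilot TPM attestation pre-check and log collection.
# $LogDir is an arbitrary path chosen for this example.
$LogDir = 'C:\autopilot-diag'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# 1. TPM presence, spec version (Autopilot needs 2.0) and readiness
$tpm  = Get-Tpm
$wmi  = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm
"TPM present: $($tpm.TpmPresent)  ready: $($tpm.TpmReady)  owned: $($tpm.TpmOwned)  spec: $($wmi.SpecVersion)  mfr: $($tpm.ManufacturerIdTxt)"

# 2. Endorsement key certificate: the attestation service must be able to verify it.
#    Software TPMs normally have none, so this is the decisive check for a VM.
$ek      = Get-TpmEndorsementKeyInfo
$ekCerts = @($ek.ManufacturerCertificates) + @($ek.AdditionalCertificates) | Where-Object { $_ }
"EK certificates found: $($ekCerts.Count)"
$ekCerts | ForEach-Object { "  issuer: $($_.Issuer)  expires: $($_.NotAfter)" }
if ($ekCerts.Count -eq 0) { 'WARNING: no EK certificate on this TPM; attestation cannot succeed' }

# 3. Secure Boot state (throws on non-UEFI / unsupported firmware)
try   { "Secure Boot enabled: $(Confirm-SecureBootUEFI)" }
catch { "Secure Boot: cannot query ($($_.Exception.Message))" }

# 4. Clock sanity: large drift breaks TLS to the attestation service
w32tm /query /status 2>&1 | Select-String 'Source|Last Successful|Phase Offset'

# 5. Reachability of the TPM attestation endpoints over 443
$endpoints = 'ekop.intel.com', 'ekcert.spserv.microsoft.com', 'ftpm.amd.com', 'login.microsoftonline.com'
foreach ($h in $endpoints) {
    $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    "{0,-32} tcp/443 reachable: {1}" -f $h, $r.TcpTestSucceeded
}

# 6. Collect what the thread asked for: tpmtool output, Autopilot and TPM events, MDM diagnostics cab
tpmtool getdeviceinformation | Out-File "$LogDir\tpmtool.txt"
Get-WinEvent -LogName 'Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, LevelDisplayName, Message | Out-File "$LogDir\autopilot-events.txt"
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'TPM-WMI' } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, Message | Out-File "$LogDir\tpm-wmi-events.txt"
& "$env:SystemRoot\System32\MdmDiagnosticsTool.exe" -area 'Autopilot;TPM' -cab "$LogDir\autopilot.cab"
"Logs written to $LogDir"
```

Run it before starting the pre-provisioning flow and again right after the "Securing your device" failure; the Autopilot event log and the cab are what Microsoft support asks for, and the EK certificate count tells you immediately whether the failure is environmental (network, clock, Secure Boot) or structural (a TPM that cannot be attested).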
 
Hi, it seems like a TPM attestation issue caused by how QEMU emulates TPM 2.0 in Proxmox. Try switching your VM’s TPM device to version=v2.0,model=crb and ensure Secure Boot is enabled with Microsoft keys (not pre-enrolled-keys=1).

Also make sure your guest clock syncs early via the QEMU guest agent, as timing drift can trigger attestation timeouts. If it still fails, update to the latest OVMF firmware from pve-firmware 3.0+. See if this helps.
 
TPM version=v2.0,model=crb doesn't work. After saving the config, it is removed from the hardware and the EFI doesn't have one anymore. And if I disable pre-enrolled keys, Secure Boot is deactivated in the EFI...
 
Looks like the issue is caused by volatile EFI/TPM devices — OVMF loses the TPM state after save, so Secure Boot and attestation can’t complete. Please try recreating both efidisk0 and tpmstate0 on a persistent storage pool (not volatile:).

Then enable Secure Boot again in the EFI menu. This keeps TPM state across reboots and should let Intune attestation succeed.
If it still fails, update to the latest edk2-ovmf firmware (pve-firmware package) — older builds don’t persist TPM event logs properly.

Please try.
 
Ok. Got a new VM. Set EFI and TPM right, installed Win11 fresh, and... same error.

pve-manager/9.0.11/3bf5476b8a4699e2 (running kernel: 6.14.11-2-pve)