This blog will show you how to make sure you can pre-provision your devices even when they have Intel Tiger Lake chipsets.

If you didn’t read my blogs first to know what we are going to fix.

I hope everybody has been busy reading my blog series about the TPM attestation issues you could encounter when deploying Autopilot White-Glove, aka Windows Autopilot for pre-provisioned deployment.

I will divide this blog into multiple parts

  1. The Fix
  2. How to Fix it
  3. The Results

As I showed in the blog I mentioned earlier, the solution back then was to enrol your device into the Insider previews, so that it would start updating and get *KB5007253 installed in the OOBE screen before you start enrolling your device!

*KB5007253 Aka: 2021-11 Cumulative Update Preview.

I still find it a little bit strange, that the huge TPM fix isn’t documented…

But did you know that you could also just download this required update manually? Looking at the picture below, you can also download it for Windows 10 2004/20H2/21H1…. Sooooo???

If you want to download it, here is the download link you will need.

Microsoft Update Catalog

Applying this fix was of course fun to test with, but in a production environment you don’t want to run Insider builds on your devices. Also, implementing this fix manually on each device is going to take a lot of your valuable time, so why not slipstream that KB?

There are many options available out there to fix it all! But let’s go back to the good old days and just slipstream that KB!

2.1 Prerequisites

First, let’s plug in the USB stick (or image, depending on what you want to do…) we are using to deploy Windows 10 to our devices.

We are going to use DISM. If you are not familiar with DISM, I would recommend just downloading the GUI DISM tool. This will be a lot easier for now…

Download DISM GUI free – latest version (softfamous.com)

After we have downloaded the tool, we also need to download the required KB5007253 I mentioned earlier. Download link again: Microsoft Update Catalog

Because I was already having a nice up to date 21H2 Windows 10 USB stick, I will stick with the update I showed you above.

Now that we have all the prerequisites in place, we need to create 2 additional folders to keep everything tight and clean. In my example, I created two folders.

First one : 21H2Updates (in this folder I will put the KB5007253 file I downloaded earlier)

Second one : Mounted-Wim (as we need to have a folder to “extract” the *install.wim file into)

*”The install.wim file (Windows Image File) is a compressed file which contains a set of many files and associated file system metadata and is included in any Windows installation Media under the “sources” folder (sources\install.wim)”

2.2 The DISM tool

Now we need to open the DISM tool we downloaded earlier and select the WIM file from the USB stick to start slipstreaming.

Please note: If you don’t see the install.wim file in that folder, you will need to convert the install.esd to install.wim first.

Convert an ESD File to a WIM File for Driver Updates in Your Windows… (intel.com)

Once you have selected the proper WIM file, we need to make sure we are selecting the right Windows 10 version to inject the KB into. We can simply do this by clicking on “Display WIM info”.

In the example below, I want to target the Windows 10 Pro build, so I need to select index 6.


So please make sure that you select the right index before we mount the WIM file. To do so, change the Index setting to match the index you got from the WIM info.

Now that we are sure we have selected the WIM file we want to adjust, we also need to select the temporary WIM folder. So please select the Mounted-Wim folder I showed you in the first steps.

Now click on “Mount WIM” and get yourself a cup of coffee.


After a while, you can switch the tab to “Package Management” to start the injection.


To do so, we need to select the KB folder we have created in the first steps (duhhhh)


Now click on packages…. And again you will need to have some patience


After the package is successfully added, the only thing left to do is to click on “Dismount WIM”.


And make sure we are committing the changes
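
The same steps with the DISM PowerShell cmdlets built into Windows instead of the GUI, as an added example that is not part of the original blog. The drive letter, folder paths and edition name are assumptions; the script also checks the Authenticode signature of the .msu before injecting it and discards the mount if anything fails.

```powershell
#Requires -RunAsAdministrator
# Added example: paths and the edition name are assumptions, adjust to your media.
$wim     = 'E:\sources\install.wim'   # assumed drive letter of the USB stick
$kbDir   = 'C:\21H2Updates'           # folder holding the downloaded KB5007253 .msu
$mount   = 'C:\Mounted-Wim'           # empty folder used as the mount point
$edition = 'Windows 10 Pro'           # edition to patch (index 6 on the media shown above)

# 1. Confirm the update file carries a valid Microsoft signature before injecting it.
$msu = Get-ChildItem -Path $kbDir -Filter '*kb5007253*.msu' | Select-Object -First 1
if (-not $msu) { throw "No KB5007253 .msu found in $kbDir" }
$sig = Get-AuthenticodeSignature -FilePath $msu.FullName
if ($sig.Status -ne 'Valid' -or
    $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Signature check failed for $($msu.Name): $($sig.Status)"
}

# 2. "Display WIM info": resolve the index by edition name instead of hardcoding it,
#    because the index differs between installation media.
$image = Get-WindowsImage -ImagePath $wim | Where-Object ImageName -eq $edition
if (-not $image) { throw "Edition '$edition' not found in $wim" }

# 3. "Mount WIM", add the package, then "Dismount WIM" and commit the changes.
Mount-WindowsImage -ImagePath $wim -Index $image.ImageIndex -Path $mount | Out-Null
try {
    Add-WindowsPackage -Path $mount -PackagePath $msu.FullName | Out-Null

    # List the cumulative-update packages now present in the offline image.
    Get-WindowsPackage -Path $mount |
        Where-Object PackageName -like '*RollupFix*' |
        Select-Object PackageName, PackageState

    Dismount-WindowsImage -Path $mount -Save | Out-Null
}
catch {
    # Leave the original install.wim untouched if anything failed.
    Dismount-WindowsImage -Path $mount -Discard | Out-Null
    throw
}
```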

Now let’s fire up your Intel Tiger Lake device and start installing the device. After the default installation, we are going to first make sure we have the right build. So press Shift + F10 to get a nice cmd and type: winver


As shown above, we get even a little bit newer build than I was expecting! Now we have 19044.1387 build!

Now let’s go further and start enrolling your device. When you want to test it without enrolling the device, we could just enter this wonderful command

certreq -enrollaik -config ""

It will start the AIK Enrollment process, and that process was totally broken before!

Now we all know what we need to do, let’s go start slipstreaming that update!

I hope that these blogs showed you everything you need to solve the TPM issues! Go check out the other blogs in the TPM attestation series.

Attestation and Compliance Series – Call4Cloud
