Not Another TPM 0x81039023 error

This blog will show you how to deal with the 0x81039023 error you could get when enrolling Windows 11 SE devices with Autopilot for pre-provisioning deployments.

I will divide this blog into multiple parts.

  1. The 0x81039023 TPM error
  2. The Workaround

1. The 0x81039023 Error

When you are trying to enroll your Windows 11 SE (built for education) devices with Autopilot for pre-provisioning deployments, you could stumble upon the 0x81039023 TPM attestation error.

Of course, this is not to be confused with the 0x81039024 TPM error, even though it looks almost the same! In the past, I wrote a lot about TPM attestation errors and how you could start troubleshooting them. It’s worth reading!

2. The Workaround

Normally, I would recommend making sure you are using the latest Windows build when you want to make use of the Autopilot for pre-provisioning deployment option, but this time it’s not the solution. It almost sounds like the ongoing AMD TPM issue, right?

To make sure people can still enroll their devices with Autopilot, we need to switch to user-driven Autopilot and change some other settings.

2.1 Autopilot Profile

First, let’s convert our existing Windows Autopilot profile to a user-driven one.

2.2 ESP Page

Now that we have removed the ability to perform pre-provisioning on the device, we also need to change the Enrollment Status Page (ESP). As shown below, please make sure you change the option “allow users to reset device if installation error occurs” to yes!

When you have configured this option, as shown above, the end user can reset the device on their own without needing to call in an IT guy/woman to reinstall the whole device.

2.3 The Lingering Intune Object

When moving over to user-driven Autopilot, it’s always best practice to delete the Intune object first before retrying the Autopilot enrollment. Please make sure you remove this object from the endpoint.manager.com portal instead of the education portal, as you don’t want to also remove the Azure object while doing so!

If you want to read more about “why” you need to remove the object, please read my blog below.

Autopilot and disabling “set up local account” prompt (call4cloud.nl)
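
The same cleanup can be scripted instead of clicked through. The script below is an added example, not part of the original post: it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.DeviceManagement module) is installed, and the serial number and the -Delete switch are placeholders/hypothetical names chosen here. It only touches the Intune object and calls no directory cmdlet, so the Azure object is not deleted by it.

```powershell
# Added example: find the lingering Intune object by serial number and remove
# only that record. Requires the Microsoft.Graph.DeviceManagement module.
param(
    # Constructed placeholder; pass the real serial of the device being re-enrolled.
    [string]$SerialNumber = 'PLACEHOLDER-SERIAL',
    # Hypothetical switch for this script: without it nothing is deleted.
    [switch]$Delete
)

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.ReadWrite.All'

# Escape single quotes so the serial cannot break out of the OData filter string.
$safeSerial = $SerialNumber.Replace("'", "''")
$devices = @(Get-MgDeviceManagementManagedDevice -Filter "serialNumber eq '$safeSerial'")

if ($devices.Count -eq 0) {
    Write-Warning "No Intune object found for serial $SerialNumber."
    return
}

if ($devices.Count -gt 1) {
    # Repeated enrollment attempts can leave duplicates; do not guess which one to drop.
    $devices | Select-Object Id, DeviceName, EnrolledDateTime, AzureAdDeviceId | Format-Table
    Write-Warning 'More than one Intune object matches; review and remove them one by one.'
    return
}

$device = $devices[0]
$device | Select-Object Id, DeviceName, SerialNumber, EnrolledDateTime, AzureAdDeviceId |
    Format-List

if ($Delete) {
    # Deletes the Intune managed-device record only. AzureAdDeviceId is shown above so
    # you can confirm afterwards that the Azure object is still present.
    Remove-MgDeviceManagementManagedDevice -ManagedDeviceId $device.Id -Confirm
} else {
    Write-Host 'Dry run: rerun with -Delete to remove this Intune object.'
}
```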

Conclusion:

Changing the Autopilot profile to a user-driven one is not exactly a fix but more like a workaround for now. Hopefully, MS will fix this issue in a future release!
