Framework 13 Ryzen - Intune Compliance Issue (Pluton?)

Hi everyone,

I was first in line for a Framework 13 Ryzen machine and I tried Azure Active Directory Joining it but ran into some issues with it showing as non-compliant (attached). I know when the 6000-series AMD chips came out my company had issues and had to disable Pluton but there doesn’t appear to be an option to do that in the Framework BIOS.

Does anyone know if there are Pluton-specific policies that need to be pushed to allow those devices to join correctly? This is a “personal” machine that I want to use for work and I am able to talk with IT to update policies if necessary. From what I can tell, Microsoft hasn’t done a great job of documenting Pluton even though it’s been on the market for 18 months.


I am in the exact same position. Anyone with any ideas?

I found this article that I feel documents the issue but I am unsure if there are any changes that can be made to help.

@Twistgibber It seems like other manufacturers are getting around this by letting Pluton be disabled in BIOS (and falling back to other TPM methodologies). I imagine this problem is only going to grow as Framework Ryzen machines get into the wild. Is there any ETA or roadmap for making this happen?

We’re currently investigating this. If folks could write in to support (referencing this thread) with additional logging around this, that would be helpful for our debugging:

  • Creating a directory, opening a command prompt as administrator, navigating to the directory, and running: tpmtool GATHERLOGS .

Case logged with a download link for the files as requested…

The error “The Device Health Certificate could not be provisioned from has.spserv.microsoft.com. HTTP status code 400: <?xml version="1.0" encoding="utf-8"?>” appears repeatedly.

Also sent in my logs!

Thanks for the Logs.
I am looking for an easy way to replicate this issue without having to set up an Intune/AAD environment to debug what is going on.

I tried running a few different commands to see if I can spot where any issues are.
MdmDiagnosticsTool.exe -area Tpm;DeviceProvisioning -cab tpmlogs.cab
Shows the certificates on device, and a test sign which looked successful.

I did see a mention from one blog that if an intermediate CA is not trusted it may cause an error like this, but it sounds like I need to trigger an attestation check to duplicate this error.

I am not sure how you can TBH. If it helps you can reach out to me and I can try differing things in our AAD/Intune environment as I have access to it.

Hi @Kieran_Levin, do you have any updates on this topic?

Hi, we’re running into the same problem with the device we just added to our AAD & Intune. As a workaround we excluded the device from the policies, but do appreciate a solution. Is there any update?

Thanks, Tobias

@Kieran_Levin any update? Would really like to know if I’ll be able to use the laptop for its intended purpose soon (BYOD at work) or if I need to try and sell it and get something that is compatible with one of the largest/most popular device management tools…

Hi Everyone,
Update on this: we have been able to reproduce this on our system with AMD and the reference design, so we have escalated this with Microsoft.

There are two TPMs that can be used, the Pluton TPM and an AMD PSP firmware TPM. The issue only reproduces on the Pluton TPM which is what we have enabled.

Switching from the Pluton TPM to the PSP firmware TPM is not something we want to enable at the moment, as it cannot be done seamlessly during the BIOS update process. We are going to track this with Microsoft.

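The post above describes two things a practitioner would want to capture together: the logs Framework support asked for earlier in the thread (tpmtool GATHERLOGS and the MdmDiagnosticsTool run with the Tpm and DeviceProvisioning areas), and which of the two TPM implementations (Pluton or the AMD PSP firmware TPM) Windows is actually using. The script below is an added example, not code from the thread or from Framework. It assumes, without confirmation from the thread, that the Pluton TPM reports the manufacturer ID "MSFT" and the AMD firmware TPM reports "AMD ", and that the Device Health Attestation provisioning failures quoted earlier land in the DeviceManagement-Enterprise-Diagnostics-Provider Admin event log. It also dumps the endorsement key certificate chain, which is what you would look at when checking the untrusted-intermediate-CA theory mentioned above. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread or Framework): gather the TPM and MDM
# evidence requested in the thread into one directory, record which TPM
# implementation is active, and extract the DHA provisioning errors.
# Assumptions (not confirmed by the thread): manufacturer ID "MSFT" means
# Pluton and "AMD " means the PSP firmware TPM; DHA failures are logged to the
# DeviceManagement-Enterprise-Diagnostics-Provider/Admin event log.
#Requires -RunAsAdministrator

param(
    [string]$OutDir = (Join-Path $env:USERPROFILE ("tpm-intune-logs-" + (Get-Date -Format 'yyyyMMdd-HHmmss')))
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Identify the active TPM. The manufacturer ID is the cheapest way to tell
#    Pluton apart from the AMD PSP firmware TPM (mapping is an assumption).
$tpm = Get-Tpm
$impl = switch -Wildcard ($tpm.ManufacturerIdTxt) {
    'MSFT*' { 'Microsoft Pluton (assumed from manufacturer ID)' }
    'AMD*'  { 'AMD PSP firmware TPM (assumed from manufacturer ID)' }
    default { 'Unknown' }
}
[ordered]@{
    TpmPresent           = $tpm.TpmPresent
    TpmReady             = $tpm.TpmReady
    ManufacturerIdTxt    = $tpm.ManufacturerIdTxt
    ManufacturerVersion  = $tpm.ManufacturerVersion
    LikelyImplementation = $impl
} | ConvertTo-Json | Set-Content (Join-Path $OutDir 'tpm-summary.json')

# 2. Endorsement key certificate chain: subject/issuer pairs are what you need
#    when checking whether an intermediate CA in the chain is untrusted.
$ek = Get-TpmEndorsementKeyInfo -HashAlgorithm Sha256
@($ek.ManufacturerCertificates) + @($ek.AdditionalCertificates) |
    Where-Object { $_ } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint |
    Export-Csv (Join-Path $OutDir 'ek-cert-chain.csv') -NoTypeInformation

# 3. The logs Framework support asked for. The area list is quoted because
#    ';' is a statement separator in PowerShell.
Push-Location $OutDir
try {
    tpmtool GATHERLOGS .
    MdmDiagnosticsTool.exe -area 'Tpm;DeviceProvisioning' -cab (Join-Path $OutDir 'mdm-diag.cab')
} finally {
    Pop-Location
}

# 4. Pull the Device Health Attestation provisioning failures out of the event
#    log so the attestation host and HTTP status end up in one CSV.
$dhaEvents = @(
    Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Device Health Certificate|has\.spserv\.microsoft\.com' }
)
$dhaEvents |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Export-Csv (Join-Path $OutDir 'dha-events.csv') -NoTypeInformation

"Active TPM: $impl"
"Collected $($dhaEvents.Count) DHA-related events; output in $OutDir"
```

The output directory is what you would attach to a support case: tpm-summary.json answers the Pluton-or-PSP question up front, ek-cert-chain.csv makes the CA chain reviewable without opening the TPM logs, and dha-events.csv isolates the HTTP 400 from has.spserv.microsoft.com that several posters saw.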

Thanks for the update @Kieran_Levin, love the machine and hope to be able to use it soon for the 10+ hours a day that I need a work machine 🙂

Could you post your Windows version?
E.g. from Intune → Device → Hardware.
We did some more experimenting and want to double check you are running the latest version of Windows.


We are still debugging this with AMD/MSFT. However, I ran into an issue that you might be able to help me with.

I was previously using a trial of Intune+Entra P2. But our trial expired. I migrated to Office 365 Business pro license which also includes Intune+Entra P1. From what I can find regarding licensing, this should have the same features we need to test.

However now I get a new error, that I was not seeing before: Do any of you think this could be related to licensing?

Hi @Kieran_Levin, that's not related to the license.
That's one of the issues we are facing here in the topic.

Same errors in Intune in my environment (E5 license).


@Kieran_Levin - I also have the same issue and just sent in my logfiles via ticket named “Submission from Service Request Form: Cannot get FW13 Compliant in InTune - known Pluto issue?”

I am happy to support, please DM me any time.

(Also happy to provide you guys a fully licensed E5 testuser if that helps).

Andreas

So I just had a call with an Intune Support Engineer. He will analyse further but shared the following with me:

The more I think about it, the more critical it gets.

Basically, like it is now, this chipset cannot be used for Business use if Intune should be used - this is something which Framework should clearly put on their website until the issue is fixed.

Also, I would kindly ask the Framework team to come up with a timeline if/when this is going to be fixed. We have several devices we would like to order but obviously won’t until we know this is fixed. If it cannot be fixed without replacing the hardware, this is a different discussion but knowing would help, because customers then either decide to go Intel or buy a different platform.

Andreas