Framework 13 Ryzen - Intune Compliance Issue (Pluton?)

Hi everyone,

I was first in line for a Framework 13 Ryzen machine and I tried Azure Active Directory Joining it but ran into some issues with it showing as non-compliant (attached). I know when the 6000-series AMD chips came out my company had issues and had to disable Pluton but there doesn’t appear to be an option to do that in the Framework BIOS.

Does anyone know if there are Pluton-specific policies that need to be pushed to allow those devices to join correctly? This is a “personal” machine that I want to use for work and I am able to talk with IT to update policies if necessary. From what I can tell, Microsoft hasn’t done a great job of documenting Pluton even though it’s been on the market for 18 months.

I am in the exact same position. Anyone with any ideas?

I found this article that I feel documents the issue but I am unsure if there are any changes that can be made to help.

@Twistgibber It seems like other manufacturers are getting around this by letting Pluton be disabled in BIOS (and falling back to other TPM methodologies). I imagine this problem is only going to grow as Framework Ryzen machines get into the wild. Is there any ETA or roadmap for making this happen?

We’re currently investigating this. If folks could write into support (referencing this thread) with additional logging around this, that would be helpful for our debugging:

  • Creating a directory, opening a command prompt as administrator and navigating to the directory, and running:
  • tpmtool GATHERLOGS .

Case logged with a download link for the files as requested…

The error “The Device Health Certificate could not be provisioned from HTTP status code 400: <?xml version="1.0" encoding="utf-8"?>” appears repeatedly.

Also sent in my logs!

Thanks for the Logs.
I am looking for an easy way to replicate this issue without having to set up an Intune / AAD environment to debug what is going on.

I tried running a few different commands to see if I can spot where any issues are.
MdmDiagnosticsTool.exe -area Tpm;DeviceProvisioning -cab
Shows the certificates on device, and a test sign which looked successful.

I did see a mention from one blog that if an intermediate CA is not trusted it may cause an error like this, but it sounds like I need to trigger an attestation check to duplicate this error.
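To make the log collection described in the two posts above repeatable, here is an added PowerShell script (not from this thread, Framework support, or Microsoft) that captures the TPM state, runs the tpmtool and MdmDiagnosticsTool collections named above, and scans the local MDM diagnostics event log for the “Device Health Certificate could not be provisioned” message quoted earlier. The output directory name is an assumption; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): gather the TPM and MDM diagnostics requested above
# and look for the attestation error quoted in the thread. Run from an elevated PowerShell
# prompt; $OutDir is an assumed location and can be changed.
$ErrorActionPreference = 'Continue'
$OutDir = Join-Path $env:USERPROFILE 'tpm-intune-diag'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. TPM state as Windows sees it (present/ready, manufacturer, firmware version).
#    A TPM that is present but not "ready" cannot complete attestation.
$tpm = Get-Tpm
$tpm | Format-List | Out-File (Join-Path $OutDir 'get-tpm.txt')

# 2. Endorsement key / certificate information; Device Health Attestation needs a
#    usable EK. This can fail on some firmware TPMs, so record the error instead of aborting.
try {
    Get-TpmEndorsementKeyInfo | Format-List | Out-File (Join-Path $OutDir 'ek-info.txt')
} catch {
    "Get-TpmEndorsementKeyInfo failed: $($_.Exception.Message)" |
        Out-File (Join-Path $OutDir 'ek-info.txt')
}

# 3. The two collections named in the thread. Note the quotes around the -area value:
#    ';' is a statement separator in PowerShell, unlike in cmd.exe.
tpmtool getdeviceinformation | Out-File (Join-Path $OutDir 'tpmtool-deviceinfo.txt')
tpmtool gatherlogs $OutDir
MdmDiagnosticsTool.exe -area 'Tpm;DeviceProvisioning' -cab (Join-Path $OutDir 'mdm-diag.cab')

# 4. Scan the MDM diagnostics event log for the Device Health Attestation failure
#    quoted in the thread, so its timestamps can be matched against the Intune sync.
$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$hits = Get-WinEvent -LogName $logName -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Device Health Certificate' }
$hits | Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Out-File (Join-Path $OutDir 'dha-events.txt')

# 5. Short summary on the console; the files in $OutDir are what to attach to the support case.
[pscustomobject]@{
    TpmPresent      = $tpm.TpmPresent
    TpmReady        = $tpm.TpmReady
    Manufacturer    = $tpm.ManufacturerIdTxt
    FirmwareVersion = $tpm.ManufacturerVersion
    DhaErrorEvents  = @($hits).Count
    OutputDirectory = $OutDir
} | Format-List
```

The Manufacturer field identifies which TPM implementation Windows is actually using, which is the first thing to compare between a machine that enrolls cleanly and one that reports non-compliant.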

I am not sure how you can TBH. If it helps you can reach out to me and I can try differing things in our AAD/Intune environment as I have access to it.

Hi @Kieran_Levin, do you have any updates on this topic?

Hi, we’re running into the same problem with the device we just added to our AAD & Intune. As a workaround we excluded the device from the policies, but do appreciate a solution. Is there any update?

Thanks, Tobias