Mike Niehaus has a great blog post on how TPM attestation works with Autopilot, and it highlights that certain firmware TPMs (Intel PTT in the case below) need to fetch their EK certificates from a web server before the device can enrol successfully.
But once you have diagnosed that you are missing the cert (I have found the issue on the Lenovo Yoga 260, Yoga 460s and X1 Carbons), how do you fix it?
First, confirm that you really are missing the EK cert. From an admin command prompt run certutil -tpminfo (the same certutil query used later to confirm the fix):
A machine missing the certs will list "No Manufacturer Endorsement Key Certificates" and/or "No Other Endorsement Key Certificates".
Autopilot will try to fix the issue by kicking off the TPM maintenance task under Task Scheduler Library > Microsoft > Windows > TPM, but on an affected machine this task will most likely get stuck in the Running state.
The root cause is that a couple of files and a service that ship as part of the Intel Management Engine Interface package are missing.
Specifically, the files live under "C:\Program Files\Intel\Intel(R) Management Engine Components\ICLs" and are called IntelPTTEKRecertification.exe and TPMProvisioningService.exe; install the Intel Management Engine Components package from the OEM to get them.
Once installed, make sure the machine has an internet connection (run start ms-availablenetworks: to bring up the network picker), then reboot so the provisioning service can grab the EK certs. Afterwards certutil -tpminfo will show the new certs.
Autopilot should now finish the "Securing your hardware" step within a few seconds of starting.
I have found the new cert changes the hardware hash of the device, so the device then needed to be deleted out of Azure AD before it would pass the next step, "Registering your device for mobile management".
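The checks above, gathered into one script, as an added example that is not part of the original post. It only uses what the post describes: the certutil -tpminfo output strings, the two file names under the ICLs folder, the TPM maintenance scheduled task, and the hardware hash (read here from the MDM_DevDetail_Ext01 WMI class, which is what the Get-WindowsAutopilotInfo script exports; the SHA-256 digest of it is my own convenience for a before/after comparison). The provisioning service is matched by its executable path rather than by an assumed service name, and the scheduled task by a wildcard rather than an assumed exact name.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Inventory the Intel PTT EK-certificate state
# described above so you can confirm the diagnosis, then re-run after the reboot to confirm the fix.

function Test-EkCertsMissing {
    # certutil -tpminfo prints these two strings on an affected machine (per the post)
    $out = certutil -tpminfo 2>&1 | Out-String
    [pscustomobject]@{
        MissingManufacturerEk = [bool]($out -match 'No Manufacturer Endorsement Key Certificates')
        MissingOtherEk        = [bool]($out -match 'No Other Endorsement Key Certificates')
        RawOutput             = $out
    }
}

function Get-IntelPttComponents {
    # Path and file names as given in the post
    $iclDir = 'C:\Program Files\Intel\Intel(R) Management Engine Components\ICLs'
    foreach ($f in 'IntelPTTEKRecertification.exe', 'TPMProvisioningService.exe') {
        [pscustomobject]@{ Component = $f; Present = Test-Path (Join-Path $iclDir $f); State = $null }
    }
    # Match the service by executable so no service name is assumed
    $svc = Get-CimInstance Win32_Service | Where-Object { $_.PathName -like '*TPMProvisioningService.exe*' }
    [pscustomobject]@{ Component = 'TPMProvisioningService (service)'; Present = [bool]$svc; State = $svc.State }
}

function Get-TpmMaintenanceTaskState {
    # The post says this task gets stuck in "Running"; wildcard avoids assuming the exact task name
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\TPM\' -TaskName '*Maintenance*' -ErrorAction SilentlyContinue |
        Select-Object TaskName, State
}

function Get-AutopilotHardwareHashDigest {
    # DeviceHardwareData is the Autopilot hardware hash; hashing it keeps the comparison short
    $dev = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext01' `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $dev) { return $null }
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($dev.DeviceHardwareData)
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    try   { ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $sha.Dispose() }
}

# --- usage: run once before the fix, save the digest, run again after the reboot ---
$ek = Test-EkCertsMissing
Write-Host "EK certs missing: manufacturer=$($ek.MissingManufacturerEk) other=$($ek.MissingOtherEk)"
Get-IntelPttComponents | Format-Table -AutoSize
Get-TpmMaintenanceTaskState | Format-Table -AutoSize
$digest = Get-AutopilotHardwareHashDigest
Write-Host "Hardware hash SHA-256: $digest"
$digest | Set-Content -Path "$env:TEMP\hwhash-$(Get-Date -Format yyyyMMdd-HHmmss).txt"

if ($ek.MissingManufacturerEk -or $ek.MissingOtherEk) {
    Write-Warning 'EK certs missing. Install the Intel ME components, then (with a network connection) reboot:'
    Write-Host '  Start-Process "ms-availablenetworks:"   # pick a network'
    Write-Host '  Restart-Computer                         # provisioning service fetches the certs on boot'
}
```

Run it twice and diff the two saved digest files: if the hash changed once the certs arrived, that is the signal that the device's existing Azure AD / Autopilot registration will no longer match and needs to be deleted and re-imported, as described above.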