Windows Autopilot

Trying out Windows Autopilot with Windows 10 1903? Install the latest update.

As you kick the tires on Windows Autopilot scenarios (whether new scenarios like white glove or existing ones), make sure you’ve installed a recent cumulative update and aren’t using just the original unpatched Windows 10 1903 media.  These updates do fix known issues, and will reduce your overall frustration when trying things out.

Today’s update, KB4505903, which can be downloaded from the Windows Update catalog, includes two new Windows Autopilot fixes, on top of three other related fixes that were included in previous updates.  The list of issues we’ve addressed:

  • Windows Autopilot white glove does not work for non-English OSes.  (If you’ve seen a red screen from Windows Autopilot that says “Success” and you were using a non-English OS, you now know why.)
  • Windows Autopilot reports an AUTOPILOTUPDATE error during OOBE after sysprep, reset or other variations.  (This typically would happen if you reset the OS or used a custom sysprepped image.)
  • BitLocker encryption is not correctly configured via Windows Autopilot scenarios.  (BitLocker didn’t get an expected notification after policies were applied to begin encryption.)
  • Unable to install UWP apps from the Microsoft Store (online apps), causing failures during Windows Autopilot.  (If you are deploying Company Portal as a blocking app during Windows Autopilot ESP, you’ve probably seen this one.)
  • User is not granted administrator rights after Windows Autopilot user-driven Hybrid Azure AD join scenario.  (Another non-English issue.)

So, download the update, inject it into the image that you are using, and use that for your evaluation.

Categories: Windows Autopilot

14 replies »

  1. Hi Michael, Does windows Autopilot white glove support win32 app deployments. I am facing issue during device Provisioning. Same win 32 application i was able to deploy via windows autopilot user driven azure ad join scenario. Any help.

    Like

  2. Is it possible for Office 365 to be deployed during the technician portion of White Glove as the App Type “Office 365 ProPlus Suite (Windows 10)” as opposed to a Win32 or LOB app? I have it set to be targeted to the device and required for all Autopilot devices. When I run through autopilot, it quickly skips past the app portion and then lets me reseal without installing anything. After the user logs in, the app does eventually install but our hope is to have install prior to user set up. See https://techcommunity.microsoft.com/t5/Microsoft-Intune/Intune-White-Glove-and-Office-365-Deployment/td-p/700145

    Like

    • We’re working on that. In Hybrid Azure AD Join white glove scenarios, policies aren’t being delivered when expected, during the device ESP (technician phase). We hope to have a fix in place for that within the next two weeks.

      Like

      • We are seeing the same but for application deployment. Applications target to device are not installed during white glove. So when we hit reseal no applications are installed and are being installed when user enroll the device. Is this a known bug? Alzo fixed in 2 weeks?

        Like

  3. Hi Michael, thanks for this post, it however still looks like that the patch of the 26th July doesn’t resolve the sysprep issue. After the sysprep the autopilot profile is still removed and therefore autopilot for existing devices has stopped working for us. Is this something which is still under investigation and are there any timelines in which we can expect an update?

    Like

  4. We are trying to get WhiteGlove working on HP ProBook 430 G6 laptops, strange thing is the ProBook 430 G5 works like a charm. Installed all the latest Firmware updates on the devices. Do you have some advice how to properly troubleshoot the issue? We have opened a case with support.

    Like

    • Well, without any more details on what happened, it’s hard to guess. But my general troubleshooting guidance is to collect logs (“mdmdiagnosticstool.exe -area Autopilot;TPM -cab c:\autopilot.cab”) and go through the event logs included in it to see what errors were logged. The TPM-related files are also interesting.

      Like

      • A few errors are seen in the various logs:
        – AutopilotWhiteGlove Failure: 0x801c0003
        – {“Code”:”AuthorizationError”,”Subcode”:”MsaTicketTpmValidationFailed”,”Message”:”Failed to register pre-created device”,”TraceId”:”5934e087-0381-4c21-a87b-dd6a2d08cda4″,”Time”:”08-05-2019 10:28:11Z”}
        – AutopilotManager failed during device enrollment phase AADEnroll. HRESULT = 0x801C0003

        TPM related
        – AutopilotManager enabled TPM requirement due to WhiteGlove policy value 2

        2019-08-05T10:52:47
        TpmHLI GetVersion result: 0x00000000
        TpmHLI Version: 2.0
        Manufacturer: Infineon
        Uefi Is Present: Yes
        TpmHLI IsReady result: 0x00000000
        Ready: False
        Bits: 0x0000000000000002
        -NoValidEkCert: No valid EK cert found

        AutopilotManager reported that MSA TPM is not configured for hardware TPM attestation even though the profile indicates it is required. Autopilot cannot proceed.

        Like

    • That’s certainly a new enough model. Can you e-mail me (mniehaus@microsoft.com) a set of logs (zipped) gathered with “mdmdiagnosticstool.exe -area Autopilot;TPM -cab c:\autopilot.cab” after the failure?

      Like

Leave a Reply to Sandeep Sanju Cancel reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s