Windows Autopilot

Interpreting the Windows Autopilot profile

You’re probably used to looking at Windows Autopilot profiles in Intune.  But most of the time, I’m looking at one from the CAB file that is created by the MDMDiagnosticsTool.  As I noted in my previous log, these CAB files contain several files, including the AutopilotDDSZTDFile.json that contains all the Autopilot profile settings.  But those do require some interpretation, especially to decode the CloudAssignedobeConfig values.  To help with that, I published a new script on the PowerShell Gallery:

It’s a fairly simple script, but it is still useful to see what Windows Autopilot is using to provision the device.  Here are a few examples, first from a User-Driven Azure AD join profile:


See how the OOBE config value (28) breaks down to three separate bits (skipping EULA, skipping OEM screens, and skipping other OOBE express settings).  Next, here’s a Hybrid Azure AD Join profile:


Pretty much the same, except for a different join method.  And lastly, here’s a self-deploying mode profile:


There are a number of different flags set on that one (which is the only way you can tell the profile apart from a user-driven AAD join profile).

If you want to just check the meaning of a particular OOBE flag value, you can do that too:



Categories: Windows Autopilot

5 replies »

  1. Very interesting! What caught my attention in the samples are the “Enable patch download” and the “Autopilot update”-flags. Can you explain these in more detail, as I’m not aware what these flags are doing nor where they come from. Or I must have missed something completely….


    • The “Enable patch download” setting will be set automatically at some point (hopefully soon) to prevent OOBE from saying “there’s a new feature update available, would you like to install it.” (You might think that sounds useful, but it’s not – it just kicks off the download and install via WU after the user signs in, which won’t work if the user doesn’t have admin rights, and IT admins don’t like that either.) The “Autopilot update” flag is new, related to the ability we introduced in Windows 10 1903 (not exercised yet) to automatically update the Autopilot code.

      Liked by 1 person

  2. Thanks for the minute details Mike, got a question for you (not quite relevant to this blog though). Is there a way we can defer/exclude uninstall assignments from OOBE/Enrollment Status page. We are currently uninstalling a number of Store apps (considered bloatware) via Intune>Uninstall assignments targeted to user. However noticed in the logs that during ESP the store apps get called and the OOBE fails logging ‘Microsoft-Windows-AppXDeployment-Server cannot be found’ . ESP is already configured to install selected apps (foundation apps) and block certain others (Including the UWP apps) Is there another way to handling the removal, just not during OOBE. This is on a Windows 10 1809.