Introduction

This post is a straightforward troubleshooting guide for issues with Windows Autopilot or Device Preparation in Intune. Everything on Intune:

Endpoint Management with Microsoft Intune

At a glance: Common issues and error codes

  • Internet connectivity and firewall/proxy restrictions - first of all, make sure the device has an Internet connection and that all the required network endpoints are reachable.
  • Intune/Entra ID device restrictions - platform restrictions are configured, device count limits may be exceeded, or a deployment profile or enrollment status page (ESP) may be configured incorrectly or not assigned.
  • Intune license - make sure the user who sets up the device/signs in during the out-of-box experience (OOBE) has an appropriate Intune license assigned.
  • Hardware: TPM version - Windows 11 requires TPM 2.0. Self-deploying devices in particular also require TPM attestation, which is never possible on a VM.
  • Application installation issues - some applications may not install during OOBE, usually because the application needs some type of user input or too many applications are targeted for installation during the enrollment process. I recommend a maximum of 5 applications for a smooth deployment. You can also remove apps from the provisioning process to identify potential issues (try removing Company Portal from the provisioning required apps 😉).
⚠️
If you are approaching Autopilot with Hybrid Join, this is very likely to fail. Microsoft's recommendation is to use Entra ID Join only. Official statement

For Windows Autopilot you may encounter these error codes:

Error code | Reason | What to do
801C0003 | User reaches the device limit | Check Intune configuration for enrollment device limit restrictions
80180018 | No Intune license assigned to the user | Assign an Intune license to the user
0x800705B4 | TPM version issues | Verify and update TPM
0x801c03ea | TPM attestation failed | Verify and update TPM
0xc1036501 | The device can't do an automatic MDM enrollment because there are multiple MDM configurations in Entra ID | Target one single MDM configuration (check Intune configuration)
0x81039023 | Pre-provisioning technician flow or self-deployment mode failed due to TPM attestation | Verify and update TPM
0x81039024 | Known vulnerabilities detected with the TPM | Update TPM firmware
0x80180014 | Trying to redeploy a pre-provisioned or self-deployment device | Delete the device record in Intune, and then redeploy the profile
0x801C03F3 | Device is not present in Entra ID | Try to re-enroll the device
0x80070002 | Hybrid Entra ID Join (HEIDJ) only - device is already joined to Active Directory | Verify the hybrid components
0x801c0003 | Entra ID Join failure | Check EID device configuration and retry
0x80180018 | MDM enrollment failure | Check Intune configurations and retry

Troubleshooting in Intune portal/service

This section gives an overview of Intune/Entra ID portal settings that are commonly misconfigured. For each one you will find a short description, the likely (impacting) settings, the navigation path or link where to find it, and a sample image.

Entra ID

MDM & MAM scope

The MDM and MAM scope defines the set of users that are eligible to use Microsoft Intune for device management through Entra ID. Verify if the corresponding user is part of the MDM user scope selected group or switch it to all.

Devices>Enroll devices>Automatic Enrollment

Device join

It is key that the setting Users may join devices to Entra ID is enabled for the Autopilot users. You should also check the Maximum number of devices per user if a non-Intune/device administrator sets up the device and joins it to Entra ID.

Entra ID>Devices

Intune

Enrollment device limit restrictions

There may be a device limit restriction applied to a non-Intune/device administrator.

Devices>Enroll devices>Enrollment device limit restrictions (at the side)

Enrollment device platform restrictions

Check the platform restriction and the blocked manufacturers.

Devices>Enroll devices>Enrollment device platform restrictions (at the side)

🗒️
While you can have both Autopilot (v1) and Autopilot Device Preparation profiles side by side in your tenant, a device can only use one method at a time. Choose the one that fits your use case:

- Autopilot v1 = Deployment profile + ESP (assigned to the device)
- Autopilot Device Preparation = Device Preparation profile (assigned to the user)

My recommendation is to use the new Autopilot Device Preparation method.

Device Preparation profile

Make sure you don't encounter issues when saving the Device Preparation profile. The portal automatically detects potential misconfigurations of the device group. The group you specify there must have the following owner defined:
Intune Autopilot ConfidentialClient (if that one is not present, wait a few minutes and add Intune Provisioning Client instead).


Deployment profile

Make sure the deployment profile uses the right deployment mode and has all settings configured as desired (most can be left at their defaults). Make sure it is assigned to the right group, of which your device hash or user is a member.

Devices>Enroll devices>Deployment profile

Enrollment status page (ESP)

The ESP can be skipped completely (Show app and profile configuration progress off) or configured. Usually it is the setting Block device use until required apps are installed, with apps assigned to the user/device, that causes problems during Autopilot; specify fewer than 5 apps there. Make sure the ESP is assigned to the right group, of which your device hash or user is a member.

Devices>Enroll devices>Enrollment status page


Monitor Autopilot deployments

In Intune, navigate to Devices>Monitor.

Here you can find reports for both Autopilot and Device Preparation:
Each enrollment is listed here with near real-time reporting data. Device Preparation in particular includes improved reporting with the status of the enrollment phase, app installation and reasons for failure.


Troubleshooting on the device

How to open a command prompt in OOBE

Press Shift + (Fn) + F10 to open a command prompt (cmd).

Enter "powershell" in cmd to switch to a PowerShell session.

These short commands can be typed into the command prompt to open a Windows built-in system application:

  • explorer - File Explorer
  • eventvwr - Event Viewer
  • control - Control Panel
  • devmgmt - Device Manager
  • taskmgr - Task Manager

Press Win + R and type "ms-settings:" to open the Windows Settings app.

MDMDiagnosticsTool

MDMDiagnosticsTool.exe is your full reporting tool to collect all the logs you need. Execute it with:

mdmdiagnosticstool.exe -out c:\IntuneLogs

Eventviewer

For more detailed troubleshooting, I recommend having a look at the Event Viewer channels that relate to Windows provisioning. These are the most relevant ones:

Applications and Services Logs > Microsoft > Windows

  1. Devicemanagement-Enterprise-Diagnostics-Provider
  2. Moderndeployment-Diagnostics-Provider
  3. Provisioning-Diagnostics-Provider
  4. Aad-Operational
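The three device-side steps above (OOBE PowerShell session, MDMDiagnosticsTool, Event Viewer channels) combined into one collection script. This is an added example, not a script from the original post; it assumes the output folder C:\IntuneLogs from the command above and the channel names that correspond to the four providers listed. Run it from the PowerShell session opened with Shift + F10 during OOBE.

```powershell
# Added example (not from the original post). Collect TPM state, join state,
# provisioning event logs and MDM diagnostics into one folder during OOBE.
$out = "C:\IntuneLogs"   # assumption: same folder as the MDMDiagnosticsTool example
New-Item -ItemType Directory -Path $out -Force | Out-Null

# 1. TPM: Windows 11 and the self-deploying/pre-provisioning modes need TPM 2.0
#    plus attestation; a VM never passes attestation (0x800705B4 / 0x801c03ea).
$tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm
if ($null -eq $tpm) {
    Write-Warning "No TPM found - self-deploying/pre-provisioning will fail"
} else {
    "TPM SpecVersion: $($tpm.SpecVersion) Enabled: $($tpm.IsEnabled_InitialValue) Activated: $($tpm.IsActivated_InitialValue)" |
        Tee-Object -FilePath "$out\tpm.txt"
    if ($tpm.SpecVersion -notlike "2.0*") { Write-Warning "TPM is not 2.0 - update firmware or replace hardware" }
}

# 2. Join state: confirms whether the device is Entra ID joined and which MDM URL it received.
dsregcmd /status | Select-String -Pattern "AzureAdJoined|DomainJoined|MdmUrl|TenantName" |
    Out-File -FilePath "$out\dsregcmd.txt"

# 3. The four Event Viewer channels listed above, filtered to critical/error/warning since boot.
$channels = @(
    "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
    "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot",
    "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin",
    "Microsoft-Windows-AAD/Operational"
)
$boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
foreach ($c in $channels) {
    $events = Get-WinEvent -FilterHashtable @{ LogName = $c; Level = 1, 2, 3; StartTime = $boot } -ErrorAction SilentlyContinue
    if ($events) {
        $file = "$out\$($c -replace '[\\/]', '_').csv"
        $events | Select-Object TimeCreated, Id, LevelDisplayName, Message | Export-Csv -Path $file -NoTypeInformation
        "$($events.Count) warning/error events in $c -> $file"
    }
}

# 4. Full MDM diagnostics (the tool from the section above) and the Autopilot/TPM-focused cab.
MdmDiagnosticsTool.exe -out $out
MdmDiagnosticsTool.exe -area "Autopilot;TPM" -cab "$out\Autopilot.cab"
"Collected to $out - copy the folder off the device (e.g. to USB) before resetting it."
```

The CSV files give a quick first look at failures per channel before digging through the full MDMDiagnosticsTool output.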

Troubleshoot policies & apps

If something goes wrong with policies and apps, components other than just the provisioning service may be the source. This mainly includes the Intune Management Extension (IME), which is responsible for apps and scripts. Follow this troubleshooting flow:

Learn more in the dedicated post:

Troubleshooting Intune policies and apps
