Autopilot & Device Preparation Troubleshooting
Introduction
This post is a straightforward troubleshooting guide for issues with Windows Autopilot or Device Preparation in Intune.
At a glance: Common issues and error codes
- Internet connectivity and firewall/proxy restrictions - first of all, make sure the device has an Internet connection and all the required network endpoints are reachable.
- Intune/Entra ID device restrictions - platform restrictions may be configured, device count limits may be exceeded, or a deployment profile or enrollment status page (ESP) may be configured incorrectly or not assigned.
- Intune license - make sure the user who sets up the device / signs in during the out-of-box experience (OOBE) has an appropriate Intune license assigned.
- Hardware: TPM version - Windows 11 requires TPM 2.0. Self-deploying devices additionally require TPM attestation, which is never possible on a VM.
- Application installation issues - some applications may not install during OOBE; usually the application needs some type of user input, or too many applications are targeted for installation during the enrollment process. I recommend a maximum of 5 applications for a smooth deployment. You can also remove apps from the provisioning process to identify potential issues (try removing Company Portal from the required apps 😉).
For Windows Autopilot you may encounter these error codes:
| Error code | Reason | What to do |
|---|---|---|
| 801C0003 | User reaches the device limit | Check Intune configuration for enrollment device limit restrictions |
| 80180018 | No Intune license assigned to the user | Assign an Intune license to the user |
| 0x800705B4 | TPM version issues | Verify and update TPM |
| 0x801c03ea | TPM attestation failed | Verify and update TPM |
| 0xc1036501 | The device can't do an automatic MDM enrollment because there are multiple MDM configurations in Entra ID | Target one single MDM configuration (check Intune configuration) |
| 0x81039023 | Pre-provisioning technician flow or self-deploying mode failed due to TPM attestation | Verify and update TPM |
| 0x81039024 | Known vulnerabilities detected with the TPM | Update TPM firmware |
| 0x80180014 | Trying to redeploy a pre-provisioned or self-deploying device | Delete the device record in Intune, and then redeploy the profile |
| 0x801C03F3 | Device is not present in Entra ID | Try to re-enroll the device |
| 0x80070002 | Hybrid Entra ID Join (HEIDJ) only - device is already joined to Active Directory | Verify the hybrid components |
| 0x801c0003 | Entra ID Join failure | Check the Entra ID device configuration and retry |
| 0x80180018 | MDM enrollment failure | Check Intune configurations and retry |
Troubleshooting in Intune portal/service
This section gives an overview of Intune/Entra ID portal settings that are commonly misconfigured. For each setting you will find a short description, the settings likely to be involved, the navigation path or link where to find it, and a sample image.
Entra ID
MDM & MAM scope
The MDM and MAM scope defines the set of users that are eligible to use Microsoft Intune for device management through Entra ID. Verify that the corresponding user is a member of the group selected for the MDM user scope, or switch the scope to All.
Devices>Enroll devices>Automatic Enrollment
Device join
It is key that the setting Users may join the device to Entra ID is enabled for the Autopilot users. You may also check the Maximum number of devices per user if a non-Intune/device administrator sets up the device and joins it to Entra ID.
Intune
Enrollment device limit restrictions
There may be a device limit restriction applied to a non-Intune/device administrator.
Devices>Enroll devices>Enrollment device limit restrictions (at the side)
Enrollment device platform restrictions
Check the platform restriction and the blocked manufacturers.
Devices>Enroll devices>Enrollment device platform restrictions (at the side)
- If you have Autopilot v1 = Deployment profile + ESP (assigned to the device)
- If you have Autopilot Device Preparation = Device Preparation profile (assigned to the user)
My recommendation is to use the new Autopilot Device Preparation method.
Device Preparation profile
Make sure you don't run into errors when saving the Device Preparation profile; the portal automatically detects potential misconfigurations of the device group. The group you specify there must have an owner defined:
Intune Autopilot ConfidentialClient (if that one is not present, wait a few minutes and add Intune Provisioning Client).
Deployment profile
Make sure the deployment profile uses the right Deployment method and has all settings configured as desired (most can be left at their defaults). Make sure it is assigned to the right group, where your device hash or user is a member.
Devices>Enroll devices>Deployment profile
Enrollment status page (ESP)
The ESP can be skipped completely (Show app and profile configuration progress) or configured. Usually the problematic setting is Block device use until required apps are installed: if the apps assigned to the user/device cause problems during Autopilot, specify fewer than 5 apps there. Make sure it is assigned to the right group, where your device hash or user is a member.
Devices>Enroll devices>Enrollment status page
Monitor Autopilot deployments
In Intune, navigate to Devices > Monitor.
Here you can find reports for both Autopilot and Device Preparation:
Each enrollment is listed here with near real-time reporting data. Especially Device Preparation includes improved reporting with the status of enrollment phase, app installation and reasons for failure.
Troubleshooting on the device
How to open a command prompt in OOBE
Press Shift + (Fn) + F10 to open a command prompt (cmd).
Enter "powershell" in cmd to switch to a PowerShell session.
These commands might be helpful to type into the command prompt to open a Windows built-in system application:
- explorer - File Explorer
- eventvwr - Event Viewer
- control - Control Panel
- devmgmt.msc - Device Manager
- taskmgr - Task Manager
Press Win + R and type "ms-settings:" to open the Windows Settings app.
MDMDiagnosticsTool
MDMDiagnosticsTool.exe is your full reporting tool to get all the logs you need. Execute it with:
mdmdiagnosticstool.exe -out c:\IntuneLogs
Eventviewer
For more detailed troubleshooting, I recommend having a look at the Event Viewer channels that relate to Windows provisioning. These are the most relevant ones:
Applications and Services Logs > Microsoft > Windows
- Devicemanagement-Enterprise-Diagnostics-Provider
- Moderndeployment-Diagnostics-Provider
- Provisioning-Diagnostics-Provider
- Aad-Operational
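The following PowerShell script, added here as an example and not part of the original post, ties the two steps above together: it runs the MDMDiagnosticsTool export, then reads the four provisioning channels just listed for recent critical/error events and annotates any error code it finds with the reason from the error code table at the top of this post. The output folder and the four-hour lookback window are assumptions; the channel names are resolved by wildcard so you do not have to know the exact sub-channel names.

```powershell
$OutDir = 'C:\IntuneLogs'          # output folder (same as the command above)
$Since  = (Get-Date).AddHours(-4)  # assumed window covering the current OOBE attempt

# Error codes and reasons taken from the table above (lowercase, no 0x prefix).
$KnownCodes = @{
    '801c0003' = 'User reaches the device limit / Entra ID Join failure'
    '80180018' = 'No Intune license assigned / MDM enrollment failure'
    '800705b4' = 'TPM version issues'
    '801c03ea' = 'TPM attestation failed'
    'c1036501' = 'Multiple MDM configurations in Entra ID'
    '81039023' = 'Pre-provisioning or self-deploying mode failed (TPM attestation)'
    '81039024' = 'Known vulnerabilities detected with the TPM'
    '80180014' = 'Redeploying a pre-provisioned or self-deploying device'
    '801c03f3' = 'Device is not present in Entra ID'
    '80070002' = 'Hybrid Entra ID Join: device is already joined to Active Directory'
}

# 1. Full log export with the built-in tool (same command as above).
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
& "$env:SystemRoot\System32\MdmDiagnosticsTool.exe" -out $OutDir

# 2. Resolve the channels listed above by name pattern instead of hard-coding
#    sub-channel names, so the script keeps working across Windows builds.
$Patterns = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider*',
            'Microsoft-Windows-ModernDeployment-Diagnostics-Provider*',
            'Microsoft-Windows-Provisioning-Diagnostics-Provider*',
            'Microsoft-Windows-AAD*'
$Logs = foreach ($p in $Patterns) {
    Get-WinEvent -ListLog $p -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 } | Select-Object -ExpandProperty LogName
}

# 3. Pull critical/error events (Level 1 and 2) and tag codes that match the table.
$Report = foreach ($log in $Logs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2; StartTime = $Since } `
                 -ErrorAction SilentlyContinue | ForEach-Object {
        $msg  = [string]$_.Message   # may be empty if provider metadata is missing
        $code = [regex]::Match($msg, '0x([0-9a-fA-F]{8})').Groups[1].Value.ToLower()
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Log    = $log
            Id     = $_.Id
            Code   = if ($code) { "0x$code" } else { '' }
            Reason = if ($code -and $KnownCodes[$code]) { $KnownCodes[$code] } else { '' }
            Text   = ($msg -split "`n")[0]
        }
    }
}
$Report | Sort-Object Time | Format-Table -AutoSize
$Report | Export-Csv -Path (Join-Path $OutDir 'autopilot-errors.csv') -NoTypeInformation
```

Run it from the elevated OOBE PowerShell session; the CSV lands next to the MDMDiagnosticsTool export so both can be copied off the device together.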
Troubleshoot policies & apps
If something goes wrong with policies & apps, components other than the provisioning service may be the source. This mainly means the Intune Management Extension (IME), which is responsible for apps and scripts. Follow this troubleshooting flow:
Learn more in the dedicated post: