How to troubleshoot Windows Autopilot?

In this post I want to talk about troubleshooting in Windows Autopilot pre-provisioning mode. But before we go into troubleshooting, we should first repeat which steps are run through in the autopilot and in which order:

• The device sends its hardware hash to the Windows Autopilot services. Provided there is a Windows installation in the Professional version or higher. Windows Home is not supported by Autopilot.
• If the device is enrolled in Windows Autopilot and has an Autopilot profile assigned to it, the profile details are provided to the device. This provision is carried out in the form of a download of a JSON file with the settings. In the best case, the autopilot is set up for an Azure AD join and steps 4-7 do not apply.
• In the case of hybrid Azure AD join, the profile would tell the device which Azure AD tenant the device is associated with and that the device needs to be joined to Active Directory, but it does not provide Active Directory domain details. These must be mapped in an Intune „Domain Join“ profile and assigned to the device.
• The user is prompted for their Azure Active Directory credentials (or if using pre-provisioning, the device performs TPM verification) to obtain an Azure AD token. This token is used to enroll the device with Intune. Intune is notified as part of the enrollment process that the device needs to be joined to Active Directory.
• Intune looks for a domain join device configuration profile assigned to the device (through the groups the device belongs to). If it finds one, it creates a request for the offline domain join connector (called the Intune Connector for Active Directory). If it doesn’t find one, steps 5 and 6 will never be performed and the device will time out waiting for an ODJ blob that never comes.
• The Offline Domain Join (ODJ) connector fetches the ODJ request from the Intune service (the connector establishes an outbound connection every 2 minutes and asks Intune for requested ODJ profiles). If it finds a request, it tries to create an Active Directory object in the specified domain and OU with the specified name prefix (everything from the domain join profile). If successful, the resulting ODJ blob representing this computer account is uploaded to the Intune service.
• When the device performs its next MDM sync (typically every 3 minutes), it will receive this ODJ blob from Intune and apply it to the device. If the setting „Skip connectivity check“ is specified in the Autopilot profile, the device will reboot immediately to complete the domain join process. If the „Skip connectivity check“ setting is not specified, or if the device does not meet the requirement for this setting, the device first attempts to ping a domain controller for the domain (to ensure connectivity) before rebooting. If this ping test never succeeds, this step expires and you never get to step 7. After the device has been registered with OnPrem AD either via the ODJ or via the Azure AD Join in Azure AD, computer assignments such as applications and configuration profiles are processed. This process takes the longest time and installs all applications defined in the Enrollment Status Page.
• If the device performed a Hybrid Azure AD join, the user must now log into the device using Active Directory credentials that must be validated by an Active Directory domain controller, so connectivity is required at this point. VPN connectivity can be used. If the device has been set up according to the best case, an Azure AD join, the login must be carried out with the user’s Azure AD access.

But what can go wrong during the autopilot process?

• There is no assigned domain join profile for the device
• The ODJ Connector cannot create the ODJ blob for the device because it lacks permissions in the OU.
• The device loses or cannot connect at all.
• The user cannot log in.
• The user ESP times out after the user logs on.

ATTENTION: In order for the pre-provisioning mode to work properly, the user part of the autopilot process should be disabled. To do this, a CUSTOM Intune configuration profile must be created and assigned to the affected device group. The necessary OMA-URI configurations for this profile are as follows:

Name: SkipUserStatusPage
Description: Block User Part from Autopilot Setup
OMA-URI: ./Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage
Data type: Boolean
Value: True

Troubleshooting Script

In order to be able to identify the cause of the problem, we can use a script from the PowerShell Gallery.

Installation of the Scripts:

• Press SHIFT (+FN) + F10
• Type „powershell“
• Type „Set-ExecutionPolicy Unrestricted“
• Type „Install-Script Get-AutopilotDiagnostics“
• Now we have to call the script with the parameter „-Online“ to get the Intune objects displayed with the display name
• Type „Get-AutopilotDiagnostics.ps1 -Online“ and authenticate at the Azure AD login window with an Intune Administrator account

Here we are now shown the details of the autopilot profile and, in the event of an error, can see where the ESP has stopped and can use this information to analyze the problem more precisely and implement a remedy.