I have already created a post about Autopilot Troubleshooting nearly 2 years ago, but I wanted to update it and make it a little more structured and straightforward.
What is Microsoft Intune Endpoint Management?
Essentially, Microsoft Intune uses the capability of Windows Autopilot to enroll Windows 10 and 11 devices.
- On my blog you can find various Intune Endpoint Management blog posts
At a glance: Common issues and error codes
- Internet connectivity and firewall/proxy restrictions - first of all, make sure the device has an Internet connection and that all the required network endpoints are reachable.
- Intune/Azure AD device restrictions - platform or device count limits may be exceeded, or a deployment profile or enrollment status page (ESP) may be configured incorrectly or not assigned.
- Intune license - make sure the user who sets up the device/signs in during the out-of-box experience (OOBE) has an appropriate Intune license assigned.
- Hardware: TPM version - Windows 11 requires TPM 2.0. Self-deploying devices in particular also require TPM attestation, which is never possible on a VM.
- Application installation issues - some applications may not install during OOBE; usually the application needs some type of user input, or too many applications are targeted to be installed during the ESP. I recommend a maximum of 5 applications for a smooth deployment.
- Hybrid - when attempting to use Hybrid Azure AD join, you will need an Intune connector to perform an offline domain join (ODJ); this introduces a lot of potential issues.
| Error code | Reason | What to do |
|---|---|---|
| 801C0003 | User reaches the device limit | Check Intune configuration for enrollment device limit restrictions |
| 80180018 | No Intune license assigned to the user | Assign an Intune license to the user |
| 0x800705B4 | TPM version issues | Verify and update TPM |
| 0x801c03ea | TPM attestation failed | Verify and update TPM |
| 0xc1036501 | The device can't do an automatic MDM enrollment because there are multiple MDM configurations in Azure AD | Target one single MDM configuration (check Intune configuration) |
| 0x81039023 | Pre-provisioning technician flow or self-deployment mode failed due to TPM attestation | Verify and update TPM |
| 0x81039024 | Known vulnerabilities detected with the TPM | Update TPM firmware |
| 0x80180014 | Trying to redeploy a pre-provisioned or self-deployment device | Delete the device record in Intune, and then redeploy the profile |
| 0x801C03F3 | Device is not present in Azure AD | Try to re-enroll the device |
| 0x80070002 | Hybrid Azure AD Join (HAADJ) only - device is already joined to Active Directory | Verify the hybrid components |
| 0x801c0003 | Azure AD Join failure | Check AAD device configuration and retry |
| 0x80180018 | MDM enrollment failure | Check Intune configurations and retry |
Microsoft published a document about all Windows Autopilot deployment processes. (It is from 2019 but still has good value)
Troubleshooting in Intune portal/service
This section gives an overview of Intune/Azure AD portal settings that are commonly misconfigured. For each one you will see a short description, the settings likely to be involved, a navigation path or link to find it, and a sample image.
MDM & MAM scope
The MDM and MAM scope defines the set of users that are eligible to use Microsoft Intune for device management through Azure AD. Verify that the corresponding user is a member of the group selected in the MDM user scope, or switch it to All.
Devices>Enroll devices>Automatic Enrollment
It is key that the setting Users may join the device to Azure AD is enabled for the Autopilot users. You may also check the Maximum number of devices per user setting if a user who is not an Intune/device administrator sets up the device and joins it to AAD.
Enrollment device limit restrictions
There may be a device limit restriction applied to users who are not Intune/device administrators.
Enrollment device platform restrictions
Check the platform restriction and the blocked manufacturers.
Make sure the deployment profile uses the right Deployment method and has all settings configured as desired (most can be left at their defaults). Make sure it is assigned to the right group, where your device hash or user is a member.
Enrollment status page (ESP)
The ESP can be skipped completely (Show app and profile configuration progress) or configured. Usually it is the Block device use until required apps are installed setting that causes problems during Autopilot when apps are assigned to the user/device; specify fewer than 5 apps. Make sure it is assigned to the right group, where your device hash or user is a member.
Devices>Enroll devices>Enrollment status page
Monitor Autopilot deployments
In the Endpoint Manager admin center, navigate to Devices>Monitor.
Here you can find a (preview) report about Autopilot deployments and other useful monitoring subjects. For the enrollment, you can see the following information:
Troubleshooting on the device
How to open a command prompt in OOBE
Press Shift + (Fn) F10 to open a command prompt (cmd).
Enter "powershell" in cmd to switch to a PowerShell session.
These commands might be helpful to type into the command prompt to open a Windows built-in system application:
- taskmgr - Task Manager
- explorer - File Explorer
- control - Control Panel
- devmgmt.msc - Device Manager
Press Win + R and type "ms-settings:" to open the Windows Settings App
MDM Diagnostics is the way to dig deeper - please see Michael Niehaus' reference.
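The checks from the list at the top (connectivity, TPM, profile) can be run together from the PowerShell session opened in OOBE. This is an added example and not from the original post; the endpoint host names are taken from Microsoft's documented Autopilot requirements and the registry key is the one used by community diagnostics scripts, so both are assumptions to verify against current documentation.

```powershell
# Added example: Autopilot pre-flight checks from the OOBE PowerShell session (Shift+F10 -> powershell).
$results = [ordered]@{}

# 1. TPM - Windows 11 needs TPM 2.0; self-deploying/pre-provisioning also needs attestation.
$tpm    = Get-Tpm
$tpmWmi = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm
$results['TPM present'] = $tpm.TpmPresent
$results['TPM ready']   = $tpm.TpmReady
$results['TPM spec']    = $tpmWmi.SpecVersion        # e.g. "2.0, 0, 1.59"
try {
    # The endorsement key certificate is what attestation relies on; it is missing on most VMs.
    $ek = Get-TpmEndorsementKeyInfo
    $results['EK cert present'] = ($ek.IsPresent -and $ek.ManufacturerCertificates.Count -gt 0)
} catch {
    $results['EK cert present'] = "error: $($_.Exception.Message)"
}

# 2. Network - every Autopilot/Intune endpoint must be reachable through firewall/proxy.
#    Assumed list (documented Autopilot endpoints); extend it for your environment.
$endpoints = 'login.microsoftonline.com', 'enrollment.manage.microsoft.com',
             'ztd.dds.microsoft.com', 'cs.dds.microsoft.com'
foreach ($h in $endpoints) {
    $t = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    $results["TCP 443 $h"] = $t.TcpTestSucceeded
}

# 3. Autopilot profile - the device writes the downloaded profile here during OOBE (assumed key).
$apKey = 'HKLM:\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot'
$ap = Get-ItemProperty -Path $apKey -ErrorAction SilentlyContinue
$results['Profile downloaded'] = [bool]$ap.CloudAssignedTenantDomain
$results['Assigned tenant']    = $ap.CloudAssignedTenantDomain

# 4. Collect the MDM diagnostics cab for the "dig deeper" step (offline analysis later).
$cab = 'C:\AutopilotDiag.cab'
& "$env:windir\System32\MdmDiagnosticsTool.exe" -area 'Autopilot;TPM' -cab $cab | Out-Null
$results['Diagnostics cab'] = Test-Path $cab

# Anything False here points at the matching item in the "common issues" list above.
$results.GetEnumerator() | Format-Table -AutoSize
```

Copy the cab to a USB stick before the device reboots, because the ESP may wipe it on a retry.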
Troubleshooting in hybrid scenarios (Hybrid Azure AD Join)
I once made a complete blog post about Autopilot White Glove Hybrid AzureAD Join that explains the concept and process about it.
Additional component list
| Component | Description |
|---|---|
| Intune Connector | This service is installed on a domain server. It handles the offline domain join (ODJ) request from the Intune cloud service. When a device starts Autopilot in the Hybrid Azure AD Join (HAADJ) scenario, it always attempts the domain join through the Internet via the Intune connector. |
| Azure AD Connect Sync | This service is installed on a domain server. It synchronizes Active Directory (AD) identities, our Autopilot HAADJ device object and other objects to Azure Active Directory (AAD). |
| Domain controller | As soon as the Autopilot process is finished, a user can log on at the Windows lock screen. In HAADJ these credentials are always verified against the domain controller. This means the device must have line of sight to it through a direct network connection or VPN. |
How it works
The Intune connector is responsible for the offline domain join, better known as the ODJ blob. For a new device, this blob is requested from the Intune cloud service, generated by the Intune connector, uploaded back to the Intune cloud, and then downloaded and (hopefully) applied by the device.
One more part is the connectivity check, which basically tries to communicate with the domain controller. This is usually the last step before rebooting and finishing the process. But imagine being offsite with no connectivity to a domain controller: what happens then? For some time now you can skip this step in the enrollment profile, which is also what I would do. The connectivity check is only useful to guarantee that a user can log on after the enrollment, because the credentials will be checked against the domain controller, which obviously requires a connection to the corporate network.
Check Event Viewer on the server where the Intune connector is installed for events logged during HAADJ. To do so, go to Applications and Services Logs>ODJ Connector Service.
Now create a filter to exclude events 30121 and 30150 to find the relevant ones faster (on the left, "Filter Current Log").
Now search for events 30130 and 30140; these two represent a successful ODJ request from the Intune service.
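The same filter can be applied from PowerShell on the connector server, which is handy when you want to check several connectors or keep the output. This is an added example, not code from the original post; the log channel is discovered with a wildcard because its exact name is not assumed, and the `*ODJ*` service display name pattern is an assumption.

```powershell
# Added example: review ODJ Connector Service events without clicking through Event Viewer.
# Run on the domain server that hosts the Intune connector.

# Is the connector service even running? (display name pattern is an assumption)
Get-Service | Where-Object { $_.DisplayName -like '*ODJ*' } |
    Select-Object DisplayName, Status | Format-Table -AutoSize

# Discover the channel instead of hard-coding its name.
$log = Get-WinEvent -ListLog '*ODJ Connector*' -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $log) { throw 'ODJ Connector Service log not found - is the Intune connector installed here?' }

# Same filter as in the post: drop the noisy events 30121 and 30150.
$noise   = 30121, 30150
# 30130 and 30140 together represent a successful ODJ request served for Intune.
$success = 30130, 30140

$events = Get-WinEvent -LogName $log.LogName -MaxEvents 500 |
          Where-Object { $noise -notcontains $_.Id }

$events |
    Select-Object TimeCreated, Id,
        @{ n = 'Outcome'; e = {
            if ($success -contains $_.Id)          { 'ODJ success' }
            elseif ($_.LevelDisplayName -eq 'Error') { 'ERROR' }
            else                                   { '' } } },
        @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# Quick verdict for the most recent deployment attempt.
$lastSuccess = $events | Where-Object { $success -contains $_.Id } | Select-Object -First 1
$lastError   = $events | Where-Object { $_.LevelDisplayName -eq 'Error' } | Select-Object -First 1
if ($lastError -and (-not $lastSuccess -or $lastError.TimeCreated -gt $lastSuccess.TimeCreated)) {
    Write-Warning "Most recent ODJ activity is an error (event $($lastError.Id) at $($lastError.TimeCreated))."
} elseif ($lastSuccess) {
    Write-Host "Last successful ODJ request: event $($lastSuccess.Id) at $($lastSuccess.TimeCreated)"
}
```

If no events at all appear while a device sits in the HAADJ step, the request is not reaching the connector; look at the device-side errors and the connector's Internet access first.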
Azure AD Connect sync
So if you are using HAADJ for your devices, Intune will handle the enrollment into Intune and the domain join, but not the hybrid join to Azure AD and the subsequent issuance of a primary refresh token. (Learn more about this) For this we need to wait for the next sync through Azure AD Connect so that the computer object exists in AAD too. There is a workaround for this:
Supercharge AAD Sync for new hybrid Azure AD joined Autopilot devices
Make sure the device is not domain joined before
It might sound logical, but definitely confirm that a device in the HAADJ scenario is not already domain joined through any component in the Windows image, task sequence or Windows Deployment Services (WDS). WDS can be deployed in standalone mode.
Other troubleshooting resources
- Microsoft Docs - Autopilot Troubleshooting overview
- Windows Autopilot - known issues
- Out of Office Hours - Troubleshooting reference