Introduction

I already created a post about Autopilot troubleshooting nearly 2 years ago, but I wanted to update it and make it a little more structured and straightforward.

What is Microsoft Intune Endpoint Management?

Essentially, Microsoft Intune uses the capability of Windows Autopilot to enroll Windows 10 and 11 devices.

At a glance: Common issues and error codes

  • Internet connectivity and firewall/proxy restrictions - first of all, make sure the device has an Internet connection and that all required network endpoints are reachable.
  • Intune/Azure AD device restrictions - platform or device count limits may be exceeded, or a deployment profile or enrollment status page (ESP) may be configured incorrectly or not assigned.
  • Intune license - make sure the user who sets up the device/signs in during the out-of-box experience (OOBE) has an appropriate Intune license assigned.
  • Hardware: TPM version - Windows 11 requires TPM 2.0. Self-deploying devices in particular also require TPM attestation, which is never possible on a VM.
  • Application installation issues - some applications may not install during OOBE; usually the application needs some type of user input, or too many applications are targeted for installation during the ESP. I recommend a maximum of 5 applications for a smooth deployment.
  • Hybrid - when attempting to use Hybrid Azure AD join, you need an Intune connector to perform an offline domain join (ODJ), which introduces a lot of potential issues.
Error code | Reason | What to do
801C0003 | User reaches the device limit | Check Intune configuration for enrollment device limit restrictions
80180018 | No Intune license assigned to the user | Assign an Intune license to the user
0x800705B4 | TPM version issues | Verify and update TPM
0x801c03ea | TPM attestation failed | Verify and update TPM
0xc1036501 | The device can't do an automatic MDM enrollment because there are multiple MDM configurations in Azure AD | Target one single MDM configuration (check Intune configuration)
0x81039023 | Pre-provisioning technician flow or self-deployment mode failed due to TPM attestation | Verify and update TPM
0x81039024 | Known vulnerabilities detected with the TPM | Update TPM firmware
0x80180014 | Trying to redeploy a pre-provisioned or self-deployment device | Delete the device record in Intune, and then redeploy the profile
0x801C03F3 | Device is not present in Azure AD | Try to re-enroll the device
0x80070002 | Hybrid Azure AD Join (HAADJ) only - device is already joined to Active Directory | Verify the hybrid components
0x801c0003 | Azure AD Join failure | Check AAD device configuration and retry
0x80180018 | MDM enrollment failure | Check Intune configurations and retry
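Two of the issue classes above (network reachability and TPM version) can be checked before the enrollment is even attempted. The following script is an added example for that, not code from the original post. It reads the TPM spec version through the Win32_Tpm CIM class and tests TCP 443 against a list of Autopilot and Intune endpoints; that endpoint list is my assumption based on Microsoft's Autopilot networking documentation as I know it, so verify it against the current published list before relying on it. Run it from an elevated PowerShell prompt (the Win32_Tpm class needs administrator rights).

```powershell
# Added example (not from the original post): pre-flight check for TPM readiness
# and network reachability, the two most common Autopilot failure classes listed above.
# Endpoint list is an assumption taken from Microsoft's Autopilot networking docs
# as I know them; check it against the current list.

$endpoints = @(
    'ztd.dds.microsoft.com',            # Autopilot deployment service
    'cs.dds.microsoft.com',             # Autopilot deployment service
    'login.microsoftonline.com',        # Azure AD authentication
    'enrollment.manage.microsoft.com',  # Intune MDM enrollment
    'portal.manage.microsoft.com'       # Intune service
)

function Test-AutopilotTpm {
    # Windows 11 and the self-deploying/pre-provisioning modes need TPM 2.0 that is
    # present, enabled and activated; attestation additionally needs a physical TPM.
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{ Present = $false; SpecVersion = $null; Ok = $false }
    }
    # SpecVersion looks like "2.0, 0, 1.38"; the first token is the TPM spec version.
    $spec  = ($tpm.SpecVersion -split ',')[0].Trim()
    $ready = $tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue
    [pscustomobject]@{
        Present     = $true
        SpecVersion = $spec
        Ok          = ($spec -eq '2.0') -and $ready
    }
}

function Test-AutopilotEndpoints {
    param([string[]]$Hosts = $endpoints)
    foreach ($h in $Hosts) {
        # TCP 443 only. A proxy that demands authentication, or a firewall that
        # blocks these names, shows up here as Resolved=False or Port443=False.
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host     = $h
            Resolved = [bool]$r.RemoteAddress
            Port443  = $r.TcpTestSucceeded
        }
    }
}

Test-AutopilotTpm
Test-AutopilotEndpoints | Format-Table -AutoSize
```

A TPM row with Ok = False, or any endpoint row with Port443 = False, is worth fixing before retrying the enrollment; both conditions map directly to the 0x800705B4/0x801c03ea TPM codes and the connectivity item in the list above.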

Autopilot enrollment

Microsoft published a document about all Windows Autopilot deployment processes (it is from 2019 but still has good value).


Troubleshooting in Intune portal/service

This section gives an overview of Intune/Azure AD portal settings that are commonly misconfigured. For each one you will find a short description, the settings most likely to have an impact, the navigation path or link where to find it, and a sample image.

MDM & MAM scope

The MDM and MAM scope defines the set of users that are eligible to use Microsoft Intune for device management through Azure AD. Verify that the user is a member of the group selected in the MDM user scope, or switch the scope to All.

Devices>Enroll devices>Automatic Enrollment
[Screenshot: mdmmamscope-1]

Device join

It is key that the setting Users may join the device to Azure AD is enabled for the Autopilot users. Also check the Maximum number of devices per user if a user who is not an Intune/device administrator sets up the device and joins it to AAD.

Azure AD>Devices
[Screenshot: devicesettingsaad]

Enrollment device limit restrictions

There may be a device limit restriction that applies to users who are not Intune/device administrators.

Devices>Enroll devices>Enrollment device limit restrictions (at the side)
[Screenshot: enrollmentdevicelimitrestrictions]

Enrollment device platform restrictions

Check the platform restriction and the blocked manufacturers.

Devices>Enroll devices>Enrollment device platform restrictions (at the side)
[Screenshot: enrollmentdeviceplatformrestrictions]

Deployment profile

Make sure the deployment profile uses the right deployment method and has all settings configured as desired (most can be left at their defaults). Make sure it is assigned to the right group, one that your device hash or user is a member of.

Devices>Enroll devices>Deployment profile
[Screenshot: deploymentprofile]

Enrollment status page (ESP)

The ESP can be skipped completely (Show app and profile configuration progress) or configured. The setting that usually causes problems during Autopilot is Block device use until required apps are installed: if apps are assigned to the affected user/device, specify fewer than 5 apps. Make sure the ESP is assigned to the right group, one that your device hash or user is a member of.

Devices>Enroll devices>Enrollment status page
[Screenshot: esp]

Monitor Autopilot deployments

In the Endpoint Manager admin center, navigate to Devices>Monitor.

[Screenshot: devicemonitor-1]

Here you can find a (preview) report about Autopilot deployments and other useful monitoring subjects. For the enrollment, you can see the following information:

[Screenshot: deploymentautopilotmonitoring]


Troubleshooting on the device

How to open a command prompt in OOBE

Press Shift + F10 (Shift + Fn + F10 on some keyboards) to open a command prompt (cmd).

Enter "powershell" in cmd to switch to a PowerShell session

These commands might be helpful to type into the command prompt to open a built-in Windows system application:

  • taskmgr - Task Manager
  • explorer - File Explorer
  • control - Control Panel
  • devmgmt.msc - Device Manager

Press Win + R and type "ms-settings:" to open the Windows Settings App

MDMDiagnostics

MDMDiagnostics is the tool to dig deeper; please see Michael Niehaus' reference for details.
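As an added example (not code from the original post or from the referenced article), this is how the diagnostics can be pulled from the OOBE command prompt described above: MdmDiagnosticsTool.exe, which ships with Windows, writes a .cab for the requested areas, and the built-in expand.exe unpacks it so the contents can be read on the device. The output paths under C:\AutopilotDiag are my own choice. The registry key read at the end is an assumption on my part, based on community Autopilot diagnostics tooling; the values it holds are the profile settings the Autopilot service assigned to this hardware hash.

```powershell
# Added example, not from the original post: collect Autopilot/enrollment/TPM
# diagnostics from the OOBE prompt (Shift+F10, then "powershell") into a .cab,
# expand it and list what came out. Paths are my own choice.

$cab    = 'C:\AutopilotDiag\autopilot.cab'
$outDir = 'C:\AutopilotDiag\expanded'

New-Item -ItemType Directory -Path (Split-Path $cab) -Force | Out-Null
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Collect the areas relevant to Autopilot; this takes a minute or two.
& "$env:SystemRoot\System32\MdmDiagnosticsTool.exe" `
    -area 'Autopilot;DeviceEnrollment;DeviceProvisioning;Tpm' -cab $cab

if (-not (Test-Path $cab)) {
    throw "MdmDiagnosticsTool did not produce $cab"
}

# Unpack the cab with the built-in expand.exe so the files can be read in place.
& "$env:SystemRoot\System32\expand.exe" $cab -F:* $outDir | Out-Null

# Largest files first: the MDM diagnostic report and the exported event logs
# are usually the ones worth opening first.
Get-ChildItem $outDir -Recurse -File |
    Sort-Object Length -Descending |
    Select-Object Name, Length, LastWriteTime |
    Format-Table -AutoSize

# Assumption: the Autopilot profile the device received is mirrored under this key
# (as used by community diagnostics scripts). No key usually means the hardware
# hash was never matched to a deployment profile.
$apKey = 'HKLM:\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot'
if (Test-Path $apKey) {
    Get-ItemProperty $apKey |
        Select-Object CloudAssignedTenantDomain, CloudAssignedTenantId, CloudAssignedOobeConfig
} else {
    'No Autopilot profile cached on this device.'
}
```

Copy the .cab off the device (a USB stick works from the OOBE prompt) before resetting it, since a reset wipes the evidence needed to match the failure to one of the error codes in the table above.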


Troubleshooting in hybrid scenarios (Hybrid Azure AD Join)

I once made a complete blog post about Autopilot White Glove Hybrid AzureAD Join that explains the concept and the process.

Additional component list

Component name | Use
Intune Connector | This service is installed on a domain server. It handles the offline domain join (ODJ) request from the Intune cloud service. When a device starts Autopilot in the Hybrid Azure AD Join (HAADJ) scenario, it always attempts the domain join over the Internet through the Intune connector.
Azure AD Connect Sync | This service is installed on a domain server. It synchronizes Active Directory (AD) identities, our Autopilot HAADJ device object and other objects to Azure Active Directory (AAD).
Domain controller | As soon as the Autopilot process is finished, a user can log on at the Windows lock screen. In HAADJ these credentials are always verified against the domain controller, so the device must have line of sight to it through a direct network connection or VPN.

How it works

The Intune connector is responsible for performing the offline domain join, commonly known as the ODJ blob. The blob is requested from the Intune cloud for a new device, generated by the Intune connector, uploaded back to the Intune cloud, and finally downloaded and (hopefully) applied by the device.

One more part is the connectivity check, which basically tries to communicate with the domain controller. This is usually the last step before rebooting and finishing the process. But imagine being offsite without any connectivity to a domain controller: what happens then? For some time now you can skip this step in the enrollment profile, which is also what I would do. The connectivity check is only useful to guarantee that a user can log on after the enrollment, because the credentials will be checked against the domain controller, which obviously requires a connection to the corporate network.

[Screenshot: skipadconnectivitycheck-haadj]

Event viewer

Check with Event Viewer on the server where the Intune connector is installed whether any events are logged during HAADJ. To do so, go to Applications and Services Logs>ODJ Connector Service.

[Screenshot: odjeventviewer]

Now create a filter to exclude events 30121 and 30150 to find the relevant ones faster. (on the left "Filter Current Log")

[Screenshot: odjevents]

Now search for events 30130 and 30140; these two represent a successful ODJ request from the Intune service.
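The same filter can be scripted on the connector server with Get-WinEvent, which is handy when the ODJ log is large or when you want to check several connector servers. This is an added example, not code from the original post. It assumes that 'ODJ Connector Service', the log name shown in Event Viewer above, is also the channel name Get-WinEvent accepts (confirm with Get-WinEvent -ListLog '*ODJ*'); the event IDs are exactly the ones named in the text: 30121/30150 are the noise to exclude, 30130/30140 mark a successful ODJ request.

```powershell
# Added example, not from the original post: the Event Viewer filter from the text,
# scripted with Get-WinEvent on the server that runs the Intune Connector.
# Assumption: the Event Viewer log name is also the Get-WinEvent channel name.

$logName = 'ODJ Connector Service'
$noise   = 30121, 30150   # routine events, excluded as in the Event Viewer filter
$success = 30130, 30140   # a successful ODJ request from the Intune service
$since   = (Get-Date).AddHours(-24)

function Get-OdjEvents {
    param([datetime]$StartTime = $since)
    # SilentlyContinue: Get-WinEvent raises an error, not an empty result, when nothing matches.
    Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $StartTime } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $noise -notcontains $_.Id } |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }   # first line only
}

function Get-OdjSummary {
    param([datetime]$StartTime = $since)
    $events = @(Get-OdjEvents -StartTime $StartTime)
    [pscustomobject]@{
        Window        = "since $StartTime"
        TotalRelevant = $events.Count
        SuccessEvents = @($events | Where-Object { $success -contains $_.Id }).Count
        ErrorWarning  = @($events | Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' }).Count
    }
}

Get-OdjSummary
Get-OdjEvents | Sort-Object TimeCreated -Descending | Format-Table -Wrap
```

A device stuck in the HAADJ ESP with SuccessEvents at zero and nothing but Error/Warning rows in the list points at the connector side (service account, permissions on the target OU, or connectivity from the connector server), whereas a successful 30130/30140 pair with the device still failing points at the blob download or the domain controller connectivity check on the client.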

Azure AD Connect sync

So if you are using HAADJ for your devices, Intune handles the enrollment into Intune and the domain join, but not the hybrid join to Azure AD and the subsequent issuance of a primary refresh token. (Learn more about this) For that we need to wait for the next sync through Azure AD Connect so that the computer object exists in AAD too. There is a workaround for this:
Supercharge AAD Sync for new hybrid Azure AD joined Autopilot devices

Make sure the device is not domain joined before

It might sound obvious, but definitely confirm that a device destined for HAADJ is not already domain joined by any component in the Windows image, a task sequence or Windows Deployment Services (WDS). WDS can be deployed in standalone mode.
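To confirm that state on the device itself, here is an added example (not code from the original post) that combines the WMI view of the AD join with the output of the built-in dsregcmd.exe /status. The field names parsed (DomainJoined, AzureAdJoined, DomainName, TenantName) are the ones dsregcmd prints; the warning text refers to error 0x80070002 from the table above.

```powershell
# Added example, not from the original post: verify before (re)deploying that a device
# is not already domain joined, and show the join state that dsregcmd reports.

function Get-JoinState {
    $cs     = Get-CimInstance -ClassName Win32_ComputerSystem
    $status = & "$env:SystemRoot\System32\dsregcmd.exe" /status

    # dsregcmd prints lines like "             DomainJoined : YES"; turn them into a lookup table.
    $fields = @{}
    foreach ($line in $status) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }

    [pscustomobject]@{
        ComputerName  = $cs.Name
        PartOfDomain  = $cs.PartOfDomain           # WMI view of the AD join
        DomainJoined  = $fields['DomainJoined']    # dsregcmd view of the AD join
        DomainName    = $fields['DomainName']
        AzureAdJoined = $fields['AzureAdJoined']
        TenantName    = $fields['TenantName']
    }
}

$state = Get-JoinState
$state

if ($state.PartOfDomain -or $state.DomainJoined -eq 'YES') {
    Write-Warning ("Device is already joined to domain '{0}'. Expect error 0x80070002 in HAADJ Autopilot; " +
                   "fix the image, task sequence or WDS step that joined it before redeploying.") -f $state.DomainName
}
```

Run it from the OOBE command prompt on a freshly imaged device: PartOfDomain should be False and DomainJoined should read NO before the Autopilot HAADJ profile is applied.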


Other troubleshooting resources


Find more on my blog:

Endpoint Management with Microsoft Intune - a full tutorial on how to deal with Microsoft Autopilot and Intune.