Applies to

Issue

More information

Blocking apps specified in a user-targeted Enrollment Status Profile are ignored during device ESP. The services responsible for determining the list of apps that should be blocking during device ESP aren't able to determine the correct ESP profile containing the list of apps because they don't know the user identity. As a workaround, enable the default ESP profile (which targets all users and devices) and place the blocking app list there. In the future, it will be possible to instead target the ESP profile to device groups to avoid this issue.

"That username looks like it belongs to another organization. Try signing in again or start over with a different account." Confirm that all of your information is correct at `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot`. For more information, see Troubleshooting Windows Autopilot.

Windows Autopilot user-driven Hybrid Azure AD deployments don't grant users Administrator rights even when specified in the Windows Autopilot profile. This issue will occur when there's another user on the device that already has Administrator rights. For example, a PowerShell script or policy could create an additional local account that is a member of the Administrators group. To ensure this works properly, don't create an additional account until after the Windows Autopilot process has completed.

Windows Autopilot device provisioning can fail with TPM attestation errors or ESP timeouts on devices where the real-time clock is off by a significant amount of time (for example, several minutes or more). To fix this issue:

1. Boot the device to the start of the out-of-box experience (OOBE).
2. Establish a network connection (wired or wireless).
3. Run the command `w32tm /resync /force` to sync the time with the default time server (time.windows.com).

Windows Autopilot for existing devices doesn't work for Windows 10, version 1903 or 1909; you see screens that you've disabled in your Windows Autopilot profile, such as the Windows 10 License Agreement screen.



This issue happens because Windows 10, versions 1903 and 1909, deletes the AutopilotConfigurationFile.json file. To fix this issue:

1. Edit the Configuration Manager task sequence and disable the Prepare Windows for Capture step.
2. Add a new Run command line step that runs `c:\windows\system32\sysprep\sysprep.exe /oobe /reboot`.

TPM attestation fails on Windows 10 1903 because of missing AKI extension in EK certificate. (An additional validation added in Windows 10 1903 to check that the TPM EK certs had the proper attributes according to the TCG specifications uncovered that a number of them don’t, so that validation will be removed). Download and install the KB4517211 update.

The following known issues are resolved by installing the August 30, 2019 KB4512941 update (OS Build 18362.329):

- Windows Autopilot for existing devices feature doesn't properly suppress “Activities” page during OOBE. (Because of this issue, you’ll see that extra page during OOBE).
- TPM attestation state isn't cleared by sysprep /generalize, causing TPM attestation failure during later OOBE flow. (This isn’t a particularly common issue, but you could run into it while testing if you're running sysprep /generalize and then rebooting or reimaging the device to go back through an Autopilot white glove or self-deploying scenario).
- TPM attestation may fail if the device has a valid AIK cert but no EK cert. (This issue is related to the previous item).
- If TPM attestation fails during the Windows Autopilot white glove process, the landing page appears to be hung. (Basically, the white glove landing page, where you click “Provision” to start the white glove process, isn’t reporting errors properly).
- TPM attestation fails on newer Infineon TPMs (firmware version > 7.69). (Before this fix, only a specific list of firmware versions was accepted).
- Device naming templates may truncate the computer name at 14 characters instead of 15.
- Assigned Access policies cause a reboot, which can interfere with the configuration of single-app kiosk devices.

Download and install the KB4512941 update.



See the section: How to get this update for information on specific release channels you can use to obtain the update.

The following known issues are resolved by installing the July 26, 2019 KB4505903 update (OS Build 18362.267):

- Windows Autopilot white glove doesn't work for a non-English OS and you see a red screen that says "Success."
- Windows Autopilot reports an AUTOPILOTUPDATE error during OOBE after sysprep, reset, or other variations. This issue typically happens if you reset the OS or used a custom sysprepped image.
- BitLocker encryption isn't correctly configured. Ex: BitLocker didn’t get an expected notification after policies were applied to begin encryption.
- You're unable to install UWP apps from the Microsoft Store, causing failures during Windows Autopilot. If you're deploying Company Portal as a blocking app during Windows Autopilot ESP, you’ve probably seen this error.
- A user isn't granted administrator rights in the Windows Autopilot user-driven Hybrid Azure AD join scenario. This is another non-English OS issue.

Download and install the KB4505903 update.



See the section: How to get this update for information on specific release channels you can use to obtain the update.

Windows Autopilot self-deploying mode fails with an error code:

- 0x800705B4: This is a general error indicating a timeout. A common cause of this error in self-deploying mode is that the device isn't TPM 2.0 capable (ex: a virtual machine). Devices that aren't TPM 2.0 capable can't be used with self-deploying mode.
- 0x801c03ea: This error indicates that TPM attestation failed, causing a failure to join Azure Active Directory with a device token.
- 0xc1036501: The device can't do an automatic MDM enrollment because there are multiple MDM configurations in Azure AD.

See Inside Windows Autopilot self-deploying mode.

White glove gives a red screen and the Microsoft-Windows-User Device Registration/Admin event log displays HResult error code 0x801C03F3. This issue can happen if Azure AD can’t find an Azure AD device object for the device that you're trying to deploy. This issue will occur if you manually delete the object. To fix it, remove the device from Azure AD, Intune, and Autopilot, then re-register it with Autopilot, which will recreate the Azure AD device object.



To obtain troubleshooting logs, use: `Mdmdiagnosticstool.exe -area Autopilot;TPM -cab c:\autopilot.cab`

White glove gives a red screen. White glove isn't supported on a VM.

Error importing Windows Autopilot devices from a .csv file. Ensure that you haven't edited the .csv file in Microsoft Excel or an editor other than Notepad. Some of these editors can introduce extra characters causing the file format to be invalid.

Windows Autopilot for existing devices doesn't follow the Autopilot OOBE experience. Ensure that the JSON profile file is saved in ANSI/ASCII format, not Unicode or UTF-8.
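
A byte-level check for the two file-format problems above (extra characters in the device .csv, a JSON profile saved as Unicode or UTF-8), given as an added example that is not part of the original page. The function name `Test-AutopilotFileEncoding` and the sample files are hypothetical, and flagging every byte above 0x7F is a conservative assumption.

```powershell
# Added example; the function name and sample file names are hypothetical.
function Test-AutopilotFileEncoding {
    param([Parameter(Mandatory)][string]$Path)

    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($full)
    $findings = [System.Collections.Generic.List[string]]::new()
    $start = 0

    # Byte-order marks left by editors that save as UTF-8 or "Unicode" (UTF-16).
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $findings.Add('UTF-8 byte-order mark'); $start = 3
    } elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
        $findings.Add('UTF-16 LE byte-order mark'); $start = 2
    } elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF) {
        $findings.Add('UTF-16 BE byte-order mark'); $start = 2
    }

    # After any BOM, report the first suspicious byte: NUL bytes point to UTF-16
    # text, bytes above 0x7F to multi-byte or code-page characters.
    # Assumption: every byte above 0x7F is treated as a finding (pure ASCII only).
    for ($i = $start; $i -lt $bytes.Length; $i++) {
        if ($bytes[$i] -eq 0 -or $bytes[$i] -gt 0x7F) {
            $findings.Add(('unexpected byte 0x{0:X2} at offset {1}' -f $bytes[$i], $i))
            break
        }
    }

    [pscustomobject]@{
        File     = Split-Path -Path $full -Leaf
        Clean    = ($findings.Count -eq 0)
        Findings = ($findings -join '; ')
    }
}

# Constructed sample input: the same text saved in three encodings.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'autopilot-encoding-sample'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$text = '{"sample":"constructed"}'
[System.IO.File]::WriteAllText((Join-Path $dir 'ascii.json'), $text, [System.Text.Encoding]::ASCII)
[System.IO.File]::WriteAllText((Join-Path $dir 'utf8-bom.json'), $text, [System.Text.Encoding]::UTF8)
[System.IO.File]::WriteAllText((Join-Path $dir 'utf16.json'), $text, [System.Text.Encoding]::Unicode)

Get-ChildItem -LiteralPath $dir -Filter *.json |
    ForEach-Object { Test-AutopilotFileEncoding -Path $_.FullName } |
    Format-Table -AutoSize -Wrap
```

Run the function against the real .csv or JSON file before import; a file that is not reported as `Clean` was re-encoded or altered by the editor that last saved it.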

"Something went wrong" is displayed during OOBE. The client is likely unable to access all the required Azure AD/MSA-related URLs. For more information, see [Networking requirements](networking-requirements.md).