Windows Autopilot - Policy Conflicts
There are a significant number of policy settings available for Windows, including:
- Native MDM policies
- Group policy (ADMX-backed) settings
Some policy settings can cause issues in some Windows Autopilot scenarios. These issues can arise because of how the policies change Windows behavior. If you find any of these issues, remove the policy in question to resolve the issue.
| Policy | More information |
|---|---|
| Disallow changing of language/region/keyboard | This GPO isn't supported during the OOBE flow as it impacts the autologon experience. If you need to set this policy for users, you should select to hide these pages in the Autopilot profile to prevent users from making changes. |
| AppLocker CSP | The AppLocker CSP isn't supported in the Enrollment Status Page as it triggers a reboot when a policy is applied or a deletion occurs. |
| Device restriction / Password Policy | The out-of-box experience (OOBE) or user desktop autologon can fail when a device reboots during the device Enrollment Status Page (ESP). This failure can occur when certain DeviceLock policies are applied to a device. Such policies can include:<br><br>- Windows Security Baseline / Administrator elevation prompt behavior<br>- Windows Security Baseline / Require admin approval mode for administrators<br>- Windows Security Baseline / Enable virtualization based security<br><br>These policies require a reboot; as a result, more prompts may appear when modifying user account control (UAC) settings during the OOBE using the device ESP. Increased prompts are more likely if the device reboots after policies are applied. To work around this issue, the policies can be targeted to users instead of devices so that they apply later in the process. |
| Device restrictions / Cloud and Storage / Microsoft Account sign-in assistant | Setting this policy to "disabled" turns off the Microsoft Sign-in Assistant service (wlidsvc). Windows Autopilot requires this service to get the Windows Autopilot profile. |
| Registry keys that affect Windows Autopilot if a device setting requires a reboot during device ESP | Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Automatic logon<br><br>Registry key: If the AutoAdminLogon registry key is set to 0 (disabled), this breaks Windows Autopilot. |
| MDM wins over Group Policy | This policy allows you to control which policy is used when both the MDM policy and its equivalent Group Policy (GP) are set on the device. |
| Group Policy Objects (GPOs) that affect Windows Autopilot for pre-provisioned deployment | GPO path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options<br><br>Policies:<br>- Interactive logon: Message title for users attempting to log on<br>- Interactive logon: Message text for users attempting to log on<br>- Interactive logon: Require Windows Hello for Business or smart card<br>- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode - Prompt for credentials on the secure desktop<br><br>Windows Autopilot pre-provisioning doesn't work when any of the four GPO policy settings listed here are enabled. |
| PreferredAadTenantDomainName | When this policy is enabled, it is added to DefaultUser0, which causes autologon to fail. |
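The conflicts in the table above are all visible on the device itself before OOBE starts, so a read-only pre-flight audit catches them early. The script below is an added example, not code from the Microsoft page or from Autopilot itself. It checks the AutoAdminLogon value (read from the standard Winlogon key, which is where that value lives), the wlidsvc service start type, and the four Security Options GPOs that block pre-provisioning. The mapping of those four GPOs to registry values under Policies\System (LegalNoticeCaption, LegalNoticeText, scforceoption, ConsentPromptBehaviorAdmin with 1 meaning "Prompt for credentials on the secure desktop") is an assumption on my part based on their standard backing values; the page names only the GPO titles.

```powershell
# Added example (not from the Microsoft page): read-only pre-flight audit for the
# local settings this page lists as breaking Autopilot OOBE, device ESP or pre-provisioning.
# Run elevated on the device before it is handed to OOBE. Nothing is modified.
# Assumption: GPO-to-registry mappings below are the standard backing values, not stated on the page.

$findings = [System.Collections.Generic.List[string]]::new()

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the setting is not configured.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. AutoAdminLogon: the page states that a value of 0 breaks Autopilot.
#    Standard location for this value is the Winlogon key.
$winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$autoLogon = Get-RegValue -Path $winlogon -Name 'AutoAdminLogon'
if ("$autoLogon" -eq '0') {
    $findings.Add("AutoAdminLogon is 0 under $winlogon; autologon after a device-ESP reboot will fail.")
}

# 2. Microsoft Sign-in Assistant (wlidsvc) must be able to run to retrieve the Autopilot profile.
$wlid = Get-Service -Name 'wlidsvc' -ErrorAction SilentlyContinue
if ($null -eq $wlid) {
    $findings.Add('wlidsvc service not found on this device.')
} elseif ($wlid.StartType -eq 'Disabled') {
    $findings.Add('wlidsvc is Disabled; the "Microsoft Account sign-in assistant" policy is likely set to disabled.')
}

# 3. Security Options GPOs that block pre-provisioning, checked through their backing registry values
#    (assumed mappings; verify against your own baseline).
$polSys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$gpoChecks = @(
    @{ Name = 'LegalNoticeCaption'
       Policy = 'Interactive logon: Message title for users attempting to log on'
       Bad = { param($v) -not [string]::IsNullOrEmpty($v) } },
    @{ Name = 'LegalNoticeText'
       Policy = 'Interactive logon: Message text for users attempting to log on'
       Bad = { param($v) -not [string]::IsNullOrEmpty($v) } },
    @{ Name = 'scforceoption'
       Policy = 'Interactive logon: Require Windows Hello for Business or smart card'
       Bad = { param($v) $v -eq 1 } },
    @{ Name = 'ConsentPromptBehaviorAdmin'
       Policy = 'UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode'
       Bad = { param($v) $v -eq 1 } }   # 1 = Prompt for credentials on the secure desktop
)
foreach ($c in $gpoChecks) {
    $v = Get-RegValue -Path $polSys -Name $c.Name
    if ($null -ne $v -and (& $c.Bad $v)) {
        $findings.Add("$($c.Policy) is configured ($($c.Name)=$v); Autopilot pre-provisioning will not work.")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Autopilot-conflicting local settings found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Each warning names the conflicting setting so it can be matched back to the row in the table and to the policy or GPO that set it; the fix, as the page says, is to remove or re-target that policy rather than to edit the registry on the device.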
For more information, see Troubleshooting Windows Autopilot.