Windows Autopilot - known issues

Applies to

  • Windows 10
IssueMore information
Blocking apps specified in a user-targeted Enrollment Status Profile are ignored during device ESP. The services responsible for determining the list of apps that should be blocking during device ESP are not able to determine the correct ESP profile containing the list of apps because they do not know the user identity. As a workaround, enable the default ESP profile (which targets all users and devices) and place the blocking app list there. In the future, it will be possible to instead target the ESP profile to device groups to avoid this issue.
That username looks like it belongs to another organization. Try signing in again or start over with a different account. Confirm that all of your information is correct at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot. See Troubleshooting Windows Autopilot for more details.
Windows Autopilot user-driven Hybrid Azure AD deployments do not grant users Administrator rights even when specified in the Windows Autopilot profile. This will occur when there is another user on the device that already has Administrator rights. For example, a PowerShell script or policy could create an additional local account that is a member of the Administrators group. To ensure this works properly, do not create an additional account until after the Windows Autopilot process has completed.
Windows Autopilot device provisioning can fail with TPM attestation errors or ESP timeouts on devices where the real-time clock is off by a significant amount of time (e.g. several minutes or more). To fix this issue:
  1. Boot the device to the start of the out-of-box experience (OOBE).
  2. Establish a network connection (wired or wireless).
  3. Run the command w32tm /resync /force to sync the time with the default time server (
Windows Autopilot for existing devices does not work for Windows 10, version 1903 or 1909; you see screens that you've disabled in your Windows Autopilot profile, such as the Windows 10 License Agreement screen.
This happens because Windows 10, version 1903 and 1909 deletes the AutopilotConfigurationFile.json file.
To fix this issue:
  1. Edit the Configuration Manager task sequence and disable the Prepare Windows for Capture step.
  2. Add a new Run command line step that runs c:\windows\system32\sysprep\sysprep.exe /oobe /reboot.
More information
TPM attestation fails on Windows 10 1903 due to missing AKI extension in EK certificate. (An additional validation added in Windows 10 1903 to check that the TPM EK certs had the proper attributes according to the TCG specifications uncovered that a number of them don’t, so that validation will be removed). Download and install the KB4517211 update.
The following known issues are resolved by installing the August 30, 2019 KB4512941 update (OS Build 18362.329):
  • Windows Autopilot for existing devices feature does not properly suppress “Activities” page during OOBE. (Because of this, you’ll see that extra page during OOBE).
  • TPM attestation state is not cleared by sysprep /generalize, causing TPM attestation failure during later OOBE flow. (This isn’t a particularly common issue, but you could run into it while testing if you are running sysprep /generalize and then rebooting or reimaging the device to go back through an Autopilot white glove or self-deploying scenario).
  • TPM attestation may fail if the device has a valid AIK cert but no EK cert. (This is related to the previous item).
  • If TPM attestation fails during the Windows Autopilot white glove process, the landing page appears to be hung. (Basically, the white glove landing page, where you click “Provision” to start the white glove process, isn’t reporting errors properly).
  • TPM attestation fails on newer Infineon TPMs (firmware version > 7.69). (Prior to this fix, only a specific list of firmware versions was accepted).
  • Device naming templates may truncate the computer name at 14 characters instead of 15.
  • Assigned Access policies cause a reboot which can interfere with the configuration of single-app kiosk devices.
Download and install the KB4512941 update.

See the section: How to get this update for information on specific release channels you can use to obtain the update.
The following known issues are resolved by installing the July 26, 2019 KB4505903 update (OS Build 18362.267):
  • Windows Autopilot white glove does not work for a non-English OS and you see a red screen that says "Success."
  • Windows Autopilot reports an AUTOPILOTUPDATE error during OOBE after sysprep, reset or other variations. This typically happens if you reset the OS or used a custom sysprepped image.
  • BitLocker encryption is not correctly configured. Ex: BitLocker didn’t get an expected notification after policies were applied to begin encryption.
  • You are unable to install UWP apps from the Microsoft Store, causing failures during Windows Autopilot. If you are deploying Company Portal as a blocking app during Windows Autopilot ESP, you’ve probably seen this error.
  • A user is not granted administrator rights in the Windows Autopilot user-driven Hybrid Azure AD join scenario. This is another non-English OS issue.
Download and install the KB4505903 update.

See the section: How to get this update for information on specific release channels you can use to obtain the update.
Windows Autopilot self-deploying mode fails with an error code:
0x800705B4This is a general error indicating a timeout. A common cause of this error in self-deploying mode is that the device is not TPM 2.0 capable (ex: a virtual machine). Devices that are not TPM 2.0 capable cannot be used with self-deploying mode.
0x801c03eaThis error indicates that TPM attestation failed, causing a failure to join Azure Active Directory with a device token.
0xc1036501The device cannot do an automatic MDM enrollment because there are multiple MDM configurations in Azure AD. See Inside Windows Autopilot self-deploying mode.
White glove gives a red screen and the Microsoft-Windows-User Device Registration/Admin event log displays HResult error code 0x801C03F3This can happen if Azure AD can’t find an AAD device object for the device that you are trying to deploy. This will occur if you manually delete the object. To fix it, remove the device from AAD, Intune, and Autopilot, then re-register it with Autopilot, which will recreate the AAD device object.

To obtain troubleshooting logs use: Mdmdiagnosticstool.exe -area Autopilot;TPM -cab c:\
White glove gives a red screenWhite glove is not supported on a VM.
Error importing Windows Autopilot devices from a .csv fileEnsure that you have not edited the .csv file in Microsoft Excel or an editor other than Notepad. Some of these editors can introduce extra characters causing the file format to be invalid.
Windows Autopilot for existing devices does not follow the Autopilot OOBE experience.Ensure that the JSON profile file is saved in ANSI/ASCII format, not Unicode or UTF-8.
Something went wrong is displayed page during OOBE.The client is likely unable to access all the required AAD/MSA-related URLs. For more information, see Networking requirements.
Using a provisioning package in combination with Windows Autopilot can cause issues, especially if the PPKG contains join, enrollment, or device name information.Using PPKGs in combination with Windows Autopilot is not recommended.

Diagnose MDM failures in Windows 10
Troubleshooting Windows Autopilot