Windows Autopilot - Policy Conflicts

Applies to

  • Windows 10

There are a significant number of policy settings available for Windows 10, including:

  • Native MDM policies
  • Group policy (ADMX-backed) settings

Some policy settings can cause issues in some Windows Autopilot scenarios. These issues can arise because of how the policies change Windows 10 behavior. If you find any of these issues, remove the policy in question to resolve the issue.

Policy: Device restriction / Password Policy
More information: The out-of-box experience (OOBE) or user desktop autologon can fail when a device reboots during the device Enrollment Status Page (ESP). This failure can occur when certain DeviceLock policies are applied to a device. Such policies can include:
  • Minimum password length and password complexity
  • Any similar group policy settings (including any that disable autologon)
This failure is especially likely in kiosk scenarios where passwords are automatically generated.

Policy: Windows 10 Security Baseline / Administrator elevation prompt behavior
Policy: Windows 10 Security Baseline / Require admin approval mode for administrators
More information: More prompts may appear when modifying user account control (UAC) settings during the OOBE using the device Enrollment Status Page (ESP). Increased prompts are more likely if the device reboots after policies are applied. To work around this issue, the policies can be targeted to users instead of devices so that they apply later in the process.

Policy: Device restrictions / Cloud and Storage / Microsoft Account sign-in assistant
More information: Setting this policy to "disabled" will disable the Microsoft Sign-in Assistant service (wlidsvc). This service is required by Windows Autopilot to obtain the Windows Autopilot profile.

Policy: Registry keys that affect Windows Autopilot for pre-provisioned deployment
More information:
Registry path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Registry key:
Automatic logon
If the AutoAdminLogon registry key is set to 0 (disabled), this breaks Windows Autopilot pre-provisioning.

Policy: Group Policy Objects (GPOs) that affect Windows Autopilot for pre-provisioned deployment
More information:
GPO path:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Policies:
  • Interactive logon: Message title for users attempting to log on
  • Interactive logon: Message text for users attempting to log on
  • Interactive logon: Require Windows Hello for Business or smart card
  • User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode - Prompt for credentials on the secure desktop
Windows Autopilot pre-provisioning does not work when any of the four GPO policy settings listed here is enabled.
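
A read-only check for the device-side settings listed in the table above, as an added example that is not part of the original page or of Microsoft's tooling. It assumes the four Security Options settings are backed by the LegalNoticeCaption, LegalNoticeText, scforceoption and ConsentPromptBehaviorAdmin values under Policies\System; the page itself does not name those values.

```powershell
# Added example: read-only audit for settings this page lists as breaking
# Windows Autopilot pre-provisioning. Run in an elevated PowerShell session.
# Assumption (not stated on the page): the four Security Options GPOs are
# backed by the registry values read from $polSystem below.
$winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$polSystem = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$findings = @()

# AutoAdminLogon is normally stored as a string; 0 means autologon is disabled.
if ((Get-RegValue $winlogon 'AutoAdminLogon') -eq '0') {
    $findings += 'AutoAdminLogon is 0 (disabled)'
}

# Interactive logon message title/text: a non-empty value means the policy is set.
foreach ($name in 'LegalNoticeCaption', 'LegalNoticeText') {
    $value = Get-RegValue $polSystem $name
    if (-not [string]::IsNullOrWhiteSpace([string]$value)) {
        $findings += "$name is set (interactive logon message)"
    }
}

# Interactive logon: Require Windows Hello for Business or smart card.
if ((Get-RegValue $polSystem 'scforceoption') -eq 1) {
    $findings += 'scforceoption is 1 (Windows Hello for Business or smart card required)'
}

# UAC elevation prompt for administrators: 1 = prompt for credentials on the secure desktop.
if ((Get-RegValue $polSystem 'ConsentPromptBehaviorAdmin') -eq 1) {
    $findings += 'ConsentPromptBehaviorAdmin is 1 (credentials on the secure desktop)'
}

# Microsoft Sign-in Assistant service, required to obtain the Autopilot profile.
$svc = Get-Service -Name wlidsvc -ErrorAction SilentlyContinue
if ($null -eq $svc -or $svc.StartType -eq 'Disabled') {
    $findings += 'wlidsvc is missing or disabled'
}

if ($findings.Count -eq 0) { 'No conflicting settings from the checked list were found.' }
else { $findings | ForEach-Object { "CONFLICT: $_" } }
```

The script only reads local state, so it reports what is currently applied on the device, not which MDM profile or GPO delivered it.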
