Troubleshooting Windows Autopilot

Applies to: Windows 10

Windows Autopilot is designed to simplify all parts of the Windows device lifecycle, but there are always situations where issues may arise. Review the following information to assist with troubleshooting efforts.

Troubleshooting process

Whether you are performing user-driven or self-deploying device deployments, the troubleshooting process is about the same. It's always useful to understand the flow for a specific device:

  • A network connection is established. The connection can be a wireless (Wi-fi) or wired (Ethernet) connection.
  • The Windows Autopilot profile is downloaded. When using a wired connection, or manually establishing a wireless connection, the Windows Autopilot profile is downloaded from the Autopilot deployment service as soon as the network connection is in place.
  • User authentication occurs. When performing a user-driven deployment, the user will enter their Azure Active Directory credentials, which will be validated.
  • Azure Active Directory join occurs. For user-driven deployments, the device will be joined to Azure AD using the specified user credentials. For self-deploying scenarios, the device will be joined without specifying any user credentials.
  • Automatic MDM enrollment occurs. As part of the Azure AD join process, the device will enroll in the MDM service configured in Azure AD (for example, Microsoft Intune).
  • Settings are applied. If the enrollment status page is configured, most settings will be applied while the enrollment status page is displayed. If not configured or available, settings will be applied after the user is signed in.

For troubleshooting, key activities to perform are:

  • Configuration: Has Azure Active Directory and Microsoft Intune (or an equivalent MDM service) been configured as specified in Windows Autopilot configuration requirements?
  • Network connectivity: Can the device access the services described in Windows Autopilot networking requirements?
  • Autopilot out-of-box (OOBE) behavior: Were only the expected out-of-box experience screens displayed? Was the Azure AD credentials page customized with organization-specific details as expected?
  • Azure AD join issues: Was the device able to join Azure Active Directory?
  • MDM enrollment issues: Was the device able to enroll in Microsoft Intune (or an equivalent MDM service)?

Troubleshooting Autopilot Device Import

Clicking Import after selecting CSV does nothing, '400' error appears in network trace with error body "Cannot convert the literal '[DEVICEHASH]' to the expected type 'Edm.Binary'"

This error points to the device hash being incorrectly formatted. This error can be caused by anything that corrupts the collected hash, but one possibility is that the hash itself (even if it's completely valid) fails to be decoded.

The device hash is Base64. At the device level, it's encoded as unpadded Base64, but Autopilot expects padded Base64. In most cases, the payload does not require padding and the process works. However, sometimes the payload doesn't line up cleanly and padding is necessary. This is when you get the error displayed above. PowerShell's Base64 decoder also expects padded Base64, so we can use this decoder to validate that the hash is properly padded.

The "A" characters at the end of the hash are effectively empty data - Each character in Base64 is 6 bits, A in Base64 is 6 bits equal to 0. Deleting or adding A's at the end doesn't change the actual payload data.

To fix this, we'll need to modify the hash, then test the new value, until PowerShell succeeds in decoding the hash. The result is mostly illegible, this is fine - we're just looking for it to not throw the error "Invalid length for a Base-64 char array or string".

To test the base64, you can use the following:

[System.Text.Encoding]::ascii.getstring( [System.Convert]::FromBase64String("DEVICE HASH"))

So, as an example (this is not a device hash, but it's misaligned unpadded Base64 so it's good for testing):

[System.Text.Encoding]::ascii.getstring( [System.Convert]::FromBase64String("Q29udG9zbwAAA"))

Now for the padding rules. The padding character is "=". The padding character can only be at the end of the hash, and there can only be a maximum of 2 padding characters. Here's the basic logic.

  • Does decoding the hash fail?
    • Yes: Are the last two characters "="?
      • Yes: Replace both "=" with a single "A" character, then try again
      • No: Add another "=" character at the end, then try again
    • No: That hash is valid

Looping the logic above on the previous example hash, we get the following permutations:

  • Q29udG9zbwAAA
  • Q29udG9zbwAAA=
  • Q29udG9zbwAAA==
  • Q29udG9zbwAAAA
  • Q29udG9zbwAAAA=
  • Q29udG9zbwAAAA== (This one has valid padding)

Replace the collected hash with this new padded hash then try to import again.

Troubleshooting Autopilot OOBE issues

If the expected Autopilot behavior does not occur during the OOBE, it's useful to see whether the device received an Autopilot profile and what settings that profile contained. Depending on the Windows 10 release, there are different mechanisms available to do that.

Windows 10 version 1803 and above

To see details related to the Autopilot profile settings and OOBE flow, Windows 10 version 1803 and above adds event log entries. These can be viewed using Event Viewer. Review the information at Application and Services Logs –> Microsoft –> Windows –> Provisioning-Diagnostics-Provider –> Autopilot for versions before 1903. For version 1903 and later, see Application and Services Logs –> Microsoft –> Windows –> ModernDeployment-Diagnostics-Provider –> Autopilot. The following events may be recorded, depending on the scenario and profile configuration:

Event ID Type Description
100 Warning “Autopilot policy [name] not found.” This error is typically a temporary problem, while the device is waiting for an Autopilot profile to be downloaded.
101 Info “AutopilotGetPolicyDwordByName succeeded: policy name = [setting name]; policy value = [value].” This message shows Autopilot retrieving and processing numeric OOBE settings.
103 Info “AutopilotGetPolicyStringByName succeeded: policy name = [name]; value = [value].” This message shows Autopilot retrieving and processing OOBE setting strings such as the Azure AD tenant name.
109 Info “AutopilotGetOobeSettingsOverride succeeded: OOBE setting [setting name]; state = [state].” This message shows Autopilot retrieving and processing state-related OOBE settings.
111 Info “AutopilotRetrieveSettings succeeded.” This message means that the settings stored in the Autopilot profile that control the OOBE behavior have been retrieved successfully.
153 Info “AutopilotManager reported the state changed from [original state] to [new state].” Typically this message should say “ProfileState_Unknown” to “ProfileState_Available” to show that a profile was available for the device and downloaded, so the device is ready to be deployed using Autopilot.
160 Info “AutopilotRetrieveSettings beginning acquisition.” This message shows that Autopilot is getting ready to download the needed Autopilot profile settings.
161 Info “AutopilotManager retrieve settings succeeded.” The Autopilot profile was successfully downloaded.
163 Info “AutopilotManager determined download is not required and the device is already provisioned. Clean or reset the device to change this.” This message indicates that an Autopilot profile is resident on the device; it typically would only be removed by the Sysprep /Generalize process.
164 Info “AutopilotManager determined Internet is available to attempt policy download.”
171 Error “AutopilotManager failed to set TPM identity confirmed. HRESULT=[error code].” This indicates an issue performing TPM attestation, needed to complete the self-deploying mode process.
172 Error “AutopilotManager failed to set Autopilot profile as available. HRESULT=[error code].” This error is typically related to event ID 171.

In addition to the event log entries, the registry and ETW trace options described below also work with Windows 10 version 1803 and above.

Windows 10 version 1709 and above

On Windows 10 version 1709 and above, information about the Autopilot profile settings are stored in the registry on the device after they are received from the Autopilot deployment service. These can be found at HKLM\SOFTWARE\Microsoft\Provisioning\Diagnostics\Autopilot. Available registry entries include:

Value Description
AadTenantId The GUID of the Azure AD tenant the user signed into. This should match the tenant that the device was registered with; if it does not match the user will receive an error.
CloudAssignedTenantDomain The Azure AD tenant the device has been registered with, for example, “” If the device is not registered with Autopilot, this value will be blank.
CloudAssignedTenantId The GUID of the Azure AD tenant the device has been registered with (the GUID corresponds to the tenant domain from the CloudAssignedTenantDomain registry value). If the device isn’t registered with Autopilot, this value will be blank.
IsAutopilotDisabled If set to 1, this indicates that the device is not registered with Autopilot. This could also indicate that the Autopilot profile could not be downloaded because of network connectivity or firewall issues, or network timeouts.
TenantMatched This will be set to 1 if the tenant ID of the user matches the tenant ID that the device was registered with. If this is 0, the user would be shown an error and forced to start over.
CloudAssignedOobeConfig This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16

Windows 10 semi-annual channel supported versions

On devices running a supported version of Windows 10 semi-annual channel, ETW tracing can be used to capture detailed information from Autopilot and related components. The resulting ETW trace files can then be viewed using the Windows Performance Analyzer or similar tools. See the advanced troubleshooting blog for more information.

Troubleshooting Azure AD Join issues

The most common issue joining a device to Azure AD is related to Azure AD permissions. Ensure the correct configuration is in place to allow users to join devices to Azure AD. Errors can also happen if the user has exceeded the number of devices that they are allowed to join, as configured in Azure AD.

An Azure AD device is created upon import - it's important that this object is not deleted. It acts as Autopilot's anchor in AAD for group membership and targeting (including the profile) and can lead to join errors if it's deleted. Once this object has been deleted, to fix the issue, deleting and reimporting this autopilot hash will be necessary so it can recreate the associated object.

Error code 801C0003 will typically be reported on an error page titled "Something went wrong". This error means that the Azure AD join failed.

Troubleshooting Intune enrollment issues

See this knowledge base article for assistance with Intune enrollment issues. Common issues include incorrect or missing licenses assigned to the user or too many devices enrolled for the user.

Error code 80180018 will typically be reported on an error page titled "Something went wrong". This error means that the MDM enrollment failed.

If Autopilot Reset fails immediately with an error Ran into trouble. Please sign in with an administrator account to see why and reset manually, see Troubleshoot Autopilot Reset for more help.

Profile download

When an Internet-connected Windows 10 device boots up, it will attempt to connect to the Autopilot service and download an Autopilot profile. Note: It's important that a profile exists at this stage so that a blank profile is not cached locally on the PC. To remove the currently cached local profile in Windows 10 version 1803 and earlier, it's necessary to re-generalize the OS using sysprep /generalize /oobe, reinstall the OS, or re-image the PC. In Windows 10 version 1809 and later, you can retrieve a new profile by rebooting the PC.

When a profile is downloaded depends upon the version of Windows 10 that is running on the PC. See the following table.

Windows 10 version Profile download behavior
1709 The profile is downloaded after the OOBE network connection page. This page is not displayed when using a wired connection. In this case, the profile is downloaded just prior to the EULA screen.
1803 The profile is downloaded as soon as possible. If wired, it's downloaded at the start of OOBE. If wireless, it is downloaded after the network connection page.
1809 The profile is downloaded as soon as possible (same as 1803), and again after each reboot.

If you need to reboot a computer during OOBE:

  • Press Shift-F10 to open a command prompt.
  • Enter shutdown /r /t 0 to restart immediately, or shutdown /s /t 0 to shutdown immediately.

For more information, see Windows Setup Command-Line Options.

Windows Autopilot - known issues
Diagnose MDM failures in Windows 10