Forum Discussion
Cannot Reseal Windows 11 device while pre-provisioning
Rudy_Ooms_MVP , Bruce S So now I have 2 devices to test with. 1 device that is just not able to download a profile what so ever (Windows 11) and another device, that will download a profile but the reseal option is not shown. That is how this threat started. Here's one final update:
The device that could not reseal:
First I tried to set the DMA and credential guard settings in the MDE security baseline to Not Configured on at a time and re-enrolled using pre-provisioning. That did not work. the Reseal option was still not showing. I ended up at the login screen like before. Strange enough though, when I reset the device from Intune, it would end up in the user flow like it would, after resealing.
I ended up with removing every policy assignment I had except for the update rings targeting users and still no reseal option.
Then I deleted the following registry key:
HKLM:\SOFTWARE\Microsoft\Provisioning\SyncML\RebootRequiredURIs\ManagePreviewBuild
started pre-provisioning again, and yes! A nice reseal button!
I'm somewhat disappointed that pre-provisioning is not working out of the box with Windows 11 and hope this will be fixed sometime soon.
Then for the device that can't find/load a profile:
Rudy_Ooms_MVP I did a fiddler trace and that one gave me a nice 807 - ZtdDeviceIsNotRegistered
The error description: The device being deleted or configured does not exist in the service.
Michael Niehaus has a nice https://oofhours.com/2019/07/07/what-happens-when-you-register-a-device-with-windows-autopilot/ explaining what might be the cause: This would typically only happen if Intune and the Windows Autopilot deployment service are out of sync (e.g. you removed a device from Microsoft Store for Business, and then tried to remove it via Intune before Intune had noticed it disappeared).
Off-course I checked the store, made sure all is in-sync, waited a long long time, deleted every trace I could find for this device, re-installed windows 10, and still no luck here. It really seems like this device is no longer able to pre-provision.
So I'm trying to enroll the device without pre-provisioning and then I see a nice "How would you like to set up?" question.. LoL Rudy_Ooms_MVP I ended up at https://call4cloud.nl/2022/05/the-41-year-old-hardware-hash-who-knocked-up-autopilot-and-felt-superbad-about-it/ again.
Up until now, I uploaded the hash using PowerShell -online from the OOBE. so I decided to give it one last try and upload the CSV manually. Still no luck... I did manage to collect the logs from the device again and will try to dive in again, but for today, I'm feeling beet-up by Autopilot 😄
thats some nice troubleshooting… glad to hear you have 1 working device even when its not working out of the box :)….
wondering if its possible for you to run these scripts on that device rhat refuses to download the profile?. Nice error btw you seen woth fiddler
Rudy_Ooms_MVP Here's a quick update on the device that does not download the AP profile:
- I deleted the AP device from tenant A (where it will not download AP profile)
- I did NOT reset the device
- I imported the same device in tenant B
- assigned a new AP profile to the device in tenant B
- checked Azure AD device record in in tenant B
- tried enrolling the device in tenant B and what do you think? It works!
The device enrolled in tenant B without any issues and is able to download the assigned AP profile. For now, it looks like it's an issue with a single device in one tenant. When enrolling with another tenant, everything works just fine and the device can download the AP profile.Still working with MS on this one so I'll give an update when there's something to share.- I am hoping the same thing.... and especially what could be causing this...
- opened a case with Microsoft. Hope to hear something and if I do, I'll give another update 😉
Thx for diving in Rudy_Ooms_MVP, Much appreciated! I'll send you a DM with the info 😉