Forum Discussion
Cannot Reseal Windows 11 device while pre-provisioning
Yeahh, Thx Rudy_Ooms_MVP, I'm gonna change the security baselines and try to pre-provision a device to see what happens. The SBs are targeting a device group, so that could be the issue here too. Not sure if I can manage to test today, but I'll let you know.
- BH, Aug 17, 2022, Brass Contributor
Another update. Microsoft got back to me and are archiving my support ticket. This issue is under "High Level" investigation by MS engineers and as soon as a solution is available, I will be notified. In the meanwhile there are no further troubleshooting options available, and either I Autopilot enroll Windows 11 devices without pre-provisioning or go back to Windows 10. My query as to why this is not noted as an "outage" on the admin portal was not answered.
- BH, Aug 15, 2022, Brass Contributor
Update on this saga. I successfully resealed a couple of Windows 11 devices, but now the issue has returned. Same thing: the device reboots and does not return to the reseal screen. Very weird.
Microsoft have notified me that they are still reviewing the diag logs I sent them.
What I don't understand is how come Microsoft have not announced a "Health notification - under investigation" on this issue as they usually do in their service alerts. Are we in this forum the only few actually pre-provisioning Windows 11?
- Aug 15, 2022
Wooop Wooop 🙂
- BH, Aug 15, 2022, Brass Contributor
Before you install the image, you will need to mount your image file with DISM and then load the registry hive and take ownership of the permissions. Rudy has a very good step-by-step explanation in his blog: https://call4cloud.nl/2022/04/dont-be-a-menace-to-autopilot-while-configuring-your-wufb-in-the-hood/
- Petteri Laine, Aug 15, 2022, Copper Contributor
Hi,
We are facing the same problems.
How can you remove that regkey from the client machine?
When I'm opening regedit on the client machine (before going to pre-provisioning) I cannot remove or edit anything under HKLM\Software\Microsoft\Provisioning\SyncML\RebootRequiredURIs
- Thilo Langbein, Aug 15, 2022, Iron Contributor
Today I saw a BitLocker recovery on a Surface Laptop 4 (AMD). There was an event ID 4122: "The following DMA capable devices are not declared as protected from external access, which can block features such as BitLocker automatic drive encryption:..."
And only the Surfaces 4 (AMD) had the Pre Prov issues.
- BH, Aug 15, 2022, Brass Contributor
Rudy_Ooms_MVP I tested by removing the regkey ./Device/Vendor/MSFT/Policy/Config/DmaGuard/DeviceEnumerationPolicy and have successfully arrived at the reseal screen. Obviously this is not a full-time solution, but an easy workaround. I have updated my Microsoft Case # with this information. Thank you for your blog on that.
- Aug 14, 2022
Nope we don't, but it helps to give them as much information as possible…
- Thilo Langbein, Aug 14, 2022, Iron Contributor
Msft has to solve the issue. Not we as customers. 🫤
- Aug 14, 2022
Hehe I am not saying "all users", just a test group with your test user in it :)… if you know what is causing it, the information you could share with MS is better
- BH, Aug 14, 2022, Brass Contributor
I have not tried that as this is testing on a production environment. Changing WUfB to "all Users" is probably not a good idea. I will test it on my test lab when I have a chance. I was hoping that Microsoft would provide a "fix" before I got to that.
- Aug 14, 2022
And when assigning that config to users instead of devices?
- BH, Aug 14, 2022, Brass Contributor
Having the same issue with Windows 11 (currently using the latest Windows 11 release 21h2.9). Windows 10 on the same device gets to the reseal screen. I have tried all options mentioned except for the key delete: ./Device/Vendor/MSFT/Policy/Config/DmaGuard/DeviceEnumerationPolicy. I will test that shortly. I do have an open ticket with MS Support, still waiting on them to offer some suggestion. Really don't want to have to go back to deploying Windows 10.
- Aug 12, 2022
Most of the time you could resolve this issue by changing the assignment to users instead of devices, just the same as with WUfB targeted at devices... it caused a reboot back in the Win 11 days that would give you a nice login screen with no ability to log in ;)...
The same goes for device config profiles that could trigger such weird behavior...
- RonaldBe21, Aug 12, 2022, Copper Contributor
The cause of this issue is not very clear to me. At one customer I had this issue and changed all the assignments (including security baselines and update ring policy) from "all devices" to a device group instead. But this didn't work when I tested at another customer.
One test I did there was to remove all the configuration profiles and security baselines, including the update ring policy. So nothing was applied to the device, but still I did not get the reseal button.
On other forums I also see that people are having different results. Maybe this could be when testing with different update levels of Windows, I am not sure.
So the only thing I can be sure of is that Microsoft told me it is a known bug and they are working on it. I cannot get with 100% certainty a configuration which will always work. Microsoft also told me that they cannot provide me with a workaround, because they just don't have one.
They also told me that removing the mentioned registry key(s) also does not (always) work as expected, so that is also not a good workaround.
I guess we can only wait to make sure that the issue is resolved by Microsoft. I would not advise using pre-provisioning with Windows 11 for now, because I cannot find a working (workaround) solution which I am sure will keep working, without having to worry that it stops working under different conditions.
I also tested with a colleague and we did have good results with the latest Insider build of Windows 11. Not something to use in a production environment for our customers, but at least we have good faith that Microsoft will be able to help us soon.
As mentioned before, as soon as I get a confirmed ETA for the fix from Microsoft, I will let you all know.
- jebuz, Aug 11, 2022, Copper Contributor
For me it is a security baseline conflict with Autopilot pre-provisioning, DMA Guard specifically.
- Thilo Langbein, Aug 11, 2022, Iron Contributor
We're affected too.
Is it really a general bug in Win 11? Or does it have to do with config policies/baselines?
- jebuz, Aug 11, 2022, Copper Contributor
Thanks for the info Ronald, hoping Microsoft will provide an ETA for releasing the fix asap.
- RonaldBe21, Aug 10, 2022, Copper Contributor
The bug is related to Windows 11 and pre-provisioning and that the reseal button will not appear.
- Aug 10, 2022
Hi,
Could you share the information about which bug exactly? To be sure we are talking about the same issue 🙂
- RonaldBe21, Aug 10, 2022, Copper Contributor
Hello all,
Last week I opened a Premier case at Microsoft. The engineer who is helping me could directly tell me that this is a known bug in Windows 11. He is also aware of a possible fix in the latest Windows 11 Insider build and is trying to get a possible ETA for the fix so we will know when the issue is going to be resolved. As soon as I have a confirmation about the ETA, I will post it here.
- Aug 08, 2022
"They" are aware as those keys are defined in the reboot required section :).
Using security baselines is great, but in my humble opinion split them up with your own policies… so you know what you are configuring on those devices…
Enabling virtualization-based security with the sec baselines is almost 99% an issue with prepro..
But it also depends on the Windows build, as the WUfB managebuild I mentioned was fixed and with Win11 it was introduced again 🙂
- jebuz, Aug 08, 2022, Copper Contributor
Did some testing on the following OS versions:
Windows 11 (build: 10.0.22000.795)
Windows 11 (build: 10.0.22000.832)
All the devices (2 different types from HP, 7 in total) went to the pre-provisioning phase successfully when I deleted the ./Device/Vendor/MSFT/Policy/Config/DmaGuard/DeviceEnumerationPolicy key.
I don't have to delete the ManagedPreviewBuild key...
On 1 device I installed the Windows 11 Insider Preview Build 22621; that one didn't come through the pre-provisioning phase, it failed on another part, didn't get time to troubleshoot this.
So, it looks like I have a workaround to delete the "DeviceEnumerationPolicy" regkey before pre-provisioning, and I could remove it from the WIM file before I roll out the OS via MDT.
But I'm wondering if Microsoft is already aware of the conflicts between the RebootRequired regkeys and using Security Baselines with Pre-Provisioning.
- Aug 06, 2022
As the /DeviceEnumerationPolicy is one of the rebootrequired URIs, that's the one that will trigger the reboot.. that's for sure.. so what happens when you "remove" that one from the HKLM:\SOFTWARE\Microsoft\Provisioning\SyncML\RebootRequiredURIs\
- jebuz, Aug 03, 2022, Copper Contributor
We are experiencing the same issue as described above.
The configuration that is giving errors is as follows:
Windows 11 (build: 10.0.22000.795)
Autopilot pre-provisioning
When we apply the security baseline, we are getting the exact same reboot issue. The device is Intune managed and AAD joined after the reboot, only it is just showing the local login screen. A second reboot after the device gets the unexpected reboot never works.
In the IME log we first see the reboot trigger caused by CloudExperienceHostBroker.exe:
[datasensor] skipping boot event before first enrollment, bootid = 3-8-2022 08:44:00, CoreBootTimeInMilliseconds = 9290, GPTimeInMilliseconds = 0, TotalBootTimeInMilliseconds = 9290, UpdateTimeInMilliseconds = 0, EventDataXml = <BootReason><EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event" SystemPowerOffTime="2022-08-03T08:43:42.3470465Z"> <Data Name="param1">C:\Windows\System32\CloudExperienceHostBroker.exe (PP5CD20337HS)</Data> <Data Name="param2">PP5CD20337HS</Data> <Data Name="param3">Besturingssysteem: nieuwe configuratie (niet gepland)</Data> <Data Name="param4">0x20004</Data> <Data Name="param5">opnieuw opstarten</Data> <Data Name="param6"></Data> <Data Name="param7">NT AUTHORITY\SYSTEM</Data> </EventData> <CustomData> <FullPath>C:\Windows\System32\CloudExperienceHostBroker.exe</FullPath> </CustomData></BootReason>, BootReason = 1074, BootDiskMediaType = 4
In the shell-core-operational event log I subsequently see the reboot required from DeviceSetup.RebootCoalescing:
CloudExperienceHost Web App Event 2. Name: ‘CommercialOOBE_BootstrapStatusCategory_RebootCoalescing_Initiated’, Value: ‘{"message":"BootstrapStatus: Non-parallelizable batch of 1 subcategories requires a reboot.","errorCode":0}’.
And last but not least, in the DeviceManagement-Enterprise-Diagnostics event log we are seeing that the DmaGuard URI is the cause of the reboot that has been triggered:
The following URI has triggered a reboot: (./Device/Vendor/MSFT/Policy/Config/DmaGuard/DeviceEnumerationPolicy).
Also, the deletion of the HKLM:\SOFTWARE\Microsoft\Provisioning\SyncML\RebootRequiredURIs\ManagePreviewBuild regkey doesn't always work (sometimes it does).
Next thing I'm going to try is whether it all works with the Windows 11 Insider Preview build, just like Rudy_Ooms_MVP is mentioning in his blog.
Anyone know if there is already any news from Microsoft about this particular problem?
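The check behind the Aug 08 workaround and the Aug 03 log hunt, as an added PowerShell example that is not code from this thread, the linked blog or Microsoft: it lists which RebootRequiredURIs entries match the DmaGuard node, shows the diagnostics events that name the URI that fired the reboot, and only removes the entry when asked. The parameter names, the recursive name/value matching and the -HiveRoot convention for an offline hive are my assumptions; the event log name is the standard DeviceManagement diagnostics log.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell session.
# For a mounted WIM, load the offline hive first and point -HiveRoot at it:
#   reg load HKLM\OfflineSW <mount>\Windows\System32\config\SOFTWARE
param(
    [string]$HiveRoot = 'HKLM:\SOFTWARE',            # or 'HKLM:\OfflineSW' (assumed name)
    [string]$UriLeaf  = 'DeviceEnumerationPolicy',   # last node of the DmaGuard URI from the thread
    [switch]$Remove
)

$base = Join-Path $HiveRoot 'Microsoft\Provisioning\SyncML\RebootRequiredURIs'
if (-not (Test-Path $base)) { Write-Warning "Key not found: $base"; return }

# Match on the subkey name or on any value name/data, so the check does not
# depend on how the entry is laid out beneath RebootRequiredURIs (assumption).
$hits = foreach ($k in Get-ChildItem -Path $base -Recurse) {
    $vals = foreach ($n in $k.GetValueNames()) { "$n=$($k.GetValue($n))" }
    if ($k.PSChildName -like "*$UriLeaf*" -or (($vals -join ';') -like "*$UriLeaf*")) {
        [pscustomobject]@{ Key = $k.Name; Values = ($vals -join '; ') }
    }
}
Write-Host "Reboot-required entries matching '$UriLeaf' under $base :"
$hits | Format-Table -AutoSize

if ($HiveRoot -eq 'HKLM:\SOFTWARE') {
    # Same log the Aug 03 post quotes ("The following URI has triggered a reboot: ...").
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Get-WinEvent -LogName $log -MaxEvents 5000 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*has triggered a reboot*' } |
        Select-Object TimeCreated, Id, Message -First 5 | Format-List
}

if ($Remove -and $hits) {
    foreach ($h in $hits) {
        $path = 'Registry::' + $h.Key
        if (-not (Test-Path $path)) { continue }    # already gone with a parent key
        # Keys under Provisioning\SyncML are normally writable only by SYSTEM/
        # TrustedInstaller; "access denied" here means ownership of the key has
        # to be taken first, as the Aug 15 post and the linked blog describe.
        Remove-Item -Path $path -Recurse -Force -Verbose
    }
}
```

Run it without -Remove first; the thread itself reports that deleting the entry does not work in every case, so the listing and the event log are the part to keep in a support ticket.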