Windows Autopilot Error Code 0x800705b4 Preparing device for mobile management


We are implementing a number of Windows Autopilot via Lenovo Thinkbook 15-ITL. These are being deployed to authorised users whether they are at home connected to their home broadband or in the office connected to the Wide Area Network. Despite lots of testing, we randomly see the error (see attached). If we wipe the device a couple of times, it seems to remedy the issue. I've tried to look online about this but various posts talk about the TPM, which it is not. I've tried to look through the logs from the device - what a minefield of information that means something to someone.

 

Has anyone any ideas?

 

Thanks

Martin 

23 Replies
Just to add, if I look in Endpoint Manager against the device, it has been assigned the same machine name for the associated Intune device and Azure AD device and the enrollment state is Enrolled.

@martin_macf 

 

Hi,

 

This error could mean a Time Out error ... 

 

The error itself is normally due to a tpm error: 

 

Rudy_Ooms_0-1619785020593.png

Are you using Autopilot or Autopilot white glove? If using white glove, make sure you have checked if the TPM also supports attestation: Tpmtool getdeviceinformation

But just like you told us, after a few reinstalls it works... Did you also try to clear the TPM before a reinstall?

 

 

 

We are using Autopilot OOBE. The TPM is an odd thing because we have 100+ Lenovo laptops. Eventually it does go through but if it is connected to our Wide Area Network it tends to fail at this stage and there are no ports being blocked that we can see. When you say clear the TPM before a reinstall what do you mean by that?

Thanks
Martin
Hi,

I will place my money on the timeout problem... for now.
You could open tpm.msc and clear the TPM on the right side... maybe it would trigger something.
But if you are installing the same device multiple times and at the 4th time, it's working... it looks like timeout/firewall settings.

@martin_macf This has been happening to us and I've basically narrowed it down to our task sequence which installs the sccm client during the "existing autopilot devices" flow. When I disable "Setup windows and config manager" step, provisioning doesn't get hung up at "preparing your device for mobile management". When "setup windows and configmgr" is enabled in the task sequence, autopilot invariably gets stuck, even though I have implemented steps later to remove the client. In terms of the removal, I've tried both ccmsetup.exe /uninstall as well as the task sequence step "prepare configmgr client for capture" - neither seems to work. The "ccmsetup.exe /uninstall" was working just fine for us before, and it all of a sudden stopped working, so I can only imagine it's a code-change on the Intune side. 

@derekuoft we do not use SCCM for this setup. Does anyone really understand why it times out? This area of Autopilot does seem to be a bit hit and miss, which, when you are using this solution to roll out laptops to our user community, is not really what I expect. When the laptops have been sent out to the users, it is very difficult to break into the process as an administrator and clear the TPM as @Rudy_Ooms_MVP suggests. The only outcome seems to be to keep trying - wipe and start again and repeat until it completes its process.

@martin_macf 

 

Hi,

You could try to increase the time limit on the enrollment status page... What did you configure as the time limit? Did you configure many apps as required?

 

Rudy_Ooms_0-1620115118209.png

 

 

https://oofhours.com/2019/08/21/why-does-preparing-your-device-for-mobile-management-take-longer-wit...

@Rudy_Ooms_MVP Hi, We have a 2 hour timeout.

martin_macf_0-1620118744890.png

Also we have 1 app to install during the process. All other apps are installed afterwards.

martin_macf_1-1620118814423.png

So really there is no reason for timing out at all. It should be a quick and simple process.

Hi,

"Block device until these required apps are installed" does not mean no other apps will be installed 🙂 ... It only makes sure the forticlient VPN client is installed.
That's right, once the user logs in and authenticates - via the VPN client, it starts installing the other apps. However I think it has already started installing the apps in the background. So the only stipulation we have is that as long as the VPN client is installed - which is needed for users to authenticate against our onpremise domain controller - it should be a really easy autopilot setup.
Hi

yes, that's default behaviour. How many apps are configured as required? As an example the laptop could already be installing the office365 apps before it reaches the forticlient app.
OK we have 13 apps that require installing with one app that actually needs installing before the user logs in. The timeout of 2 hours is very generous. The Autopilot routine seems very hit or miss. Some users are successful, others get stuck. Some laptops for everyone. Incredibly frustrating as a solution.
Hi

Maybe some of these apps have some pre requirements and sometimes they are waiting before another app /requirement is installed? Just some random thought...

@derekuoft I am also experiencing this. I use the SCCM (MECM) "Deploy autopilot to existing devices" template and it seems to be broken (I'm deploying a 20H2 version of the image).  Same results here. When I disable the steps related to Setup windows and config manager, prepare Config Mgr client and prepare windows for Capture it seems to be fine (because the wim never boots into the OS phase and just remains in the WINPE applying wim stage of OSD).
But if you want to keep all the steps from that template, it seems those steps create something on the image that Intune doesn't agree with and then generates the Error Code 0x800705b4 during the Preparing device for mobile management autopilot step.
Maybe the ccm client isn't removed properly, maybe it isn't sysprepped cleanly. But I've tried letting it boot into the OS and then manually running steps to remove the ccm client and then running sysprep /generalize /oobe (various combinations). And yet it still gets the same error in Intune.

Maybe a registry key is flagging something that Intune errors out on?



@i_ARQ Yes this is 100% what I'm seeing. I had a ticket open with Microsoft and they said they would reflect this to the technical team. I tried to make it as clear as possible to my support technician and summarized the problem in one sentence. "Prepare Windows and Configmgr" step in the SCCM task sequence breaks autopilot provisioning, no matter what method is used to remove the client.

 

I've had to move our autopilot for existing devices task sequence to the "faster" V2 method which doesn't install the SCCM client or sysprep the machine, and this involved basically rejigging the entire onboarding infrastructure, which we haven't touched in about two years. Having to cast my mind back and re-implement critical infrastructure from years ago was extremely annoying. I really hope Microsoft will acknowledge that this issue exists and provide some form of response. As it stands, their official docs for existing device flow for autopilot is broken. 

I also run the "faster" v2 method but it doesn't really allow me to customize things on the image because it bypasses installing the ccm client and I can't install other apps I want on the base.

But I think I may have found the registry key that might be causing the issue.
When it was at the autopilot "Preparing device for mobile management autopilot" step, it tends to sit there until the timeout reaches the limit and it gives that error. I opened a command prompt with Shift+F10 to view the registry and check for keys left by the ccm client.
I deleted some keys and forced a restart during autopilot, and when it rebooted it finally got past that step without any errors.
I now added a step in my sccm image to delete the keys at the end of the deployment. Hopefully that resolves the issue when it boots into autopilot.
Will keep you posted.

That sounds great, please keep me posted.

@derekuoft 
When I open a command prompt (SHIFT + F10) during autopilot, I found that deleting the following reg keys seemed to help the device get past that error (needed to initiate a restart after deleting the keys though).

 

HKLM\software\microsoft\DeviceManageabilityCSP

HKLM\software\microsoft\ccmsetup

 

Maybe these leftover SCCM reg keys are being flagged by Autopilot and it generates the error we see?

 

Just wondering what version of OS you are using when you image your devices? I'm using 20H2. I know there were issues with 1903 and 1909 that required you to add extra steps to the task sequence. Might need extra steps to remove these reg keys, but I haven't found a way to do that successfully yet.

Another forum said this script https://github.com/robertomoir/remove-sccm  cleanly removes all traces of the SCCM client, which resets the MDM authority. Maybe Autopilot has issues with the SCCM remnants and still sees it as an MDM authority for that device?
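
An added example, not part of any post in this thread and not Microsoft's or the poster's own script: a PowerShell step that reports whether the two registry keys named in the post above are still present, and deletes them only when asked. The function name `Remove-CcmLeftoverKey` and its `-Remove` switch are hypothetical; that deleting these keys helps is the poster's observation, which this script does not verify.

```powershell
# Added example. Function and parameter names are hypothetical.
# The two key paths are the ones quoted in the thread.
function Remove-CcmLeftoverKey {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [string[]]$KeyPath = @(
            'HKLM:\software\microsoft\DeviceManageabilityCSP',
            'HKLM:\software\microsoft\ccmsetup'
        ),
        # Without -Remove the function only reports what it finds.
        [switch]$Remove
    )

    foreach ($path in $KeyPath) {
        $present    = Test-Path -LiteralPath $path
        $valueNames = @()
        $subKeys    = 0
        $removed    = $false

        if ($present) {
            # Record what the key held before touching it, so the change can be reviewed.
            $key        = Get-Item -LiteralPath $path
            $valueNames = @($key.GetValueNames())
            $subKeys    = $key.SubKeyCount
            $key.Close()

            if ($Remove -and $PSCmdlet.ShouldProcess($path, 'Remove registry key')) {
                Remove-Item -LiteralPath $path -Recurse -Force -ErrorAction Stop
                $removed = -not (Test-Path -LiteralPath $path)
            }
        }

        [pscustomobject]@{
            Path       = $path
            Present    = $present
            ValueNames = $valueNames -join ', '
            SubKeys    = $subKeys
            Removed    = $removed
        }
    }
}

# Report only (safe to run from the Shift+F10 prompt):
Remove-CcmLeftoverKey | Format-List

# Delete without prompting, e.g. as a final task sequence step.
# The thread reports a restart was needed after deleting the keys.
# Remove-CcmLeftoverKey -Remove -Confirm:$false | Format-List
```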



@martin_macf 

Recently we're also experiencing this same intermittent error during our User-driven Autopilot profile on 20H2 HP laptops as well. Our scenario is we're early on in a migration from legacy AD-joined and MEMCM managed to Intune co-management with MEMCM. We wipe/reset the devices (either via Company portal or through Windows) to put the device into OOBE and into Autopilot. There isn't any CM Client stuff on there after this wipe or reset.

 

Get-AutopilotDiagnostics for these devices for which this error occurs seems to indicate the Autopilot issue happens very early in the 'Device Preparation' portion. Last event is "Download started" for Sidecar and is only the 4th event in the timeline.

 

Have looked at BIOS/UEFI time, and any profile and app changes we've made recently, also have tried clearing the TPM as part of our wipe (also tried during OOBE), and hasn't consistently helped. Again it's intermittent and some users might get this error, wipe/reset, then go through successfully on the same device.

 

I would agree with @Rudy_Ooms_MVP that it is a web filtering/firewall issue, that there are certain Intune services the device can only partially connect to? But having difficulty determining what they are specifically. Have gone through the required Intune URLs and all are open, including those for the TPM (infineon, etc).