Apr 30 2021 03:30 AM
We are implementing a number of Windows Autopilot via Lenovo Thinkbook 15-ITL. These are being deployed to authorised users whether they are at home connected to their home broadband or in the office connected to the Wide Area Network. Despite lots of testing, we randomly see the error (see attached). If we wipe the device a couple of times, it seems to remedy the issue. I've tried to look online about this, but various posts talk about the TPM, which it is not. I've tried to look through the logs from the device - what a minefield of information that means something to someone.
Has anyone any ideas?
Apr 30 2021 05:20 AM - edited Apr 30 2021 05:23 AM
This error could mean a Time Out error ...
The error itself is normally due to a TPM error:
Are you using Autopilot or Autopilot white glove? If using white glove, make sure you have checked whether the TPM also supports attestation: tpmtool getdeviceinformation
But just like you told us, after a few reinstalls it works... Did you also try to clear the TPM before a reinstall?
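Added example, not part of the thread: a PowerShell sketch of the attestation check suggested in the reply above, which parses the output of tpmtool getdeviceinformation and lists the fields that would block attestation. The function names are hypothetical, the field names are assumed from the tool's "-Name: Value" output format, and the sample output is constructed.

```powershell
# Added example: field names follow the "-Name: Value" lines printed by tpmtool
# (assumed here; confirm against your Windows build).
function ConvertFrom-TpmToolOutput {
    param([string[]]$Lines)
    $info = [ordered]@{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*-(?<name>[^:]+):\s*(?<value>.*)$') {
            $info[$Matches['name'].Trim()] = $Matches['value'].Trim()
        }
    }
    $info
}

function Test-TpmAttestationReady {
    param([System.Collections.IDictionary]$Info)
    $mustBeTrue = 'TPM Present', 'Is Initialized', 'Ready For Attestation', 'Is Capable For Attestation'
    $problems = @(
        foreach ($name in $mustBeTrue) {
            if (-not $Info.Contains($name)) { "${name}: not reported" }
            elseif ($Info[$name] -ne 'True') { "${name}: $($Info[$name])" }
        }
        # Pre-provisioning (white glove) needs a TPM 2.0 device.
        if ("$($Info['TPM Version'])" -notlike '2.*') { "TPM Version: $($Info['TPM Version'])" }
        if ($Info['Is Locked Out'] -eq 'True') { 'Is Locked Out: True' }
    )
    [pscustomobject]@{ Ready = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample output (not captured from a real device).
$sample = @'
-TPM Present: True
-TPM Version: 2.0
-Is Initialized: True
-Ready For Storage: True
-Ready For Attestation: False
-Is Capable For Attestation: True
-Is Locked Out: False
'@ -split "`r?`n"

# Use the real tool when it exists (e.g. from the Shift+F10 prompt), else the sample.
$lines = if (Get-Command tpmtool.exe -ErrorAction SilentlyContinue) {
    tpmtool.exe getdeviceinformation
} else { $sample }

$result = Test-TpmAttestationReady -Info (ConvertFrom-TpmToolOutput -Lines $lines)
"Attestation ready: $($result.Ready)"
$result.Problems | ForEach-Object { "  $_" }
```

With the constructed sample, the only reported problem is the "Ready For Attestation" field, which is the state to rule out before blaming the enrollment status page timeout.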
May 03 2021 11:59 AM
@martin_macf This has been happening to us and I've basically narrowed it down to our task sequence which installs the sccm client during the "existing autopilot devices" flow. When I disable "Setup windows and config manager" step, provisioning doesn't get hung up at "preparing your device for mobile management". When "setup windows and configmgr" is enabled in the task sequence, autopilot invariably gets stuck, even though I have implemented steps later to remove the client. In terms of the removal, I've tried both ccmsetup.exe /uninstall as well as the task sequence step "prepare configmgr client for capture" - neither seems to work. The "ccmsetup.exe /uninstall" was working just fine for us before, and it all of a sudden stopped working, so I can only imagine it's a code-change on the Intune side.
May 04 2021 12:59 AM - edited May 04 2021 01:02 AM
You could try to increase the time limit on the enrollment status page... What did you configure as the time limit? Did you configure many apps as required?
May 04 2021 02:00 AM
@Rudy_Ooms Hi, we have a 2 hour timeout.
Also we have 1 app to install during the process. All other apps are installed afterwards.
So really there is no reason for timing out at all. It should be a quick and simple process.
May 14 2021 10:04 AM
@derekuoft I am also experiencing this. I use the SCCM (MECM) "Deploy autopilot to existing devices" template and it seems to be broken (I'm deploying a 20H2 version of the image). Same results here. When I disable the steps related to Setup windows and config manager, prepare Config Mgr client and prepare windows for Capture it seems to be fine (because the wim never boots into the OS phase and just remains in the WINPE applying wim stage of OSD).
But if you want to keep all the steps from that template, it seems those steps create something on the image that Intune doesn't agree with and then generates the
May 14 2021 10:17 AM
@i_ARQ Yes this is 100% what I'm seeing. I had a ticket open with Microsoft and they said they would reflect this to the technical team. I tried to make it as clear as possible to my support technician and summarized the problem in one sentence. "Prepare Windows and Configmgr" step in the SCCM task sequence breaks autopilot provisioning, no matter what method is used to remove the client.
I've had to move our autopilot for existing devices task sequence to the "faster" V2 method which doesn't install the SCCM client or sysprep the machine, and this involved basically rejigging the entire onboarding infrastructure, which we haven't touched in about two years. Having to cast my mind back and re-implement critical infrastructure from years ago was extremely annoying. I really hope Microsoft will acknowledge that this issue exists and provide some form of response. As it stands, their official docs for existing device flow for autopilot are broken.
May 14 2021 10:44 AM - edited May 14 2021 10:46 AM
I also run the "faster" v2 method but it doesn't really allow me to customize things on the image because it bypasses installing the ccm client and I can't install other apps I want on the base.
But I think I may have found the registry key that might be causing the issue.
When it was at the autopilot "Preparing device for mobile management autopilot" step, it tends to sit there until the timeout reaches the limit and it gives that error. I opened a command prompt with Shift+F10 to view the registry and check for keys left by the ccm client.
I deleted some keys and forced a restart during autopilot, and when it rebooted it finally got past that step without any errors.
I now added a step in my sccm image to delete the keys at the end of the deployment. Hopefully that resolves the issue when it boots into autopilot.
Keep you posted.
May 17 2021 11:09 AM
When I open a command prompt (SHIFT + F10) during autopilot, I found that deleting the following reg keys seemed to help the device get past that error (needed to initiate a restart after deleting the keys though).
Maybe these leftover SCCM reg keys are being flagged by Autopilot and it generates the error we see?
Just wondering what version of OS you are using when you image your devices? I'm using 20H2. I know there were issues with 1903 and 1909 that required you to add extra steps to the task sequence. Might need extra steps to remove these reg keys, but I haven't found a way to do that successfully yet.
Another forum said this script https://github.com/robertomoir/remove-sccm cleanly removes all traces of the SCCM client, which resets the MDM authority. Maybe Autopilot has issues with the SCCM remnants and still sees it as an MDM authority for that device?
May 19 2021 12:23 PM
Recently we're also experiencing this same intermittent error during our User-driven Autopilot profile on 20H2 HP laptops as well. Our scenario is we're early on in a migration from legacy AD-joined and MEMCM managed to Intune co-management with MEMCM. We wipe/reset the devices (either via Company portal or through Windows) to put the device into OOBE and into Autopilot. There isn't any CM Client stuff on there after this wipe or reset.
Get-AutopilotDiagnostics for these devices for which this error occurs seems to indicate the Autopilot issue happens very early in the 'Device Preparation' portion. Last event is "Download started" for Sidecar and is only the 4th event in the timeline.
Have looked at BIOS/UEFI time, and any profile and app changes we've made recently, also have tried clearing the TPM as part of our wipe (also tried during OOBE), and hasn't consistently helped. Again it's intermittent and some users might get this error, wipe/reset, then go through successfully on the same device.
I would agree with @Rudy_Ooms that it is a web filtering/firewall issue, that there are certain Intune services the device can only partially connect to? But having difficulty determining what they are specifically. Have gone through the required Intune URLs and all are open, including those for the TPM (infineon, etc).