Support tip: Recovering from Windows Autopilot error code 0x81039023 on Windows 11 SE
Published Apr 12 2022 01:21 PM
Microsoft

Updated 07/12/22: There is currently a known issue impacting Windows 11 SE devices that were updated to the Windows 11 May updates (KB5013943) or above, which prevents applications from being installed during the Windows Autopilot pre-provisioning technician flow. This causes the deployment process to fail once the Enrollment Status Page (ESP) timeout is reached (default is 60 minutes).

Screenshot of the Enrollment Status Page (ESP) with text reading "Something went wrong: Something happened, and we couldn't complete the provisioning process in the required time".

There is currently no workaround for this error, but we're working to resolve the issue. In the meantime, we recommend using Windows Autopilot user-driven mode, Windows Autopilot self-deploying mode (for devices updated to the Windows 11 May updates or above), or Set up School PCs enrollment (see considerations below).

Updated 06/22/22: The guidance provided below still stands for existing devices shipped prior to the fix. We recommend using Autopilot user-driven mode or Set up School PCs (provisioning package) for broader deployment. A few additional considerations:

  • If you plan to use DFCI management with Surface Laptop SE devices, you will need to enroll your devices using Autopilot user-driven mode. DFCI management is not supported with bulk enrollment using a provisioning package (refer to the DFCI documentation for more info).
  • There is no need to de-register the devices from Autopilot when using a provisioning package. Devices should not be assigned to an Autopilot profile to avoid conflict during the provisioning process. Once devices are enrolled into Microsoft Intune, they can then be updated to include the TPM attestation fix (KB5013943 or above). This will allow you to leverage Autopilot pre-provisioning and self-deploying enrollment methods if the device needs to be reset in the future.

If your OEM supports an OS recovery process for your Windows 11 SE devices and provides an updated recovery image that includes the TPM attestation fix, you can then apply the recovery image to existing devices to enable the Autopilot pre-provisioning and self-deploying enrollment options.

 

There is currently a known issue where some devices may fail TPM attestation on Windows 11 during the Windows Autopilot pre-provisioning technician flow or self-deploying mode with the error code 0x81039023. There is currently no workaround for this error code, but we are working to resolve the issue. In the meantime, we recommend not using self-deploying mode or pre-provisioned deployments on Windows 11 SE devices. Windows Autopilot user-driven mode is still supported. The support tip below provides recommendations for recovering a device that has received error code 0x81039023.

If you are using the Enrollment Status Page (ESP), ensure that users are allowed to reset the device if an installation error occurs.

Screenshot of the Microsoft Endpoint Manager admin center, on the 'Enrollment Status Page' > 'All users and all devices' > 'Edit profile' page. The image shows the setting 'Allow users to reset device if installation error occurs' which is toggled to 'Yes'.

If your users are not allowed to reset the device when an installation error occurs and they receive error code 0x81039023, you will need to work with your OEM to put a clean image on the device. We recommend always allowing users to reset devices if an installation error occurs on Windows 11 SE. If you can reset the device, then you can move forward with another enrollment method, such as Windows Autopilot user-driven mode or Set up School PCs.
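
One way to check the reset setting across every ESP profile before a device hits the error, as an added example that is not part of the original post. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Authentication module) is installed and reads the `allowDeviceResetOnInstallFailure`, `showInstallationProgress` and `installProgressTimeoutInMinutes` properties of the Graph ESP configuration resource.

```powershell
# Added example (not from the original post): list every ESP profile in the
# tenant and flag those that would leave a failed device with no reset option.
# Assumes the Microsoft.Graph.Authentication module and an account allowed to
# read Intune service configuration.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All' | Out-Null

$espType = '#microsoft.graph.windows10EnrollmentCompletionPageConfiguration'
$uri     = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations'

# Enrollment configurations come back paged and mixed with other types
# (limits, restrictions), so follow @odata.nextLink and keep only ESP profiles.
$espProfiles = @()
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $espProfiles += @($page.value | Where-Object { $_.'@odata.type' -eq $espType })
    $uri = $page.'@odata.nextLink'
}

$report = foreach ($p in $espProfiles) {
    $shown = [bool]$p.showInstallationProgress
    $reset = [bool]$p.allowDeviceResetOnInstallFailure
    [pscustomobject]@{
        Profile        = $p.displayName
        Priority       = $p.priority
        EspShown       = $shown
        TimeoutMinutes = $p.installProgressTimeoutInMinutes
        ResetAllowed   = $reset
        # Only a profile that shows the ESP and blocks reset can strand a device.
        NeedsChange    = ($shown -and -not $reset)
    }
}

$report | Sort-Object Priority | Format-Table -AutoSize

$atRisk = @($report | Where-Object { $_.NeedsChange })
if ($atRisk.Count -gt 0) {
    $names = $atRisk.Profile -join ', '
    Write-Warning "$($atRisk.Count) ESP profile(s) do not allow reset after an installation error: $names"
}
```

The script only reads configuration; changing the setting is still done in the Microsoft Endpoint Manager admin center as shown in the screenshot above.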

 

To use Autopilot user-driven mode, convert your existing Windows Autopilot deployment profile to user-driven mode. Then, delete the device record in Intune by going to Devices > All devices > choose the device you want to delete > Delete. You can also do this on several devices as a bulk device action.

 

Important: Do not use the Intune for Education portal for this step because that will delete the Azure Active Directory (Azure AD) device record as well. Use the Microsoft Endpoint Manager admin center for this step.

 

Screenshot of the Microsoft Endpoint Manager admin center, on the 'Devices' page. This image shows the remote action 'Delete'.

To use Set up School PCs, you must deregister the device from Windows Autopilot and then create and apply a provisioning package.

 

Lastly, reset the device and move forward with the new enrollment method.

 

More information:

If you have any feedback or questions, reply to this post or reach out to @IntuneSuppTeam on Twitter.

Post updates:

04/26/2022: The fix for this issue is currently in the public preview release: KB5012643 and should be available in future public builds in the coming weeks. Stay tuned!

Last update: Dec 19 2023 01:29 PM