Forum Discussion

Oktay Sari's avatar
Oktay Sari
Iron Contributor
May 17, 2022

Cannot Reseal Windows 11 device while pre-provisioning

Before I reinvent the wheel, I thought I'd post the issue here. I have an AP profile configured as below.

Deployment mode: User-Driven
Join to Azure AD as: Azure AD joined
Language (Region): Dutch (Netherlands)
Automatically configure keyboard: Yes (I know... please read on)
Microsoft Software License Terms: Hide
Privacy settings: Hide
Hide change account options: Hide
User account type: Standard
Allow pre-provisioned deployment: Yes
Apply device name template: Yes
Enter a name: XXXX-%SERIAL%

I know I've set the auto keyboard to yes, but hear me out. As far as I understood, the previously known issue is fixed in Windows 11. Windows Autopilot for pre-provisioned deployment | Microsoft Docs

In Windows 10, version 2004 and later, if the Autopilot deployment profile Language/Region setting is not set to User Select, then OOBE will progress past the language/region/keyboard selection screens. This causes the pre-provisioning technician to arrive at the Azure AD login page, which is too late to enter pre-provisioning. This issue is fixed in Windows 11.


For the pre-provisioning part:

On Windows 10 21H2 (10.0.19044.1645) I can pre-provision the device successfully. The technician flow completes and I get a green screen giving me the option to reseal. After reboot, the normal user flow follows, and the device is ready to go before you know it. AAD joined and MDM enrolled with user affinity.

However, on Windows 11 (10.0.22000.675) the technician flow starts OK. I'm presented with the AP profile that is selected, and I can continue pre-provisioning. But it never shows me the green screen and I'm not able to reseal the device. It also does not show any errors whatsoever during pre-provisioning. The device simply reboots and ends up at the login screen. The user flow does not seem to start, and from the login screen I'm also not able to sign in with any account.

At this stage, I checked the device in the AP portal. The interesting thing is that the device seems to be AAD joined and MDM enrolled. And as expected, there is no primary user yet in Intune.

So I looked up the device in Azure AD and confirmed it is AAD joined, although I don't believe the info presented. I also looked up the device in MEM/Intune and collected the diagnostics logs from the device.

Still in the process of diving into the logfiles but here are some of my findings:


intunemanagementextension.log shows some interesting things:

  • GetAADJoinInfo - Failed to get Azure AD Join information using NetGetAadJoinInformation
  • ![LOG[AAD User check using device check in app is failed, now fallback to the Graph audience. ex = Intune Management Extension Error.Exception: Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.TokenAquireException: Attempt to get token, but failed.

The User Device Registration event log is playing tricks on me. Here are some of the events from the log

  • The get join response operation callback was successful.
  • Account S-1-12-1-xxx-xxx was added to group Administrators.
  • The post join tasks for the AAD Authentication Package completed successfully.
  • The registration status has been successfully flushed to disk.
    • Join type: 11 (DEVICE_AUTO_DDID)
  • The complete join response operation was successful.
  • The task \Microsoft\Windows\Workplace Join\Device-Sync was successfully enabled.
  • The initialization of the join request was successful. Inputs:
    • JoinRequest: 8 (DEVICE_UNJOIN)
    • Domain: xxx.onmicrosoft.com

If I had to guess, I'd say the device is AAD joined and MDM enrolled at first, but for some reason it unjoins the device in AAD, which explains the fact that I cannot sign in with an AAD user account. The device however remains MDM enrolled.

What is going on here?

I will test the same setup with auto configure keyboards set to No and see what happens. But the fact that I can get to the pre-provisioning screen, see the selected AP profile and reseal the device with W10 tells me (or at least it looks like) this should work.

Anyone else having the same experience with Windows 11?


Hope this makes some sense. Thx in advance!

Oktay


  • BH's avatar
    BH
    Brass Contributor

    Any updates on this issue? My Microsoft support ticket was archived and I was told that Microsoft is aware of and working on the issue, but in the meantime I cannot pre-provision Windows 11.

    • Just switch to user targeting instead of devices… (for example the WUfB) but also other policies could reboot the device during prepro… just wondering, but did you also test an insider preview build?
      • BH's avatar
        BH
        Brass Contributor

        I have not tested any insider build yet. I did test excluding a group of dynamic devices from some of the policies, including wufb. It works once and then starts failing again. I was on a meeting this morning with our TAM and raised this again. Will see if that takes us anywhere.

        I see there is now an updated Windows 11 (August 2022, 21h2.10) version. I am downloading the ISO now and will test and report.

  • jebuz's avatar
    jebuz
    Copper Contributor
    Did some testing today with the new OS build released on the 9th of August (22000.856). I repeatedly pre-provisioned a device successfully without removing the DMA Guard required reboot registry key. I'm consistently getting the reseal button. Tomorrow I will test it a couple more times; I will keep you posted about the results.
    • BH's avatar
      BH
      Brass Contributor

      I believe that is the same version that I tested (21h2.9). (Nope - I just checked, I have 22000.795, unless yours updated with the latest CU update, as my primary laptop is on the .895 version as well). I will download again next week and check again.

      Strange thing is on certain CPU model devices (Lenovo X1 9th gen), it works fine, other models (Lenovo T14 / P14s / X1 6th gen) it fails. Are your devices Intel or AMD?

      • jebuz's avatar
        jebuz
        Copper Contributor
        Just checked the CPU generation, all devices are 11th generation.
    • Oktay Sari's avatar
      Oktay Sari
      Iron Contributor

      Hi Rudy_Ooms_MVP, yes, I'm using WUfB but I do target user groups. I have 3 rings configured. Ring 3 is targeting all users and I excluded users from ring 1 and ring 2. The servicing channel is GAC. The only difference between the rings is the deferral period.


      The ESP is configured like below and targeting a device group:


      I did have a look at the event logs and searched for CloudExperienceHostBroker like you mention in your blog. You did some great troubleshooting there! There are also some other events that caught my attention, but I still have to look at other logs just to satisfy my curiosity.

      Guess I'll have to dig in a little deeper and see if I can solve this like you did in your blog, assuming WUfB is the root cause. Event reasons like update/upgrade do make you wonder. Although I thought I was on the latest build before starting pre-provisioning. I'll double-check that too.

      I re-enrolled the devices without pre-provisioning because that worked before, and after deleting the device record in MEM, I was able to reset the device and enroll again without pre-provisioning. So I'll have to make some config changes in my test tenant and see what works.


      Thx again Rudy! I'll try to get back asap 😉


      LoL..Everybody knows what opnieuw opstarten means right? 😉 


      Event 1:

      The process C:\Windows\system32\winlogon.exe (DESKTOP-HTHM3BU) has initiated the uitschakelen of computer DESKTOP-HTHM3BU on behalf of user NT AUTHORITY\SYSTEM for the following reason: Er is geen titel voor deze reden gevonden (=there is no title for this event)
      Reason Code: 0x500ff
      Shutdown Type: uitschakelen (=shutdown)
      Comment:


      Event 2:

      The process C:\Windows\system32\winlogon.exe (MINWINPC) has initiated the opnieuw opstarten of computer WIN-T70I1KVU8HQ on behalf of user NT AUTHORITY\SYSTEM for the following reason: Besturingssysteem: upgrade (gepland)
      Reason Code: 0x80020003
      Shutdown Type: opnieuw opstarten (=reboot)
      Comment:


      Event 3:

      The process C:\Windows\System32\CloudExperienceHostBroker.exe (WIN-T70I1KVU8HQ) has initiated the opnieuw opstarten of computer DESKTOP-HTHM3BU on behalf of user NT AUTHORITY\SYSTEM for the following reason: Besturingssysteem: nieuwe configuratie (niet gepland)
      Reason Code: 0x20004
      Shutdown Type: opnieuw opstarten (=reboot)
      Comment:


      Event 4:
      The server could not bind to the transport \Device\NetBT_Tcpip_{} because another computer on the network has the same name. The server could not start.

      • Rudy_Ooms_MVP's avatar
        Rudy_Ooms_MVP
        MVP
        Hi.. I know what it means 😛
        Did you also search in the DeviceManagement-Enterprise-Diagnostics provider for event 2800,
        as mentioned in the blog... so you know what caused that reboot.... because somehow it reboots (that's normal) but at that time it hadn't finished the device phase successfully.
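One way to get the three event sources the thread walks through into a single view, as an added example (not code from the thread, from Microsoft, or from Rudy's blog): a PowerShell function that merges the User32 1074 shutdown events, event 2800 from the DeviceManagement diagnostics channel, and the join/unjoin events from the User Device Registration log. The channel names and the 1074 property order are assumptions; verify them on your build.

```powershell
# Added example: build one timeline from the event sources discussed in the thread,
# so the reboot that interrupts the technician phase can be matched to an MDM action
# or to the AAD unjoin. Run elevated on the affected device.
# Assumed channel names (verify with Get-WinEvent -ListLog '*DeviceManagement*','*Registration*'):
$dmLog  = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$udrLog = 'Microsoft-Windows-User Device Registration/Admin'

function Get-PreProvisionTimeline {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    $events = [System.Collections.Generic.List[object]]::new()

    # 1. Shutdown/reboot requests: User32 event 1074 in the System log. Reading the event
    #    properties instead of the message text keeps this locale independent (the thread's
    #    device logs in Dutch). Assumed property order: 0 = process, 1 = computer,
    #    2 = reason title, 3 = reason code, 4 = shutdown type.
    Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='User32'; Id=1074; StartTime=$Since} -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = $_.Properties
            $events.Add([pscustomobject]@{
                Time   = $_.TimeCreated; Source = 'Reboot'
                Detail = '{0} requested {1}, reason {2} ({3})' -f $p[0].Value, $p[4].Value, $p[3].Value, $p[2].Value
            })
        }

    # 2. Event 2800 in the DeviceManagement diagnostics channel, which the thread points at
    #    to see what the MDM side was doing when the reboot fired. Only the first message line is kept.
    Get-WinEvent -FilterHashtable @{LogName=$dmLog; Id=2800; StartTime=$Since} -ErrorAction SilentlyContinue |
        ForEach-Object {
            $events.Add([pscustomobject]@{ Time=$_.TimeCreated; Source='MDM 2800'; Detail=($_.Message -split "`n")[0].Trim() })
        }

    # 3. AAD join state changes: the join request types quoted in the thread
    #    (DEVICE_AUTO_DDID = automatic device join, DEVICE_UNJOIN = the device left AAD).
    Get-WinEvent -FilterHashtable @{LogName=$udrLog; StartTime=$Since} -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'DEVICE_AUTO_DDID|DEVICE_UNJOIN' } |
        ForEach-Object {
            $events.Add([pscustomobject]@{
                Time   = $_.TimeCreated; Source = "UDR $($_.Id)"
                Detail = [regex]::Match($_.Message, '(JoinRequest|Join type): [^\r\n]+').Value
            })
        }

    # Chronological view: a 'Reboot' row that lands between DEVICE_AUTO_DDID and
    # DEVICE_UNJOIN is the moment to investigate.
    $events | Sort-Object Time
}

Get-PreProvisionTimeline | Format-Table -AutoSize -Wrap
```

If the device has already been reset, point the same filters at the .evtx files from the Intune diagnostics package by swapping LogName for Path in each hashtable.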
