Oktay Sari
May 17, 2022, Iron Contributor
Cannot Reseal Windows 11 device while pre-provisioning
Before I reinvent the wheel, I thought I'd post the issue here. I have an AP profile configured as below. Deployment mode User-Driven Join to Azure AD as ...
May 18, 2022
Sounds like a WUfB targeted at a device group and running Windows 11 Autopilot for pre-provisioned deployments... oh wait ... you are doing exactly that (except the WUfB ring that I am not sure of :P.. but then again who isn't using WUfB)
If so... feel free to read this blog of mine
https://call4cloud.nl/2022/04/dont-be-a-menace-to-autopilot-while-configuring-your-wufb-in-the-hood/
Oktay Sari
May 18, 2022, Iron Contributor
Hi Rudy_Ooms_MVP, Yes, I'm using WUfB but I do target user groups. I have 3 rings configured. Ring 3 is targeting all users and I excluded users from ring 1 and ring 2. The servicing channel is GAC. The only difference in rings is the deferral period.
The ESP is configured like below and targeting a device group:
I did have a look at the event logs and searched for CloudExperienceHostBroker like you mention in your blog. You did some great troubleshooting there! There are also some other events that caught my attention but I still have to look at other logs just to satisfy my curiosity.
Guess I'll have to dig in a little deeper and see if I can solve this like you did in your blog, assuming WUfB is the root cause. Event reasons like update/upgrade do make you wonder. Although I thought I was on the latest build before starting pre-provisioning. I'll double-check that too.
I re-enrolled the devices without pre-provisioning because that worked before, and after deleting the device record in MEM, I was able to reset the device and enroll again without pre-provisioning. So I'll have to make some config changes in my test tenant and see what works.
Thx again Rudy! I'll try to get back asap 😉
LoL..Everybody knows what opnieuw opstarten means right? 😉
Event 1:
The process C:\Windows\system32\winlogon.exe (DESKTOP-HTHM3BU) has initiated the uitschakelen of computer DESKTOP-HTHM3BU on behalf of user NT AUTHORITY\SYSTEM for the following reason: Er is geen titel voor deze reden gevonden (=there is no title for this event)
Reason Code: 0x500ff
Shutdown Type: uitschakelen (=shutdown)
Comment:
Event 2:
The process C:\Windows\system32\winlogon.exe (MINWINPC) has initiated the opnieuw opstarten of computer WIN-T70I1KVU8HQ on behalf of user NT AUTHORITY\SYSTEM for the following reason: Besturingssysteem: upgrade (gepland)
Reason Code: 0x80020003
Shutdown Type: opnieuw opstarten (=reboot)
Comment:
Event 3:
The process C:\Windows\System32\CloudExperienceHostBroker.exe (WIN-T70I1KVU8HQ) has initiated the opnieuw opstarten of computer DESKTOP-HTHM3BU on behalf of user NT AUTHORITY\SYSTEM for the following reason: Besturingssysteem: nieuwe configuratie (niet gepland)
Reason Code: 0x20004
Shutdown Type: opnieuw opstarten (=reboot)
Comment:
Event 4:
The server could not bind to the transport \Device\NetBT_Tcpip_{} because another computer on the network has the same name. The server could not start.
- May 18, 2022
Hi.. I know what it means 😛
Did you also search in the DeviceManagement-Enterprise-Diagnostics provider for event 2800 as mentioned in the blog... so you know what caused that reboot.... because somehow it reboots (that's normal) but at that time it didn't finish the device phase successfully.
- Oktay Sari, May 18, 2022, Iron Contributor
Hi Rudy, First I looked at the Shell-core event log:
Shell-core event log: Filtered for Event 62407. There are many events that have something to do with CloudExperienceHost, and the one you mention is also there:
CloudExperienceHost Web App Event 2. Name: 'CommercialOOBE_ESP_Subcategory_RebootRequiredBySubcategory_DeviceSetup.RebootCoalescing', Value: '{"message":"BootstrapStatus: Reboot required by subcategory DeviceSetup.RebootCoalescing.","errorCode":0}'.
Then I searched for 2800 in the devicemanagement-enterprise-diagnostics-provider-admin event log.
That gave me the following reboot trigger:
The following URI has triggered a reboot: (./Device/Vendor/MSFT/Policy/Config/DmaGuard/DeviceEnumerationPolicy).
That was the only event I could find with a search for reboot. Google returned nada. But I did check out the CSP: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-dmaguard and I'm trying to figure out the logic here.. 😄
I'll update again when I know more 😉
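Added example, not part of the original thread: the two log searches described in the post above (Shell-Core event 62407 and DeviceManagement-Enterprise-Diagnostics-Provider event 2800) combined into one timeline, so each ESP reboot request can be matched to the policy URI that triggered it. The full channel names and the `Get-RebootTimeline` function name are assumptions; the post only names the logs informally.

```powershell
# Added example. Run elevated on the affected device (e.g. Shift+F10 during OOBE).
# Channel names are assumed to be the standard ones for the logs named in the post.
$espLog = 'Microsoft-Windows-Shell-Core/Operational'
$mdmLog = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function Get-RebootTimeline {
    # Event 62407: CloudExperienceHost web app events; keep only reboot requests.
    $esp = Get-WinEvent -FilterHashtable @{ LogName = $espLog; Id = 62407 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'RebootRequired' } |
        ForEach-Object {
            # Extract the event name, e.g. ...RebootRequiredBySubcategory_DeviceSetup.RebootCoalescing
            $detail = if ($_.Message -match "Name: '([^']+)'") { $Matches[1] } else { $_.Message }
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; Source = 'ESP'; Detail = $detail }
        }

    # Event 2800: "The following URI has triggered a reboot: (<URI>)".
    $mdm = Get-WinEvent -FilterHashtable @{ LogName = $mdmLog; Id = 2800 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the CSP URI out of the parentheses; this works regardless of display language.
            $detail = if ($_.Message -match '\((\./[^)]+)\)') { $Matches[1] } else { $_.Message }
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; Source = 'MDM'; Detail = $detail }
        }

    # Merge both sources into one chronological list.
    @($esp) + @($mdm) | Sort-Object TimeCreated
}

Get-RebootTimeline | Format-Table TimeCreated, Source, Detail -AutoSize -Wrap
```

An `MDM` row shortly before an `ESP` row points at the policy whose reboot request interrupted the device phase.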
- May 18, 2022
Ahhh DMA Guard.... are you pushing some VB security stuff (wdac/mdac stuff?)