This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 17%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBH%3C/text%3E%3C/svg%3E)
Hello, posting for the first time here, hoping it will reach the right audience.
When we enroll a (for example 1909) system, during the ‘Setting up your device for work’, when it moves from Device Setup to Account setup the system is rebooted.
It ends up at a login screen where the user has to fill in their username and password, and after that has to confirm identity with MFA.
Trying to figure out how to troubleshoot what is casing this reboot.
In the System log I can see.
The process C:\Windows\System32\CloudExperienceHostBroker.exe (DESKTOP-2AB16JF) has initiated the restart of computer DESKTOP-2AB16JF on behalf of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Reconfiguration (Unplanned)
Reason Code: 0x20004
Shutdown Type: restart
Comment:
Digging a bit further in the Shell-Core - Operational log at the same time
CloudExperienceHost Web App Activity started. CXID: 'Reboot'.
A second earlier in the Shell-Core - Operational log
CloudExperienceHost Web App Event 1. Name: 'Autopilot device rename completed'.
Checked all possible other event logs but nothing is jumping out.
Also nothing in the IntuneManagementExtension.log
These event details don't get me many results on the WWW, besides CloudExperienceHostBroker.exe reboots is causing the same for others, no resolution though.
Any help would be appriciated.
Bas Hoog
Turned out to be caused by assigning the Windows 10 update rings policy to a device group. Don't think Microsoft has published this, but this is a known issue internally. We are advice to assign it to All Users instead. We have to redesign our setup now before we will be able to do this.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Bas Hoog , Thanks for sharing the cause and workaround here. I appreciate it . It can help others who has the same issue. Thanks again for your time and have a nice day!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 24%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGA%3C/text%3E%3C/svg%3E)
Question for you did you have to exclude to feature updates profile? Or only the Update rings profiles? Currently we're seeing this exact same thing and are just opened a support case with Microsoft on this.
Thank you for posting the details on steps you took and the issue.
I was hoping Microsoft had resolved this by now. We have different 'Update rings for Windows 10 and later' policies and assigned them to a combination of All users and User based groups. We can still add devices to 'Feature updates for Windows 10 and later (Preview)' assigned groups in order to target Feature or Win11 upgrades. I don't think that when a device is in a Feature or Win11 upgrade targeted group it will cause enrollment issues, but I will test and confirm that later on...
They might have fixed this one actually was not able to reproduce with update rings policy removed however, we're still getting reboots. Seems related to Device Guard settings, DMA guard, or potentially the local policy settings listed in the following URL.
https://learn.microsoft.com/en-us/mem/autopilot/policy-conflicts
We're reaching out to Microsoft to try to find the root cause. I'll try to update this post with any updated information since, this was one of the few consistent topics I saw for this type of issue.
Thanks both of you. I will get the ticket raised now :)
Thank you Chrystal-MSFT. What we did is create a group and excluded all Win32 Apps from that, same result.
Ran this and nothing is jumping ot to me with these results. Thinking about opening a case with Microsoft for this now.
PS C:\WINDOWS\system32> Get-AutopilotDiagnostics
AUTOPILOT DIAGNOSTICS
OS version: 10.0.19041
Profile:
TenantDomain: xxxxxxxxx.onmicrosoft.com
TenantID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
ZTDID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
EntDMID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
OobeConfig: 1308
Skip keyboard: Yes 1 - - - - - - - - - -
Enable patch download: No - 0 - - - - - - - - -
Skip Windows upgrade UX: Yes - - 1 - - - - - - - -
AAD TPM Required: No - - - 0 - - - - - - -
AAD device auth: No - - - - 0 - - - - - -
TPM attestation: No - - - - - 0 - - - - -
Skip EULA: Yes - - - - - - 1 - - - -
Skip OEM registration: Yes - - - - - - - 1 - - -
Skip express settings: Yes - - - - - - - - 1 - -
Disallow admin: No - - - - - - - - - 0 -
Scenario: Azure AD Join
Enrollment status page:
Device ESP enabled: True
User ESP enabled: True
ESP timeout: 60
ESP blocking: No
Delivery Optimization statistics:
Total bytes downloaded: 0
From peers: 0% (0)
From Connected Cache: 0% (0)
DEVICE ESP:
2020-10-29 09:26:12Z
Policy ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/EntDMID : 1 (Processed)
2020-10-29 09:26:17Z
MSI Intune Management Extensions ({xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}) : 70 (Success / Enforcement Completed)
USER ESP for S-1-12-1-xxxxxxx-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:
2020-10-29 09:30:22Z
Policy ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/EntDMID : 1 (Processed)
2020-10-29 09:30:22Z
Cert ModelName_AC_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_LogicalName_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_Hash_-0000000 : 1 (Processed)
OBSERVED TIMELINE:
Date Status Detail
2020-10-29 01:21:51Z Profile downloaded Autopilot profile
2020-10-29 09:23:46Z SCP discovery successful. Device Registration
2020-10-29 09:24:09Z MDM Enroll: Succeeded MDM Enrollment
2020-10-29 09:24:27Z Download started Sidecar
2020-10-29 09:24:35Z Download finished Sidecar
2020-10-29 09:24:36Z Installation started Sidecar
2020-10-29 09:24:41Z Installation finished Sidecar
2020-10-29 09:26:12Z Processed Policy ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/EntDMID
2020-10-29 09:26:17Z Success / Enforcement Completed MSI Intune Management Extensions (xxxxxxxx-xxxx-xxxx-xxxx-xxxxx...
2020-10-29 09:30:22Z Processed Cert ModelName_AC_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_LogicalN...
@Bas Hoog , Thanks for the reply. From your description, I know the result is the same after excluding all Win32 Apps, If the unexpected reboot is still, I also suggested to open case.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 22%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETS%3C/text%3E%3C/svg%3E)
Hi Bashoog,
I've had exact the same problem this week.
Yesterday I've opened a case with MS and today they told me there was "something wrong with the ESP". Now I've created a new ESP (as the support team told me to) with 120 minutes time-out and it works!
Don't waste too much time on it, if it doesn't work today I'd advise you to start a case.
@Crystal-MSFT . Sorry I was offline for a few days. Thank you very for this article. I will try to digest it, looks very interesting.
@Bas Hoog , Thanks for the reply. I notice you will take some time reading this article. We will wait here and if there's anything else we can help, feel free to let us know.
Searched a bit further for the word 'reboot' in all the Autopilot related event viewer logs
The Shell-Core - Operational log is jumping out still
No clue what might be causing the reboots still, if the user logs on and doesn't respond to the MFA prompt who knows what would happen in the background. There are many applications in line to be installed in 'User' mode after this step.
ProviderName: Microsoft-Windows-Shell-Core
TimeCreated Message
13/10/2020 14:36:51 CloudExperienceHost Web App Activity started. CXID: 'RebootZtd'.
13/10/2020 14:36:51 CloudExperienceHost Web App Event 1. Name: 'UnifiedEnrollment_ProvisioningProgressPage_CoalescedRebootRequired'.
13/10/2020 14:30:25 CloudExperienceHost Web App Activity started. CXID: 'OobeWirelessAfterRebootZtd'.
13/10/2020 14:30:25 CloudExperienceHost Web App Activity started. CXID: 'RebootZtd'.
13/10/2020 14:29:32 CloudExperienceHost Web App Activity started. CXID: 'OobeProvisioningRebootAfterConnectivity'.
13/10/2020 14:29:32 CloudExperienceHost Web App Activity started. CXID: 'OobeWirelessAfterZDPReboot'.
13/10/2020 14:29:32 CloudExperienceHost Web App Activity stopped. Result: 'OobeWirelessAfterZDPReboot'.
13/10/2020 14:29:32 CloudExperienceHost Web App Event 2. Name: 'Done', Value: 'OobeWirelessAfterZDPReboot'.
13/10/2020 14:29:31 CloudExperienceHost App Event 2. Name: 'AppResuming', Value: 'OobeWirelessAfterZDPReboot'.
13/10/2020 14:28:54 CloudExperienceHost Web App Activity started. CXID: 'Reboot'.
13/10/2020 14:28:50 CloudExperienceHost Web App Event 2. Name: 'NavigationSucceed', Value: '{"webErrorStatus":18,"uri":"ms-appx-web://microsoft.windows.cloudexperiencehost/webapps/inclusiveOobe/view/Oobeautopilotreboot-main.html"}'.
@Bas Hoog , After doing some more research, I find there's a normal reboot after the device recessive the ODJ blob. We can see more details in the following link:
https://oofhours.com/2020/07/12/windows-autopilot-diagnostics-digging-deeper/
Note: Non-Microsoft link, just for the reference.
In addition, if the MFA is not finished, the authentication will be failed, Then the Autopilot will not complete.
Hope it can help.