How to analyze Captured Auto Pilot cab file

Boopathi S 3,806 Reputation points
2024-01-10T16:34:10.7833333+00:00

Hello,

I read https://oofhours.com/2020/02/17/what-happened-during-windows-autopilot-esp-decode-it/

Install-Script Get-AutopilotESPStatus

Install-Script -Name Get-AutopilotDiagnostics

"Autopilot.cab" is captured using the command “MDMDiagnosticsTool.exe -area Autopilot -cab C:\Autopilot.cab”

How can I use the "Autopilot.cab" with the commands below to get the analysis?

Get-AutopilotESPStatus

Get-AutopilotDiagnostics

Please help

Microsoft Security | Windows Autopilot
Microsoft Security | Intune | Enrollment
Microsoft Security | Intune | Other

1 answer

  1. Crystal-MSFT 53,991 Reputation points Microsoft External Staff
    2024-01-11T02:06:44.8+00:00

    @Boopathi Subramaniam, thanks for posting in Q&A. As far as I know, there are many log files in Autopilot.cab. To analyze the logs, we can first set "Show app and profile configuration progress" to Yes in ESP to show the status during ESP.

    Then you can do Autopilot enrollment and find which phase the issue occurs. For example, if the issue occurs in "Register your device for mobile management" in Device preparation, then you can look into the "microsoft-windows-devicemanagement-enterprise-diagnostics-provider-admin.evtx" log.

    https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-status#esp-tracking

    Here are some logs we generally check for your reference:

    AutopilotDDSZTDFile.json: This file contains the Autopilot profile settings being used for the device.

    IntuneManagementExtension.log : This log will capture excruciating detail about the installation of Win32 apps being deployed via Intune. (Use one of the ConfigMgr log viewing tools, e.g. CMTrace.exe, to view this.)

    microsoft-windows-aad-operational.evtx : This event log shows Azure AD join and Hybrid Azure AD Join-related info.

    microsoft-windows-devicemanagement-enterprise-diagnostics-provider-admin.evtx : This event log covers MDM enrollment (including failure reasons) and other pertinent MDM activities.

    microsoft-windows-moderndeployment-diagnostics-provider-autopilot.evtx : This is the key event log used by Autopilot, and one that you’ll almost always want to look at.

    TpmHliInfo_Output.txt : This log (which is created even when not specifying the TPM area) contains basic details about the TPM in the device: the manufacturer, the firmware level of that TPM, whether it has a required EK cert, etc.

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
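
An added example, not part of the answer above or of the scripts it mentions: one way to open the captured cab offline with built-in Windows tools and pull warnings and errors from the event logs the answer lists, then show the profile JSON. The working folder name and the choice of event levels are assumptions.

```powershell
# Added example. $Dest and the level filter are assumptions; adjust to your capture.
$Cab  = 'C:\Autopilot.cab'                   # path used in the question
$Dest = Join-Path $env:TEMP 'AutopilotCab'   # hypothetical working folder

New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# expand.exe ships with Windows; -F:* extracts every file in the cabinet.
& expand.exe $Cab -F:* $Dest | Out-Null
if ($LASTEXITCODE -ne 0) { throw "expand.exe failed for $Cab" }

# Event logs named in the answer, most Autopilot-specific first.
$Logs = @(
    'microsoft-windows-moderndeployment-diagnostics-provider-autopilot.evtx',
    'microsoft-windows-devicemanagement-enterprise-diagnostics-provider-admin.evtx',
    'microsoft-windows-aad-operational.evtx'
)

$Events = foreach ($Name in $Logs) {
    $File = Get-ChildItem -Path $Dest -Recurse -Filter $Name | Select-Object -First 1
    if (-not $File) { Write-Warning "$Name not found in the cab"; continue }

    # Level 1-3 = Critical, Error, Warning. A log with no matching events
    # raises a non-terminating error, which is suppressed here.
    Get-WinEvent -FilterHashtable @{ Path = $File.FullName; Level = 1, 2, 3 } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Log'; e = { $Name } }, Id,
                      LevelDisplayName, Message
}

# One merged timeline makes it easier to see which ESP phase failed first.
$Events | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap

# Autopilot profile settings applied to the device.
$ProfileFile = Get-ChildItem -Path $Dest -Recurse -Filter 'AutopilotDDSZTDFile.json' |
    Select-Object -First 1
if ($ProfileFile) {
    Get-Content -Path $ProfileFile.FullName -Raw | ConvertFrom-Json | Format-List
}
```

Event messages render fully only where the matching event providers are installed, so run this on a Windows machine; on other builds the `Message` column can be empty while `Id` and `TimeCreated` remain usable.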

