Edit

Share via


Windows Autopilot device preparation troubleshooting FAQ

Applies to:

This article provides troubleshooting for common Windows Autopilot device preparation issues.

Device isn't being added to the device group specified in the Windows Autopilot device preparation policy.

Priority column in the list of device preparation policies is grayed out.

Device preparation policies in automatic mode don't honor priority as they're assigned directly within the Cloud PC provisioning policy.

Windows Autopilot device preparation experience never launches during the out-of-box experience (OOBE).

  • Verify that the minimum version of Windows is being used as documented in Software requirements. This requirement includes that the minimum required update is installed before starting the device for the first time:

    • Verify with OEMs that devices shipped from the OEM have the minimum required update installed.

    • If installing Windows from installation media, verify that the media has the minimum required update installed. Updated Windows installation media with the latest cumulative update already installed is available in the Microsoft Microsoft 365 admin center.

  • Windows Autopilot device preparation doesn't use the Enrollment Status Page (ESP). Since Windows Autopilot device preparation doesn't use the ESP, the ESP shouldn't display during a Windows Autopilot device preparation deployment. If the ESP displays during the deployment, then the device isn't running a Windows Autopilot device preparation deployment. Instead, the device might be:

    • A Windows Autopilot registered device.
    • A Windows Autopilot profile is assigned to the device.

    Verify that the device isn't registered as a Windows Autopilot device and that a Windows Autopilot profile isn't assigned to the device. Windows Autopilot profiles take precedence over Windows Autopilot device preparation policies.

    If a device needs to be removed as a Windows Autopilot device, see Deregister a device.

  • Verify that the user signing into the device during OOBE is a member of the user group specified in the Windows Autopilot device preparation policy. For more information, see Create a Windows Autopilot device preparation policy and Create a user group.

  • Verify that a device group is selected in the Windows Autopilot device preparation policy. A Windows Autopilot device preparation policy can be created without selecting a device group. For more information, see Create a Windows Autopilot device preparation policy and Create an assigned device group.

  • If using corporate identifiers in Intune, make sure that a corporate identifier is added for the device. For more information, see Add Windows corporate identifiers.

  • Verify that Windows automatic Intune enrollment is configured.

  • Verify that users are allowed to join device to Microsoft Entra ID.

Applications or PowerShell scripts aren't getting installed.

  • If the applications or PowerShell scripts are showing Skipped in the details of the Windows Autopilot device preparation deployment report, verify that they're assigned to the device group specified in the Windows Autopilot device preparation policy. For more information, see Windows Autopilot device preparation policy configuration settings and Create an assigned device group.

  • Verify that the application or PowerShell script is configured to install in the System context. During OOBE, applications are installed and PowerShell scripts run when no user is signed in. For this reason, they must be configured to install in the System context.

Device security group isn't saving in Windows Autopilot device preparation policy.

This issue usually occurs if Intune Provisioning Client with AppID of f1346770-5b25-470b-88bd-d5744ab7952c isn't the owner of the device group specified in the Windows Autopilot device preparation policy. When the issue occurs, one of the following error messages might display when saving the Windows Autopilot device preparation policy:

  • There was a problem with the device security group for <policy_name>. Check the group meets the requirements.

  • Failed to update security group device preparation setting: Updating security group for device preparation setting <policy_name> failed. Something went wrong.

Additionally, Device group in the Windows Autopilot device preparation policy shows 0 groups assigned.

To fix the issue, add the Intune Provisioning Client service principal with AppID of f1346770-5b25-470b-88bd-d5744ab7952c as the owner of the device security group specified in the Windows Autopilot device preparation policy. For more information, see Create an assigned device group.

Unable to find Intune Provisioning Client with AppID of f1346770-5b25-470b-88bd-d5744ab7952c when trying to set the owner of the Windows Autopilot device preparation policy device group.

  • In some tenants, the service principal might have the name of Intune Autopilot ConfidentialClient instead of Intune Provisioning Client. As long as the AppID of the service principal is f1346770-5b25-470b-88bd-d5744ab7952c, it's the correct service principal.

  • If either Intune Provisioning Client or Intune Autopilot ConfidentialClient with AppID of f1346770-5b25-470b-88bd-d5744ab7952c doesn't exist in the tenant, it must be added via PowerShell commands. For more information, see Adding the Intune Provisioning Client service principal.

Multiple Windows Autopilot device preparation policies exist and the device is getting the wrong policy.

If multiple Windows Autopilot device preparation policies are deployed to a user, the policy with the highest priority gets priority. Policy priorities are displayed at the Home > Enroll devices | Windows enrollment > Device preparation policies screen. The policy with the highest priority is higher in the list and has the smallest number under the Priority column. To change a policy's priority, move it in the list by dragging the policy within the list.