Windows Autopilot - Policy Conflicts

There are a significant number of policy settings available for Windows, including:

  • Native MDM policies
  • Group policy (ADMX-backed) settings

Some policy settings can cause issues in some Windows Autopilot scenarios. These issues can arise because of how the policies change Windows behavior. If you find any of these issues, remove the policy in question to resolve the issue.

Policy More information
Disallow changing of language/region/keyboard This GPO isn't supported during the OOBE flow as it impacts the autologon experience. If you need to set this policy for users, you should select to hide these pages in the Autopilot profile to prevent users from making changes.
AppLocker CSP The AppLocker CSP isn't supported in the Enrollment Status Page as it triggers a reboot when a policy is applied or a deletion occurs.
Device restriction / Password Policy The out-of-box experience (OOBE) or user desktop autologon can fail when a device reboots during the device Enrollment Status Page (ESP). This failure can occur when certain DeviceLock policies are applied to a device. Such policies can include:
  • Minimum password length and password complexity
  • Any similar group policy settings (including any that disable autologon)
This possible failure is especially true for kiosk scenarios where passwords are automatically generated.
Windows Security Baseline / Administrator elevation prompt behavior

Windows Security Baseline / Require admin approval mode for administrators

Windows Security Baseline / Enable virtualization based security
These policies require a reboot, as a result more prompts may appear when modifying user account control (UAC) settings during the OOBE using the device Enrollment Status Page (ESP). Increased prompts are more likely if the device reboots after policies are applied. To work around this issue, the policies can be targeted to users instead of devices so that they apply later in the process.
Device restrictions / Cloud and Storage / Microsoft Account sign-in assistant Setting this policy to "disabled" turns off the Microsoft Sign-in Assistant service (wlidsvc). Windows Autopilot requires this service to get the Windows Autopilot profile.
Registry keys that affect Windows Autopilot if a device setting requires a reboot during device ESP

Registry path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Automatic logon
Registry key:
If the AutoAdminLogon registry key is set to 0 (disabled), this breaks Windows Autopilot.
MDM wins over Group Policy This policy allows you to control which policy is used when both the MDM policy and its equivalent Group Policy (GP) are set on the device.
Group Policy Objects (GPOs) that affect Windows Autopilot for pre-provisioned deployment

GPO path:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Interactive logon: Message title for users attempting to log on

Interactive logon: Message text for users attempting to log on

Interactive logon: Require Windows Hello for Business or smart card

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode - Prompt for credentials on the secure desktop
Windows Autopilot pre-provisioning doesn't work when any of the four GPO policy settings listed here are enabled.
PreferredAadTenantDomainName When this policy is enabled, it will add to DefaultUser0, which will cause autologon to fail.

For more information, see Troubleshooting Windows Autopilot.