Windows Autopilot - Policy Conflicts

Applies to:

  • Windows 11
  • Windows 10

There are a significant number of policy settings available for Windows, including:

  • Native MDM policies
  • Group policy (ADMX-backed) settings

Some policy settings can cause issues in certain Windows Autopilot scenarios, because of how those policies change Windows behavior. If you encounter one of the issues listed here, remove the policy in question to resolve it.

Policy: AppLocker CSP
More information: The AppLocker CSP is not supported in the Enrollment Status Page (ESP), because it triggers a reboot when a policy is applied or deleted.

Policy: Device restriction / Password Policy
More information: The out-of-box experience (OOBE) or user desktop autologon can fail when a device reboots during the device Enrollment Status Page (ESP). This failure can occur when certain DeviceLock policies are applied to a device. Such policies can include:
  • Minimum password length and password complexity
  • Any similar group policy settings (including any that disable autologon)
This failure is especially likely in kiosk scenarios where passwords are automatically generated.

Policy: Windows Security Baseline / Administrator elevation prompt behavior
Policy: Windows Security Baseline / Require admin approval mode for administrators
Policy: Windows Security Baseline / Enable virtualization based security
More information: These policies require a reboot. As a result, more prompts may appear when modifying User Account Control (UAC) settings during OOBE using the device Enrollment Status Page (ESP), and the extra prompts are more likely if the device reboots after the policies are applied. To work around this issue, target the policies to users instead of devices so that they apply later in the process.

Policy: Device restrictions / Cloud and Storage / Microsoft Account sign-in assistant
More information: Setting this policy to "disabled" disables the Microsoft Sign-in Assistant service (wlidsvc). Windows Autopilot requires this service to obtain the Windows Autopilot profile.

Policy: Registry keys that affect Windows Autopilot for pre-provisioned deployment
More information:
Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Registry key: AutoAdminLogon
If the AutoAdminLogon registry key is set to 0 (disabled), Windows Autopilot pre-provisioning breaks.

Policy: MDM wins over Group Policy
More information: This policy lets the IT admin control which policy is used when both an MDM policy and its equivalent Group Policy (GP) setting are configured on the device.

Policy: Group Policy Objects (GPOs) that affect Windows Autopilot for pre-provisioned deployment
More information:
GPO path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
  • Interactive logon: Message title for users attempting to log on
  • Interactive logon: Message text for users attempting to log on
  • Interactive logon: Require Windows Hello for Business or smart card
  • User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode - Prompt for credentials on the secure desktop
Windows Autopilot pre-provisioning does not work when any of these four GPO settings is enabled.
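The following pre-flight audit is an added example, not code from the Microsoft article: run elevated on a device before pre-provisioning, it reads the AutoAdminLogon value and the wlidsvc service state named above, and then checks the four Security Options GPOs through their registry-backed values under Policies\System. The mapping of those GPOs to legalnoticecaption, legalnoticetext, scforceoption and ConsentPromptBehaviorAdmin is an assumption taken from the Security Options documentation, not from this page.

```powershell
# Added pre-flight audit (example code, not part of the Microsoft article).
# Reports settings that the article says break Autopilot pre-provisioning or
# the Enrollment Status Page. Run from an elevated PowerShell session.
$findings = @()

# 1. AutoAdminLogon under Winlogon (article: a value of 0 breaks pre-provisioning).
#    The value is REG_SZ, so compare it as a string.
$winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$autoLogon = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).AutoAdminLogon
if ($autoLogon -eq '0') {
    $findings += "AutoAdminLogon is '0' (disabled) under $winlogon"
}

# 2. Microsoft Sign-in Assistant service (article: wlidsvc is required to fetch the profile).
$wlid = Get-Service -Name wlidsvc -ErrorAction SilentlyContinue
if ($null -eq $wlid) {
    $findings += 'wlidsvc (Microsoft Sign-in Assistant) service not found'
} elseif ($wlid.StartType -eq 'Disabled') {
    $findings += 'wlidsvc (Microsoft Sign-in Assistant) start type is Disabled'
}

# 3. The four Security Options GPOs the article lists, read from the registry
#    values that back them (assumed mapping, see the lead-in).
$polSys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p = Get-ItemProperty -Path $polSys -ErrorAction SilentlyContinue
if ($p.legalnoticecaption) {
    $findings += 'Interactive logon: Message title for users attempting to log on is set'
}
if ($p.legalnoticetext) {
    $findings += 'Interactive logon: Message text for users attempting to log on is set'
}
if ($p.scforceoption -eq 1) {
    $findings += 'Interactive logon: Require Windows Hello for Business or smart card is enabled'
}
# ConsentPromptBehaviorAdmin = 1 is "Prompt for credentials on the secure desktop".
if ($p.ConsentPromptBehaviorAdmin -eq 1) {
    $findings += 'UAC: elevation prompt for administrators is set to prompt for credentials on the secure desktop'
}

if ($findings.Count -eq 0) {
    Write-Output 'No Windows Autopilot pre-provisioning conflicts found.'
} else {
    Write-Output 'Conflicting settings found (remove or retarget before pre-provisioning):'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

A device where none of these fire can still hit the reboot-driven ESP issues in the table, so the script complements, rather than replaces, reviewing the assigned policy set in the MDM console.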

For more information, see Troubleshooting Windows Autopilot.