Windows Autopilot - resolved issues
Applies to:
- Windows 11
- Windows 10
The following issues are resolved by installing Windows updates. For a list of issues that can be resolved through configuration changes, see Windows Autopilot - known issues.
| Applies to | Issues | KB |
|---|---|---|
| 18362.145 | Autopilot pre-provisioning fails for non-English builds. | KB4497935 |
| 18362.207 | BitLocker policies not enforced during Autopilot for non-default encryption options. | KB4501375 |
| 18362.267 | * Windows Autopilot pre-provisioning doesn't work for a non-English OS and you see a red screen that says "Success." * Windows Autopilot reports an AUTOPILOTUPDATE error during OOBE after sysprep, reset, or other variations. This issue typically happens if you reset the OS or used a custom sysprepped image. * BitLocker encryption isn't correctly configured. Ex: BitLocker didn't get an expected notification after policies were applied to begin encryption. * You're unable to install UWP apps from the Microsoft Store, causing failures during Windows Autopilot. If you're deploying Company Portal as a blocking app during Windows Autopilot ESP, you've probably seen this error. * A user isn't granted administrator rights in the Windows Autopilot user-driven Hybrid Azure AD join scenario. This is another non-English OS issue. |
KB4505903 |
| 18362.329 | * The Windows Autopilot for existing devices feature doesn't properly suppress the Activities page during OOBE. Because of this issue, you'll see this extra page during OOBE. * TPM attestation state isn't cleared by sysprep /generalize, causing TPM attestation failure during later OOBE flow. (This isn't a common issue, but you could run into it while testing if you're running sysprep /generalize and then rebooting or reimaging the device to go back through an Autopilot pre-provisioning or self-deploying scenario). * TPM attestation may fail if the device has a valid AIK cert but no EK cert (this issue is related to the previous item). * If TPM attestation fails during the Windows Autopilot pre-provisioning process, the landing page appears to stop responding. (Basically, the pre-provisioning landing page, where you click "Provision" to start the pre-provisioning process, isn't reporting errors properly). * TPM attestation fails on newer Infineon TPMs (firmware version > 7.69). (Before this fix, only a specific list of firmware versions was accepted). * Device naming templates may truncate the computer name at 14 characters instead of 15. * Assigned Access policies cause a reboot, which can interfere with the configuration of single-app kiosk devices. |
KB4512941 |
| 18362.387 | A missing AKI extension in EK certificate caused TPM attestation to fail on Windows 10 version 1903. This was due to an extra validation added in Windows 10 version 1903 to check that the TPM EK certs had the proper attributes according to the TCG specifications. The KB4517211 update removes this validation. | KB4517211 |
| 18362.449 | On self-deploying scenarios, the device is no longer AAD-joined after OOBE and cannot login with AAD credentials or access company resources. | KB4522355 |
| 18362.693, 18363.693 | For pre-provisioning scenarios, ESP is marked as required to show to ensure the technician flow completes successfully. | KB4535996 |
| 18362.752, 18363.752 | * For hybrid scenarios where the user should bean administrator, the user is forced to log off at the end of ESP so that user is part of the administrators group on the next logon. * Improves the timeout algorithm on ESP to use processor ticks instead of the system time, which can drift if the device has not been powered on after a long duration. |
KB4541335 |
| 18362.815, 18363.815 | * Autopilot Reset state not set to success on completion, causing the MEM portal to not show the correct status of the device after reset. * Enable additional log collection useful for support cases and investigations. |
KB4550945 |
| 18362.815, 18363.815, 19041.488 | * ESP takes a long time during the "Identifying" phase, especially in hybrid and pre-provisioning scenarios. * Autopilot Update disabled policy was not enforced during pre-provisioning scenarios. * Device setup category fails in self-deploying and pre-provisioning scenarios when the ESP policy is set to disabled. * Allows self-deploying and pre-provisioning scenarios to succeed even if multiple MDM providers are listed in AAD. * For self-deploying scenarios, a reboot causes the device to navigate to the pre-provisioning flow, even if the user did not select the pre-provisioning flow. |
KB4550945, KB4571744 |
| 18362.836, 18363.836 | Devices with incompatible TPM versions (before v2.0), attestation times out instead of notifying the user of an incompatible hardware version. | KB4556799 |
| 18362.1110, 18363.1110, 19041.488 | Microphone icon always shows in OOBE even on devices without audio/voiceover support. | KB4577062, KB4571744 |
| 18362.1237, 18363.1237, 19041.661, 19042.661 | * The Privacy page isn't skipped during OOBE for some policy configurations. * Fixes issues during ESP when multiple policy providers are registered (IME and co-management). * For pre-provisioning scenarios, addresses an issue where the ESP seems to stop responding during Device Preparation category if a reboot occurs. |
KB4586819, KB4586853 |
| 19041.661, 19042.661 | ESP does not use the configured timeout value. | KB4586853 |
| 20H2.2020.11C | ESP does not use the configured timeout value. | KB4586853 |
| 20H2.2020.11C | * The Privacy page isn't skipped during OOBE for some policy configurations. * Fixes issues during ESP when multiple policy providers are registered (IME and co-management). * For pre-provisioning scenarios, addresses an issue where the ESP seems to stop responding during Device Preparation category if a reboot occurs. |
KB4586819, KB4586853 |
| 20H2.2020.9C | Microphone icon always shows in OOBE even on devices without audio/voiceover support. | KB4577062, KB4571744 |
| 20H1.2020.5C | Devices with incompatible TPM versions (before v2.0), attestation times out instead of notifying the user of an incompatible hardware version. | KB4556799 |
| 20H2.2020.9C, 20H1.2020.4C | * ESP takes a long time during the "Identifying" phase, especially in hybrid and pre-provisioning scenarios. * Autopilot Update disabled policy was not enforced during pre-provisioning scenarios. * Device setup category fails in self-deploying and pre-provisioning scenarios when the ESP policy is set to disabled. * Allows self-deploying scenarios to succeed even if multiple MDM providers are listed in Azure AD. * For self-deploying scenarios, a reboot causes the device to navigate to the pre-provisioning flow, even if the user did not select the pre-provisioning flow. |
KB4550945, KB4571744 |
| 20H1.2020.4C | * Autopilot Reset state not set to success on completion, causing the MEM portal to not show the correct status of the device after reset. * Enable additional log collection useful for support cases and investigations. |
KB4550945 |
| 20H1.2020.3C | * For hybrid scenarios where the user should bean administrator, the user is forced to log off at the end of ESP so that user is part of the administrators group on the next logon. * Improves the timeout algorithm on ESP to use processor ticks instead of the system time, which can drift if the device has not been powered on after a long duration. |
KB4541335 |
| 20H1.2020.2C | For pre-provisioning scenarios, ESP is marked as required to show to ensure the technician flow completes successfully. | KB4535996 |
| 19H2.2019.10C | On self-deploying scenarios, the device is no longer Azure AD joined after OOBE and cannot login with Azure AD credentials or access company resources. | KB4522355 |
| 19H2.2019.9C | A missing AKI extension in EK certificate caused TPM attestation to fail on Windows 10 version 1903. This was due to an extra validation added in Windows 10 version 1903 to check that the TPM EK certs had the proper attributes according to the TCG specifications. The KB4517211 update removes this validation. | KB4517211 |
| 19H2.2019.8C | * The Windows Autopilot for existing devices feature doesn't properly suppress the Activities page during OOBE. Because of this issue, you'll see this extra page during OOBE. * TPM attestation state isn't cleared by sysprep /generalize, causing TPM attestation failure during later OOBE flow. (This isn't a common issue, but you could run into it while testing if you're running sysprep /generalize and then rebooting or reimaging the device to go back through an Autopilot pre-provisioning or self-deploying scenario). * TPM attestation may fail if the device has a valid AIK cert but no EK cert (this issue is related to the previous item). * If TPM attestation fails during the Windows Autopilot pre-provisioning process, the landing page appears to stop responding. (Basically, the pre-provisioning landing page, where you click "Provision" to start the pre-provisioning process, isn't reporting errors properly). * TPM attestation fails on newer Infineon TPMs (firmware version > 7.69). (Before this fix, only a specific list of firmware versions was accepted). * Device naming templates may truncate the computer name at 14 characters instead of 15. * Assigned Access policies cause a reboot, which can interfere with the configuration of single-app kiosk devices. |
KB4512941 |
| 19H2.2019.7C | * Windows Autopilot pre-provisioning doesn't work for a non-English OS and you see a red screen that says "Success." * Windows Autopilot reports an AUTOPILOTUPDATE error during OOBE after sysprep, reset, or other variations. This issue typically happens if you reset the OS or used a custom sysprepped image. * BitLocker encryption isn't correctly configured. Ex: BitLocker didn't get an expected notification after policies were applied to begin encryption. * You're unable to install UWP apps from the Microsoft Store, causing failures during Windows Autopilot. If you're deploying Company Portal as a blocking app during Windows Autopilot ESP, you've probably seen this error. * A user isn't granted administrator rights in the Windows Autopilot user-driven Hybrid Azure AD join scenario. This is another non-English OS issue. |
KB4505903 |
| 19H1.2019.6C | BitLocker policies not enforced during Autopilot for non-default encryption options. | KB4501375 |
| 19H1.2019.5C | Autopilot pre-provisioning fails for non-English builds. | KB4497935 |
Related topics
Windows Autopilot - known issues
Diagnose MDM failures in Windows 10
Troubleshooting Windows Autopilot
Feedback
Submit and view feedback for