Autopilot Error Troubleshooting

autopilot Jul 24, 2020

The last weeks in my life as a Modern Workplace Architect were pretty hard. I had to deal with major Autopilot errors while building a new environment. In this post I will write about common problems and how to solve them.

One thing in advance; Autopilot Azure AD is the best and easiest scenario. But when making the transition to the cloud, for most companies it is best to go hybrid first. See the deployment profile:
autopilotdeploymentmode-1

Hybrid Autopilot White Glove Process

First lets discuss the whole flow and whats exactly happening.

  1. registration of hardware hash to the tenant
  2. White Glove process gets started - TPM attestation
  3. device requests deployment profile from the tenant (containing tenant information, scenario and other relevant details)
  4. Intune is looking for an assigned Domain Join Profile (device configuration profile) preparing the Hybrid scenario and requests an Offline Domain Join
  5. the installed Intune Connector (ODJ Connector) is polling Intune every 3 min
  6. Intune Connector creates a computer object in the Active Directory representing that computer
  7. Intune Connector uploads a Offline Domain Join blob to Intune
  8. device applies this Offline Domain Join blob, performs ping check to domain controller and reboots then (skip connectivity check is possible with Win10 2004 or 1903/1909 with December update)

At this point the device is Active Directory (on-prem) joined with all configured settings from deployment profile. (name prefix, specified OU and domain)

Troubleshooting on the device

First I would always try to understand the exact problem on the device. Often an error code will help you to continue. The two I encountered where 0x801C03F3 and 0x80070002. The first one was my fault. I accidentally deleted the computer object in AzureAD>devices. To resolve this it is the best to reregister the device hash to Intune services. For the second error check "Troubleshooting in configuration".

Get-AutopilotDiagnostics

If the error codes don't help you, there are still some options to get more information. For example Michael Niehaus Script Get-AutopilotDiagnostics.
Install the Powershell script for a visual overview and more log information for the whole Autopilot process.
get-autopilotdiagnostics

MDMDiagnostics

Microsoft also provides a built-in solution for collecting logs. Executable with:
Mdmdiagnosticstool.exe -area Autopilot;TPM -cab c:\temp\autopilot.cab. To do an analysis of the logs I can also recommend Michael Niehaus reference.

Troubleshooting in configuration

Deployment Profile

For best practice target the deployment profile to "All Devices". This will help against endless waiting for the ODJ Blob and Intune Connector won't ever receive anything. You can check this with event viewer on the server, therefore navigate to "Applications and Services logs>ODJ Connector Service"
eventviewer-1
Now create a filter to exclude events 30121 and 30150. (on the left "Filter Current Log")
eventlogfilter-1
Now search for events 30130 and 30140 this two represent a successful ODJ request from Intune service.

One more thing to mention is that after the Azure AD join Intune will convert the device into a Hybrid Azure AD object. This means if you just target the deployment profile to a group where the device is currently member of (in AAD state), after successful enrollment of HAAD it will not know which profile to take for redeployments. The AAD computer object is not anymore in that specified group. Sounds hard to understand but keep in mind that assignment to "All Devices" is the best.

Connectivity to a domain controller

This refers to point 8. where the device will attempt to ping a domain controller after applying the ODJ blob. This was initially thought to prevent unsuccessful user login attempts in the Win10 lockscreen, because credentials are checked against on-prem domain controller. Now with Windows version 2004 or 1903/1909 with December updates you can skip this connectivity check in the deployment profile so the device will reboot immediately. To this point a complete over-the-internet enrollment would be possible. (later on VPN would also make it possible)

Domain Join issues

I was struggling with this for a while. We have following environment: Windows Deployment Server (WDS) with AD integration to enroll our devices with Win10 2004. Then let Autopilot take over with White Glove. The problem was that WDS already joined the computer to the Active Directory and Autopilot would always fail with error 0x80070002. So make sure to check if the device obscurely joined AD already. If yes its likely that this happened into the default computers OU. To prevent WDS from doing this, you should set up WDS as a standalone server not integrated to the domain. Do this in this step:
wdsstandaloneinstallation-2
when the installation is finished, configure it:
wdsproperties
and enable the checkbox to disable Active Directory Joins triggered by WDS
wdsnodomainjoin-1

Niklas Tinner

Young IT Nerd.

Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.