
How to troubleshoot Intune enrollment with Autopilot

Most devices go through Intune Autopilot enrollment without any issues, but when problems arise, IT needs to be ready to act.

Many methods are available for enrolling Windows devices into Microsoft Intune, but the most common method for corporate devices is using Windows Autopilot.

Windows Autopilot is a Microsoft cloud service that simplifies the setup and pre-configuration of new devices to prepare them for end users. It removes the need for imaging and re-imaging devices, as it builds on the existing preinstalled operating system and allows IT to distribute any required configurations, scripts and apps during the out-of-box-experience (OOBE).

With that, it takes away the time spent on imaging, reduces the need for on-premises infrastructure, and further simplifies the user experience. For all the simplicity, issues can still arise, and Intune administrators need to be ready to troubleshoot them and resolve them quickly.

IT administrators should be familiar with the flow of the Windows Autopilot enrollment process because it is essential to understanding the troubleshooting process.

Windows Autopilot enrollment process

The high-level flow of the Windows Autopilot enrollment process is pretty straightforward. It starts with connectivity and ends with Autopilot applying the actual settings. Figure 1 shows an overview of that process.

A graphic showing the steps in the process of Windows Autopilot enrollment.
Figure 1. The steps that IT needs to take during Autopilot enrollment.
  1. Network connection. Autopilot initiates a network connection by relying on either the existing wired connection or the specified wireless connection.
  2. Profile downloaded. The Windows Autopilot profile for the device is downloaded as soon as the network connection is available.
  3. User authentication. This step is optional. In a user-driven Windows Autopilot deployment, the user must provide their Microsoft Entra credentials, and then Autopilot validates them.
  4. Microsoft Entra join. In a user-driven Windows Autopilot deployment, the device is joined to Microsoft Entra by relying on the provided credentials. In a self-deploying Windows Autopilot deployment, the device is joined without user credentials.
  5. Automatic MDM enrollment. The device is automatically enrolled into the mobile device management (MDM) provider -- in this case, Microsoft Intune -- as part of the Microsoft Entra join.
  6. Settings applied. Autopilot applies the appropriate settings to the device and user during the enrollment status page (ESP), when one is configured, or after sign-in.

Troubleshooting Intune enrollment during the out-of-box-experience

Troubleshooting issues during OOBE is critical because it is the foundation of the enrollment. During OOBE, the IT administrator can use the Shift + F10 key combination to start a Command Prompt dialog box. That box provides the IT administrator with direct access to the device with high privileges. The IT administrator can use that box to directly access the event logs, registry keys, and more. It's a great place for the IT administrator to start the troubleshooting process.

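It's worth noting that the Shift + F10 key combination is available to every user during OOBE, not only to IT administrators, so anyone at the device during setup gets the same high-privilege Command Prompt.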

Any issues related to Windows Autopilot are logged in the Event Viewer at Application and Services Logs > Microsoft > Windows > ModernDeployment-Diagnostics-Provider > Autopilot. Profile settings for Windows Autopilot are stored in the registry at the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\Diagnostics\Autopilot

Windows 11 even has a special Windows Autopilot diagnostics page available during OOBE that the IT administrator can use. To enable that diagnostics page, the administrator must make sure that the correct configuration is in place for the ESP with the following steps:  

  • Open the Microsoft Intune admin center portal and navigate to Devices > Windows > Enrollment > Enrollment Status Page.
  • On the Enrollment Status Page, select the desired profile and click Edit in the Settings section.
  • On the Edit profile page, ensure the following settings are in place and click Review + save (Figure 2):
      • Show app and profile configuration progress should be set to Yes.
      • Turn on log collection and diagnostics page for end users should be set to Yes.
  • On the Review + Save page, verify the changes and click Save.
A screenshot with certain settings highlighted within the Microsoft Intune admin center's profile editing page.
Figure 2. The Intune Edit profile page with the necessary settings to change highlighted.

In addition to the local options, Windows Autopilot also automatically collects logs after a failure during the process. Admins can find the collected logs within Microsoft Intune in the Device diagnostics section of the device. The action itself will be listed as a Collect diagnostics action within the Device actions status.

7 Intune deployment errors that can happen with Windows Autopilot

Certain error messages are more frequent, not because Windows Autopilot is error-prone or sensitive, but simply because errors are bound to occur with bulk enrollment. A small percentage of Windows Autopilot deployments always cause problems. Here is a quick-start guide to addressing common Windows Autopilot deployment errors.

1. There was an error with your license

A frequent error message when starting with Microsoft Intune is server error code 80180018 "There was an error with your license." This error message can have multiple root causes, but they all relate to the user license. In most cases, the user doesn't have the right license available or already has too many devices enrolled. The latter is something that often happens to IT administrators who are testing different deployments with the same account. To fix this, make sure that the user has the right license assigned or clean up the device objects for the user. 

2. This feature is not supported

A common error message is server error code 80180014 "This feature is not supported." This error message can have many different causes. When starting with Windows MDM enrollments, the most common reason is that Windows MDM enrollment is blocked within the enrollment restrictions. To fix this, make sure that Windows (MDM) is set to Allow within the enrollment restrictions.

Also, this error often occurs when using Windows Autopilot self-deployment mode or Windows Autopilot pre-provisioning. In that case, when reusing a device, IT must delete the device object first. To fix this, make sure that the device object is deleted before starting the new deployment. 

3. Your device cannot be enrolled right now

Another common error message is server error code 80180032 "Your device cannot be enrolled right now." Enrollment restrictions cause this error message as well. To fix it, make sure that the user is familiar with the requirements for enrolling the device using Windows Autopilot. 

4. The device is already enrolled

In rarer cases, the IT administrator might run into the server error 8018000a "The device is already enrolled." This means that something went wrong during the initial deployment of the device. To fix it, remove the device object from Microsoft Intune and Microsoft Entra and re-register the device with the Windows Autopilot service. 

5. Securing your hardware -- Failed: 0x800705b4

A failure to secure the hardware is a common issue during the Windows Autopilot device preparation stage. This error message is often related to the trusted platform module (TPM) when relying on Windows Autopilot self-deploying mode.

In most cases, this error happens when IT administrators try to simulate the whole process on a VM. For self-deploying mode, however, that is not supported. In some rare cases, this error occurs when the TPM vendor does not provide the required certificate on the chip. In that case, the device must go online to get the certificate. To fix this, make sure to use a physical device that is capable of reaching out to the vendor.

6. Registering your device for mobile management -- Failed: 3, 0x801C03EA 

On some older devices, often in combination with Windows Autopilot self-deploying mode, IT administrators might have registration issues due to error 0x801C03EA. That error message is related to the device's TPM. The device is TPM 2.0 capable, but admins need to upgrade the TPM from 1.2 to 2.0. To fix this, upgrade the TPM to version 2.0.

7. We couldn't finish MDM enrollment -- Error: 0x80180022 

Sometimes MDM enrollment doesn't complete due to error 0x80180022, which relates to the Windows edition on the device. Windows 10 or 11 Home Edition is not supported. To fix this, make sure to use a supported edition of Windows in combination with Windows Autopilot.
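
The following PowerShell is an added example, not part of the original article. Pasted into a PowerShell session started from the Shift + F10 prompt, it dumps the Autopilot registry values, lists warning and error events from the Autopilot log, and flags any of the seven codes above that appear in an event message. The channel name is the one behind the Event Viewer path given earlier; `Get-HResultCode` and the `$KnownErrors` table are illustrative names.

```powershell
# Added example (not from the original article). Paste into a PowerShell session
# started from the Shift + F10 prompt ("powershell") during OOBE.
$LogName = 'Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot'
$RegPath = 'HKLM:\SOFTWARE\Microsoft\Provisioning\Diagnostics\Autopilot'

# The seven codes and fixes as this article gives them (keys: hex without "0x").
$KnownErrors = @{
    '80180018' = 'License: assign the right license or clean up the user''s device objects.'
    '80180014' = 'Not supported: allow Windows (MDM) in enrollment restrictions; delete the old device object before reuse.'
    '80180032' = 'Cannot enroll right now: check enrollment restrictions and requirements.'
    '8018000a' = 'Already enrolled: remove the device object from Intune and Entra, then re-register.'
    '800705b4' = 'Securing your hardware: TPM issue; use a physical device that can reach the TPM vendor.'
    '801c03ea' = 'Registration: upgrade the TPM from 1.2 to 2.0.'
    '80180022' = 'MDM enrollment: Windows Home is not supported; use a supported edition.'
}

function Get-HResultCode {
    # Returns the unique 8-digit hex codes starting with 8 found in a message.
    param([string]$Text)
    [regex]::Matches($Text, '(?i)\b(?:0x)?(8[0-9a-f]{7})\b') |
        ForEach-Object { $_.Groups[1].Value.ToLower() } |
        Sort-Object -Unique
}

# 1. Profile settings stored in the registry.
if (Test-Path $RegPath) {
    Get-ItemProperty -Path $RegPath | Select-Object * -ExcludeProperty PS* | Format-List
} else {
    Write-Warning "Registry key $RegPath not found."
}

# 2. Critical (1), Error (2) and Warning (3) events from the Autopilot log.
$filter = @{ LogName = $LogName; Level = 1, 2, 3 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue
if (-not $events) { Write-Warning "No warning or error events in $LogName." }

foreach ($e in $events) {
    $firstLine = ("$($e.Message)" -split "`r?`n")[0]
    '{0:s}  Id={1}  {2}' -f $e.TimeCreated, $e.Id, $firstLine
    foreach ($code in Get-HResultCode $e.Message) {
        if ($KnownErrors.ContainsKey($code)) {
            "    -> 0x{0}: {1}" -f $code, $KnownErrors[$code]
        }
    }
}
```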

Peter van der Woude works as a mobility consultant and knows the ins and outs of the ConfigMgr and Microsoft Intune tools. He is a Microsoft MVP and a Windows expert as well.
