Autopilot and ESP policy issues

I recently dealt with an Autopilot issue which prompted me to capture my experience in this blog. Issues during Autopilot provisioning are fairly common, especially when Microsoft introduces changes in the backend that affect the Autopilot provisioning process. I am not sure whether the issue I experienced was the result of a change made by Microsoft or not, but it certainly affected some tenants, as many others reported similar issues on Twitter.


Let me explain the issue in detail. In my case it started with Autopilot timing out with the infamous 0x800705b4 error. Running Get-AutopilotDiagnostics led me to believe that something was wrong with how policies were getting evaluated, as the ESP showed as not assigned.


This is odd. Why would the ESP not show as assigned when the very same policy had been running for weeks without any issues? What is even stranger is that the diagnostics showed the ESP as blocking. That would explain the timeout error I was seeing. To test my theory of a possible issue with the policy assignments, I deployed the ESP to a custom group. On doing so, the provisioning process no longer timed out, but the ESP got skipped altogether. Apparently the device was receiving the policy of the Default ESP and not the custom ESP, which was set up higher in the priority. This was also evident in the Autopilot monitoring logs in Intune.


Solution? I removed the assignments for the existing ESP, created another ESP policy (essentially a v2 of the existing ESP, copied as-is) and assigned that to the dynamic Autopilot group. Once I did that, I was able to provision devices again. All was good again with the world. :-)


Conclusion

To be honest, I don't know what caused the issue in the first place. Microsoft have not acknowledged the issue to date, but since it impacted multiple tenants, I can only assume that Microsoft introduced some change in mid-August 2022 that resulted in ESP policy evaluation issues. This is not the first time the Autopilot provisioning process has been impacted and it will certainly not be the last, so running diagnostics scripts to gather data on status and policies is the best way to troubleshoot such issues. If you are unfamiliar with the Autopilot troubleshooting process, then you can refer to the official guide over here. There is also an excellent piece written by Michael Niehaus on Autopilot troubleshooting which is highly recommended.
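As an added example (not part of the original post and not Microsoft's or the script author's code), the PowerShell below is the kind of evidence-gathering pass I would run on an affected device, either from the OOBE command prompt (Shift+F10) while it is stuck at the ESP, or afterwards. It assumes the community Get-AutopilotDiagnostics script from the PowerShell Gallery with its -Online and -ShowPolicies switches, and the HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID>\FirstSync registry values that the enrollment client writes; verify both against your own build before relying on the output.

```powershell
# Added example: collect Autopilot / ESP diagnostics from a device that timed out
# or skipped the ESP. Run as an administrator (or from the OOBE Shift+F10 prompt).
# Assumptions: Get-AutopilotDiagnostics is installable from the PowerShell Gallery
# and exposes -Online / -ShowPolicies; FirstSync keys exist as described below.
#Requires -RunAsAdministrator

# 1. Make sure the community diagnostics script is available on this device.
if (-not (Get-Command Get-AutopilotDiagnostics.ps1 -ErrorAction SilentlyContinue)) {
    Install-PackageProvider -Name NuGet -Force -ErrorAction Stop | Out-Null
    Install-Script -Name Get-AutopilotDiagnostics -Force -ErrorAction Stop
}

# 2. Run it inside a transcript so the output (the script uses Write-Host) ends up
#    in a file you can attach to a support case. -Online resolves app and policy
#    names from the tenant (it will prompt for an Intune sign-in); -ShowPolicies
#    lists the ESP tracking policies the device believes it received.
$log = Join-Path $env:TEMP ("AutopilotDiag-{0:yyyyMMdd-HHmm}.txt" -f (Get-Date))
Start-Transcript -Path $log -Force | Out-Null
try {
    Get-AutopilotDiagnostics.ps1 -Online -ShowPolicies
}
finally {
    Stop-Transcript | Out-Null
}
Write-Output "Diagnostics transcript written to $log"

# 3. Independently read what ESP settings the device actually received.
#    FirstSync is written per MDM enrollment; a Skip*StatusPage value of 1 means
#    the device was told to skip that ESP phase, which is what you would expect
#    to see when the wrong (default) ESP profile wins the assignment evaluation.
$firstSync = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $fs = Join-Path $_.PSPath 'FirstSync'
        if (Test-Path $fs) {
            Get-ItemProperty -Path $fs |
                Select-Object @{ n = 'Enrollment'; e = { $_.PSParentPath.Split('\')[-1] } },
                              SkipDeviceStatusPage, SkipUserStatusPage, IsSyncDone
        }
    }

if ($firstSync) {
    $firstSync | Format-Table -AutoSize
}
else {
    # No FirstSync key at all: the ESP settings never reached the device, which
    # lines up with a diagnostics report showing the ESP as "not assigned".
    Write-Warning 'No FirstSync data found under any enrollment; ESP settings were not delivered.'
}
```

Compare the FirstSync values with the profile you expect the device to receive in Intune: a device that shows the default profile's skip settings while a higher-priority custom profile is assigned is the symptom described above, and the transcript from Get-AutopilotDiagnostics gives you the policy names and timings to back that up when raising a case.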
