Autopilot randomly not working? Perhaps KB5033055 is to blame.

January 27, 2024 | Windows AutoPilot


I was doing some testing with Windows Autopilot on Windows 11 23H2 and couldn’t figure out why properly-registered machines with profiles assigned would “sometimes” behave like they weren’t registered with Autopilot. Instead of going to the Azure AD / work or school sign-in page, it would display the OOBE license terms page:

Sure, you could keep going after that and you could still join the device to AAD, get it enrolled in Intune, track the progress with ESP, etc. But you will notice other things (those that Autopilot provides) that didn’t work:

  • Your device naming template will be ignored.
  • You’ll have to choose between “work/school” (AAD) and “personal” (MSA) when on Windows 11 Pro.
  • The user will always get admin rights.
  • You’ll get prompted for security/privacy settings, OEM device registration, and potentially other things (e.g. sign up for Xbox or Microsoft 365 subscriptions).
  • HAADJ, self-deploying, and pre-provisioning (white glove) scenarios won’t work at all.

So what’s going on here? If you watch carefully in OOBE, you’ll see that it is installing an update. There are a variety of messages displayed while that is happening, such as this one:

And after that completes, you’ll see the “Please review the License Agreement” screen. OK, so it installed some sort of OOBE update, but what exactly was it? If you look at the Windows Update log (which you can retrieve by opening a command prompt with Shift-F10 during OOBE, running PowerShell, and then executing the “Get-WindowsUpdateLog” cmdlet), you’ll see that it searched for and found an “OOBE ZDP” (zero-day patch):

What is KB5033055? There is a KB article for it, but it doesn’t really tell you much, just that it is indeed an OOBE update. If you look at the files involved, you can see that it’s updating pretty much the entire set of OOBE files. (Weirdly, if you scan that list you’ll see that there really were only two real updates, to msoobeplugins.dll and CloudExperienceHostCommon.dll, but that doesn’t really tell you anything of use.) There is one note of interest in the KB:

OK, but guess what OOBE didn’t do after installing the update? It didn’t restart the computer. There are indications that Autopilot went through the motions of downloading the Autopilot profile, but it just logged that the device wasn’t registered. Odd. But if we reboot the computer using “shutdown.exe /r /t 0” from that same Shift-F10 command prompt, we see the device start back up, reboot to apply the computer name as specified in the Autopilot profile that I’m using, and finally it ends up where you would expect it to:

So now everything is fine. That’s not too bad of a workaround for an IT person, but try explaining that to an end user who is trying to go through the process: “If you see a screen that looks like this, then hold the power button until the machine turns off, then turn it back on again and you should end up at the proper screen.” Good luck with that.

The other oddity in this case: I’m using 23H2 media for this install (a VM created from an updated ISO) that was updated in December 2023; this OOBE ZDP was released on November 10, 2023. Why is this update not preinstalled in the OS? It’s quite possible that this OOBE ZDP was actually superseded by the December 2023 monthly update (KB5033375) because the two files I mentioned previously (msoobeplugins.dll and CloudExperienceHostCommon.dll) are more recent in that update.

It’s quite possible that these things are tied together: If you are using an OS image that has “later” versions of the files in question already preinstalled, the OOBE ZDP patch really isn’t necessary, so it may go through all the motions of installing the OOBE ZDP (detect, download, install) but not actually update any files since they are already newer. But that’s just an educated guess.
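The log check and file comparison described above can be scripted from the Shift-F10 PowerShell session. This is an added example, not code from the original post; the search strings are the terms the post names (how they appear in the log is an assumption), and the log location and the System32 search root are choices made here.

```powershell
# Added example: run in PowerShell started from the Shift-F10 prompt during OOBE.

# Terms named in the post; their exact wording in the log is an assumption.
$patterns = @('KB5033055', 'OOBE ZDP')
# Assumed output location for the converted log.
$logPath = Join-Path $env:TEMP 'WindowsUpdate.log'

# Convert the Windows Update ETW traces into a readable text log.
Get-WindowsUpdateLog -LogPath $logPath | Out-Null

# Collect every log line that mentions the OOBE update (case-insensitive).
$hits = @(Select-String -Path $logPath -Pattern $patterns -SimpleMatch)

# Locate the two files the post identifies as the real changes and record
# their versions, so they can be compared with the monthly update's copies.
# Searching under System32 is an assumption; the scan can take a minute.
$names = @('msoobeplugins.dll', 'CloudExperienceHostCommon.dll')
$files = Get-ChildItem -Path (Join-Path $env:windir 'System32') -Recurse `
             -Include $names -File -ErrorAction SilentlyContinue |
         ForEach-Object {
             [pscustomobject]@{
                 Path          = $_.FullName
                 FileVersion   = $_.VersionInfo.FileVersion
                 LastWriteTime = $_.LastWriteTime
             }
         }

if ($hits.Count -gt 0) {
    Write-Host "Found $($hits.Count) log line(s) mentioning the OOBE update:"
    $hits | Select-Object -First 10 |
        ForEach-Object { Write-Host "  $($_.Line.Trim())" }
    # The restart command is the workaround given in the post.
    Write-Host 'If OOBE is on the license terms page, restart with: shutdown.exe /r /t 0'
} else {
    Write-Host "No match for $($patterns -join ', ') in $logPath."
}

$files | Format-Table -AutoSize
```

A match combined with the license terms page is the signal to restart before continuing, since completing OOBE outside Autopilot leaves the user with admin rights and ignores the naming template.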

So how do you avoid this issue? Don’t use media updated after the release of KB5033055 (e.g. stick to November 2023 or earlier), or hope that at some point the targeting of KB5033055 will be fixed so that it’s not offered to devices already running a later patch.


