Windows Autopilot testing with VMs

By August 24, 2023Windows AutoPilot

[ad_1]

Windows Autopilot

We all test with virtual machines whenever possible, right? I know I always have, and for expediency I typically went through this process:

  • Create a new VHDX file from the latest Windows 11 ISO downloaded from https://my.visualstudio.com, since these are fully-patched. You can use the Convert-WindowsImage.ps1 script on GitHub to do that.
  • Create a new VM with no attached disk. Tweak it to add a second processor and a TPM, and configure it to use standard checkpoints. Add a differencing disk that uses the VHDX file created in the previous step. Don’t attach the network adapter to a network (avoids the machine deciding that it is “not an Autopilot device,” a state that requires a reboot to fix).
  • Boot the device and wait until it gets to the first page of OOBE, but don’t navigate forward.
  • Create a checkpoint.

That gets the VM into a reusable state. You can then go through the device registration process:

  • While at the first page of OOBE, connect the network adapter to a network that has internet access.
  • Press Shift-F10 to open a command prompt.
  • Run “powershell.exe” to start PowerShell.
  • Execute “Set-ExecutionPolicy Bypass” to enable scripts.
  • Install the Autopilot registration script using “Install-Script Get-WindowsAutopilotInfo -force”. Then run “Get-WindowsAutopilotInfo.ps1 -online” and sign into AAD with an appropriate account that has rights to register the machine.
  • Make sure the computer object is added to an AAD group that gets an Autopilot profile assigned to the device.
  • Revert the machine to the checkpoint.

At this point, you should be able to walk through OOBE. It will prompt to have you connect to a network, so do that, and then it will download the Autopilot profile. When you want to do it again, revert back to the checkpoint and do it again.

At least that’s the process that I used to do. With a Windows 11 22H2 VHDX patched to the current August cumulative update, this process works fine — but only once. After that, the machine will be in a “Fix pending” state and it will never get an Autopilot profile again unless you effectively start over (deregister/re-register). That’s fairly time-consuming.

So what’s going on here? There’s some new logic in Windows Autopilot that Rudy Ooms explains in his blog, related to a UEFI variable named the AUTOPILOT_MARKER. In effect, the device is “permanently” tagged to indicate that it is an Autopilot device:

On “real” hardware, if that AUTOPILOT_MARKER were to disappear, it likely means that the motherboard has been replaced and the device needs to be re-registered, which is something that Autopilot can try to do automatically. But in the virtual machine case, reverting the VM to a previous checkpoint causes that marker to disappear, hence that same re-registration “repair” process tries to kick in. But we reverted the machine to a checkpoint, so that repair can never happen. And with the device stuck in that state, it will never get an Autopilot profile — it will just go through OOBE as a non-Autopilot device. (That just feels wrong/half-baked.)

So how do we work around this? Well, we need to make sure that marker is preserved. So we need to alter the process:

  • Create a new VHDX file from the latest Windows 11 ISO downloaded from https://my.visualstudio.com, since these are fully-patched. You can use the Convert-WindowsImage.ps1 script on GitHub to do that.
  • Create a new VM with no attached disk. Tweak it to add a second processor and a TPM, and configure it to use standard checkpoints. Add a differencing disk that uses the VHDX file created in the previous step. Attach the network adapter to a network with internet access.
  • Boot the device and wait until it gets to the first page of OOBE, but don’t navigate forward.
  • Press Shift-F10 to open a command prompt.
  • Run “powershell.exe” to start PowerShell.
  • Execute “Set-ExecutionPolicy Bypass” to enable scripts.
  • Install the Autopilot registration script using “Install-Script Get-WindowsAutopilotInfo -force”. Then run “Get-WindowsAutopilotInfo.ps1 -online” and sign into AAD with an appropriate account that has rights to register the machine.
  • Make sure the computer object is added to an AAD group that gets an Autopilot profile assigned to the device. Wait for the profile assignment to complete. (You could do this with the Get-WindowsAutopilotInfo script too.)
  • Run “c:windowssystem32sysprepsysprep.exe /generalize /oobe /shutdown”
  • Either disconnect the network adapter (if you want it to always prompt, e.g. to test internet vs. on-prem scenarios or if you plan to change the Autopilot profile at any point) or not; leave the machine powered off or boot it to the first screen of OOBE (your preference, but remember if you boot it to OOBE and have a network connection, it will have a cached Autopilot profile that won’t go away without a forced reboot). My preference: no network, booted to the start of OOBE.
  • Create a checkpoint.

Now we should be able to repeat the Autopilot process over and over again.



[ad_2]
Source link

Share this post via

Tags:

Leave a Reply