Windows Autopilot Enrollment Failures: A Structured Troubleshooting Guide
Most Autopilot enrollment failures follow a predictable pattern. The device sits at OOBE, throws an error code, and the temptation is to rebuild. Before you do that — this guide walks through every layer systematically, from hardware through to log analysis, so you find the actual root cause rather than masking it with a rebuild.
Everything in this post is verified against Microsoft's official Autopilot documentation. Where error codes and log paths are referenced, they come directly from Microsoft's published troubleshooting guidance.
Start here — collect device state before touching anything
Before stepping through the checklist, run two commands that give you the full picture of the device's current state. These are the commands Microsoft support will ask for first.
1. Hardware hash and Autopilot registration status — requires the Get-WindowsAutopilotInfo script published by Michael Niehaus (Microsoft) on the PowerShell Gallery:
# Install the script from PowerShell Gallery (run as Administrator)
Install-Script -Name Get-WindowsAutopilotInfo -Force
# Export hardware hash to CSV
Get-WindowsAutopilotInfo -OutputFile "C:\AutopilotHash.csv"
2. Device join and MDM enrolment state — built-in Windows command, no installation required:
# Run from command prompt or PowerShell — no elevation needed
dsregcmd /status
Key fields to check in the dsregcmd /status output:
| Field | What you want to see | What a bad value means |
|---|---|---|
| AzureAdJoined | YES | Device has not completed Entra ID join — profile or network issue |
| MDMUrl | https://enrollment.manage.microsoft.com | Empty or wrong URL — MDM authority not set or licence not assigned |
| TenantId | Your tenant GUID | Wrong tenant — device hash imported to the wrong tenant |
| IsAutopilotEnrolled (if present) | YES | Device not in Autopilot service — hash not imported or sync pending |
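The following script is an added example, not part of the original guide: it parses the `dsregcmd /status` output and evaluates the four fields in the table above, printing a pass/fail line with the matching hint. The tenant GUID in `$ExpectedTenantId` is a placeholder you must replace with your own.

```powershell
# Added example (not from the original guide): parse dsregcmd /status and evaluate the
# key fields from the table above. $ExpectedTenantId is an assumed placeholder; replace it
# with your own tenant GUID before running.
$ExpectedTenantId = '00000000-0000-0000-0000-000000000000'   # placeholder, assumed
$ExpectedMdmUrl   = 'https://enrollment.manage.microsoft.com'

# dsregcmd prints "  Key : Value" lines; collect them into a (case-insensitive) hashtable.
# The non-greedy key match stops at the first colon, so URL values keep their "https://".
$state = @{}
foreach ($line in (dsregcmd /status)) {
    if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
        $state[$matches[1]] = $matches[2]
    }
}

$checks = @(
    @{ Field = 'AzureAdJoined'; Pass = ($state['AzureAdJoined'] -eq 'YES');
       Hint = 'Entra ID join not complete: check profile assignment and network' },
    @{ Field = 'MDMUrl'; Pass = ($state['MDMUrl'] -like "$ExpectedMdmUrl*");
       Hint = 'MDM authority not set or licence not assigned' },
    @{ Field = 'TenantId'; Pass = ($state['TenantId'] -eq $ExpectedTenantId);
       Hint = 'Device joined to a different tenant: re-import the hash to the correct tenant' }
)
# IsAutopilotEnrolled is not reported on every build, so only evaluate it when present.
if ($state.ContainsKey('IsAutopilotEnrolled')) {
    $checks += @{ Field = 'IsAutopilotEnrolled'; Pass = ($state['IsAutopilotEnrolled'] -eq 'YES');
                  Hint = 'Device not in Autopilot service: hash not imported or sync pending' }
}

foreach ($c in $checks) {
    $value = if ($state.ContainsKey($c.Field)) { $state[$c.Field] } else { '<missing>' }
    if ($c.Pass) { "PASS  $($c.Field) = $value" }
    else         { "FAIL  $($c.Field) = $value  -> $($c.Hint)" }
}
```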
1 Verify hardware requirements
Microsoft requires the following for all Autopilot scenarios. These are non-negotiable — if any are missing, the enrolment will fail regardless of profile or network configuration.
- TPM 2.0 is present and functional. TPM 1.2 is not supported. Confirm in Device Manager → Security Devices, or run Get-Tpm in PowerShell and verify TpmPresent: True and TpmReady: True.
- Secure Boot is enabled. Check in BIOS/UEFI, or run Confirm-SecureBootUEFI in PowerShell — returns True if enabled. Required for User-Driven and Self-Deploying modes.
- Hardware hash imported to Autopilot service. The device's hardware hash (4K hash) must exist in your Autopilot device list before OOBE starts. Devices not in the service will fail with 0x80180014.
- Windows 10 1903 or later (Windows 11 recommended). Autopilot Self-Deploying requires 1903+; Pre-Provisioning requires 1903+. User-Driven supports earlier builds but Microsoft recommends current releases.
# TPM status
Get-Tpm
# Secure Boot status — returns True if enabled, False if disabled, error if Legacy BIOS
Confirm-SecureBootUEFI
# Check Autopilot registry key — populated after successful profile download
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Provisioning\AutoPilot"
2 Confirm device is in the Autopilot service
The device must be registered in your Autopilot tenant before it reaches OOBE. Registration happens via hardware hash import — either manually via CSV, automatically via OEM direct enrolment, or via Configuration Manager co-management.
Check in the Intune admin center: Devices → Enrolment → Windows → Windows Autopilot devices. Search by serial number or hardware hash. The device should appear with a profile status.
If the device is not listed, import the hash. If it is listed but shows Not assigned for the profile, move to Step 3.
3 Verify deployment profile assignment
A device in the Autopilot service still needs a deployment profile assigned before it will receive the Autopilot OOBE experience. Profile assignment in Intune is group-based — the device or user must be a member of a group that the profile targets.
- Profile status must show “Assigned” in the Autopilot device list. “Not assigned” means the device is not in a targeted group, or the group has not yet synced.
- Check group membership. Autopilot profiles target Entra ID groups. Confirm the device object (for device-targeted groups) or the expected user (for user-targeted groups) is in the correct group.
- Dynamic group rules. If using dynamic membership (e.g. device.devicePhysicalIds -any _ -contains "[ZTDId]"), verify the rule has evaluated and the device appears in group membership. Dynamic group evaluation can take up to 24 hours for large tenants.
- OOBE deployment mode matches the profile. A device booted in Self-Deploying mode will fail if the profile is configured for User-Driven, and vice versa.
The rule (device.devicePhysicalIds -any _ -contains "[ZTDId]") targets all devices registered in your Autopilot tenant, regardless of group tag.
4 Validate network connectivity
Autopilot requires internet access from the moment OOBE begins. If the device cannot reach Microsoft endpoints, the profile download fails silently and the device falls through to a standard setup experience or throws a network error code.
The following endpoints must be reachable from the device at OOBE — verified against Microsoft's Autopilot networking requirements documentation:
| Endpoint | Purpose |
|---|---|
| login.microsoftonline.com | Entra ID authentication |
| login.live.com | Microsoft account sign-in (User-Driven) |
| enterpriseregistration.windows.net | Device registration |
| device.login.microsoftonline.com | Device authentication token |
| ztd.dds.microsoft.com | Autopilot profile download |
| cs.dds.microsoft.com | Autopilot profile download |
| aadcdn.msftauth.net | Authentication CDN |
| enrollment.manage.microsoft.com | MDM enrolment endpoint |
| enterpriseenrollment.manage.microsoft.com | MDM enrolment redirect |
| go.microsoft.com | Redirect resolution during setup |
To test connectivity from the OOBE environment (Shift+F10 to open a command prompt at OOBE):
# Test DNS resolution and connectivity to key Autopilot endpoints
ping login.microsoftonline.com
ping ztd.dds.microsoft.com
ping enrollment.manage.microsoft.com
# Check if a proxy is configured at system level
netsh winhttp show proxy
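ICMP is often blocked where HTTPS is not, so a TCP 443 check is more telling than ping. The script below is an added example, not part of the original guide: it tests TCP 443 to every endpoint in the table above and reads the issuer of the TLS certificate each one presents, which reveals SSL inspection in the path (a corporate CA issuer instead of a Microsoft one). `$CorporateCaPattern` is an assumed placeholder for your inspection CA's name.

```powershell
# Added example (not from the original guide): TCP 443 reachability plus TLS issuer check
# for the Autopilot endpoints listed above. $CorporateCaPattern is an assumed placeholder;
# set it to a distinctive part of your SSL inspection CA's subject name.
$CorporateCaPattern = 'Contoso'   # placeholder, assumed
$Endpoints = @(
    'login.microsoftonline.com', 'login.live.com', 'enterpriseregistration.windows.net',
    'device.login.microsoftonline.com', 'ztd.dds.microsoft.com', 'cs.dds.microsoft.com',
    'aadcdn.msftauth.net', 'enrollment.manage.microsoft.com',
    'enterpriseenrollment.manage.microsoft.com', 'go.microsoft.com'
)

function Get-TlsIssuer {
    param([string]$HostName)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, 443)
        # Accept any certificate here: the goal is to read the issuer, not to validate the chain.
        $ssl = [System.Net.Security.SslStream]::new(
            $client.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        return $cert.Issuer
    } finally { $client.Dispose() }
}

foreach ($h in $Endpoints) {
    $tcp = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        "FAIL  $h : TCP 443 unreachable (DNS or firewall)"; continue
    }
    try {
        $issuer = Get-TlsIssuer -HostName $h
        if ($issuer -match $CorporateCaPattern) {
            "WARN  $h : issued by '$issuer' (SSL inspection in path; add a bypass for this endpoint)"
        } else {
            "PASS  $h : issuer '$issuer'"
        }
    } catch { "FAIL  $h : TLS handshake failed ($($_.Exception.Message))" }
}
```

A WARN line means the device is seeing an inspected certificate; Autopilot's own TLS validation will reject it, so the endpoint needs to be bypassed on the proxy rather than trusted on the device.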
5 OOBE error codes
When Autopilot fails during OOBE, it surfaces a hex error code. The following are the most common codes and their confirmed meanings from Microsoft's OOBE troubleshooting documentation:
| Error code | Meaning | Where to look |
|---|---|---|
| 0x80180014 | Device not found in Autopilot service | Verify hardware hash is imported and the profile is assigned |
| 0x8018002b | Network / connectivity failure during profile download | Check endpoint reachability, proxy bypass, and DNS |
| 0x80180026 | TPM attestation failure | Check TPM 2.0 is present and enabled in BIOS; clear TPM if corrupted (back up BitLocker keys first) |
| 0x801c03ee | Device registration failed in Entra ID | Check Entra ID device registration service, tenant join status, and licence assignment |
| 0x800705b4 | ESP timeout — apps or policies did not complete within the timeout window | Increase ESP timeout, check app assignments, check Intune Management Extension logs |
| 0x80070774 | Session expired during OOBE | Device sat idle too long — retry enrolment from the beginning |
Before clearing the TPM to resolve 0x80180026, ensure all BitLocker recovery keys are backed up to Entra ID or Active Directory first. Clearing the TPM destroys all TPM-protected secrets including BitLocker keys. This is irreversible.
6 Log file locations
When error codes alone are not enough, the log files provide the detail. These paths are verified against Microsoft's Autopilot troubleshooting documentation.
| Log | Path | What to look for |
|---|---|---|
| Windows Setup (Panther) | C:\$WINDOWS.~BT\Sources\Panther\setupact.log | Early setup errors before Windows fully loads; hardware compatibility issues |
| Autopilot / Provisioning | C:\ProgramData\Microsoft\Provisioning\Logs\ | Autopilot profile download, CSP provisioning steps, MDM join events |
| Intune Management Extension | C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\ | Win32 app installs, PowerShell script execution, ESP app tracking |
| MDM Diagnostics | C:\Users\[user]\AppData\Local\Temp\mdmlogs-[date]\ or run mdmdiagnosticstool.exe -area Autopilot -cab C:\AutopilotDiag.cab | Full MDM diagnostic export — the most complete single source |
Event Viewer path for MDM / Autopilot events:
Applications and Services Logs → Microsoft → Windows → DeviceManagement-Enterprise-Diagnostics-Provider
Filter for Event IDs in the 1000–1999 range for MDM enrolment events, and 70000+ for Autopilot-specific events.
The fastest way to collect all Autopilot diagnostic data in one step:
# Export full Autopilot diagnostics to a CAB file (run as Administrator)
mdmdiagnosticstool.exe -area Autopilot -cab "C:\AutopilotDiag.cab"
# Extract and review: the output is a CAB archive, so use the built-in expand.exe
# (Expand-Archive only handles ZIP files and will fail on a .cab)
New-Item -ItemType Directory -Path "C:\AutopilotDiag" -Force | Out-Null
expand.exe "C:\AutopilotDiag.cab" -F:* "C:\AutopilotDiag\"
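The script below is an added example, not part of the original guide: it pulls the last 24 hours of error-level events from the DeviceManagement-Enterprise-Diagnostics-Provider log named above, then searches the Provisioning logs directory for the OOBE error codes from the table in step 5, decoding each hit with the table's meaning. The 24-hour window and the log path are assumptions you can adjust.

```powershell
# Added example (not from the original guide): decode known Autopilot error codes from
# the MDM diagnostics event log and the Provisioning log files. The code-to-meaning map
# is taken from the OOBE error code table above; the 24-hour window is an assumption.
$KnownCodes = @{
    '0x80180014' = 'Device not found in Autopilot service'
    '0x8018002b' = 'Network / connectivity failure during profile download'
    '0x80180026' = 'TPM attestation failure'
    '0x801c03ee' = 'Device registration failed in Entra ID'
    '0x800705b4' = 'ESP timeout'
    '0x80070774' = 'Session expired during OOBE'
}
$LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$Since   = (Get-Date).AddHours(-24)

# Error-level (Level 2) events in the window; decode the first 0x-prefixed code in each message.
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Level = 2; StartTime = $Since } `
                       -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $code = if ($e.Message -match '0x[0-9A-Fa-f]{8}') { $matches[0].ToLower() } else { '-' }
    $meaning = if ($KnownCodes.ContainsKey($code)) { $KnownCodes[$code] } else { 'code not in table' }
    '{0:u}  ID {1,-6} {2}  {3}' -f $e.TimeCreated, $e.Id, $code, $meaning
}

# Search the Provisioning logs for the same codes and report the first hit per file.
# Binary .etl traces are skipped; they need tracerpt or the diagnostics CAB instead.
$codeRegex = ($KnownCodes.Keys | ForEach-Object { [regex]::Escape($_) }) -join '|'
Get-ChildItem -Path 'C:\ProgramData\Microsoft\Provisioning\Logs' -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -ne '.etl' } |
    Select-String -Pattern $codeRegex |
    Group-Object Path | ForEach-Object {
        $hit  = $_.Group[0]
        $code = $hit.Matches[0].Value.ToLower()
        '{0}: line {1}: {2} ({3})' -f $hit.Filename, $hit.LineNumber, $code, $KnownCodes[$code]
    }
```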
Root cause summary
| Root cause | Symptom | Fix |
|---|---|---|
| Device not in Autopilot service | 0x80180014 at OOBE | Import hardware hash; wait 15–30 min for sync |
| Profile not assigned | Standard Windows setup experience — no Autopilot branding | Check group membership and dynamic group rules |
| Network / proxy blocking | 0x8018002b or silent fallthrough to standard setup | Bypass SSL inspection; confirm all endpoints are reachable |
| TPM not enabled or attestation failure | 0x80180026 — fails at TPM attestation step | Enable TPM 2.0 in BIOS; consider TPM clear as last resort |
| MDM enrolment blocked | 0x801c03ee or device joins Entra but not Intune | Check MDM authority setting, enrolment restrictions, licence assignment |
| ESP timeout | 0x800705b4 — stalls on app install or policy stage | Increase ESP timeout; check IME logs for the blocking app |
| Wrong tenant | Device appears in Autopilot but enrols to wrong tenant | Verify TenantId in dsregcmd /status; re-import hash to correct tenant |
Troubleshooting checklist
- Run Get-WindowsAutopilotInfo and dsregcmd /status before making any changes
- Confirm TPM 2.0 is present (Get-Tpm) and Secure Boot is enabled (Confirm-SecureBootUEFI)
- Verify device appears in Autopilot service with profile status Assigned
- Confirm device or user is in the group targeted by the Autopilot profile
- Test network connectivity to all required Microsoft endpoints from the device at OOBE (Shift+F10)
- If on a corporate network, confirm SSL inspection is bypassed for Autopilot endpoints
- Note the exact error code shown in OOBE and cross-reference against the table above
- Run mdmdiagnosticstool.exe -area Autopilot for a full diagnostic export
- Review C:\ProgramData\Microsoft\Provisioning\Logs\ for profile download and CSP provisioning detail
- If clearing the TPM — back up all BitLocker recovery keys to Entra ID or AD first