Windows Autopilot is supposed to make device provisioning hands-off. Ship a laptop to an employee, they open the lid, sign in, and everything configures itself. That is the promise, and when it works, it is excellent. But when it fails, you are staring at a spinning screen with no obvious error message and a user waiting for their new device.
Here are the five Autopilot failures we troubleshoot most often, what causes them, and how to fix each one.
1. Enrollment Status Page (ESP) timeout
The ESP shows progress as Intune applies device configuration, installs apps, and sets up security policies. If any step takes too long, the ESP times out and the deployment fails. The default timeout is 60 minutes.
Symptoms: The ESP stalls on "Identifying" or "Installing apps" for an extended period, then shows an error or prompts the user to retry.
Root causes and fixes:
- Too many required apps in the ESP. Every app marked as "required" and assigned to the device or user must install before the ESP completes. If you have 20 required apps, each averaging 3 minutes to install, you are already at the timeout limit. Reduce the number of ESP-tracked apps to essentials only (security tools, VPN client, core LOB apps). Deploy everything else after the ESP completes.
- Slow network at the deployment site. Autopilot downloads everything from the internet. If the employee is provisioning the device on a slow home Wi-Fi connection, large app packages will take much longer. Consider pre-provisioning (White Glove) for large deployments, where IT provisions the device on the corporate network before shipping.
- An app installer is hanging. Check the Intune Management Extension logs at C:\ProgramData\Microsoft\IntuneManagementExtension\Logs to identify which app is stalling. Common culprits are apps that require a reboot mid-install or display a hidden dialog box waiting for user input.
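One way to find a stalled installer in those logs is to rank the longest silences between consecutive entries, since a hung install usually shows up as a long gap after the line that started it. This is an added example, not code from the original article. It assumes the CMTrace-style line layout, the function name Get-ImeLogGap is hypothetical, and the sample log lines and their message text are constructed.

```powershell
# Added example: rank the longest silences in an IME log to spot a hung installer.
# Assumes CMTrace-style lines ending in ]LOG]!><time="H:mm:ss.fff" date="M-d-yyyy" ...>.
function Get-ImeLogGap {
    param([string[]]$Line, [int]$Top = 3)

    $trailer = '\]LOG\]!><time="(?<t>\d{1,2}:\d{2}:\d{2})[^"]*" date="(?<d>\d{1,2}-\d{1,2}-\d{4})"'
    $entries = @(foreach ($l in $Line) {
        # Continuation lines of a multi-line message carry no trailer and are skipped.
        if ($l -match $trailer) {
            [pscustomobject]@{
                Time    = [datetime]::ParseExact("$($Matches.d) $($Matches.t)",
                              'M-d-yyyy H:mm:ss', [cultureinfo]::InvariantCulture)
                Message = $l -replace '^<!\[LOG\[', '' -replace '\]LOG\]!>.*$', ''
            }
        }
    })

    $gaps = for ($i = 1; $i -lt $entries.Count; $i++) {
        [pscustomobject]@{
            Gap         = $entries[$i].Time - $entries[$i - 1].Time
            SilentFrom  = $entries[$i - 1].Time
            LastMessage = $entries[$i - 1].Message   # what was running when the log went quiet
        }
    }
    $gaps | Sort-Object Gap -Descending | Select-Object -First $Top
}

# Constructed sample lines (message wording is illustrative, not real IME output).
$tail = 'component="IntuneManagementExtension" context="" type="1" thread="5" file="">'
$sample = @(
    "<![LOG[Installer started: Contoso VPN]LOG]!><time=`"10:02:11.1234567`" date=`"3-14-2024`" $tail"
    "<![LOG[Installer finished: Contoso VPN]LOG]!><time=`"10:02:40.0000000`" date=`"3-14-2024`" $tail"
    "<![LOG[Installer started: Contoso Agent]LOG]!><time=`"10:02:41.5000000`" date=`"3-14-2024`" $tail"
    "  second line of a multi-line message, no timestamp"
    "<![LOG[Installer timed out: Contoso Agent]LOG]!><time=`"10:31:05.2500000`" date=`"3-14-2024`" $tail"
    "<![LOG[Installer started: Contoso Office]LOG]!><time=`"10:31:06.0000000`" date=`"3-14-2024`" $tail"
)

Get-ImeLogGap -Line $sample | Format-Table -AutoSize -Wrap

# On a device (the file name is an assumption; the article names only the folder):
# Get-ImeLogGap -Line (Get-Content 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log')
```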
2. "Something went wrong" with no error code
This is the most frustrating Autopilot failure because it gives you almost nothing to work with. The OOBE shows a generic error page with a "Try again" button.
Root causes and fixes:
- No Autopilot profile assigned. The device hardware hash was imported, but no Autopilot deployment profile is assigned to the device or its group. Check the Autopilot devices list in Intune and verify a profile is assigned and the assignment status shows "Assigned" (not "Pending").
- DNS resolution failure. During OOBE, the device needs to resolve several Microsoft endpoints. If DNS is misconfigured on the network, enrollment cannot start. Test by connecting the device to a different network (mobile hotspot works well for diagnosis).
- Stale device object in Entra ID. If the device was previously enrolled and not properly cleaned up, the old device object can conflict. Delete the stale object from both Entra ID and Intune, wait 15 minutes for sync, and retry.
3. TPM attestation failure
Autopilot self-deploying mode and pre-provisioning both require TPM 2.0 attestation. If the TPM cannot attest, enrollment fails immediately.
Symptoms: Error code 0x800705B4 or a message about TPM attestation during the device setup phase.
Root causes and fixes:
- TPM firmware is outdated. Some OEM devices ship with TPM firmware that does not support attestation correctly. Check the manufacturer's support site for TPM firmware updates. This is especially common with older Lenovo ThinkPad and HP EliteBook models.
- TPM is in reduced functionality mode. A previous OS installation may have left the TPM in a locked or reduced state. Clear the TPM from the BIOS/UEFI settings (this requires physical access to the device). After clearing, the TPM will reinitialize on next boot.
- Clock skew. TPM attestation is time-sensitive. If the device BIOS clock is significantly wrong, attestation will fail. Correct the time in BIOS settings before retrying.
4. Hybrid Entra join fails during Autopilot
If you are using Autopilot with hybrid Entra ID join (for environments that still require on-premises Active Directory), the domain join step can fail, especially for remote users.
Symptoms: The ESP stalls at "Joining your organization's network" or shows a domain join error.
Root causes and fixes:
- No line of sight to a domain controller. Hybrid join requires the device to reach a domain controller. Remote users need a VPN that connects before user sign-in. Configure the Intune VPN profile as a "device tunnel" that establishes connectivity during OOBE.
- Intune Connector for Active Directory is offline. The Intune Connector service must be running on a server with network access to your domain controllers. Check the connector status in the Intune admin center under Devices > Enrollment > Windows > Intune Connector for Active Directory.
- OU is not specified or inaccessible. The Autopilot profile must specify which OU to create the computer object in. If the connector service account does not have permission to create objects in that OU, the join will fail silently.
5. Apps install but are not usable after ESP completes
The ESP shows everything as completed successfully, the user reaches the desktop, but some applications do not work correctly. They may crash on launch, show licensing errors, or appear to be missing entirely.
Root causes and fixes:
- Apps installed in system context but need user context. Some applications (especially those that write to HKCU or AppData) need to install in the user context. If they were deployed as system-context Win32 apps, they install but the per-user components are missing. Redeploy as user-context installations.
- App requires a reboot that has not happened yet. The ESP may mark an app as installed before the required post-install reboot. Add a reboot step to the app's post-install behavior or configure the ESP to require a reboot after app installation completes.
- Detection rule reports success prematurely. If your detection rule checks for a file or registry key that exists before the installer fully completes, Intune marks the app as installed while it is still setting up. Tighten your detection rules to check for a file or version number that only exists after a complete installation.
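A tightened detection rule can be written as a custom detection script that requires a minimum file version instead of the mere presence of a folder or file. This is an added example, not code from the original article. The path, the version and the function name Test-AppInstalled are hypothetical. It relies on Intune treating a Win32 app as detected only when the script exits with code 0 and writes to standard output.

```powershell
# Added example of a custom detection script for a Win32 app.
# Path and minimum version below are hypothetical placeholders.
$exe        = 'C:\Program Files\Contoso\Agent\agent.exe'
$minVersion = [version]'4.2.0.0'

# Weak rule the article warns about: the install folder appears long before
# the installer has finished, so this reports success too early.
#   if (Test-Path (Split-Path $exe)) { Write-Output 'Detected'; exit 0 }

function Test-AppInstalled {
    param([string]$Path, [version]$Minimum)

    # The binary itself must exist, not just its parent folder.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }

    # Compare the numeric file version; a file without a version resource
    # reads as 0.0.0.0 and fails the check.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    $found = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                            $vi.FileBuildPart, $vi.FilePrivatePart)
    return ($found -ge $Minimum)
}

if (Test-AppInstalled -Path $exe -Minimum $minVersion) {
    Write-Output "Detected $exe"   # output on STDOUT plus exit code 0 = installed
    exit 0
}
exit 1                             # non-zero exit = not installed yet
```

Pick a file that the installer writes last, so that its presence at the expected version implies the rest of the setup has finished.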
General Autopilot troubleshooting tips
- Collect diagnostics from the device. During the ESP, press Shift+F10 to open a command prompt. Run mdmdiagnosticstool.exe -area Autopilot -cab c:\temp\autopilot.cab to collect diagnostic logs.
- Check the Autopilot deployment status in Intune. The Intune admin center shows detailed deployment status for each device, including which phase failed and any error codes.
- Use LogLens for faster diagnosis. Parsing Autopilot logs manually is tedious. Our LogLens tool can ingest Autopilot diagnostic cabs and surface the root cause in seconds, saving significant troubleshooting time.