Last Updated on August 17, 2023 by rudyooms
In this blog, I am going back to my “roots” and I am going to take another look at Autopilot. To be a bit more precise, I am going to take a look at how the Autopilot profile is downloaded and why the system time is very important.
I will divide this blog into multiple parts.
As we all know, having the proper time set on your device greatly improves the chance of getting your Autopilot profile! A time mismatch could even lead to devices not getting the name prefix you configured in the Autopilot profile.
Besides issues when fetching the Autopilot profile itself, having time issues could also cause some funny TPM (maybe not so funny) attestation issues.
As shown above, Microsoft recommended running the w32tm /resync /force command to sync the time. Now let’s move forth! Every month Microsoft releases some new fancy updates, and this month (2023-08) something caught my eye.
As shown below, this update includes a change to make downloading the Windows Autopilot profile more resilient! That sounds like fun, right?
When looking back at all the blogs I have written about Autopilot, I have written a lot about the first few steps before the Autopilot profile is downloaded. I guess it’s now time to zoom into step 6 of the process.
2. The Autopilot Profile Download flow
In the flow below, I am explaining what actually happens when the device reaches out to the Autopilot service to download/request its Autopilot profile/policy.
3. What can we make of it
If we take a closer look at the flow, we will learn a few things. If we don’t zoom into the MSA Ticket stuff (which I find more interesting… but … who am I?), we will notice that when downloading the Autopilot profile, the DownloadProfile function checks the filetime/systemtime at almost every single step.
But besides these time checks, there is a big difference when comparing the autopilot.dll from the 2023-08 update with older versions.
In the picture below, I am showing what happens with the Autopilot profile on a build from before the 2023-08 update. It is missing the setsystemtime function.
So it looks like the Autopilot Team added a function to make sure that when the Autopilot profile is downloaded, it will check the PolicyDownloadDate. If that UTC time differs from the device’s system time, the system time of the device will be set to the timestamp as shown below.
Of course, if this function is somehow not enabled (KIR), it will instantly go down the old path to force the networktimesync.
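The comparison described above, sketched as an added PowerShell diagnostic (not code from autopilot.dll or from the original post): it compares the PolicyDownloadDate in a profile with the device clock and reports which path would apply. The function name, the five-minute tolerance, the SetTimeFixEnabled switch, the timestamp format and the sample JSON are assumptions.

```powershell
# Added example, not autopilot.dll code. The function name, tolerance,
# switch and sample values are assumptions made for illustration.
function Test-AutopilotClockSkew {
    param(
        [Parameter(Mandatory)] [string]   $ProfileJson,
        [Parameter(Mandatory)] [datetime] $DeviceUtc,               # device clock at download time
        [timespan] $Tolerance         = [timespan]::FromMinutes(5), # assumed threshold
        [bool]     $SetTimeFixEnabled = $true                       # $false models the KIR rollback
    )

    $policy = $ProfileJson | ConvertFrom-Json
    $value  = $policy.PolicyDownloadDate
    if ($null -eq $value) {
        return [pscustomobject]@{ PolicyUtc = $null; SkewSeconds = $null; Action = 'NoPolicyDownloadDate' }
    }

    # PowerShell 7 already returns a DateTime here; Windows PowerShell 5.1 returns a string.
    $policyUtc = if ($value -is [datetime]) {
        $value.ToUniversalTime()
    } else {
        [datetimeoffset]::Parse([string]$value, [cultureinfo]::InvariantCulture).UtcDateTime
    }

    # Negative skew means the device clock is behind the service timestamp.
    $skew = $DeviceUtc.ToUniversalTime() - $policyUtc
    $action = if ($skew.Duration() -le $Tolerance) {
        'None'
    } elseif ($SetTimeFixEnabled) {
        'SetSystemTimeToPolicyDownloadDate'   # new path described in the post
    } else {
        'ForceNetworkTimeSync'                # old path: w32tm /resync /force
    }

    [pscustomobject]@{
        PolicyUtc   = $policyUtc
        SkewSeconds = [math]::Round($skew.TotalSeconds)
        Action      = $action
    }
}

# Constructed sample: the device clock is three days behind the service timestamp.
$sampleJson = '{ "PolicyDownloadDate": "2023-08-17T09:15:00Z" }'
$deviceUtc  = [datetime]::new(2023, 8, 14, 9, 15, 0, [DateTimeKind]::Utc)
Test-AutopilotClockSkew -ProfileJson $sampleJson -DeviceUtc $deviceUtc
Test-AutopilotClockSkew -ProfileJson $sampleJson -DeviceUtc $deviceUtc -SetTimeFixEnabled $false
```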
So when I get back from vacation, I am going to play around with it to check if it’s indeed more resilient!
Time, Time, it’s always about time, especially with MSA tickets and downloading the Autopilot profile! If the time is off, you can get into trouble fetching the Autopilot profile. Luckily, Microsoft is continuously improving the service and the corresponding flow.