Last Updated on October 6, 2023 by rudyooms
After “finishing” (or maybe not yet) my WinDc blog series, I am going to start looking at other stuff. One of the things that I am always interested in is Windows Autopilot.
This blog will show you some additional information about the wonderful Autopilot Marker. I will show you what you need to beware of when you want to update your BIOS after uploading the hardware hash (which isn’t a hash at all...) and before enrolling your device with Autopilot.
I will divide this blog into multiple parts
Some time ago, I wrote a blog about the Autopilot Marker and why this Autopilot Marker (which should fix things) could potentially also break your Autopilot enrollments when you are not using the latest Windows builds.
After posting that blog and delivering some sessions about Autopilot I received a lot of complaints about the Autopilot marker. When they were trying to enroll a new device, they ran into some nice problems. Let me explain a bit more about what issues they ran into with a simple screenshot
Fix pending! But why was it showing fix pending? They just uploaded the hardware hash from a device that had the latest Windows build installed and the hardware did NOT change. The only thing they did was make sure the device had the latest drivers and firmware installed; this is where the pain kicks in.
2. Autopilot Marker and BIOS Update
One thing was for sure… the Autopilot Marker is NOT going to change when you update your BIOS… at least that’s what we thought and what Microsoft told me.
Let me tell you a story about a guy who had a nice Lenovo ThinkCentre in his possession and wanted to enroll his device into Autopilot.
He wanted to make sure that the device had the latest drivers and firmware installed, so he made sure the Autopilot hash was uploaded. After the hash was uploaded, he upgraded the BIOS before enrolling the device into Autopilot. If you are doing the same thing, let me tell you what happens!
The Autopilot service would receive the request for the Autopilot profile and would send out the Autopilot profile IF all of the requirements are met:
- The hardware should match (isHardwareMatch:True)
- The Autopilot Marker should match (update)
If the Autopilot service thinks the hardware is a match and the device sends over the correct Autopilot Marker, we are good to go. But, a big but, somehow when you have updated the Lenovo BIOS, the Autopilot service will detect a change in the Autopilot Marker (even when you can NOT spot it on the device itself!).
Only Microsoft is noticing this Autopilot Marker change on their service side. Do I have proof to back up that story, yes…! Am I allowed to share it all???
Whooop.. almost an NDA breach.. but let’s continue the story. If this issue is happening you will end up with a fix pending in your Autopilot devices screen in Intune.
To fix the “fix pending” message (needed to make that joke.. a fix that requires a fix), the device needs to check in to Intune… uhh what? But how are we going to do that when our device can’t enroll into Intune, because the device is not recognized as an Autopilot device and is therefore blocked from enrolling? If the device can’t enroll into Intune, the fix pending will be there indefinitely!
3. The Lenovo fix
I guess the picture below shows the look on the faces of all the other BIOS engineers when they read about how Lenovo is flashing the BIOS.
If we take a look at the release notes of the latest Lenovo BIOS that were posted on their website, we can spot something funny:
Add a solution of Do not erase Autopilot (hehe polit) marker when flashing bios. So Lenovo will erase the Autopilot Marker when they are updating the BIOS?
I guess this changes the laws of physics because that shouldn’t be possible, right? I thought the firmware update process was more like backing up everything, updating it, and restoring it all. It seems that Lenovo forgot about the marker/tag or used a different approach to update the firmware.
So if you have Lenovo devices (ThinkCentre and ThinkStation) and you are upgrading the BIOS, make sure you get the latest and check if it has this fix mentioned in the release notes. Otherwise, a fix will be pending and the Autopilot tag will be lost in the process.
Even when you think, or were told, that some things aren’t possible, does that really mean it shouldn’t be possible? In my opinion, nope…..
Besides Lenovo, I could pretty much assume that other vendors could also have the same issue… If so, feel free to reach out!