Call4Cloud | MMP-C | Autopilot | Device Preparation

The Time Traveler’s Autopilot Profile

Patch My Pc | install & update thousands of apps

In this blog, I am going back to my “roots” and taking another look at Autopilot. To be a bit more precise, I am going to look at how the Autopilot profile is downloaded and why system time is an important part of the puzzle.

1. Introduction

As we all know, having a proper time set on your device would greatly improve the possibility of getting your Autopilot profile! A mismatch in your timing could even lead to devices not having the proper name prefix you configured in the Autopilot profile.

Besides issues when fetching the Autopilot profile itself, having time issues could also cause some funny TPM (maybe not so funny) attestation issues.

Windows Autopilot known issues | Microsoft Learn

As shown above, Microsoft recommended running the w32tm /resync /force command to sync the time. Now, let’s move forward! Microsoft releases some new fancy updates every month. This month (2023-08), something caught my eye.

As shown below, this update makes sure that downloading the Windows Autopilot profile is more resilient! That sounds like fun, right?

Autopilot Profile Resiliency: Downloading the autopilot policy just got more resilient

Looking back at all the blogs I have written about Autopilot, I have written a lot about the first few steps before the Autopilot profile is downloaded. I guess it’s now time to zoom into step 6 of the process.

Fetch the Autopilot Profile with PowerShell and a token (call4cloud.nl)

2. The Autopilot Profile Download flow

In the flow below, I am explaining what actually happens when the device reaches out to the Autopilot service to download/request its Autopilot profile/policy

3. What can we make of it

If we take a closer look at the flow, we will learn a few things. If we don’t zoom into the MSA Ticket stuff (which I find more interesting… but … who am I?), we will notice that when downloading the Autopilot profile, the DownloadProfile function is checking the filetime/systemtime almost at each single step

But besides these time checks, there is a big difference between the autopilot.dll from the 2023-08 update and older versions.

In the picture below, I am showing what happens with Autopilot Profile and the pre 2023-08 update. It is missing the setsystemtime function.

So it looks like the Autopilot Team added a function to ensure that when the Autopilot profile is downloaded, it will check the PolicyDownloadDate. If the UTC time defers from the device it’s system time, the system time of the device will be set to the timestamp as shown below

Of course, when somehow this function is not enabled (KIR) it will instantly go down the old path to force the networktimesync.

When I get back from vacation, I will play around with it to see if it’s indeed more resilient!

Conclusion

Time, Time, it’s always about time, especially with MSA tickets and downloading the Autopilot profile! If the time is off, you can get into trouble fetching the Autopilot profile. Luckily Microsoft is continuously improving the service and the corresponding flow.

Aliceinwonderland Madhatter GIF - Aliceinwonderland Madhatter Badwatch -  Discover & Share GIFs

Leave a Reply

Your email address will not be published. Required fields are marked *

2  +  3  =  

Proudly powered by WordPress | Theme: Wanderz Blog by Crimson Themes.