Autopilot and the Sundance Device Preparation

Patch My Pc | install & update thousands of apps

In this blog, I will explore the wonders of Autopilot Device Preparation (AP-DPP), from the first step of signing in to the last step in the Autopilot Device Preparation flow. I will also show you a nice new kind of flow instead of that weird Rudy Paint flow.

1. Preparing for the Enrollment

Before enrolling our devices with Autopilot Device Preparation, we must configure the Autopilot Device Preparation profile (AP-DPP).

As you can see in the screenshot above, we must assign the Autopilot Profile to users, not devices! If we want to enroll a device with Autopilot Device Preparation, please ensure that you add the user to the dedicated Autopilot Device Preparation (AP-DPP) user group. In my case, apv2_users.

Please read Joost’s blog for more information about configuring Autopilot Device Preparation!

https://joostgelijsteen.com/autopilot-device-preparation/

Another thing we need to be aware of is that we need to make sure that the devices that you want to onboard with Device Preparation are NOT Autopilot registered.!!

Besides making sure the user is in the proper group and there aren’t any Autopilot leftovers, make sure the apps and scripts/policies are targeted to the ADP device group(This group must be the same as you also configured in the apv2 profiles)

Afbeelding met tekst, schermopname, Lettertype, lijn  Automatisch gegenereerde beschrijving

This device group needs to have the service principle “Intune Provisioning client” configured as “Owner”

Once you have met all these requirements, you must start looking at the Corporate Identifiers! When blocking personal devices with an enrollment restriction, you must use a corporate identifier if you don’t want to be blocked!

Corporate Identifier Flow

Please Note: Currently, there is a known issue with the corporate identifier in combination with Device Preparation! For now, you can’t use the corporate identifier! Its listed on the known issue page

Windows Autopilot device preparation known issues | Microsoft Learn

2. The Device Preparation Flow

Before going into all sorts of weird and funny details, let’s look at what I think the Autopilot Device Preparation flow looks like!

Autopilot Device Preparation Technical Architecture Overview AP-DPP

Feel free to comment if you love this flow more than the MSPaint ones!

3. The Device Preparation Enrollment

If you have checked out the flow above, I guess it’s time to tell the whole story behind that “simple” flow.

Step 1: OOBE Questions

You can sign in with your corporate credentials once you have clicked through all the OOBE questions.

OOBE QUestions

Step 2: Please wait while we set up your device (Intune / Entra Enrollment)

After signing in, the Cloud Experience Web App will switch the page to “Please wait while we set up your device.”

Please wait while we set up your device

A lot of magic is happening at this step. Let me tell you what kind of magic

-The Device Joins Entra

-The device is added to the “Just in Time device group” you are targeting with apps/scripts/policies

-The device enrolls in Intune and receives all device-assigned policies (and keeps syncing with Intune)

-The device starts enrolling into MMP-C if you are using EPM.

-The device receives the Autopilot Device Preparation Profile. This profile will force the device into APV2 mode (Page Enabled/Page Settings and the DevicePrepHint). The cloudexperiencehost webapp will check if the device preparation page is enabled (pageenabled = 1 )

Checking if the ap-dpp page is enabled

If you want to know more about this step, please read the blog below, which contains way way more details.

https://call4cloud.nl/2024/06/autopilot-device-preparation-the-hardware-hash-voyage-home

Step 3: Installing Management Extension

After all the steps to enroll the device into Intune and Entra are completed, a CSP will be sent to the device. This CSP instructs the device to start installing the MSIs. It will begin with the most important one: the SideCar agent, AKA the Intune Management Extension.

The device preparation page will show you that it is Installing the (Intune) management extension

AP-DPP Device Preparation Installing management Extension (IME)
Afbeelding met tekst, schermopname, software, Computerpictogram  Automatisch gegenereerde beschrijving

Step 4: Checking if the device is in APv2 mode

Once the IME is installed, it will check if the device is in APV2 mode by checking out the autopilotdeviceprep hint value, and if the value is 2

When taking a look at the corresponding code, we will notice it will use the \\root\cimv2\\mdm\dmmap\ class to put and get that setting

Afbeelding met tekst, Lettertype, lijn, nummer  Automatisch gegenereerde beschrijving

If you want to know more about this beautiful deviceprephintvalue , please check out my first blog post about device preparation.

AutopilotDevicePrepHint

Step 5: Begin Initial provisioning

Once the IME determines if it is running in apv2 mode or not, it will begin the initial provisioning.

In this step, the bootstrapper contacts the service provider and launches the machine provisioning progress reporter.

begin initial provisioning

It will fetch the url from the hkcr\machineprovisioningreporter\shell\open\command and will use the intunewindowsagent.exe with the %1 parameter to reach out to the service.

Technical overview of the machineprovisioningreporterprogress

Step 6: Executing Standard User Provisioning Batch

Now comes the step that was missing in the IME logs. Once the initial provisioning (kicking off the progress reporter) is completed, the system knows which batch list to execute.

The first batch (batch 0) on the list is the Standard User Provisioning batch. This batch will detect if the user needs to be a standard user or administrator.

Afbeelding met tekst, Lettertype, schermopname, logo  Automatisch gegenereerde beschrijving

It will kick off the standarduserprovider entity and remove the user from the administrator’s group if necessary.

standarduserprovider batch checking if the user needs to be added to the local administrators group

And now you are probably wondering why it needs to be removed in the first place. We configured the standard user setting in the ADP profile, right? During the Entra join in step 2, the usersid will be returned, and the user will become a member of the local admin group

user is added to the local administrators group or not during this phase

The user will be a member for a few minutes until the IME is installed, and with it, the standard user provider batch kicks off.

I must also add a petit peu note here (or a big one). If you configured this shiny new Local Administrator setting in Entra to “None” or “some,” the Device Preparation enrollment will break!

Suppose this setting is configured to None or selected. In that case, no Apps will be installed, No progress will be reported, and your Autopilot Device Preparation will be marked as a success within a couple of seconds after the IME was installed (which it is not!)

If you want to know how I found this bug, please watch out for the corresponding blog. In that blog, I will show you that after swiftly deploying the Win32 apps with the new Patch My Pc Cloud platform, I encountered an issue with the Local Administrator Settings in Entra. This Local Administrator Setting In Entra, combined with WindowsAutopilot Device Preparation, caused the device not to install any apps during enrollment.

Step 7: Executing Stateless Device Management (SLDM) Batch

Once the standarduserprovider batch checked if the enrolling user needs to be kicked out of the administrator’s group, it will proceed with the following batch number (batchnumber 1)

This batch will set the SLDM (SL? Device Management) provider hint to execute provisioning hint

setting the SLDM provider hint to executing provisioning

Which, in fact, changes the autopilotdeviceprephint from 2 to 3

when the SLDM provider is being executed the autopilotdeviceprephint value is set to 3

Step 8: Is Reboot Required

Once the sldm provider hint is set and the IME checks which state it needs to be in, (deviceprephint with the value of 3) It will start executing the workloads (in progress). This step will Query the MDM_DevicePreparation_MDMProvider01 CSP for provisioning progress and reboot requirements. (IsCoalescedRebootRequired)

MDM_devicepreparation shows if the device needs to reboot

If a reboot is required because you configured exploit protection, the bootstrapper will update the progress to reboot required.

bootstrapperagent: updating progress state to: rebootrequired

Once the bootstrapper agent checks if the device requires a reboot, the device preparation page will change to “installing required apps and policies for your organization.”

Autopilot Device Prep page showing its installing required apps and policies for your organization

Once it switched over to this page, in the background, the PowerShell Script provisioning will start (batch3)

batchnumber 2 will be executed (scripts provisioning)

This batch number 2 would kick off the PowerShell scripts assigned to the device.

powershell script are being executed during ap-dpp

Step 9: Setting DevicePrepHintValue to 4 (Provisioning Complete)

Once the PowerShell scripts are executed and it is determined that “provisioning” is complete, the autopilotdeviceprephint will be changed to 4, which means provisioning is complete.

DevicePrephintvalue is changed to 4: Provisioning is complete
Afbeelding met tekst, lijn, Lettertype, schermopname  Automatisch gegenereerde beschrijving

Step 10 : Switch to APv2 Checkin Flow (Start installing Win32 and Store Apps)

Once the provisioning is complete, the IME will switch to the APV2 checkin mode

starting apv2 mode checkin flow

Device Preparation will finally start installing the required Win32Apps and Microsoft Store Apps in this check-in mode.

Afbeelding met tekst, schermopname, Lettertype  Automatisch gegenereerde beschrijving

With the win32apps and store apps installed, it will check if the PowerShell and App provisioning is complete.

provsioning complete

Once the Win32app and Powershell provisioning is complete, it will send the Win32 reports (results) to the service.

We can spot the same results in the “reporting” node of the intunemanagementextension\win32apps registry key.

reporting mode and detecting if the apps are installed vby checking the detectionstate

In this reporting registry node, we can easily spot if the Win32App is detected or not detected.

Step 11: Disabling APv2 Mode

If everything checked out and you didn’t run into any issues, Apv2 mode will be disabled, and with it, the deviceprephint value will be set to 0

successfully disabled apv2 mode

With Apv2 successfully disabled, the required setup is complete! This screen shows that the Device Preparation enrollment is finished! Hooray!!!

autopilot device preparation showing the required setup is complete

Conclusion

Hopefully, this Autopilot Device Preparation blog showed you what is happening in the background, which could be helpful when you encounter deployment issues in the future!

3 thoughts on “Autopilot and the Sundance Device Preparation

    1. Did you also tried downloading it, as it will give you a better version. please let me know if its still not visible on it

  1. Hello, how did you get this code please ?
    https://call4cloud.nl/wp-content/uploads/2024/05/afbeelding-met-tekst-lettertype-schermopname-au-2.png

    Which tool do you use ? Ida ? Fiddler ? Other ?

Leave a Reply

Your email address will not be published. Required fields are marked *

13  +    =  23

Proudly powered by WordPress | Theme: Wanderz Blog by Crimson Themes.