After “finishing” (or maybe not yet) my WinDc blog series I am going to start looking at other stuff. One of the things that I am always interested in is Windows Autopilot.
This blog will show you some additional information about the wonderful Autopilot Marker. I will show you what you need to beware of when you want to update your BIOS after uploading the hardware hash (which isn’t a hash at all...) and before enrolling your device with Autopilot
1. Introduction
Some ago, I wrote a blog about the Autopilot Marker and why this Autopilot marker (which should fix things) could potentially also break your Autopilot enrollments when you are not using the latest Windows builds.
Autopilot Profile Fails to download | Hardware Hash Error (call4cloud.nl)
After posting that blog and delivering some sessions about Autopilot I received a lot of complaints about the Autopilot marker. When they were trying to enroll a new device, they ran into some nice problems. Let me explain a bit more about what issues they ran into with a simple screenshot
Fix pending! But why was it showing fix pending? They just uploaded the hardware hash from a device that had the latest Windows build installed and the hardware did NOT change. The only thing they did was making sure the device had the latest drivers and firmware installed; this is where the pain kicks in.
2. Autopilot Marker and Bios Update
One thing is for sure… the Autopilot Marker is NOT going to change when you update your BIOS… at least, that’s what we thought and what Microsoft told me.
Let me tell you a story about a guy who had a nice Lenovo ThinkCentre in possession and wanted to enroll his device into Autopilot.
He wanted to ensure the device had the latest drivers and firmware installed, so he uploaded the Autopilot hash. After the hash was uploaded, he upgraded the bios before enrolling the device into Autopilot. Let me tell you what happens if you do the same thing!
The Autopilot service would receive the request for the Autopilot profile and would send out the Autopilot profile IF all of the requirements are met:
- The hardware should match (isHardwareMatch:True)
- The Autopilot Marker should match (update)
If the Autopilot service thinks the hardware is a match and if the device sends over the correct Autopilot Marker, we are good to go. But, a big but: somehow, when you have updated the Lenovo bios, the Autopilot service will detect a change in the Autopilot Marker (even when you can NOT spot it on your device itself!).
Only Microsoft is noticing this Autopilot Marker change on their service side. Do I have proof to back up that story, yes…! Am I allowed to share it all???
Whoops, it’s almost an NDA breach, but let’s continue the story. If this issue happens, you will end up with a fix pending on your Autopilot device screen in Intune.
To fix the “fix pending message” (I needed to make that joke—a fix that requires a fix), the device must check in to Intune. Uhh, what? But how will we do that when our device can’t enroll into Intune because it is not recognized as an Autopilot device and is blocked from enrolling? If the device can’t enroll into Intune, the pending fix will be there indefinitely!
3. The Lenovo fix
I guess this picture below shows the look on the faces of all the other bios engineers when they read about how Lenovo is flashing the bios.
If we take a look at the latest release notes of the latest Lenovo bios that was posted on their website, we can spot something funny
https://download.lenovo.com/pccbbs/thinkcentre_bios/m47jy2busa.txt
Add a solution: Do not erase the Autopilot marker when flashing bios. So, will Lenovo erase the Autopilot marker when they update the bios?
I guess this changes the laws of physics because that shouldn’t be possible, right? I thought the firmware update process was more like backing up everything, updating it, and restoring it all. It seems that Lenovo forgot about the marker/tag or used a different approach to update the firmware.
So if you have Lenovo devices (ThinkCentre and ThinkStation) and you are upgrading the BIOS, make sure you get the latest and check if it has this fix mentioned in the release notes, otherwise, a fix will be pending and the autopilot tag will be lost in the process.
Conclusion
Even when you think or were told, that some things aren’t possible, does that really mean it shouldn’t be possible? In my opinion, nope…..
Besides Lenovo, I can pretty much assume that other vendors may also have the same issue. If so, feel free to reach out!