This is the fourth post in the “Autopilot Device Preparation” series.
In this post we continue the “Autopilot Device Preparation Device Provisioning” flow.
In the previous post we completed the registration and enrollment part, after the user entered their credentials.
This post covers what to expect after device enrollment completes,
and delves into the steps and technologies used to deploy all payloads assigned to the device.
Join us as we unpack the key components of this provisioning flow.
For the previous articles in the “Autopilot Device Preparation” series, please check the previous posts:
Autopilot Device Preparation – Overview
Autopilot Device Preparation – 3 steps to configure
Autopilot Device Preparation Device Provisioning
Autopilot Device Preparation Device provisioning
In the previous post on “Autopilot Device Preparation Device Provisioning” we stopped at the point where the user had entered their credentials and the device had completed:
- Entra AD registration
- Intune Enrollment
- Device added to the “Device group” specified in the Autopilot device preparation profile
What should happen next?
The device needs to get all payloads that are assigned as required to the device security group and selected in the Autopilot device preparation profile.
Payloads can include any LoB apps, policies, scripts, Win32 apps and Store apps (“Winget apps”).
How does this happen, and how can we mix LoB and Win32 apps? That is what we will dig into …. Are you ready?
Autopilot Device Preparation – Provisioning flow
Sidecar “IME” deployment
The first step in the provisioning flow is to install the sidecar agent “IME”.
We can track this in the shell-core log file “microsoft-windows-shell-core-operational.evtx”:
CloudExperienceHost Web App Event 2. Name: 'DevicePrepPage_ProgressPercentage_CounterStarted', Value: '{"message":"DevicePrepPage: Starting page progress counter at 1 percent with 0 ms completed using interval 18181.81818181818 ms.","errorCode":0}'.
CloudExperienceHost Web App Event 2. Name: 'DevicePrepPage_AgentDownloadAndInstall_Starting', Value: '{"message":"DevicePrepPage: Starting to download and install the provisioning agent, with max timeout of 900000 ms.","errorCode":0}'.
Hint: Timeout for Sidecar to install is 900000 ms = 15 mins
Sidecar deployment completed
CloudExperienceHost Web App Event 2. Name: 'DevicePrepPage_AgentDownloadAndInstall_Succeeded', Value: '{"message":"DevicePrepPage: Provisioning agent download and installation succeeded.","errorCode":0}'.
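To check the agent install against its announced timeout without reading the events by eye, the following is an added example (not part of the original post) that parses the `DevicePrepPage_*` events quoted above. The function names `New-SampleEvent`, `ConvertFrom-DevicePrepEvent` and `Test-AgentInstall` are hypothetical, and the sample events are constructed from the quoted messages with made-up timestamps.

```powershell
# Constructed sample: two shell-core events built from the names and messages
# quoted above (straight quotes). Timestamps are made up for illustration.
function New-SampleEvent([string]$Time, [string]$Name, [string]$Text) {
    $json = "{`"message`":`"$Text`",`"errorCode`":0}"
    [pscustomobject]@{
        TimeCreated = [datetime]$Time
        Message     = "CloudExperienceHost Web App Event 2. Name: '$Name', Value: '$json'."
    }
}
$sample = @(
    New-SampleEvent '2024-01-01T10:00:00' 'DevicePrepPage_AgentDownloadAndInstall_Starting' `
        'DevicePrepPage: Starting to download and install the provisioning agent, with max timeout of 900000 ms.'
    New-SampleEvent '2024-01-01T10:02:30' 'DevicePrepPage_AgentDownloadAndInstall_Succeeded' `
        'DevicePrepPage: Provisioning agent download and installation succeeded.'
)

# Split "Name: '...', Value: '{json}'" into fields; other shell-core events are skipped.
function ConvertFrom-DevicePrepEvent {
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        if ($Record.Message -match "Name: '(?<name>DevicePrepPage_\w+)', Value: '(?<json>\{.*\})'") {
            $name  = $Matches['name']
            $value = $Matches['json'] | ConvertFrom-Json
            [pscustomobject]@{ Time = $Record.TimeCreated; Name = $name
                               ErrorCode = $value.errorCode; Text = $value.message }
        }
    }
}

# Compare the Starting/Succeeded pair against the timeout announced in the Starting event.
function Test-AgentInstall {
    param($Parsed)
    $start = $Parsed | Where-Object Name -like '*AgentDownloadAndInstall_Starting'  | Select-Object -First 1
    $done  = $Parsed | Where-Object Name -like '*AgentDownloadAndInstall_Succeeded' | Select-Object -First 1
    if (-not $start) { return 'Agent install never started' }
    $timeoutMs = if ($start.Text -match 'max timeout of (\d+) ms') { [int]$Matches[1] } else { $null }
    [pscustomobject]@{
        TimeoutMin    = $timeoutMs / 60000
        Succeeded     = [bool]$done
        ElapsedSec    = if ($done) { ($done.Time - $start.Time).TotalSeconds } else { $null }
        WithinTimeout = [bool]$done -and ($done.Time - $start.Time).TotalMilliseconds -le $timeoutMs
        NonZeroErrors = @($Parsed | Where-Object ErrorCode -ne 0).Count
    }
}
Test-AgentInstall ($sample | ConvertFrom-DevicePrepEvent)

# On a device (or against a collected .evtx with -Path), feed real events instead:
# Get-WinEvent -LogName 'Microsoft-Windows-Shell-Core/Operational' -Oldest | ConvertFrom-DevicePrepEvent
# Get-WinEvent -Path .\microsoft-windows-shell-core-operational.evtx -Oldest | ConvertFrom-DevicePrepEvent
```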
AutopilotDevicePrepHint
During the deployment, if we monitor the registry under the AutopilotSettings path
[HKEY_LOCAL_MACHINE\software\microsoft\provisioning\AutopilotSettings]
we will find a new key called “AutopilotDevicePrepHint”, which takes different values during the process.
If we check the registry at the beginning of the process, the key is not there.
Once the device is enrolled the key is added, and it gets a value of 2 during the sidecar installation.
Also, in the IntuneManagementExtension log, once IME is installed we can see the following events, where IME confirms which flow is currently running (normal Autopilot or Autopilot device preparation) and checks the hint to confirm which payload is currently being installed:
[APv2] Checking if device is in APv2 mode.
[APv2] Found DevicePrepHintValue = 2.
[APv2] Device is in APv2 mode: True.
EMS Agent APv2 check returned = True
Providers
Back to the registry: once the Sidecar agent begins installation, we can see the following key added under AutopilotSettings
[HKEY_LOCAL_MACHINE\software\microsoft\provisioning\AutopilotSettings\DevicePreparation\BootstrapperAgent], which has the following value (I took only part of it):
providers":[
{"providerId":"ID","providerFriendlyName":"Standard User Provider"},
{"providerId":"ID","providerFriendlyName":"SLDM Provider"},
{"providerId":"ID","providerFriendlyName":"PowerShell Scripts Provider"},
{"providerId":"ID","providerFriendlyName":"Win32Apps}]
So, we have 4 providers that are managed by the Sidecar agent during the deployment process:
- Standard user provider: removes the user from the Administrators group during OOBE (if the device preparation profile specifies that the user should be a standard user).
- SLDM provider: deploys LoB apps and policies.
- PowerShell Scripts provider: deploys PowerShell scripts.
- Win32Apps provider: deploys Win32 apps and Store apps.
Standard User Provider
From IME
[AutopilotV2-StandardUserProvider](ExecuteAsync) {"Message":"Operation completed successfully")
SLDM Provider
During this step, the LoB apps assigned to the device as required and added to the Autopilot device preparation profile are deployed, along with the policies assigned as required to the device.
From IME
[APv2] Setting SLDM provider hint to ExecutingProvisioningHint.
We will notice that the hint is updated to value “3”, which indicates that the SLDM provider is running to deploy the LoB apps and policies.
[APv2] Checking if device is in APv2 mode.
[APv2] Found DevicePrepHintValue = 3.
[APv2] Device is in APv2 mode: True.
[AutopilotV2-SldmProvider](ExecuteAsync) {"Message":"Operation completed successfully
[AutopilotV2-Orchestrator](BeginProvisioningAsync) {"Message":"Operation completed successfully
[AutopilotV2-BootstrapperAgent](BeginInitialProvisioningInternalAsync) {"Message":"Operation completed successfully
PowerShell Scripts and Win32 Apps Providers
During this step, all scripts, Win32 apps and Store apps assigned as required and added to the Autopilot device preparation profile are deployed to the device.
From IME
[APv2] Setting SLDM provider hint to ProvisioningCompleteHint.
[AutopilotV2-SldmProvider](ExecuteAsync) {"Message":"Operation completed successfully","
[PowerShell] Provider ExecuteAsync invoked.
[APv2] Checking if device is in APv2 mode.
[APv2] Found DevicePrepHintValue = 4.
[APv2] Device is in APv2 mode: True.
Hint updated to “4”
From Shell-core
CloudExperienceHost Web App Event 2. Name: 'DevicePrepPage_ProgressPercentage_Success', Value: '{"message":"DevicePrepPage: Page progress percentage incremented to: 28","errorCode":0}'.
Finishing deployment
Then, once deployment of all payloads is complete, the hint goes back to value “0”.
From Shell-core
CloudExperienceHost Web App Event 2. Name: 'DevicePrepPage_AgentProvisioningProgress_ExitingWithinTimeout', Value: '{"message":"DevicePrepPage: Agent completed with AgentProgressState of 5.","errorCode":0}'.
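The hint values and provider results walked through above can be pulled out of the IME log in one pass, which is useful when confirming that the Standard User Provider actually reported success on a device that should end up with a standard user. This is an added example, not part of the original post: `Get-DevicePrepSummary` is a hypothetical helper, the sample lines are constructed from the messages quoted in this post, and the stage names are this post's description of each hint value.

```powershell
# Constructed sample: IME log message texts as quoted in this post (straight quotes,
# JSON shortened), including the repeated hint check.
$imeLines = @(
    '[APv2] Found DevicePrepHintValue = 2.'
    '[AutopilotV2-StandardUserProvider](ExecuteAsync) {"Message":"Operation completed successfully"}'
    '[APv2] Setting SLDM provider hint to ExecutingProvisioningHint.'
    '[APv2] Found DevicePrepHintValue = 3.'
    '[APv2] Found DevicePrepHintValue = 3.'
    '[AutopilotV2-SldmProvider](ExecuteAsync) {"Message":"Operation completed successfully"}'
    '[APv2] Setting SLDM provider hint to ProvisioningCompleteHint.'
    '[PowerShell] Provider ExecuteAsync invoked.'
    '[APv2] Found DevicePrepHintValue = 4.'
)

# Hint meanings as described in this post.
$hintStage = @{
    2 = 'Sidecar (IME) installation'
    3 = 'SLDM provider: LoB apps and policies'
    4 = 'PowerShell scripts and Win32 apps providers'
    0 = 'All payloads deployed'
}

function Get-DevicePrepSummary {
    param([string[]]$Line, [string[]]$ExpectedProvider = @('StandardUserProvider', 'SldmProvider'))
    $stages = @(); $succeeded = @(); $last = $null
    foreach ($l in $Line) {
        if ($l -match 'Found DevicePrepHintValue = (\d+)') {
            $hint = [int]$Matches[1]
            if ($hint -ne $last) {          # keep transitions only
                $name = if ($hintStage.ContainsKey($hint)) { $hintStage[$hint] } else { 'unknown' }
                $stages += "$hint = $name"; $last = $hint
            }
        }
        elseif ($l -match '\[AutopilotV2-(\w+)\]\(ExecuteAsync\).*Operation completed successfully') {
            $succeeded += $Matches[1]
        }
    }
    [pscustomobject]@{
        Stages    = $stages
        Succeeded = $succeeded | Select-Object -Unique
        # Expected providers with no success line; StandardUserProvider here means the
        # removal from Administrators was not confirmed in this log.
        Missing   = @($ExpectedProvider | Where-Object { $_ -notin $succeeded })
    }
}

Get-DevicePrepSummary -Line $imeLines
# Live use: Get-DevicePrepSummary -Line (Get-Content <path to IntuneManagementExtension.log>)
# then compare with AutopilotDevicePrepHint under the AutopilotSettings registry path above.
```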
Here is the MS document about the Autopilot Device Preparation device workflow
For more posts about Autopilot in IntuneBytes please check IntuneBytes/Autopilot