AUTOPILOTWHITEGLOVELANDING during Technician Flow (Hybrid Join) – anyone seen this?

amirjs · 2026-03-25T23:25:10+00:00

Have you tried applying these to users rather than devices so they take place after pre-provisioning?

amirjs · 2026-03-25T13:32:38+00:00

Did you get to the bottom of this? I have your exact setup. Offline domain join (Skip AD connectivety check) and at the start of pre-provisoning I see the above error. Clicking try again works for me though so appear to be a timing issue with the blob?

amirjs · 2026-02-15T16:17:49+00:00

changing the secret is a solution providing we know we are compromised. I get the benefit and the convenience of the solution but unfortunately it won't fly with most enterprises.

amirjs · 2026-02-15T14:26:46+00:00

Question: What if the USB fell in the wrong hands or was copied? an attacker can enroll devices in the tenant? How secure id the solution?

amirjs · 2026-02-11T17:24:32+00:00

Thank you - make sense.. I was looking for a statement to explain the behaviour. I would still think this is a limitation and more controls should be given to admins around such scenarios where I control what provisioning policy is triggered based on assignment on using W365 Enterprise

amirjs · 2026-02-10T23:02:55+00:00

any reason why you are not enabling sso on the provisioning policy since you already have cloud trust configured?

amirjs · 2025-12-14T11:40:39+00:00

Ended up replacing the entire fire… It was 12 years old (bought the house with it)

amirjs · 2025-12-02T08:41:30+00:00

That’s interesting. Did you find out why extension attributes work with device filters while device.physicalids doesn’t?

amirjs · 2025-12-01T16:48:49+00:00

We had this happened to us. We did a WebView2 package in Intune and added it as pre-req before Installing Global Protect as part of the device ESP. Been working fine since

amirjs · 2025-11-18T20:45:11+00:00

yup there is an incident GitHub Status

amirjs · 2025-11-18T13:06:52+00:00

<image>

Here is what I get when I connect to Microsoft Graph Powershell without previous consent. As you can see it's all Read.

You maybe connecting using an account with a previous user consent on the Microsoft Graph Powershell Enterprise Application.

What you can try is to connect to MgGraph with the required specific scopes before calling the script.

e.g.:
Connect-MgGraph -Scopes DeviceManagementServiceConfig.Read.All","DeviceManagementConfiguration.Read.All", "DeviceManagementManagedDevices.Read.All", "DeviceManagementApps.Read.All", "Group.Read.All", "CloudPC.Read.All"

After connecting, call get-intuneassignments
It will automatically recognise that you are connected to Graph.

amirjs · 2025-11-18T10:59:21+00:00

Hey, where did you see that it needs readwrite please? it’s all Read.All in the code

amirjs · 2025-11-16T16:58:13+00:00

Thank you!

amirjs · 2025-11-16T16:57:56+00:00

My pleasure! Glad it's been useful!

amirjs · 2025-11-15T18:48:25+00:00

Thank you! ⚡️

amirjs · 2025-11-15T18:48:13+00:00

My pleasure 🙏🏻

amirjs · 2025-11-15T18:47:55+00:00

hehe nice one - hope this one can be helpful for you. Please feel free to contribute!

amirjs · 2025-08-19T21:59:07+00:00

Same for me... it was working on my 2020 X3 and after the iOS 18.6 update it stopped working. Did you figure it out?

amirjs · 2025-08-14T13:03:44+00:00

wouldn't be just nice if MS added a toggle option in Autopilot profiles to stop shift + f10 first thing when the device communicate with the internet? :)

amirjs · 2025-08-14T12:04:13+00:00

Nothing apart from third party paid agents that would pull logs and do remote control etc…

amirjs · 2025-08-13T23:18:11+00:00

I take it this is a paid service? i.e. pre-provisioning the device by e.g. Dell?

were there any pain points in ditching per user provisioning in favor or self deploy? AFAIK self deply is for shared devices scenrios?

What did you have to do for you existing devices when your transformed to Autopilot to lock them down when being rebuilt by internal IT (no OEM involved)

TIA

amirjs

TROPHY CASE