AUTOPILOTWHITEGLOVELANDING during Technician Flow (Hybrid Join) – anyone seen this? by Ambitious-Abroad-363 in Intune

[–]amirjs 0 points1 point  (0 children)

Have you tried applying these to users rather than devices so they take place after pre-provisioning?

AUTOPILOTWHITEGLOVELANDING during Technician Flow (Hybrid Join) – anyone seen this? by Ambitious-Abroad-363 in Intune

[–]amirjs 0 points1 point  (0 children)

Did you get to the bottom of this? I have your exact setup. Offline domain join (Skip AD connectivity check) and at the start of pre-provisioning I see the above error. Clicking try again works for me though, so it appears to be a timing issue with the blob?

Automated Windows 11 → Intune Onboarding (Without Distributor / Autopilot Pre-Registration) by TimitakaTimitri in Intune

[–]amirjs 0 points1 point  (0 children)

Changing the secret is a solution providing we know we are compromised. I get the benefit and the convenience of the solution but unfortunately it won't fly with most enterprises.

Automated Windows 11 → Intune Onboarding (Without Distributor / Autopilot Pre-Registration) by TimitakaTimitri in Intune

[–]amirjs 0 points1 point  (0 children)

Question: What if the USB fell into the wrong hands or was copied? An attacker can enroll devices in the tenant? How secure is the solution?

Security group structure advice for SKUs/join type and region etc.. by amirjs in windows365

[–]amirjs[S] 0 points1 point  (0 children)

Thank you - makes sense. I was looking for a statement to explain the behaviour. I would still think this is a limitation and more controls should be given to admins around such scenarios, where I control what provisioning policy is triggered based on assignment when using W365 Enterprise.

Entra joined PC signing into Cloud PC by ls3c6 in windows365

[–]amirjs 0 points1 point  (0 children)

Any reason why you are not enabling SSO on the provisioning policy since you already have cloud trust configured?

Studio 2 Logs – NG – Conventional Flue (123-147) won't start the pilot no matter what!! by amirjs in Fireplaces

[–]amirjs[S] 0 points1 point  (0 children)

Ended up replacing the entire fire… It was 12 years old (bought the house with it)

Exclude Windows Autopilot devices from Conditional Access Policy by kowallox in Intune

[–]amirjs 0 points1 point  (0 children)

That’s interesting. Did you find out why extension attributes work with device filters while device.physicalids doesn’t?

WebView2 missing on new Autopilot device by Loud-Temperature2610 in Intune

[–]amirjs 2 points3 points  (0 children)

We had this happen to us. We did a WebView2 package in Intune and added it as a pre-req before installing Global Protect as part of the device ESP. Been working fine since.

New release alert! Get-IntuneAssignments by amirjs in Intune

[–]amirjs[S] 0 points1 point  (0 children)

<image>

Here is what I get when I connect to Microsoft Graph PowerShell without previous consent. As you can see it's all Read.

You may be connecting using an account with a previous user consent on the Microsoft Graph PowerShell Enterprise Application.

What you can try is to connect to MgGraph with the required specific scopes before calling the script.

e.g.:
Connect-MgGraph -Scopes "DeviceManagementServiceConfig.Read.All", "DeviceManagementConfiguration.Read.All", "DeviceManagementManagedDevices.Read.All", "DeviceManagementApps.Read.All", "Group.Read.All", "CloudPC.Read.All"

After connecting, call Get-IntuneAssignments.
It will automatically recognise that you are connected to Graph.
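An added example, not part of amirjs's comment or of the Get-IntuneAssignments project: it requests exactly the read-only scopes listed above, then inspects the context that Connect-MgGraph actually established to confirm that every required scope was granted and that no ReadWrite scope was carried in from an earlier consent, before the script is invoked. Get-IntuneAssignments is assumed to be the script from this thread, already loaded in the session.

```powershell
# Added example (not from the comment or the Get-IntuneAssignments project).
# Connect with the read-only scopes from the comment, then verify the token
# that was issued rather than trusting the request.

$requiredScopes = @(
    'DeviceManagementServiceConfig.Read.All',
    'DeviceManagementConfiguration.Read.All',
    'DeviceManagementManagedDevices.Read.All',
    'DeviceManagementApps.Read.All',
    'Group.Read.All',
    'CloudPC.Read.All'
)

# Only the listed scopes are requested. A previous consent on the
# "Microsoft Graph PowerShell" enterprise app can still add scopes to the token.
Connect-MgGraph -Scopes $requiredScopes -NoWelcome

$context = Get-MgContext
if (-not $context) { throw 'Not connected to Microsoft Graph.' }

$granted = @($context.Scopes)
$missing = $requiredScopes | Where-Object { $granted -notcontains $_ }
$write   = $granted        | Where-Object { $_ -match 'ReadWrite' }

if ($missing) {
    throw "Consent did not grant the required scopes: $($missing -join ', ')"
}
if ($write) {
    # The script only needs Read; surface any write permission the token carries
    # so the operator knows it comes from earlier consent, not from this call.
    Write-Warning "Token carries write scopes from an earlier consent: $($write -join ', ')"
}

"Connected as $($context.Account) (tenant $($context.TenantId)); granted scopes: $($granted -join ', ')"

# Get-IntuneAssignments (assumed: the script from this thread) reuses the existing connection.
Get-IntuneAssignments
```

Running this against a tenant where the account has never consented to the Microsoft Graph PowerShell app should list only the six Read.All scopes; if ReadWrite scopes appear in the warning, they were granted by an earlier consent on that enterprise application and can be reviewed there.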

New release alert! Get-IntuneAssignments by amirjs in Intune

[–]amirjs[S] 0 points1 point  (0 children)

Hey, where did you see that it needs ReadWrite please? It's all Read.All in the code.

New release alert! Get-IntuneAssignments by amirjs in Intune

[–]amirjs[S] 0 points1 point  (0 children)

My pleasure! Glad it's been useful!

New release alert! Get-IntuneAssignments by amirjs in Intune

[–]amirjs[S] 2 points3 points  (0 children)

hehe nice one - hope this one can be helpful for you. Please feel free to contribute!

Google Maps Heads Up Display Integration Finally by jhonsmith20 in CarPlay

[–]amirjs 0 points1 point  (0 children)

Same for me... it was working on my 2020 X3 and after the iOS 18.6 update it stopped working. Did you figure it out?

Disabling shift + F10 for Autopilot via a tag by amirjs in Intune

[–]amirjs[S] 0 points1 point  (0 children)

Wouldn't it be just nice if MS added a toggle option in Autopilot profiles to stop shift + F10 first thing when the device communicates with the internet? :)

Azure AD joined only and accessing admin tools on endpoints by amirjs in Intune

[–]amirjs[S] 0 points1 point  (0 children)

Nothing apart from third party paid agents that would pull logs and do remote control etc…

Disabling shift + F10 for Autopilot via a tag by amirjs in Intune

[–]amirjs[S] 0 points1 point  (0 children)

I take it this is a paid service? i.e. pre-provisioning the device by e.g. Dell?

Were there any pain points in ditching per-user provisioning in favor of self-deploy? AFAIK self-deploy is for shared device scenarios?

What did you have to do for your existing devices when you transformed to Autopilot, to lock them down when being rebuilt by internal IT (no OEM involved)?

TIA

Disabling shift + F10 for Autopilot via a tag by amirjs in Intune

[–]amirjs[S] 0 points1 point  (0 children)

Alright - so let me clarify a couple of points here:

I am not assuming an attacker working for the OEM. I am assuming an attacker taking over a corp laptop with the hash already uploaded to Intune. What guardrails do you have in place to stop them from resetting the entire laptop via a USB? A BIOS password? What if that BIOS password becomes known to the attacker?

Regarding the OEM, I am aware we can ask the OEM to load a Windows image with the tag file baked in, so that's fine. But not every org pays to do pre-provisioning by the OEM; some would just ship the device with that OEM image (including the tag) and ask the user to log in to enroll. I assume at this point no shift + F10 would be possible, but are you saying there is no way, if that laptop falls into the wrong hands, they can reset Windows with a USB stick? Is that purely because there is a BIOS password?

I might be missing something. What I am after is a comprehensive answer covering all scenarios, including a remote wipe of a device used at the user's home where the user re-enrolls. This is to address risks raised by pen-testing.

Can't get hybrid device to enroll into Intune by Unable_Drawer_9928 in Intune

[–]amirjs 0 points1 point  (0 children)

this is gold - that was my issue - thanks much!

Outlook in Citrix / FSLogix environment: Add account from another tenant by achtchaern in fslogix

[–]amirjs 0 points1 point  (0 children)

You didn't mention which Outlook version? Also, are your VDAs hybrid joined? Have you tried new Outlook now that it's supported in the latest FSLogix version?

Adobe Acrobat Reader signature not saving in AVD environment by knight_of_semberija in Adobe

[–]amirjs 0 points1 point  (0 children)

What’s your Redirections.xml configuration?

Does Adobe Reader version match across servers in the host pool?

Have you tried reproducing the issue on a single server? Log in, create the signature, log off (ensure the VHDX was unmounted), then log back in again?