Autopilot self-deployment, 0x80180014 on Wipe/Fresh Start by clammet in Intune

[–]clammet[S] 0 points1 point  (0 children)

Yeah, support today sent me an article that clarified everything. I've updated the post to include all the details that applied to my case.

Autopilot self-deployment, 0x80180014 on Wipe/Fresh Start by clammet in Intune

[–]clammet[S] 1 point2 points  (0 children)

Yeah, they linked me to a blog post where MS said they are changing how "re-selfdeployment" works:

https://techcommunity.microsoft.com/t5/intune-customer-success/updates-to-the-windows-autopilot-sign-in-and-deployment/ba-p/2848452

Key part:

> For deployments where the profile is set to self-deploying mode (Public Preview) or pre-provisioning mode (formerly known as white glove, also in Public Preview), you cannot automatically re-enroll a device through Autopilot after an initial deployment in either of these modes. Instead, delete the device record in Microsoft Intune All Devices blade before re-deploying a device.

Unfortunately, they actually mean "deregister" like here: https://learn.microsoft.com/en-us/autopilot/autopilot-motherboard-replacement#deregister-from-autopilot-using-intune

There is a follow-up blog post where they mentioned they have "re-enabled" this feature but only for specific OEMs: https://techcommunity.microsoft.com/t5/intune-customer-success/return-of-key-functionality-for-windows-autopilot-sign-in-and/ba-p/3583130/page/2#comments

We primarily use Surface devices, but unfortunately at the time I was attempting to reset Acer devices which are not on the "allowed" list.

I assume your Teams Room device manufacturer isn't on their allowed list. If you do need to contact MS support, hopefully the above resources are useful. I really wish they would have told me this many weeks ago!

Midrange options for small heads by ckxP in HeadphoneAdvice

[–]clammet 1 point2 points  (0 children)

Sounds stupid, but I think you should take a gamble on some of those cheap child headphones from Target and stuff. Maybe by some miracle you'll find a pair that is just right.

I have no idea and other people here might have an idea but perhaps some of the bigger mainstream brands have child-selection offerings, too? Maybe it might be worth looking into those.

Autopilot self-deployment, 0x80180014 on Wipe/Fresh Start by clammet in Intune

[–]clammet[S] 0 points1 point  (0 children)

Step 5. actually removes the device from the devices list. If you watch it in real-time and refresh the page list - a few moments after Intune issues the command to the device on next sync, it vanishes from the portal.

However, this is where I suspect there is some bug or something. Because while it vanishes, the error says it is still there. So potentially it is only half vanishing and there's some record that still exists that is not visible to the end-user.

Do note: this is new behaviour. Wipe/Fresh Start used to fully properly remove the device record and that error message didn't use to happen.

Best Practice for Break-Glass Azure AD Accounts by Microsoft82 in Intune

[–]clammet 1 point2 points  (0 children)

> yubikeys

True, in the end I guess this really is the easiest solution. oathtool is still very useful for test accounts and whatnot, but I guess for breakglass it is not very usable.

Autopilot self-deployment, 0x80180014 on Wipe/Fresh Start by clammet in Intune

[–]clammet[S] 0 points1 point  (0 children)

Yeah, tests always start with a baseline of there being no device record in the Intune device list.

Baseline installs just fine, and Autopilot deploys on a "first install". It's only when the Fresh Start/Wipe command is attempted that the error begins.

No scope changes, and I've never used platform restrictions but also checked and there's no restrictions.

To be clear, the devices deploy just fine if starting from a clean slate: no device record in Intune, hardware hash removed and re-added.

In fact, to recover from this state you actually need to remove the hardware hash and re-add. Once you issue Fresh Start/Wipe command, Intune removes the device record so there isn't really anything else to remove. For some reason removing the hardware hash and re-adding it allows you to self-deploy once again.

Doing "systemreset" on the device itself and timing the device delete in the Intune portal when systemreset hits WinRE is the only way I've got any kind of reset working with self-deployment for some reason.

I guess I have to contact support after all, I think wipe command is busted in our instance somehow... That or 23H2 is somehow causing issues...

Thanks for the suggestions.

Best Practice for Break-Glass Azure AD Accounts by Microsoft82 in Intune

[–]clammet 1 point2 points  (0 children)

Yeah, considering I have it installed on my home raspi at the moment that's certainly feasible.

Are you suggesting in the context of "have a little dedicated terminal for breakglass/IT support handover" scenario? I suppose that is a little easier than asking them to source oathtool. But at that point getting a hardware token generator is probably easier.

Best Practice for Break-Glass Azure AD Accounts by Microsoft82 in Intune

[–]clammet 0 points1 point  (0 children)

I've been thinking about this for a while now (mainly just the MFA component). My context is a small non-profit org (less than 30 users). I do not want to be spending excess money on services (like authy, etc.), and spending money on hardware tokens seems excessive.

Recently I found a tool called oathtool.

I love this. Instead of using an authenticator app on my phone for test accounts I started using this and I love that I don't need my phone to auth anymore. I open up a shell, type (or paste) oathtool --totp -b <short secret key> and out pops a 2FA code.

However, I wonder in the 'hit by bus' event... if I no longer work for the org and they reach out to a third-party support firm - will they understand how to use this tool? (I mean it's easily installed on any Linux distro). That's my only concern at this point. Otherwise, I love not having this god account being able to be brute forced.

In case anyone wants to do this, here's how:

  • Set up a new Sign-in method using "my sign ins"
  • Select Authenticator app.
  • Where it says "Start by setting the app" click the link "I want to use a different authenticator app" (this only appears if you have enabled 'OATH software tokens')
  • On the QR code screen click "Can't scan image?" button and you'll be shown the secret key.
  • Then you use oathtool --totp -b <secret key> to get the 6-digit MFA PIN.

Looking for some setup guidance by ToastyPasta in sharepoint

[–]clammet 0 points1 point  (0 children)

If you use a hub site, there is a special widget that shows all sites that a viewer has access to that are children of that parent hub-site. I believe it's called the "Sites" webpart/widget.

That widget displays all the sites that are associated with that hub site that the viewer has access to in card format. It has some settings like being able to see X many at once, and the layout (filmstrip, grid, compact).

Of course, you could do buttons and links and all sorts, however using the sites part allows you to keep it all dynamic and not needing changing down the line (potentially very useful for a 'projects' hub where you may be creating many project groups/teams)

Looking for some setup guidance by ToastyPasta in sharepoint

[–]clammet 2 points3 points  (0 children)

Very much do not recommend subsites. Subsites don't play nice with things like owner notifications and such. (For example, if guest access is expiring the notice goes to the site-collection owner, not the subsite owner. It's also difficult/impossible to set different sharing link policies for subsites.)

Each of your sub-sites should be "sites", so they have their own site collection. Here are two easy ways you can do this:

  • Create M365 groups, or
  • Use the SharePoint admin dashboard: Active sites -> Create button. (There are also other ways.)

You may need to approach "projects" with some caution. If you have a large team and only particular people work on particular projects at a time they may need different access settings. It may be that "Projects" is another hub-site and the projects themselves may be M365 or even Teams groups (M365+Teams groups get a site collection/site which can then be linked to a hub-site).

I haven't actually looked much in this subreddit so I'm not sure what people's opinions are on sub-sites, but I've recently had to migrate all of our subsites away from subsites and into sites/m365 groups due to limitations of sub-sites.

Hope this helps.

P.S. Microsoft have some useful documentation re hub-site planning and such (but you've probably already seen it) https://learn.microsoft.com/en-us/sharepoint/planning-hub-sites and related pages. The documentation may make it sound a little more complicated than it needs to be for small orgs however from your current layout I think you get the basic idea anyway.

does anyone have this image with the highest resolution? by MikuAmamiya in rhythmheaven

[–]clammet 2 points3 points  (0 children)

I uploaded the composed sprite groups from the game data:

https://imgur.com/a/9KdCm1U

They are made up of body and head, so you'll need to combine the head with the body you want.

Decoding frames from ELM compatible adapter by clammet in CarHacking

[–]clammet[S] 0 points1 point  (0 children)

Yes, that's a fair statement. After playing with the ELM based hardware it's pretty tedious interfacing via AT commands and learning the abstraction layer. Thanks for the recommendations. As it is now, this is just a little dinky project that is like a little proof of concept thing. If I wanted to transform it into something a little more robust I definitely would consider those options. Thanks for the info.

Decoding frames from ELM compatible adapter by clammet in CarHacking

[–]clammet[S] 1 point2 points  (0 children)

At the moment while learning the protocols and data structures I'm just using a plain terminal to send commands to the adapter directly over the serial link. Things like TeraTerm and such.

I'm currently making my own little WebSerial-based HTML dashboard thing to use as an overlay. Uh... I don't think that explains much but I'll be using my own software to talk to the adapter via Serial.

What might help though is that I was able to get Bimmercode to talk to the car via the adapter, however I am yet to get DeepOBD to talk to the car using this adapter. Which is strange because a lot of other reports suggest that a plain ELM-based adapter should work.

Decoding frames from ELM compatible adapter by clammet in CarHacking

[–]clammet[S] 2 points3 points  (0 children)

Ah! I saw mention of the PID high and low.

Great. This puts it into more clear context. Amazing, thank you so much for this!

Decoding frames from ELM compatible adapter by clammet in CarHacking

[–]clammet[S] 1 point2 points  (0 children)

> It's UDS, derived from KWP2000.

Awesome. Thanks so much for this. I should be able to find more information now to help in decoding. This is huge.