Again a small post about Windows Autopilot, like my last post, to share some information we noticed in the field.
This week my colleague André and I set up a Dev tenant, which also involved deploying devices into Azure AD and Microsoft Intune. During our testing we applied and changed a lot of settings in the configuration profiles assigned to Windows 10 devices. While testing device enrollment, my colleague noticed a message during the enrollment phase of one of the Windows 10 machines (we had enabled the Enrollment Status Page in Intune). After a few minutes he received a pop-up with the message: You're about to be signed out. Windows will shutdown in 10 minutes.
And indeed, while apps were still being installed the device was rebooted and then returned to the deployment stage.
When this happens during the installation of apps, it can result in app install failures and, in the worst case, the enrollment times out and fails. And if the enrollment does succeed within those 10 minutes, the user is signed out and the device reboots a few minutes after their first logon.
It took quite some time for my colleague (all credits to him 🙂 ) to identify the setting that caused this behavior: enabling Windows Defender Application Control in the endpoint protection policy in Intune. We had enabled Application Control in audit mode, and that alone was enough to trigger the reboot.
After setting this setting back to Not configured, the message was not shown anymore during Autopilot enrollment.
The reason for the reboot is that Windows Defender Application Control needs Hyper-V to function, and as soon as Hyper-V is enabled a reboot is scheduled.
This behavior is confirmed by Microsoft as a known issue; the solution (or workaround) is to use a custom policy, which is described here.
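As an added illustration of the custom-policy workaround (this is not code from the original post or from Microsoft's documentation), the PowerShell below builds a WDAC policy in audit mode, reads the policy GUID out of the generated XML, and prepares the Base64 payload for an Intune custom OMA-URI profile using the ApplicationControl CSP. The working folder and file names are assumptions; the cmdlets are the standard ConfigCI module shipped with Windows 10 1903 and later.

```powershell
# Added example, not from the original post: build a WDAC audit-mode policy and
# prepare it for Intune's custom OMA-URI deployment path, so the policy is
# delivered via the ApplicationControl CSP instead of the endpoint protection
# profile that schedules the 10-minute reboot. Run in an elevated PowerShell
# on Windows 10 1903 or later. Folder and file names below are assumptions.

$WorkDir = "C:\WDAC"                      # assumption: working folder
$XmlPath = Join-Path $WorkDir "AuditPolicy.xml"
$BinPath = Join-Path $WorkDir "AuditPolicy.cip"
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Scan the local machine and create a policy at Publisher level, falling
#    back to file hashes where no signer is available. This scan can take a while.
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $XmlPath -UserPEs

# 2. Switch the XML to the multiple-policy format used on 1903+ and assign a
#    fresh PolicyID GUID (the CSP path is keyed on this GUID).
Set-CIPolicyIdInfo -FilePath $XmlPath -ResetPolicyID | Out-Null

# 3. Keep the policy in audit mode: rule option 3 is "Enabled:Audit Mode",
#    so violations are only logged, nothing is blocked.
Set-RuleOption -FilePath $XmlPath -Option 3

# 4. Read the policy GUID from the XML <PolicyID> element. The OMA-URI expects
#    it without the surrounding braces.
[xml]$Policy = Get-Content -Path $XmlPath
$PolicyId = $Policy.SiPolicy.PolicyID.Trim('{', '}')

# 5. Compile the XML to the binary .cip format and Base64-encode it; the Intune
#    custom profile takes this string as a Base64 data type.
ConvertFrom-CIPolicy -XmlFilePath $XmlPath -BinaryFilePath $BinPath | Out-Null
$Base64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes($BinPath))

# Values to enter in the Intune custom configuration profile.
"OMA-URI : ./Vendor/MSFT/ApplicationControl/Policies/$PolicyId/Policy"
"Data    : Base64"
"Payload : $Base64"
```

Before assigning the profile broadly, deploy it to a pilot group and check the Microsoft-Windows-CodeIntegrity/Operational event log on a test device: in audit mode the policy only records what would have been blocked, which is what you want to review before ever removing rule option 3.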
18 Comments
Thank you for this!
Any update on this? I’m still seeing this behaviour, is it only with Audit Mode enabled?
I don't know of any update on this.
The MS engineer said whether it's in Audit Mode or fully Enabled, it will cause reboots! If there's no need to use it, he said, leave it as not configured.
This is an incredible find. I can tell you it’s still an issue in April of 2020. Thank you!
still an issue in October 2020 haha
September 2022 checking in and still happening!
Great article, this was helpful. After dealing with several engineers at Microsoft, no one had a clue why our devices were restarting every time one was enrolled onto this policy or we made a policy change.
Microsoft support is ridiculous. The first engineer claimed Intune does not cause this and the second engineer on the escalation team claimed it wasn’t his expertise and doesn’t see why Intune would do this. It took a third engineer to confirm this was causing a reboot and still no fix a year later from this article! This seemed to resolve our issue too.
The solution (or workaround) is to use a custom policy as described here https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune#using-a-custom-oma-uri-profile
We also had this same issue!
Support said no ETA for this fix but can submit here https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/40576504-configuration-profile-for-endpoint-protection-forc
The Deploying Policies section of the workaround for 1903+ devices states:
“Know a generated policy’s GUID, which can be found in the policy xml as ”
Where do you get info policy GUID / info from Intune?
A word of warning, when you apply this policy it will force all of your users to reboot in 10min
Also enabled this months ago and all 400+ laptops rebooted while users were in Teams meetings. Bad day at the office.
Since then we have had to live with the forced reboot during Autopilot leaving us in endless loop for selecting region and language. Only a hard reboot gets us out of the loop and Autopilot can continue. Waste of time. But I just tested something and seems to work during autopilot: When the 10 min reboot message pops up during autopilot then press SHIFT+F10 to bring up command prompt. Then run the command SHUTDOWN -a and the reboot will be aborted.
Thanks Peter! Now I know where this is coming from!
I do not know about this, today I found out through your post. Thank you very much for the detailed analysis and step-by-step instructions.
How did you find this out?
Can you elaborate? I had the same issue today..
Took me ages to find out what was what, in the end I found out why due to your blog (thanks for that)
Are there any go-to log files to consult, or did you guys do a trace back of changes?
It was more a matter of thinking about which policy settings we had added recently, discussing which type of policy could cause the reboot, and then doing some testing on those policy settings. It also took us quite some time. To spare others the effort, I shared it in this post 🙂
Any new information on this issue? I do not have the above config for Endpoint protection in my device config profile – but I still have the signing off in 10 minutes message. I would like to make it go away so that I could auto-install more on first login without worrying about interrupting installations.