Getting past Autopilot on a second-hand machine
Posted by sunkencathedral@reddit | sysadmin | 40 comments
Hi there! I volunteer at a local charity and do all sorts of work there. Recently they asked if I could help them with a donated Surface Pro (Windows 11) they were 'locked out' of. I haven't worked in the IT biz for a decade, but decided to give it a try. I don't have the machine with me now, but am hoping to ask for some suggestions I can try out tomorrow (albeit with apologies if I don't always get the current terminology right). To make matters more personally complicated, the charity is actually going to interview me for a paid job with them next week, which I hope to get. Even though it's not an IT job, I'm a bit nervous to be the candidate that tried to fix their Surface and failed!
Basically the machine was donated by a major national company, and the charity used it for several months. But one day their password stopped working, and it seems to have something to do with the machine still being on an Autopilot policy from the company that donated it. My first instinct was to reset Windows 11, which I did. In the OOBE installer, things proceed as normal until a login page with the old company logo icon on it (suggesting Autopilot is still there). On the login page, it actually seems to let me insert the email address of the old Microsoft account the charity 'think' they used to use with it (and with any password, too). But then on the next screen, it hangs on "Please wait while we set up your device" for hours. I've tried it several times now, with the longest being for 4 hours. After troubleshooting many of the possibilities that might be causing the installer to hang, the only likely remaining option is that things are failing to sync up with Autopilot - which is apparently a common problem.
Running on this theory, I've been given the green light to go ahead and remove Autopilot (since they don't need it) in order to get the Surface working again. Here are some of the things I've been trying and my thoughts and questions so far:
- First, I'm aware that there are a number of potential paths to removing Autopilot from within the Windows 11 desktop environment itself. However, these seemingly remain inaccessible as long as I can't get past the installer, even temporarily.
- A common suggestion is to use the oobe\bypassnro command in order to restart the OOBE and apparently gain an option to install Windows 11 in offline mode. From there, I could at least get into the desktop and perhaps work on other methods to disable Autopilot. This command doesn't seem to work, however (and I'm making sure to do it on the Autopilot login screen, and making sure to use the correct slash \). Although the command is processed and the machine immediately restarts, there is no option to install with a local account. I'm finding a lot of conflicting information online about whether this command still works, or whether it has been deprecated.
- I've prepared a Windows 11 Installer USB, but am saving that for a last resort. I'm aware it doesn't come with the Surface-specific drivers etc, and I really have no idea how to set those up after the fact (I've never even used a Surface before now). I'm aware that there is a Surface-specific recovery image available from Microsoft here, but it requires logging in with a Microsoft account and I'm not sure which Microsoft account they are expecting (?) I could log in with my own personal Microsoft account I guess, but I don't want this Surface to end up becoming 'attached' to that account; it belongs to the charity, not me. I've also heard that I'll eventually need to select the Surface model and/or serial number as part of the process, and I have no idea what those are. I am slotted at the charity tomorrow and can find out, but there is no other computer there for me to make the USB recovery disk on. If I prepared such a USB recovery disk, it would have to be on my home PC today.
- I've read about another command that might work where oobe\bypassnro didn't, and that is start ms-cxh:localonly. I can't find out today of course, but is that something worth trying?
- Is there anything else worth trying (aside from that) when it comes to simply getting Windows 11 installed and getting into the desktop?
- If I get that far, what other grief can I expect from Autopilot? Can I get away with just using the machine from that point? If it will continue to cause problems, what would be the best path to take from within the desktop to get rid of Autopilot for good?
Thanks for any help you can offer!
StatementNext682@reddit
No. Either that or reinstall Windows in offline mode.
Master-IT-All@reddit
If the install manages to complete by bypassing the Autopilot, is that install licensed valid?
StatementNext682@reddit
Yall not using keys from GitHub?
AutoModerator@reddit
Your submission in /r/sysadmin was automatically removed because it appears to be empty. Please add some content. A headline or title is not sufficient content. If you feel this action is incorrect, please message the moderators.
I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.
Puzzled-Hedgehog346@reddit
You wasted your time; there is no bypass as long as Windows is on it and it connects to the net. The only solution is to get it removed by the IT company that has it on their Intune account.
sunkencathedral@reddit (OP)
Thanks! There are seemingly a plethora of commands, tools and methods all over the Internet that supposedly remove Autopilot, and I was hoping for guidance on which paths to take. Do you think none of them work?
Puzzled-Hedgehog346@reddit
A lot of the things you say are about a local account or a passport account; they are not the same.
sunkencathedral@reddit (OP)
To clarify, I'm trying to install Windows 11 with a local account so I can simply get into the desktop environment. Once there, I can try out the various tools that remove Autopilot. Unfortunately I can't try those as long as the installer is stuck.
datec@reddit
You cannot remove autopilot from the local device. None of those scripts are going to work. They are likely malware.
The only way to remove it from autopilot is to have it removed from Microsoft's autopilot system which can only be done by Microsoft or the company who registered it with autopilot.
sunkencathedral@reddit (OP)
I'm admittedly a bit behind on the times, and haven't worked in IT in ages, but surely everyone is up in arms about this? Microsoft have the ability to brick machines in the second-hand market? And not even a format of the drive will fix it? It sounds like some kind of comically evil corporate move to kill the second-hand market and force everyone to have to buy new hardware. If this happened in the world of IT 25 years ago, everyone would have been giving Microsoft the middle finger and hacking around it.
datec@reddit
No, this is absolutely wanted and a huge benefit of Autopilot. This stops all kinds of shenanigans.
It really takes very little time and effort to remove the device from Autopilot. If the device was legitimately donated the original owner can remove it. I think I've seen where Microsoft will remove it if it was purchased from a legitimate reseller with proof of purchase.
You would be surprised how open/helpful IT departments are when dealing with external 3rd parties that have a legitimate request.
It is kind of weird how adamant you are about not contacting the original company.
sunkencathedral@reddit (OP)
It seems daunting to the point of impossible (?) The donating company is a massive retail chain and one of the largest companies in the country. They have a customer service number and a general inquiries number on their website, both which lead to voice interfaces where none of the options apply and you can't talk to a person. That's it.
Everyone keeps saying 'just call', but I'm not sure who they're talking about. It's not like I literally have a business card of a dude in the server room.
Master-IT-All@reddit
Well, they don't want to offend by pointing out that there is a high chance that this device is stolen and they don't want to be offensive by implying that you stole it.
Anyway, you've got stolen property. GLHF
sunkencathedral@reddit (OP)
I highly doubt any of these kindly old retired volunteers stole it. I was told it was donated to them by someone who set them up and showed them how to use it, and that tracks with the fact that one of the charity's own email addresses was registered and working as a login. Someone must have set that up. I'm not even sure what that means. Does that mean whoever set them up actually put them on the old company's autopilot policy?
Master-IT-All@reddit
Well it's not difficult to just remove the device from the Entra domain afterwards and return to a local user.
The problem is that doing that means that the next time someone tries to do a reset, boom Autopilot comes up as you have had. Windows Pro setup is always going to want to join that Entra org.
- Windows Home is a bit of a workaround here. Windows Home cannot Entra join, only Entra register, so if you installed Windows Home edition (and never upgrade!) it will bypass Autopilot.
- I have no idea what Microsoft considers this to be for validity of license.
datec@reddit
You just call the corporate HQ or if you can find any information about their charity/donations arm or HR or a receptionist and just explain what's going on and ask for help. I would start out with I don't know who to ask for help and I'm so sorry for bothering you but can you help me or point me in the right direction? They may transfer you to their IT help desk if it's a voicemail just leave a voicemail with the situation and hope they call you back. What's the worst that can happen?
greet_the_sun@reddit
> Microsoft have the ability to brick machines in the second-hand market? And not even a format of the drive will fix it?
It's not microsoft doing this but whatever company sold these computers, modern windows computers have what's called a TPM module onboard the motherboard that can do various security functions including phoning home back to microsoft 365. As long as this company has the hash ID of this pc setup in their 365 autopilot environment, whenever a windows OS is installed on this computer it's going to try and phone home and get that autopilot config tying it to this company.
If this business wants to sell or give away computers then they need to make sure that all of their security tooling is removed from it first, there's nothing microsoft can do because it's not their responsibility to make sure that this computer wasn't actually stolen from the business it's registered to.
moltencrystal1989@reddit
To be fair, this locking only applies to devices owned by organisations that are enrolling the hardware to their autopilot, and only becomes an issue for resale if the org fails to release the device when they retire it.
This won't prevent a personal device being resold, nor a device from an organisation that properly manages their devices.
It does however act as a deterrent for individuals reselling hardware without organisation permission.
Master-IT-All@reddit
You cannot remove autopilot, Autopilot is a hardware based connection to an organization that lives in the cloud, Windows 11 Professional on that system will always check on the Internet if this system is registered for Autopilot and find it in this org.
That device will never install Windows 11 Professional and not want to be joined to that Entra organization and managed by Intune. Until that org removes it.
So contact the organization and find out if this device is stolen (I suspect it is) and if it isn't stolen, can they remove it from their Autopilot devices.
Puzzled-Hedgehog346@reddit
They won't be removed without the IT company doing it, or whoever put it on.
nelsonslament@reddit
We had this problem as well: the purchaser bought a refurb off of Amazon, and it had Win11 Home. When we tried reinstalling with 11 Pro, Intune took over trying to configure the machine with the previous organization. I ended up putting Win 10 Pro on, then upgrading to 11 Pro from there, without any issues with Intune.
Master-IT-All@reddit
I don't know if Microsoft would consider your install a valid license use. I wonder.
MNmetalhead@reddit
Contact the old org that owned the device and ask that they remove the device from their Azure tenant. Until this happens, you will continue to have problems.
Master-IT-All@reddit
That system will always be owned by that organization until it is removed from Intune/Autopilot by that organization.
Any 'work around' you find to install a copy of Windows that isn't in that org is likely also going to invalidate the licensing for that device.
There is no path forward.
Key_Pace_2496@reddit
Gonna have to call the organization it's from to get it removed from their Intune.
sunkencathedral@reddit (OP)
Thanks! I'm aware that this is hypothetically an option, but practically it's a huge corporation and it isn't clear how to 'just call' and get something like this sorted out. Unfortunately I can't find any support numbers to call that remotely have anything to do with an issue like this, and I've read that corporations are often unwilling to devote any time to sorting out Autopilot issues with hardware they don't own anymore. So when I'm next in the office, it seems like my best bet is to use those hours to get this sorted myself using the tools and commands available.
jimicus@reddit
Ah.
If they're that big, it seems very likely that someone locally pissed all over IT policy in doing your charity a "favour". Because I think it very unlikely they can just randomly hand hardware out without going through official channels, and official channels would likely include removing it from Intune.
sunkencathedral@reddit (OP)
Thanks, that's interesting. I really can't get much information about the machine's history, unfortunately.
I do find a lot of tools around the Internet that supposedly remove Autopilot, like a PowerShell script called AutopilotNuke and various command-line and registry hacks. This guide also often gets recommended on Reddit. Do none of these work anymore? I was hoping to give them all a try, but the problem is that I can't until I get into the Windows 11 desktop itself.
jimicus@reddit
You're asking in the wrong sub really.
Our job is to do things properly. Which means we set things up to use Autopilot and Intune.
Yeah, sure, it might be possible to hack around Windows to stop it. But it's not something any of us would ever even think of doing in our professional lives - and considering how much it'd enable theft, you shouldn't be too surprised if a future update re-enrolls the device.
sunkencathedral@reddit (OP)
OK, thanks for the info. Apologies for asking in the wrong sub; I saw people here seemed knowledgeable about Autopilot from previous threads so it seemed worth a try.
The IT world seems to have changed a lot. If Microsoft announced 25 years ago that they were initiating the ability to brick second-hand hardware (in a way that seems this unethical and possibly unlawful), it would have been controversial and everyone would have been angry and giving them the middle finger. The prevailing attitudes among IT professionals were much more maverick, countercultural and anti-corporate. I genuinely expected replies here to be along the lines of 'fuck microsoft'.
jimicus@reddit
Oh crikey, yeah, the stuff we did back then would never fly today.
It’s not that Microsoft have bricked the device; it’s that their management system needs to be explicitly disabled by the owner. It’s no different to “find my iPhone”.
statikuz@reddit
None of them, it's the same reason there are all kinds of "remove Apple ID from phone" or "turn off find my iphone without password" etc.
OttoCheyFen@reddit
It's less of an option, and actually the only real solution.
duncansmydog@reddit
You have a brick until it’s removed from autopilot 100%. Do not waste your time.
statikuz@reddit
Not a direct comparison but think of it like an iPhone that is enrolled in an organization's management, or hell, even locked to someone's Apple ID.
The point is basically to prevent exactly what you're doing - the device leaving the organization's hands and then being of use to someone else. They should have released it but obviously they did not.
I totally get this, you want to be like look I solved your problem! But I would stick with explaining why it isn't a problem to be "fixed" and more just a limitation of the device they received. Unfortunately they might equate "it worked for awhile" to "it can be fixed" but that's not the case. Kind of like "well we used this car that we had no keys for, until someone turned it off and now we can't turn it on again."
sunkencathedral@reddit (OP)
Thanks for the advice. And yeah, maybe it will come to just explaining the situation. Mostly I'm dealing with elderly retired volunteers who genuinely just don't know about computers, but the hiring manager I think would understand if it came up.
MacTwistee@reddit
You can get around this. Find a similar laptop, put in the HDD and install Windows on it. Once past OOBE, switch it back. Change the PC name and you're good. The closer the hardware match, the better the chance it works. This also gets around BIOS boot passwords. Cheers
sunkencathedral@reddit (OP)
Thanks! Noted, will think on what I might be able to use for this.
VG30ET@reddit
Contact the organization or install Linux
JwCS8pjrh3QBWfL@reddit
The only proper way forward in this situation is to contact the company that donated the device and have them remove the AP hash from their tenant. You can try contacting Microsoft if you have some kind of bill of sale with the device's serial number on it, but they're also going to ask if you have contacted the original organization first.
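The release step that greet_the_sun, moltencrystal1989 and the reply above all point to, the donating organisation deregistering the device's hardware hash from its own tenant before it leaves their hands, as an added PowerShell example for the org's IT side; this is not code from the thread or from Microsoft's tooling. It assumes the Microsoft.Graph PowerShell SDK is installed, that the operator has Intune administrator rights in the tenant that registered the device, and that the serial number is known. The Graph cmdlets are real; the function name, parameter and placeholder serial are this example's own.

```powershell
# Added example: deregister a retired or donated device from Windows Autopilot
# so a fresh install of Windows Pro no longer pulls the organisation's profile at OOBE.
# Assumes: Microsoft.Graph modules installed (Install-Module Microsoft.Graph),
# an account with Intune/Autopilot admin rights, and the device serial number.
# Function and parameter names are hypothetical; the Mg* cmdlets are the SDK's own.

function Unregister-DonatedAutopilotDevice {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SerialNumber
    )

    # Autopilot identities are governed by DeviceManagementServiceConfig,
    # Intune managed-device records by DeviceManagementManagedDevices.
    Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All',
                            'DeviceManagementManagedDevices.ReadWrite.All' | Out-Null

    # 1. Look the registration up by serial; contains() is the filter the
    #    Autopilot identity endpoint supports.
    $ap = @(Get-MgDeviceManagementWindowsAutopilotDeviceIdentity `
              -Filter "contains(serialNumber,'$SerialNumber')")
    if ($ap.Count -eq 0) {
        Write-Host "No Autopilot registration found for serial $SerialNumber; nothing to release."
        return
    }
    if ($ap.Count -gt 1) {
        throw "Serial '$SerialNumber' matched $($ap.Count) registrations; refine the filter before deleting."
    }
    $ap = $ap[0]
    Write-Host ("Found {0} {1} (serial {2}, group tag '{3}')" -f `
        $ap.Manufacturer, $ap.Model, $ap.SerialNumber, $ap.GroupTag)

    # 2. The service will not drop an identity that is still enrolled in Intune,
    #    so retire the Intune managed-device record first when one is linked.
    #    An unenrolled device reports no ManagedDeviceId (or an all-zero GUID).
    $emptyGuid = '00000000-0000-0000-0000-000000000000'
    if ($ap.ManagedDeviceId -and $ap.ManagedDeviceId -ne $emptyGuid) {
        if ($PSCmdlet.ShouldProcess($ap.ManagedDeviceId, 'Remove Intune managed device')) {
            Remove-MgDeviceManagementManagedDevice -ManagedDeviceId $ap.ManagedDeviceId
        }
    }

    # 3. Remove the hardware-hash registration itself. This is the step that
    #    stops the device from "phoning home" to this org at the next OOBE.
    if ($PSCmdlet.ShouldProcess($ap.Id, 'Remove Autopilot device identity')) {
        Remove-MgDeviceManagementWindowsAutopilotDeviceIdentity `
            -WindowsAutopilotDeviceIdentityId $ap.Id
    }

    # 4. Verify. Deletion completes asynchronously on the service side, so poll
    #    for a couple of minutes rather than trusting the first empty result.
    for ($i = 0; $i -lt 12; $i++) {
        Start-Sleep -Seconds 10
        $still = @(Get-MgDeviceManagementWindowsAutopilotDeviceIdentity `
                     -Filter "contains(serialNumber,'$SerialNumber')")
        if ($still.Count -eq 0) {
            Write-Host "Released: serial $SerialNumber is no longer registered for Autopilot."
            return
        }
    }
    Write-Warning "Autopilot still lists serial $SerialNumber; check the Intune portal before handing the device over."
}

# Dry run first (-WhatIf shows what would be deleted), then for real:
# Unregister-DonatedAutopilotDevice -SerialNumber 'PLACEHOLDER-SERIAL' -WhatIf
# Unregister-DonatedAutopilotDevice -SerialNumber 'PLACEHOLDER-SERIAL'
```

Run with `-WhatIf` first so the Intune and Autopilot records that would be deleted are printed before anything changes. After the Autopilot identity is gone, also check the Entra ID devices list for a leftover device object with the same serial and remove it there if it lingers; until all three records (Intune, Autopilot, Entra) are cleared, a reset on the receiving end can still land in the org's enrollment flow exactly as the OP describes.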