X LinkedIn Facebook Reddit Threads Email

How to Fix Intune Policies Causing Unexpected Reboots During Windows Autopilot OOBE

Troubleshoot and resolve unexpected device restarts during Windows Autopilot setup caused by security policies. Learn to identify problematic policies, implement workarounds, and control application reboots during enrollment.

April 4, 2026 18 min —

hardintune 8 steps 18 min

Why Do Intune Policies Cause Unexpected Reboots During Windows Autopilot OOBE?

Unexpected reboots during Windows Autopilot Out-of-Box Experience (OOBE) remain one of the most frustrating issues for IT administrators in 2026. These interruptions occur when security policies assigned to device groups trigger what Microsoft calls "coalesced reboots" during the Enrollment Status Page (ESP) phase. The most common culprits include Device Guard, Credential Guard, Virtualization-Based Security (VBS), Attack Surface Reduction rules, and misconfigured Windows Update rings.

The root cause lies in the timing of policy application. When security policies are assigned to device groups, they apply immediately during the device setup phase of Autopilot, before the user has even signed in. These policies often require system-level changes that mandate a restart, interrupting the smooth OOBE experience and potentially causing user confusion or deployment failures.

What Makes This Issue Particularly Challenging in 2026?

Despite Microsoft's ongoing efforts to address this issue, including service updates in 2111 and beyond, the problem persists due to the fundamental architecture of how Intune applies policies during Autopilot. Windows 11 24H2 deployments have shown heightened sensitivity to Endpoint Security policies, making proper policy assignment even more critical.

The challenge is compounded by the fact that many organizations unknowingly assign security policies to device groups for easier management, not realizing the impact on the Autopilot experience. Additionally, newer security features and compliance requirements often introduce policies that require system restarts, making this an ongoing concern rather than a one-time fix.

This tutorial provides a comprehensive approach to identifying, troubleshooting, and preventing these unexpected reboots, ensuring your Autopilot deployments complete smoothly while maintaining your security posture.

Implementation Guide

Full Procedure

Identify the Root Cause Using Event Viewer

After an unexpected reboot during Autopilot OOBE, log into the affected device with the auto-created local admin account. The first step is identifying which policies triggered the coalesced reboot.

Open Event Viewer and navigate to the Intune-specific logs:

eventvwr.msc

Navigate to: Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin

Filter for Event ID 2800 which indicates a coalesced reboot. Look for entries containing policy URIs like:

./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity
./Device/Vendor/MSFT/Policy/Config/CredentialGuard/ConfigureSystemGuard
./Device/Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules

Also check the System log for CloudExperienceHostBroker.exe errors and examine Intune Management Extension logs:

Get-ChildItem "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs" | Sort-Object LastWriteTime -Descending | Select-Object -First 5

Verification: You should see specific policy URIs in the event logs that correlate with the reboot timing. Note these URIs for the next step.

Pro tip: Export the relevant event logs to a file for easier analysis: Right-click the log > Save All Events As > Choose .evtx format.

Audit Reboot-Triggering Policies in Registry

Cross-reference the Event Viewer findings with the registry to identify exactly which policies are causing reboots. Open Registry Editor and examine the reboot tracking keys:

regedit

Navigate to: HKLM\SOFTWARE\Microsoft\Provisioning\SyncML\RebootRequiredURIs

Document all URIs listed here. Then run this PowerShell script to compare against current device policies:

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All"

# Collect RebootRequiredURIs from registry
$rebootURIs = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Provisioning\SyncML\RebootRequiredURIs" -ErrorAction SilentlyContinue

# Get current device policies
$policyURIs = Get-ChildItem "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device" | ForEach-Object { $_.PSChildName }

# Compare and identify problematic policies
$problematicPolicies = Compare-Object $rebootURIs.PSObject.Properties.Name $policyURIs | Where-Object SideIndicator -eq "<="

Write-Host "Policies causing reboots:" -ForegroundColor Red
$problematicPolicies | ForEach-Object { Write-Host $_.InputObject -ForegroundColor Yellow }

Verification: The script output will show specific policy URIs that are triggering reboots. Common culprits include Device Guard, Credential Guard, and Attack Surface Reduction policies.

Warning: Don't delete registry entries manually. These are managed by Intune and will be recreated. Focus on policy assignment changes instead.

Reassign Security Policies from Device Groups to User Groups

The most effective solution is moving problematic security policies from device group assignments to user group assignments. This delays policy application until after the Enrollment Status Page completes.

In the Microsoft Intune admin center, navigate to Endpoint security and review these policy types:

Device Guard policies
Credential Guard policies
Virtualization-Based Security (VBS)
Attack Surface Reduction rules

For each problematic policy identified in previous steps:

Click on the policy name
Go to Assignments
Remove any Device groups (especially Autopilot device groups)
Add equivalent User groups instead
Click Save

Use this PowerShell script to audit current assignments:

# Get all device configuration policies
$policies = Get-MgDeviceManagementDeviceConfiguration

foreach ($policy in $policies) {
    $assignments = Get-MgDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $policy.Id
    
    foreach ($assignment in $assignments) {
        if ($assignment.Target.AdditionalProperties["@odata.type"] -eq "#microsoft.graph.groupAssignmentTarget") {
            $group = Get-MgGroup -GroupId $assignment.Target.AdditionalProperties.groupId
            Write-Host "Policy: $($policy.DisplayName)" -ForegroundColor Cyan
            Write-Host "Assigned to group: $($group.DisplayName)" -ForegroundColor Yellow
            Write-Host "Group type: $($group.GroupTypes)" -ForegroundColor White
            Write-Host "---"
        }
    }
}

Verification: Run the audit script to confirm no security policies are assigned to device groups. All assignments should target user groups or "All Users" scope.

Fix Windows Update Ring Preview Build Issues

Windows Update rings with preview build settings can trigger unexpected reboots during Autopilot. This is a known issue that persists even after Microsoft's 2111 service update.

Navigate to Devices > Windows > Windows Update rings in the Intune admin center. For each update ring assigned to Autopilot devices:

Click on the update ring name
Go to Settings
Find Enable pre-release builds
Change it to Enabled
Click Save
Wait 5 minutes, then change it back to Not Configured
Click Save again

This toggle sequence clears the problematic ./Device/Vendor/MSFT/Policy/Config/Update/ManagePreviewBuilds setting that causes reboots during ESP.

Alternatively, use PowerShell to check and fix update rings:

# Get all Windows Update rings
$updateRings = Get-MgDeviceManagementDeviceConfiguration | Where-Object { $_.AdditionalProperties["@odata.type"] -eq "#microsoft.graph.windowsUpdateForBusinessConfiguration" }

foreach ($ring in $updateRings) {
    Write-Host "Update Ring: $($ring.DisplayName)" -ForegroundColor Cyan
    
    # Check preview build setting
    $previewSetting = $ring.AdditionalProperties.previewBuildSetting
    if ($previewSetting -ne "notConfigured") {
        Write-Host "Preview builds setting: $previewSetting - NEEDS FIX" -ForegroundColor Red
    } else {
        Write-Host "Preview builds setting: Not Configured - OK" -ForegroundColor Green
    }
}

Verification: Check that all update rings show "Not Configured" for preview builds. Test with a fresh Autopilot deployment to confirm no reboot occurs.

Create OOBE Reboot Prevention Profile

Deploy a custom configuration profile that prevents automatic reboots during the OOBE phase. This profile sets active hours and disables auto-restart notifications.

Use this PowerShell script to create the prevention profile via Microsoft Graph:

# Ensure you're connected to Graph with proper permissions
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# Define the OOBE Reboot Prevention profile
$oobeProfile = @{
    "@odata.type" = "#microsoft.graph.windows10CustomConfiguration"
    displayName = "OOBE Reboot Prevention - Autopilot"
    description = "Prevents unexpected reboots during Windows OOBE and Autopilot enrollment"
    omaSettings = @(
        @{ 
            "@odata.type" = "#microsoft.graph.omaSettingString"
            displayName = "Disable Auto Restart Required Notification"
            omaUri = "./Device/Vendor/MSFT/Policy/Config/Update/AutoRestartRequiredNotificationDismissal"
            value = "1"
        },
        @{ 
            "@odata.type" = "#microsoft.graph.omaSettingString"
            displayName = "Set Active Hours Start"
            omaUri = "./Device/Vendor/MSFT/Policy/Config/Update/ActiveHoursStart"
            value = "8"
        },
        @{ 
            "@odata.type" = "#microsoft.graph.omaSettingString"
            displayName = "Set Active Hours End"
            omaUri = "./Device/Vendor/MSFT/Policy/Config/Update/ActiveHoursEnd"
            value = "18"
        },
        @{ 
            "@odata.type" = "#microsoft.graph.omaSettingString"
            displayName = "Configure Restart Notifications"
            omaUri = "./Device/Vendor/MSFT/Policy/Config/Update/ScheduleRestartWarning"
            value = "4"
        }
    )
}

# Create the profile
$newProfile = New-MgDeviceManagementDeviceConfiguration -BodyParameter $oobeProfile
Write-Host "Created profile with ID: $($newProfile.Id)" -ForegroundColor Green

After creating the profile, assign it to your Autopilot device group with high priority (order 1).

Verification: Check the profile appears in Devices > Configuration profiles and is assigned to the correct device group. The profile should deploy before any security policies.

Configure Win32 Apps to Suppress Reboots

Win32 applications deployed during Autopilot can trigger unexpected reboots if not properly configured. Modify your Win32 app packages to suppress reboot prompts and handle restart requirements gracefully.

For each Win32 app that might require a reboot:

Navigate to Apps > Windows apps in Intune
Select your Win32 app
Go to Program settings
Modify the Install command to include reboot suppression parameters

Common reboot suppression parameters:

# For MSI installers
msiexec /i "package.msi" /quiet /norestart REBOOT=ReallySuppress

# For EXE installers (varies by vendor)
setup.exe /S /norestart
setup.exe /quiet /noreboot
setup.exe /silent /suppressmsgboxes

Configure return codes to handle reboot requirements:

In the app's Program settings
Set Return codes:
Add return code 3010 with type Soft reboot
Add return code 1641 with type Hard reboot
Set Device restart behavior to Determine behavior based on return codes

Use this PowerShell script to audit Win32 app configurations:

# Get all Win32 apps
$win32Apps = Get-MgDeviceAppManagementMobileApp | Where-Object { $_.AdditionalProperties["@odata.type"] -eq "#microsoft.graph.win32LobApp" }

foreach ($app in $win32Apps) {
    Write-Host "App: $($app.DisplayName)" -ForegroundColor Cyan
    
    # Get detailed app info
    $appDetails = Get-MgDeviceAppManagementMobileApp -MobileAppId $app.Id
    $installCommand = $appDetails.AdditionalProperties.installCommandLine
    
    Write-Host "Install Command: $installCommand" -ForegroundColor Yellow
    
    # Check for reboot suppression parameters
    if ($installCommand -match "/norestart|/noreboot|REBOOT=ReallySuppress") {
        Write-Host "Reboot suppression: CONFIGURED" -ForegroundColor Green
    } else {
        Write-Host "Reboot suppression: MISSING - NEEDS FIX" -ForegroundColor Red
    }
    Write-Host "---"
}

Verification: Test app installations on a test device to confirm no unexpected reboot prompts appear. Check Intune app installation logs for proper return code handling.

Pro tip: Use the Win32 Content Prep Tool v1.12.2 to repackage existing apps with proper reboot suppression. Always test on non-production devices first.

Test and Monitor Autopilot Deployment

After implementing the fixes, thoroughly test the Autopilot experience to ensure no unexpected reboots occur. Reset a test device and monitor the entire OOBE process.

Reset the test device to factory settings:

Go to Settings > Update & Security > Recovery
Click Get started under Reset this PC
Choose Remove everything
Select Remove files and clean the drive

During the Autopilot process, monitor for issues using these techniques:

Real-time monitoring with PowerShell:

# Monitor Autopilot progress (run on the device during OOBE)
$autopilotLog = "C:\Windows\Logs\Autopilot\AutopilotDiagnostics.log"
if (Test-Path $autopilotLog) {
    Get-Content $autopilotLog -Tail 10 -Wait
}

# Monitor Intune Management Extension
$imeLog = "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log"
if (Test-Path $imeLog) {
    Get-Content $imeLog -Tail 5 -Wait | Where-Object { $_ -match "reboot|restart" }
}

Generate comprehensive diagnostics after completion:

# Generate MDM diagnostics report
mdmdiagnosticstool.exe -out C:\temp\AutopilotDiagnostics

# Collect Autopilot logs
Get-AutopilotDiagnostics -OutputPath C:\temp\AutopilotLogs

# Check for any remaining reboot-required URIs
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Provisioning\SyncML\RebootRequiredURIs" -ErrorAction SilentlyContinue

Document the complete Autopilot timeline:

OOBE start time
ESP device setup phase completion
User sign-in
ESP user setup phase completion
Desktop presentation
Any unexpected interruptions or reboots

Verification: A successful Autopilot deployment should complete without any unexpected reboots. The device should go from OOBE directly to the desktop after ESP completion. Check that all policies and apps are applied correctly post-deployment.

Warning: If reboots still occur, check for recently added policies or apps. New security policies assigned to device groups will immediately cause the issue to resurface.

Implement Ongoing Monitoring and Prevention

Establish monitoring processes to prevent future Autopilot reboot issues. Create automated checks and alerts for problematic policy assignments.

Create a PowerShell script for regular policy auditing:

# Autopilot Policy Audit Script
# Run weekly to check for problematic assignments

Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All", "Group.Read.All"

# Define problematic policy types
$problematicPolicyTypes = @(
    "#microsoft.graph.windows10EndpointProtectionConfiguration",
    "#microsoft.graph.windowsDefenderAdvancedThreatProtectionConfiguration",
    "#microsoft.graph.windows10CustomConfiguration"
)

# Get Autopilot device groups
$autopilotGroups = Get-MgGroup | Where-Object { $_.DisplayName -like "*Autopilot*" -or $_.DisplayName -like "*OOBE*" }

Write-Host "Checking for problematic policy assignments..." -ForegroundColor Cyan

foreach ($policyType in $problematicPolicyTypes) {
    $policies = Get-MgDeviceManagementDeviceConfiguration | Where-Object { $_.AdditionalProperties["@odata.type"] -eq $policyType }
    
    foreach ($policy in $policies) {
        $assignments = Get-MgDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $policy.Id
        
        foreach ($assignment in $assignments) {
            if ($assignment.Target.AdditionalProperties["@odata.type"] -eq "#microsoft.graph.groupAssignmentTarget") {
                $groupId = $assignment.Target.AdditionalProperties.groupId
                
                if ($groupId -in $autopilotGroups.Id) {
                    Write-Host "WARNING: Policy '$($policy.DisplayName)' assigned to Autopilot device group" -ForegroundColor Red
                    Write-Host "Group: $($autopilotGroups | Where-Object Id -eq $groupId | Select-Object -ExpandProperty DisplayName)" -ForegroundColor Yellow
                    Write-Host "Recommendation: Move to user group assignment" -ForegroundColor Green
                    Write-Host "---"
                }
            }
        }
    }
}

Write-Host "Audit complete." -ForegroundColor Green

Set up automated alerting using Azure Logic Apps or Power Automate:

Create a Logic App with a recurrence trigger (weekly)
Add an HTTP action to call Microsoft Graph API
Query for device configuration assignments
Filter for device group assignments to security policies
Send email alerts when problematic assignments are detected

Create documentation for your team:

# Autopilot Policy Assignment Guidelines

## NEVER assign to device groups:
- Device Guard policies
- Credential Guard policies  
- Attack Surface Reduction rules
- VBS/HVCI policies
- Windows Update rings with preview builds

## ALWAYS assign to user groups:
- All Endpoint Security policies
- Compliance policies (when possible)
- App protection policies

## Safe for device groups:
- Wi-Fi profiles
- Certificate profiles
- VPN profiles (non-security related)
- Basic device restrictions

Verification: Run the audit script weekly and confirm no alerts are generated. Test new policy deployments on a small group before broad assignment. Maintain a change log of all Autopilot-related policy modifications.

Pro tip: Create separate Autopilot device groups for testing and production. Always test policy changes on the test group first, and monitor for at least one complete Autopilot cycle before promoting to production.

Frequently Asked Questions

Why do Device Guard and Credential Guard policies cause reboots during Windows Autopilot OOBE?+

Device Guard and Credential Guard policies require fundamental changes to Windows security architecture, including enabling Virtualization-Based Security (VBS) and Hypervisor-protected Code Integrity (HVCI). These changes modify boot-time security settings that can only take effect after a system restart. When these policies are assigned to device groups during Autopilot, they apply during the device setup phase and trigger an immediate coalesced reboot to activate the security features.

How can I identify which specific Intune policies are causing unexpected reboots during Autopilot?+

Use Event Viewer to examine the DeviceManagement-Enterprise-Diagnostics-Provider logs for Event ID 2800, which indicates coalesced reboots. Cross-reference the policy URIs found in these events with the registry key HKLM\SOFTWARE\Microsoft\Provisioning\SyncML\RebootRequiredURIs. You can also use PowerShell to compare reboot-required URIs with current device policies to pinpoint the exact policies causing issues.

What's the difference between assigning security policies to device groups versus user groups in Intune?+

Device group assignments apply policies immediately during the device setup phase of Autopilot, before user sign-in, which can trigger reboots during OOBE. User group assignments delay policy application until after the user signs in and the Enrollment Status Page completes, avoiding interruptions to the Autopilot experience. The policies achieve the same security outcome but with different timing that prevents OOBE disruptions.

Can Windows Update rings still cause Autopilot reboots even after Microsoft's 2111 service update?+

Yes, Windows Update rings can still trigger reboots during Autopilot if the 'Enable pre-release builds' setting is misconfigured. Even though Microsoft addressed some preview build issues in the 2111 update, the problem can resurface if this setting is enabled and then changed. The workaround involves toggling the setting to 'Enabled', saving, waiting, then changing it back to 'Not Configured' to clear the problematic policy URI.

How do I prevent Win32 applications from causing unexpected reboots during Autopilot deployment?+

Configure Win32 apps with proper reboot suppression parameters in their install commands (like /norestart for MSI files or /noreboot for EXE installers). Set up appropriate return codes in Intune, particularly 3010 for soft reboots and 1641 for hard reboots, and configure the device restart behavior to 'Determine behavior based on return codes'. This allows Intune to manage restart timing appropriately rather than allowing applications to force immediate reboots.

Further Intelligence

Deepen your knowledge with related resources

tutorial

Windows

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It

Deep Dive

tutorial

Cloud Computing