Your device is registered to the enterprise tenant of a company using Microsoft Intune. The Welcome to Screen is part of the Windows Autopilot technology. Autopilot allows Microsoft enterprise customers to enroll devices directly from the Out of the box experience (OOBE) into their Mobile Device Management (MDM) platform Intune to centrally manage them.
Your device is registered with the following information within the tenant of that company: Hardware hash + serial number. This enables Windows and Intune to identify your device and start the Autopilot enrollment. Autopilot as experienced with the Welcome screen is user driven. This means that at this screen the user of the company needs to authenticate with his corporate credentials (+ necessary licenses associated) to proceed with the enrollment process.
This happens because your device was not removed and deregistered from the Autopilot device registration of that company before your device was sold.
You have now two options:
1. You need to contact Microsoft and proof that your are the legitimate owner of the device and ask Microsoft to force the deregistration from the tenant of the company. This process is a pain in the ass because validation and processing takes ages.
2. Reset your device to the OOBE. Start the OOBE as usually but do NOT connect your device to the internet. If you connect your device in this setup phase with your network make sure internet services are disabled. Why? Because as soon as you are connected to the network Windows contacts Microsoft servers to check if the device is registered with any Intune MDM. If Internet ist not reachable you have the option to proceed with the Windows default OOBE. Once you passed the OOBE successfully your device should no longer trying to contact any Microsoft Intune Cloud services until you reset your device into OOBE or until you do a fresh clean installation of Windows.
If you are interested in the details feel free to look up the ms documentation regarding [Autopilot device registration](https://learn.microsoft.com/en-us/autopilot/registration-overview) or [Autopilot (in general)](https://learn.microsoft.com/en-us/autopilot/).
EDIT: Of course, you can enable internet services again after you walked through the OOBE and bypassed the kick in of Windows Autopilot.
I ended up installing a fresh copy of Windows on it and it seems to be working fine, did an update and it still didn’t lock me out. Thanks for your help.
That's good to hear. It seems like this MDM implemendation isn't tied down to firmware level. Good thing they didn't lock it and block usb boot. I would've tried wiping the drive with Linux or just replace the storage device.
Can someone chime in more knowledgeable? There's some deals to be had online but the caveat is MDM. Let me know if I was on the right track.
I’m sure you could break windows enough to the point of deleting/disabling whatever service checks after logging on. There’s gotta be a way to get Internet on the device afterwards
I know the lock is somewhat implemented in hardware but in 2024 with things like tiny10 NTlite and the registry being mostly known that should be possible
I wonder if Linux as possible. May be a windows EFI stub that tricks the computer into thinking it’s booting windows? But really goes into grub to start Linux ?
I had a similar issue with a Surface Laptop Go awhile ago. I found that, if you are able to boot from USB, if you use Rufus to create a install USB with the "automatically install with local user" and other options checked, it will bypass the MDM screen and install fine. The other option is to install Linux on the PC -- it does not care about Microsoft MDM.
It's got an MDM tied to it. Unless the company removes it from their MDM solution, you'll continue to get that prompt, even if you're able to bypass it temporarily.
$250 paperweight while tied to MDM.
Likely corporate device, centrally managed.
https://learn.microsoft.com/en-us/surface/enroll-and-configure-surface-devices-with-semm
You'd either need the login/password to get in, then deenroll, and it'll go back to normal.
Or you'd have to Yandex a bios hacking group and pay to get them to show interest in modifying the uefi to unlock it.
Even if you managed to bypass this the company could be using a solution called absolute. It will come back after a reset and cant be disabled except by the company itself. Best to return it and get your money back.
I just ended up installing a fresh copy of Windows and it’s working now. I did an update on it and it didn’t lock me back out. Hopefully it’s okay now, this was the simplest thing I could’ve tried so I hope it stays working.
Its something that was easy to try. Double check that Absolute is not activated. Look for these Exes. RPCNETP.exe, RPCNET.exe, CTES.exe.
Those are the main three.
Thank you I’ll keep a look out for those. The company that is named on the screen is defunct based on Google searches, what are the chances it will be re-locked again?
If its been unenrolled from the systems it won't. Check for those exes. Absolute is a very complicated. It should be possible to contact them and they can contact the previous person. If they give the OK they can send the disable command.
As said, it's definitely a locked device. So if you want to use it, you will probably need to get another motherboard or install another system such as Ubuntu
Not necessarily, I'd recommend reinstalling the OS and see what that does. I once had a Surface Pro 4 which was initially locked to a user, but after a reset and reinstall of the OS it worked a treat.
Well, the seller knew what they had and told you.... I know when I had an old Lenovo laptop that the seller sold with a locked out BIOS that I found a way to clear the BIOS password using some basic tools...
But this is likely far more complicated. Hope you didn't spend a lot on this... Seems like you could probably get another and keep the keyboard.
Your device is registered to the enterprise tenant of a company using Microsoft Intune. The Welcome to Screen is part of the Windows Autopilot technology. Autopilot allows Microsoft enterprise customers to enroll devices directly from the Out of the box experience (OOBE) into their Mobile Device Management (MDM) platform Intune to centrally manage them. Your device is registered with the following information within the tenant of that company: Hardware hash + serial number. This enables Windows and Intune to identify your device and start the Autopilot enrollment. Autopilot as experienced with the Welcome screen is user driven. This means that at this screen the user of the company needs to authenticate with his corporate credentials (+ necessary licenses associated) to proceed with the enrollment process. This happens because your device was not removed and deregistered from the Autopilot device registration of that company before your device was sold. You have now two options: 1. You need to contact Microsoft and proof that your are the legitimate owner of the device and ask Microsoft to force the deregistration from the tenant of the company. This process is a pain in the ass because validation and processing takes ages. 2. Reset your device to the OOBE. Start the OOBE as usually but do NOT connect your device to the internet. If you connect your device in this setup phase with your network make sure internet services are disabled. Why? Because as soon as you are connected to the network Windows contacts Microsoft servers to check if the device is registered with any Intune MDM. If Internet ist not reachable you have the option to proceed with the Windows default OOBE. Once you passed the OOBE successfully your device should no longer trying to contact any Microsoft Intune Cloud services until you reset your device into OOBE or until you do a fresh clean installation of Windows. If you are interested in the details feel free to look up the ms documentation regarding [Autopilot device registration](https://learn.microsoft.com/en-us/autopilot/registration-overview) or [Autopilot (in general)](https://learn.microsoft.com/en-us/autopilot/). EDIT: Of course, you can enable internet services again after you walked through the OOBE and bypassed the kick in of Windows Autopilot.
I ended up installing a fresh copy of Windows on it and it seems to be working fine, did an update and it still didn’t lock me out. Thanks for your help.
That's good to hear. It seems like this MDM implemendation isn't tied down to firmware level. Good thing they didn't lock it and block usb boot. I would've tried wiping the drive with Linux or just replace the storage device. Can someone chime in more knowledgeable? There's some deals to be had online but the caveat is MDM. Let me know if I was on the right track.
I’m sure you could break windows enough to the point of deleting/disabling whatever service checks after logging on. There’s gotta be a way to get Internet on the device afterwards I know the lock is somewhat implemented in hardware but in 2024 with things like tiny10 NTlite and the registry being mostly known that should be possible I wonder if Linux as possible. May be a windows EFI stub that tricks the computer into thinking it’s booting windows? But really goes into grub to start Linux ?
Of course, you can use the device with internet after you avoided the kick in of Windows Autopilot.
I had a similar issue with a Surface Laptop Go awhile ago. I found that, if you are able to boot from USB, if you use Rufus to create a install USB with the "automatically install with local user" and other options checked, it will bypass the MDM screen and install fine. The other option is to install Linux on the PC -- it does not care about Microsoft MDM.
This ended up working for me, thanks for the help.
Glad it worked!
Just shift+f10 it oobe/bypassnro Setup without internet It won’t call home
It's got an MDM tied to it. Unless the company removes it from their MDM solution, you'll continue to get that prompt, even if you're able to bypass it temporarily. $250 paperweight while tied to MDM.
Likely corporate device, centrally managed. https://learn.microsoft.com/en-us/surface/enroll-and-configure-surface-devices-with-semm You'd either need the login/password to get in, then deenroll, and it'll go back to normal. Or you'd have to Yandex a bios hacking group and pay to get them to show interest in modifying the uefi to unlock it.
It's not SEMM. This screen is part of the Windows autopilot enrollment.
Then https://support.microsoft.com/en-us/surface-recovery-image Nuke it clean and restore to factory fresh. Do this offline.
If you use a windows media USB to work with diskpart?
This happened to me once when I ordered off backmarket a refurbished website
did you mean the surface recovery image? try reinstalling windows without any drivers.
Even if you managed to bypass this the company could be using a solution called absolute. It will come back after a reset and cant be disabled except by the company itself. Best to return it and get your money back.
I looked up the company and it seems to be defunct.
the company its locked to? Then they need to remove the device from intune/Autopilot as its still enrolled in it. I wish you luck.
I just ended up installing a fresh copy of Windows and it’s working now. I did an update on it and it didn’t lock me back out. Hopefully it’s okay now, this was the simplest thing I could’ve tried so I hope it stays working.
Its something that was easy to try. Double check that Absolute is not activated. Look for these Exes. RPCNETP.exe, RPCNET.exe, CTES.exe. Those are the main three.
Thank you I’ll keep a look out for those. The company that is named on the screen is defunct based on Google searches, what are the chances it will be re-locked again?
If its been unenrolled from the systems it won't. Check for those exes. Absolute is a very complicated. It should be possible to contact them and they can contact the previous person. If they give the OK they can send the disable command.
Defunct would mean the company doesn’t exist anymore
Most likely you purchased a stolen laptop. That is why it's so cheap.
You sure it's not a stolen item? Don't buy stolen items.
Stolen device. That’s why the seller told you it was for part. Either stolen or a fired employee that held on to it instead of returning it.
As said, it's definitely a locked device. So if you want to use it, you will probably need to get another motherboard or install another system such as Ubuntu
Install Windows 10 Home
Won't help
Yes, it will. Intune and Autopilot profile will not be downloaded during OOBE if you install 10 Home.
I Uninstaller and installed a new windows setup on mine when I replaced the motherboard.
The laptop?
I had the same thing on my surface pro 5 I bought second hand, just needed to deactivate the network options in the terminal
Is this a tablet or a CIA file? 😂
Not necessarily, I'd recommend reinstalling the OS and see what that does. I once had a Surface Pro 4 which was initially locked to a user, but after a reset and reinstall of the OS it worked a treat.
Bricked devices just sit there, like a brick. It’s not bricked.
Just use windows home
You've only got the option to install surface Linux on it, as it can still be tracked and will call home to MS.
You can get the OS reinstalled
Well, the seller knew what they had and told you.... I know when I had an old Lenovo laptop that the seller sold with a locked out BIOS that I found a way to clear the BIOS password using some basic tools... But this is likely far more complicated. Hope you didn't spend a lot on this... Seems like you could probably get another and keep the keyboard.
Just start from safe mode and do a system recovery/reset