Corporate login laptop bypass

smr

Hi,

Got a laptop from a customer here and I've not had one of these jobs before so I'm wondering if anyone can shed any light on this

Basically he was laid off and they haven't asked for the laptop back so he's keeping it but wants to wipe everything and start again with it so just a format Win install job. Or so you'd think

Even after formatting the hard drive (which is an nvme ssd) and then installing Windows afresh, you get to the setup screen where on Windows 11 you'd bypass network connection with oobe/bypassnro or Win 10 you'd select 'Limited setup' ... well either of those options don't exist, your only choice is to connect to the Internet, and then after doing so it "connects to Microsoft" or something and the next screen is a login for a corporate / company login business organisation username and password.

So this is obviously some sort of bios encryption -

A simple fix would be to replace the hard drive, but given it's been formatted, is this security encryption embedded into the bios/motherboard somehow making trying a new hard drive futile?

Any ideas gladly welcome.
 
Sounds like it's Intune enrolled.

Easiest way would be to contact the company and have them delete the enrolled device. If they've left on good terms... As this would be a permanent fix.

Otherwise, AutoPilot deployment is only available on Pro/ENT OS, so a reinstall with Home may do the trick as it won't do the enrolment check, if they can live with that.

It's based on a hardware hash, may be able to flash the bios or disable/wipe TPM, and other requirements of Intune, but it may well cause future issues as most of these are requirements for Win 11. Working on the other side of it, I have had the hash change after BIOS updates, but equally, I've had it stay the same. Depends on manufacturer, model and how the BIOS is applied it seems!
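
Added example, not part of the original post: what "have them delete the enrolled device" involves on the company's side, sketched with the Microsoft Graph PowerShell SDK. The script layout and the `$SerialNumber` parameter are assumptions; it removes the Intune record first, then the Autopilot registration, and supports `-WhatIf` for a dry run.

```powershell
# Added example (not from the thread): release a leaver's laptop from the tenant.
# Assumes the Microsoft.Graph.DeviceManagement and
# Microsoft.Graph.DeviceManagement.Enrollment modules are installed.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Serial number taken from the asset register (hypothetical input).
    [Parameter(Mandatory)]
    [ValidatePattern('^[A-Za-z0-9\-]+$')]   # keeps the value safe inside the OData filter
    [string] $SerialNumber
)

Connect-MgGraph -Scopes @(
    'DeviceManagementManagedDevices.ReadWrite.All',
    'DeviceManagementServiceConfig.ReadWrite.All'
) | Out-Null

# 1. Intune managed-device record(s) for this serial.
$managed = @(Get-MgDeviceManagementManagedDevice -Filter "serialNumber eq '$SerialNumber'" -All)
foreach ($d in $managed) {
    if ($PSCmdlet.ShouldProcess("$($d.DeviceName) [$($d.Id)]", 'Delete Intune device record')) {
        Remove-MgDeviceManagementManagedDevice -ManagedDeviceId $d.Id
    }
}

# 2. Autopilot registration. The service filter is a substring match,
#    so confirm the exact serial client-side before deleting anything.
$autopilot = @(Get-MgDeviceManagementWindowsAutopilotDeviceIdentity `
        -Filter "contains(serialNumber,'$SerialNumber')" -All |
    Where-Object { $_.SerialNumber -eq $SerialNumber })

if (-not $autopilot) {
    Write-Warning "No Autopilot registration found for serial $SerialNumber."
}
foreach ($a in $autopilot) {
    # Record what is being released for the offboarding ticket.
    [pscustomobject]@{
        Serial          = $a.SerialNumber
        Model           = $a.Model
        EnrollmentState = $a.EnrollmentState
        LastContacted   = $a.LastContactedDateTime
    }
    if ($PSCmdlet.ShouldProcess("$($a.SerialNumber) [$($a.Id)]", 'Delete Autopilot registration')) {
        Remove-MgDeviceManagementWindowsAutopilotDeviceIdentity -WindowsAutopilotDeviceIdentityId $a.Id
    }
}
```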
 
This is enrolled in Autopilot

Reimage the laptop, get to OOBE, bypassnro, don't connect to the internet and create a local account. Once you have passed OOBE, even just selecting the keyboard, Autopilot won't interfere with the setup.

You can continue using the laptop as normal after this, it won't be registered or joined to Entra ID (Azure AD) or enrolled in Intune unless the user decides to add their work account.

If you want to add a MS personal account after the local account is created it won't be an issue. Once you're beyond OOBE there is no Autopilot check and enrollment.
 
Whilst the above might help get around it, I notice you say this is from a "customer" and you're working on this as a job? This clearly isn't his laptop, and if it's still Intune enrolled it absolutely was not meant for him to keep.

I would suggest this would be putting you on rather sketchy ground from a legal perspective given it's clearly not his to wipe.
 
I'd agree with above it is potentially a dodgy situation - at work or when family members have been given formerly work machines they usually have release paperwork and/or removed from enrollment. If unlucky it is a hardware/BIOS level enrollment which isn't easily removed/bypassed properly without basically replacing the mainboard or some soldering.

and if it's still Intune enrolled it absolutely was not meant for him to keep.

To be fair wouldn't be the first time a company has folded, without debts/owing anyone anything, where no one is left to take responsibility for stuff like that and no one really has ownership of anything they don't already have their hands on.
 
So this is obviously some sort of bios encryption -
It so obviously isn't. It's simply been deployed by Autopilot which means that serial is hard coded to the tenant. Any time it gets an internet connection, it's going to send you there. Probably why they didn't ask for it back. It's useless.
 
Any time it gets an internet connection, it's going to send you there. Probably why they didn't ask for it back. It's useless.
Only during OOBE. Once you've skipped OOBE it never checks in with the tenant. I use my current employer's laptop this way, bypassing Autopilot and installing my own image.
 
When you did the Shift-F10 oobe\bypassnro command, did you unplug the network cable for the rest of the installation? I have found that if you don't then it will still recognise the wired network/internet connection and ignore the bypassnro command and still won't allow you to do the limited setup. Install W11 from a USB key without network cable plugged in and then do the bypassnro and see if that works.
 
Keep the network disconnected until you've created a local account. Once logged in connect the network and then add a MS account if needed.

If you need drivers and updates at OOBE press CTRL+SHIFT+F3 to enter audit mode, download Windows updates and install drivers, a restart will bring you back in to audit mode with autologon. If you accidentally sign out or lock the screen just restart and you're logged back in.

Try not to update, install or remove any Microsoft Store apps, messes with Sysprep. If Sysprep fails the error will tell you which log to check, and the log which apps to uninstall.

Once you have everything installed and updated select restart on the sysprep popup, you only need to check generalise if you want to capture the image and deploy to other computers.

Don't forget to disconnect the network before the computer restarts or you'll be back in to Autopilot.
 
Can we keep the legalities out of this thread please. We get enough of that in the movies and motoring forums.

There are legitimate reasons why Autopilot would need to be bypassed. I've tried several times to get previous owners of devices to remove from their Autopilot and never had any success.
 
They don’t have to ask for it back. It’s probably in the contract they signed that all devices have to be given back.

It’s actually theft of company property. They may send the bill. They may not.
With my work everything is assigned to the user. Serial numbers etc are all logged.

Then once you leave you need to give everything back that is assigned to you, maybe different elsewhere but the laptops we use for work are not cheap and can cost 2\3K
 
Sometimes the time and effort involved to get a device back from an ex-employee isn't worth it. How much is the laptop worth after 3 years, even less if it is out of warranty. Storage, rebuild or disposal costs. A new employee would expect a brand new or nearly new device.

One place I worked at no one was sure who should make contact with the ex-employee, the manager or HR. What if they refused to hand the kit back, who has time to go down the legal route to recover. If you're a small business then you would try and recover the laptop but for large organisations used hardware is scattered all over the place.
 
I think your posts are heavily biased. You've clearly spent time figuring out how to bypass Autopilot in a way that works for you, and you suggest everyone else should keep the legalities out of the thread whilst you say you're using your employer's laptop with your own image. Do your employees know this? For any employee worth their salt it would be clearly in breach of any kind of acceptable use policy. The cost value of obtaining a device isn't the only factor as regardless of age the device will likely contain corporate data that might come under GDPR regulations. Whilst there might not be much cost value in the laptop, the value in being fined for a GDPR breach would be well worth the effort.

Whilst I appreciate there may occasionally be times where a company have forgotten and then are unwilling to remove Autopilot this would seem unlikely to me, and would indicate that the machine was never meant to be used by this person in this manner.

Whilst it's easy for you to say "skip the legalities" if the OP doesn't know what Autopilot is, and is doing this as a business transaction, I'd suggest it's risky, and would possibly come close to something like handling stolen goods. Ultimately the machine is giving a very unambiguous prompt that it's enrolled to a company's system, and the client has confirmed he no longer works for that company. I can't imagine there's more than £100 of profit in a job like this and ultimately the OP needs to ask themselves if it's worth it with the possible risk.
 
Spent a lot of time? Autopilot isn't a security feature. Autopilot needs an internet connection to join the tenant, disconnect the network !!

My reply in post 10 has nothing to do with Autopilot, just a few tips on setting up a device.

Not even going to waste my time answering your other points.
 
Unless he’s got some written evidence from the employer that he can keep the laptop you’d be basically helping him to steal it. Don’t touch it with a barge pole.
This a hundred times over!
 
Ex-employee should be dealing with the company's IT department, rather than an independent. Either he shouldn't have it and it should be returned to the IT dept, or he was allowed to keep it and he should speak with his previous manager.
Hilarious to see it mentioned to keep the legal business out of the thread.

"Hey guys, I just stole this stuff and it's got passwords and security stuff. How can I turn it off?"
We shouldn't want to enable this.

Edit: Not meaning to imply that smr is the thief here. :D
 