CIS Benchmark & Autopilot Reboot Loops: The Device vs. User Context Fix

You deploy CIS Benchmark v2.0.0 to your Intune tenant. Devices ship to users. Autopilot begins. And then—mid-OOBE, the device reboots. Again. And again. You exclude the CIS policy from the Autopilot device group, and the problem vanishes. But now you're stuck: how do you enforce CIS security without breaking Windows Autopilot pre-provisioning?

This is not a CIS problem. It's an assignment context problem. And it's entirely fixable.

⚠ Critical Caveat Not all CIS policies cause reboot loops. The culprits are policies that trigger system restarts during OOBE before a user account logs in. User-context policies apply after Autopilot provisioning completes, which means they don't block pre-provisioning. This article identifies which CIS controls restart the device and when to reassign them.

The Problem: Why CIS Breaks Autopilot

When you assign a CIS Benchmark policy to a device group, Intune delivers that policy to the device during pre-provisioning. The Intune management agent begins enforcing settings before any user logs in. If a policy setting triggers a reboot—Device Guard enablement, BitLocker requirements, update policies, or UAC changes—the device reboots mid-OOBE and the provisioning flow stalls or loops.

The magic word is context. Device-context policies apply in the system account environment. User-context policies apply only after a user token exists on the device. By the time Autopilot assigns the user, that user-context policy can apply cleanly without interrupting pre-provisioning.

Device-context policies execute during OOBE pre-provisioning and can trigger reboots. User-context policies defer until after Autopilot completes, preventing loops.

Which CIS Controls Trigger Reboot Loops?

Not every CIS setting causes a reboot. The culprits are settings that:

Enable security features that require a restart — Device Guard (Virtualization-Based Security), BitLocker, UEFI firmware settings, Credential Guard
Modify system startup behavior — Boot options, Secure Boot, TPM policies
Restrict system services before user login — Services that block OOBE progression.
Require account elevation or UAC changes — Policies that change how administrators are prompted

Based on real-world troubleshooting, these specific OMA-URI policies in CIS v2.0.0 and v3.0 have caused Autopilot reboot loops:

OMA-URI / Setting	CIS Control	Why It Reboots	Can Be User Context?
`./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity`	Virtualization-Based Security	Requires CPU & firmware changes, mandatory reboot	✗
`./Device/Vendor/MSFT/Policy/Config/DeviceGuard/RequirePlatformSecurityFeatures`	Device Guard Platform	UEFI + TPM validation, hardware-level enforcement	✗
`./Device/Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings`	Exploit Guard	System-level memory protection, reboot required	✗
`./Device/Vendor/MSFT/Policy/Config/Update/ManagePreviewBuilds`	Build Version Lock	Modifies Windows Update behavior, may block provisioning	✓
`./Device/Vendor/MSFT/Accounts/Domain/ComputerName`	Computer Name Policy	Requires reboot to apply hostname changes	✗
`./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowUSBConnection`	USB Restriction	Can block device responsiveness during OOBE	✓
`./Device/Vendor/MSFT/Policy/Config/DmaGuard/DeviceEnumerationPolicy`	DMA Guard	PCIe device enumeration, firmware-level setting	✗
`./Device/Vendor/MSFT/Policy/Config/Start/Hide*`	Start Menu Controls	Usually safe, but can conflict with default OOBE UI	✓
Administrative Templates: AutoAdminLogon	Auto Logon Disable	Affects OOBE flow completion, user logon timing	✓
Local Policies: UAC Elevation Prompt	UAC Behavior	Changes admin prompt style mid-provisioning	✓

💡 Pro Tip The key distinction: firmware and hardware-level policies (Device Guard, DMA Guard, Exploit Guard) must stay on Device context because they require pre-boot validation. But UI, services, and user-logon behavior policies can move to User context without breaking security.

The Solution: Split CIS Into Three Policies

The most effective production strategy—used by several MSPs and enterprises in the community—is to refactor the CIS benchmark into three separate policies:

Device-Context OMA-URI Policy (Hardware & Firmware Controls)
Device-Context Settings Catalog (System Settings)
User-Context Settings Catalog (User Preferences & UI)

This strategy lets you:

Exclude Autopilot devices from device-context policies until after provisioning
Apply user-context policies immediately without blocking OOBE
Use dynamic group membership to auto-enroll devices in the full CIS policy 24 hours post-provisioning

The three-policy split ensures user-context rules apply immediately during Autopilot, while device-context rules apply post-provisioning via a delayed dynamic group.

Step-by-Step Implementation

Create "Autopilot" Dynamic Device Group
This group contains all devices during the first 24 hours post-provisioning. Devices auto-remove themselves after that window. Requires Azure AD Premium P1.

Membership Rule:
```
(device.enrollmentProfileName -eq "Autopilot") AND (device.enrollmentDateTime -gt now.subHours(24))
```
If dynamic groups are unavailable, manually create a static group and remove devices 24 hours after provisioning via a scheduled Graph API script.
Create "CIS v2.0 Device (Exclude Autopilot)" Device Group
This group contains all devices except those in the Autopilot pre-provisioning window. Policies assigned here will NOT break Autopilot.

Membership Rule:
```
(device.enrollmentProfileName -ne "Autopilot") OR (device.enrollmentDateTime -le now.subHours(24))
```
Export CIS Benchmark v2.0.0 from Your Template
In Intune, navigate to Devices → Configuration Profiles → Create Profile → Import Policy (if using CIS template) or manually create three policies:
- Windows 11 CIS Benchmark v2.0 (Device OMA-URI)
- Settings Catalog: Device Controls
- Settings Catalog: User Controls
Policy 1: Move Hardware OMA-URIs to Device Group (Exclude Autopilot)
In the Intune portal, edit your CIS OMA-URI policy and change its assignment:
```
# Current assignment (BREAKS AUTOPILOT)
Assign to: All Devices

# Corrected assignment
Assign to: CIS v2.0 Device (Exclude Autopilot)
```
Policy 2: System Settings Catalog → Device Group (Exclude Autopilot)
Create or move system-level Settings Catalog policies (Windows Updates, firewall, logging) to the Exclude Autopilot device group.

Example Settings Catalog paths:
- System → Windows Update → Configure Automatic Updates
- Network → Firewall → Firewall Profiles → Inbound Connections
- Security → Defender → Real-Time Protection

Policy 3: User Settings Catalog → User Group (All Users)

Create a new Settings Catalog policy and assign it to All Users or a specific user group. Move these settings into it:

# Settings safe to apply immediately during OOBE
Administrative Templates → System Logon → Always wait for the network at computer startup and logon
Start Menu → Hide Power Button
Start Menu → Hide Sleep
Start Menu → Hide Shutdown
User Account Control → Behavior of the elevation prompt for administrators
Notifications → Disallow Cloud Notification on Windows Lock Screen

Test Autopilot on Pilot Device

Select a test device and run through Autopilot provisioning. Monitor:

Does OOBE complete without reboots?
Does the user sign in successfully?
Do user-context policies apply post-logon (check Policy Status in device properties)?
Do hardware policies apply after 24 hours?

Check policy application on the device:

# PowerShell (Run as Administrator)
$DiagPath = "C:\DiagReport"
Get-MdmDiagnosticReport -OutputPath $DiagPath
Expand-Archive -Path "$DiagPath\mdmdiagnostics.cab" -DestinationPath "$DiagPath\Expanded" -Force

# View applied policies
Get-Content "$DiagPath\Expanded\ActivitiesLog.xml" | Select-String -Pattern "DeviceGuard|CIS|Settings"

# Alternative: Check registry for applied policies
Get-ItemProperty -Path "HKLM:\Software\Microsoft\PolicyManager\current\device" | Format-Table

Monitor & Document Which Settings Caused Issues

If Autopilot still loops, isolate the culprit. Check Intune event logs on the device to identify reboot sources:

# PowerShell (Run as System during OOBE)
Get-WinEvent -LogName "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational" -MaxEvents 50 | Where-Object { $_.Message -like "*reboot*" -or $_.Message -like "*restart*" } | Format-List TimeCreated, Message

For detailed analysis, refer to the PatchMyPC Autopilot reboot troubleshooting guide.

Deploy to Production in Waves
Roll out the refactored policies to device groups in stages:
- Week 1: Pilot group (25 devices)
- Week 2: Early adopters (100 devices)
- Week 3: All devices
Use a phased rollout query to control velocity:
```
(device.deviceOSType -eq "Windows") AND (device.isRooted -eq false) AND (device.lastLogonTimeStamp -gt now.subDays(30))
```

What If Your Device Still Reboots?

If Autopilot still enters a reboot loop after splitting policies, you've hit a setting that is fundamentally incompatible with Autopilot. The options are:

🔴 Fundamental Autopilot Incompatibilities

These settings CANNOT be applied during Autopilot pre-provisioning, even with user context. The device must reboot for them to take effect:

Device Guard (Virtualization-Based Security) — Requires firmware & CPU validation before Windows boots. Solution: Apply post-provisioning via delayed assignment (48–72 hours).
BitLocker Full-Disk Encryption — Modifies boot sector. Solution: Use Windows Update for Business or late-stage remediation scripts.
UEFI/Firmware Policies — Hardware-level, pre-OS. Solution: Exclude from Autopilot entirely; apply after manual login.
ComputerName (via OMA-URI) — Hostname changes require reboot. Solution: Use Win32 app script or Task Scheduler post-provisioning.

Option: Delay Device-Context Policies by 72 Hours

If a policy is truly critical but incompatible with Autopilot, use a Microsoft Graph API script to add the device to the CIS policy group 72 hours after enrollment:

# PowerShell script using Microsoft.Graph module
# Run this as a scheduled task post-Autopilot

require -Version 7.0
Import-Module Microsoft.Graph.Groups -MinimumVersion 2.0

# Authenticate (use -TenantId for production)
Connect-MgGraph -Scopes "Group.ReadWrite.All"

$groupId = ""
$deviceId = (Get-MgDevice -Filter "displayName eq '$env:COMPUTERNAME'").Id

if ($deviceId) {
    try {
        New-MgGroupMember -GroupId $groupId -DirectoryObjectId $deviceId
        Write-Output "Device added to CIS group after 72-hour delay"
    } catch {
        Write-Error "Failed to add device: $_"
    }
} else {
    Write-Warning "Device not found in Azure AD"
}

Schedule this script via Task Scheduler:

# Create scheduled task for 72-hour delay
$TaskName = "DelayedCISEnrollment"
$ScriptPath = "C:\Scripts\AddDeviceToCISGroup.ps1"
$ScheduledTime = (Get-Date).AddHours(72)

$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-NoProfile -ExecutionPolicy Bypass -File $ScriptPath"
$Trigger = New-ScheduledTaskTrigger -At $ScheduledTime -Once
$Settings = New-ScheduledTaskSettingsSet -RunOnlyIfNetworkAvailable -StartWhenAvailable

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger -Settings $Settings -RunLevel Highest -Force

Production Checklist

Task	Complete?	Notes
Verify Azure AD Premium P1 license for dynamic groups	☐	Check Tenant > Licenses
Create "Autopilot" dynamic device group with 24h membership rule	☐	Test rule on 5 devices first; allow 24h for sync
Create "CIS Exclude Autopilot" device group	☐	Verify membership query returns correct device count
Inventory CIS Benchmark v2.0.0 settings by type (hardware/system/user)	☐	Use the CIS reboot table as reference
Create 3 separate Intune policies (Device OMA, Device Settings, User Settings)	☐	Test each policy independently on pilot device
Reassign Device OMA & Settings Catalog policies to "Exclude Autopilot" group	☐	Verify old all-devices assignment is removed
Assign User Settings Catalog policy to user group or all users	☐	Test with one user account first
Run pilot Autopilot on 3–5 devices; monitor for reboots	☐	Collect MDM diagnostic reports if loops occur
Verify CIS policies apply post-provisioning (24–72 hours)	☐	Check Device Configuration status in Intune portal
Deploy to early adopter wave (50–100 devices)	☐	Monitor success rate and support tickets for 1 week
Roll out to production (all remaining devices)	☐	Stagger in batches of 500+ to avoid support overload
Document final CIS policy split for future reference	☐	Include which settings went to which policy and why

Key Takeaways

Device-context policies apply during Autopilot pre-provisioning (system account) and can trigger reboots that break OOBE. Hardware and firmware policies (Device Guard, BitLocker, DMA Guard) must stay here but be excluded from Autopilot devices.
User-context policies apply after user logon and do not interrupt Autopilot. UI, UAC, and service policies can safely move here and apply immediately during provisioning.
Split CIS into three policies: Device OMA-URI (hardware), Device Settings Catalog (system), and User Settings Catalog (UI/preferences).
Use dynamic group membership to automatically enroll devices into full CIS enforcement 24 hours after Autopilot completes.
Test on 3–5 pilot devices before rolling out to production. Monitor MDM diagnostics and event logs for remaining reboot sources.
If a policy still causes reboots, delay its assignment by 48–72 hours using a scheduled Graph API script or Configuration Manager.

CIS Benchmark & Autopilot Reboot Loops: The Device vs. User Context Fix