Unable to associate user account to adfs after using autounattend.xml


  1. Posts : 2
    Manjaro
       #1

    Unable to associate user account to adfs after using autounattend.xml


    Hello.

    First off, I'm a Linux sysadmin so not so familiar with Windows, but I was tasked to start setting up some Windows computers, and there will likely be more coming.

    So to make the installation of the computer smoother, I decided to set it up using autounattend.xml. I used a generator to make the autounattend.xml and I put it on the USB stick with the Windows install.
    The link to the generator:
    https://schneegans.de/windows/unattend-generator/

    And it worked well.
    I selected Language, amd64, GPT partition, Administrator account and an administrative user.
    Also attached an example of the file generated.

    I put the file on the USB stick with the Windows install, and it installed perfectly without asking anything. It then booted me into the Administrator account where I could make the final adjustments.

    However, when the user then logs in and tries to link the account to our office365 system by clicking "Sign in with a Microsoft account instead" there is an error "That Microsoft account doesn't exist. Enter a different account or get a new one"

    I tried to search for the error and it seems pretty common to get this error, but none of what I could find was where the account was created using autounattend.xml.

    I also tried to log into the Administrator account and remove the auto-created user, and then add another one. But the same thing happens to that user.
    Is it the wrong way to create the account, or is there something missing?
    Or even better, what is the correct way to set up the account to be an Office365 business account?

    The version of Windows is Windows 10 Pro 21H2


  2. Posts : 4,187
    Windows 11 Pro, 22H2
       #2

    I'm going to test your answer file to see what I can come up with. With just a quick glance I see nothing obvious, but I'll do a deeper dive when I have the opportunity later today.


  3. Posts : 4,187
    Windows 11 Pro, 22H2
       #3

    I think I see an issue already. Will need to test, but I may be on to something


  4. Posts : 4,187
    Windows 11 Pro, 22H2
       #4

    EDIT

    I just noticed that the ProtectYourPC setting that I use is "1" and you used "3". If you use my sample, don't forget to change the value I have to "3".

    END OF EDIT

    I had to make some changes to your answer file because I use US English language versions of Windows, so I modified the language settings accordingly. However, that should not make any difference to the issue you were seeing.

    I also noticed several other issues with the answer file, so I have made those changes as well.

    Below is a list of items that I addressed.

    NOTE: Because I found several things that needed addressing, I didn't even bother to test the original answer file, especially since I had to change the language settings anyway.

    After installation, I allowed Windows to install updates, and rebooted once. Then I switched over to my Microsoft account. This worked absolutely flawlessly for me.

    Some of the items that I change are probably inconsequential, but those that I think deserve particular attention I explained in a bit more detail below.

    First, let's address the issue regarding the account named "Administrator". After unattended setup, this account is disabled. This is done on purpose to protect this account. Normally, you would only enable it if there was a problem with all other admin accounts on the system. In your case, since you create an admin account called "Testuser", you should be able to perform any admin tasks using that account, but there is no reason that you should not be able to enable and then use the "Administrator" account if you wish to do so.

    List of items I noticed in your answer file

    1) I noticed that your file had a product ID of all zeros. I assume that you likely did that to protect your actual product key. This in turn leads me to question whether you actually supplied a "real" product ID here. Please note that in an answer file, you SHOULD NOT provide a real product activation key. You supply that key AFTER Windows has been installed. In the answer file you supply a so-called "GENERIC" product key. Because there is a generic key, there is no need to protect it in the answer file. You can safely supply this key to other people. The only purpose of the generic key is to tell Windows setup what edition of Windows to install. For example, if you supply a generic Windows Pro key, then setup will know that it should install Windows Pro (as opposed to Home edition, education edition, etc.). This is important because many Windows images contain multiple editions of Windows and setup needs to know what it is expected to install.

    You can find a list of available generic product keys here:

    Generic Product Keys to Install Windows 10 Editions

    Please be aware that a Windows 10 product key is the same as a Windows 11 product key. I know that you are currently working with Windows 10, but in the future simply be aware that the same key will work for the same edition of Windows 11 as well.

    In my testing, I used a Windows Pro Retail Edition generic product key.

    2) I noticed that for AutoLogon, you specified the "Administrator" account. Don't do this! You should specify the user name "Testuser". Note that if you had created more than one admin level user, you could specify any of those user accounts, just don't use the actual "Administrator" account.

    3) On the topic of AutoLogon, here is a point to be aware of:

    As it sits now, AutoLogon would log you on TWICE even though your configuration is set to perform an autologon only once. If you don't care about this, you can skip reading the rest of this section (item #3).

    This is due to a bug in the AutoLogon logic. AutoLogon erroneously adds 1 to the LogonCount value. As a result, you must subtract 1 from the number of times you want it to logon. To logon once, you must make the LogonCount 0. Unfortunately, Windows properly understands a LogonCount of 0 as meaning Never AutoLogon. To correct this, we must make the LogonCount 1 and use a registry entry to correct for this problem. To do this, you would add the following to your answer file:

    Under the "Windows-Shell-Setup" block, you would add a "FirstLogonCommands" block. Under this, you would add "New SynchronousCommand" and then set the following values:

    CommandLine: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoLogonCount /t REG_DWORD /d 0 /f

    Order: 1

    NOTE: In my test, I left this setting as you had it. While it did autologon twice, it made no difference to the functionality of Windows otherwise.

    4) Probably not critical, but you should supply timezone information in Pass 4 specialize by adding the following:

    Windows-Shell-Setup

    Set the "TimeZone" value to the correct timezone.

    A valid list of timezones is available here:

    https://docs.microsoft.com/en-us/pre...ectedfrom=MSDN

    5) In pass 1 windowsPE, you are missing a "UILanguageFallback" entry. You should add this entry to handle anything that has not been localized to your local language. In general (there are some exceptions) this setting should always be set to "en-US".

    The location for this is:

    1 windows PE > Windows-International-Core-WinPE

    Set "UILanguageFallback" to "en-US".

    6) This is almost identical to item #5 above but in a different location.

    The location for this is:

    7 oobeSystem > Windows-International-Core

    Set "UILanguageFallback" to "en-US".

    7) This is identical to item #4 above but in another location. You should supply timezone information in this location:

    7 oobeSystem > Windows-Shell-Setup

    Set the "TimeZone" value to the correct timezone.

    A valid list of timezones is available here:

    https://docs.microsoft.com/en-us/pre...ectedfrom=MSDN

    8) Under 7 oobeSystem > Windows-International-Core, set the following values in addition to what you already have:

    HideOEMRegistrationScreen - set to true
    HideOnlineAccountScreens - set to true
    HideWirelessSetupInOOBE - set to true
    UnattendEnableRetailDemo - set to false

    My personal recommendations and resources

    I know that I have thrown a lot of information at you, but this is what I would suggest:

    First, if you simply want to hack these changes into your answer file, I am supplying below an answer file that I created so that you can use it as a model to see where all of the items I have noted above are located.

    Second, I would suggest taking a look at the tutorial below. This is an EXCELLENT tutorial that will guide you through making your own answer files.

    I'm not a huge fan of the auto answer file generators because it always seems to me that they get something wrong. You might consider using the generator as a starting point, then open the answer file in the "Windows System Image Manager" as outlined in the tutorial to make any corrections / changes as needed.

    IMPORTANT: The tutorial is geared toward a different kind of automated setup, namely, a scenario where you configure a "Reference Machine", customize it, create a new Windows image from that reference system, then deploy that image using unattended setup. That tutorial involves creating 2 different answer files rather than just one as you are doing. Fortunately, this tutorial is EASY to modify to do what you are doing, that is, to deploy Windows unattended with a single answer file and no need for a reference system.

    Below you will find two links: One is to the original tutorial, the second is to post #299 within that same tutorial thread. Post #299 is something that I wrote to tell you what to do to modify that tutorial to do what you want.

    My suggestion would be to read post 299 FIRST so that you can understand what will be done differently in the tutorial, then go back and step through the tutorial.

    Link to tutorial:
    Create media for automated unattended install of Windows 10

    Link to post #299 explaining what to modify in the tutorial:
    Create media for automated unattended install of Windows 10

    Sample answer file:
    Note: This sample answer file has a section called "RunSynchronous". The entries in this section are used to bypass Windows 11 system requirements. This section will not affect Windows 11 at all. If you prefer, you can remove the "RunSynchronous" block.

    Please read the detailed notes about the configuration in the comments at the top of the answer file.
    Code:
    <?xml version="1.0" encoding="utf-8"?>
    <!--
    ************
    * WARNING! *
    ************
    
    This answer file will cause Windows setup to WIPE disk 0 without any warning and to begin installation
    to that disk. It is strongly advised that you do one of the following:
    
    1) If your system has only one HDD / SSD, then that disk is disk 0. Make sure you are okay with this
       drive being wiped before you proceed.
    
    2) Boot from Windows installation media WITHOUT this answer file. Open a command prompt at the first
       static screen by pressing SHIFT + F10, run diskpart, and MAKE SURE that disk 0 is the disk to which
       you want to install.
    
    3) If not certain, use the answer file that stops to ask you to which disk Windows should be installed.
       That answer file does everything the same as this one with the exception of allowing you to choose
       the disk to be used for installation.
    
    ******************
    * END OF WARNING *
    ******************
    
    Notes about this answer file:
    
    1) It includes a Windows 10 / 11 Pro key.
    2) It will install Windows to Disk 0.
    3) It creates an Admin level user named "WinUser", full name "Windows User" with no password.
    4) Because this answer file was created using Windows System Image Manager, the password shows as an encrypted hash.
    5) Locale settings are set to United States English.
    6) Time zone is set to US Central Time.
    7) It includes settings to bypass Windows 11 system requirements.
    8) This answer file can be used with both Windows 10 and 11. The settings to bypass
       Windows 11 system requirement checks will have no effect on Windows 10.
    -->
    <unattend xmlns="urn:schemas-microsoft-com:unattend">
        <settings pass="windowsPE">
            <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <SetupUILanguage>
                    <UILanguage>en-US</UILanguage>
                </SetupUILanguage>
                <InputLocale>en-US</InputLocale>
                <SystemLocale>en-US</SystemLocale>
                <UILanguage>en-US</UILanguage>
                <UILanguageFallback>en-US</UILanguageFallback>
                <UserLocale>en-US</UserLocale>
            </component>
            <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <ImageInstall>
                    <OSImage>
                        <InstallTo>
                            <DiskID>0</DiskID>
                            <PartitionID>4</PartitionID>
                        </InstallTo>
                    </OSImage>
                </ImageInstall>
                <UserData>
                    <ProductKey>
                        <Key>VK7JG-NPHTM-C97JM-9MPGT-3V66T</Key>
                    </ProductKey>
                    <AcceptEula>true</AcceptEula>
                </UserData>
                <RunSynchronous>
                    <RunSynchronousCommand wcm:action="add">
                        <Order>1</Order>
                        <Path>reg add HKLM\System\Setup\LabConfig /v BypassTPMCheck /t reg_dword /d 0x00000001 /f</Path>
                    </RunSynchronousCommand>
                    <RunSynchronousCommand wcm:action="add">
                        <Order>2</Order>
                        <Path>reg add HKLM\System\Setup\LabConfig /v BypassSecureBootCheck /t reg_dword /d 0x00000001 /f</Path>
                    </RunSynchronousCommand>
                    <RunSynchronousCommand wcm:action="add">
                        <Order>3</Order>
                        <Path>reg add HKLM\System\Setup\LabConfig /v BypassRAMCheck /t reg_dword /d 0x00000001 /f</Path>
                    </RunSynchronousCommand>
                    <RunSynchronousCommand wcm:action="add">
                        <Order>5</Order>
                        <Path>reg add HKLM\System\Setup\LabConfig /v BypassCPUCheck /t reg_dword /d 0x00000001 /f</Path>
                    </RunSynchronousCommand>
                    <RunSynchronousCommand wcm:action="add">
                        <Order>4</Order>
                        <Path>reg add HKLM\System\Setup\LabConfig /v BypassStorageCheck /t reg_dword /d 0x00000001 /f</Path>
                    </RunSynchronousCommand>
                </RunSynchronous>
                <DiskConfiguration>
                    <Disk wcm:action="add">
                        <CreatePartitions>
                            <CreatePartition wcm:action="add">
                                <Order>1</Order>
                                <Size>500</Size>
                                <Type>Primary</Type>
                            </CreatePartition>
                            <CreatePartition wcm:action="add">
                                <Order>2</Order>
                                <Size>260</Size>
                                <Type>EFI</Type>
                            </CreatePartition>
                            <CreatePartition wcm:action="add">
                                <Order>3</Order>
                                <Size>128</Size>
                                <Type>MSR</Type>
                            </CreatePartition>
                            <CreatePartition wcm:action="add">
                                <Extend>true</Extend>
                                <Order>4</Order>
                                <Type>Primary</Type>
                            </CreatePartition>
                        </CreatePartitions>
                        <ModifyPartitions>
                            <ModifyPartition wcm:action="add">
                                <Format>NTFS</Format>
                                <Label>WinRE</Label>
                                <Order>1</Order>
                                <PartitionID>1</PartitionID>
                                <TypeID>DE94BBA4-06D1-4D40-A16A-BFD50179D6AC</TypeID>
                            </ModifyPartition>
                            <ModifyPartition wcm:action="add">
                                <Format>FAT32</Format>
                                <Label>System</Label>
                                <Order>2</Order>
                                <PartitionID>2</PartitionID>
                            </ModifyPartition>
                            <ModifyPartition wcm:action="add">
                                <Order>3</Order>
                                <PartitionID>3</PartitionID>
                            </ModifyPartition>
                            <ModifyPartition wcm:action="add">
                                <Format>NTFS</Format>
                                <Label>Windows</Label>
                                <Letter>C</Letter>
                                <Order>4</Order>
                                <PartitionID>4</PartitionID>
                            </ModifyPartition>
                        </ModifyPartitions>
                        <DiskID>0</DiskID>
                        <WillWipeDisk>true</WillWipeDisk>
                    </Disk>
                </DiskConfiguration>
            </component>
        </settings>
        <settings pass="oobeSystem">
            <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <InputLocale>en-US</InputLocale>
                <SystemLocale>en-US</SystemLocale>
                <UILanguage>en-US</UILanguage>
                <UILanguageFallback>en-US</UILanguageFallback>
                <UserLocale>en-US</UserLocale>
            </component>
            <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <OOBE>
                    <HideEULAPage>true</HideEULAPage>
                    <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
                    <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
                    <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
                    <ProtectYourPC>1</ProtectYourPC>
                    <UnattendEnableRetailDemo>false</UnattendEnableRetailDemo>
                </OOBE>
                <UserAccounts>
                    <LocalAccounts>
                        <LocalAccount wcm:action="add">
                            <DisplayName>Windows User</DisplayName>
                            <Group>Administrators</Group>
                            <Name>WinUser</Name>
                            <Password>
                                <Value>UABhAHMAcwB3AG8AcgBkAA==</Value>
                                <PlainText>false</PlainText>
                            </Password>
                        </LocalAccount>
                    </LocalAccounts>
                </UserAccounts>
                <TimeZone>Central Standard Time</TimeZone>
                <AutoLogon>
                    <Enabled>true</Enabled>
                    <LogonCount>1</LogonCount>
                    <Username>WinUser</Username>
                    <Password>
                        <Value>UABhAHMAcwB3AG8AcgBkAA==</Value>
                        <PlainText>false</PlainText>
                    </Password>
                </AutoLogon>
                <FirstLogonCommands>
                    <SynchronousCommand wcm:action="add">
                        <CommandLine>reg add &quot;HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon&quot; /v AutoLogonCount /t REG_DWORD /d 0 /f</CommandLine>
                        <Order>1</Order>
                    </SynchronousCommand>
                </FirstLogonCommands>
            </component>
        </settings>
        <settings pass="specialize">
            <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <OEMName></OEMName>
                <TimeZone>Central Standard Time</TimeZone>
                <ComputerName></ComputerName>
            </component>
        </settings>
        <cpi:offlineImage cpi:source="catalog://godzilla/data/windows/windows tools and deployment apps/assets and tools for deployment/win 11 pro 21h2 catalog file/install_windows 10 pro.clg" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
    </unattend>
    Final Words

    Again, I know I've thrown a lot at you. If there is anything that is unclear or if I can be of any further help, please do let me know!
      My Computers
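
An added example, not part of the thread or any poster's code: a small Python check that walks an answer file for the items listed in post #4 (placeholder product key, AutoLogon as "Administrator", no AutoLogonCount reset, missing UILanguageFallback and TimeZone). It also decodes `<Password>` values stored with `PlainText` set to false, which are Base64 of the UTF-16LE password followed by the element name, not encryption; the value in the sample answer file above decodes to an empty password, matching note 3 in its header. The sample XML, function names and finding strings are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-microsoft-com:unattend"}

# Constructed sample (not the poster's file): a cut-down answer file that
# reproduces the problems listed in post #4.
SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-International-Core-WinPE">
      <UILanguage>en-GB</UILanguage>
    </component>
    <component name="Microsoft-Windows-Setup">
      <UserData><ProductKey><Key>00000-00000-00000-00000-00000</Key></ProductKey></UserData>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Enabled>true</Enabled>
        <LogonCount>1</LogonCount>
        <Username>Administrator</Username>
        <Password><Value>UABhAHMAcwB3AG8AcgBkAA==</Value><PlainText>false</PlainText></Password>
      </AutoLogon>
    </component>
  </settings>
</unattend>"""


def decode_hidden(value, element="Password"):
    """Reverse the Base64 'hiding': UTF-16LE text of password + element name."""
    text = base64.b64decode(value).decode("utf-16-le")
    return text[: -len(element)] if text.endswith(element) else text


def audit(xml_text):
    """Return a list of finding strings for one answer file."""
    root = ET.fromstring(xml_text)
    findings = []
    key = root.findtext(".//u:ProductKey/u:Key", "", NS)
    if key and set(key.replace("-", "")) == {"0"}:
        findings.append("placeholder-product-key")              # item 1
    for settings in root.iterfind("u:settings", NS):
        phase = settings.get("pass")
        for comp in settings.iterfind("u:component", NS):
            name = comp.get("name", "")
            if "International-Core" in name and comp.find("u:UILanguageFallback", NS) is None:
                findings.append(f"{phase}:no-UILanguageFallback")  # items 5, 6
            if name.endswith("Shell-Setup") and comp.find("u:TimeZone", NS) is None:
                findings.append(f"{phase}:no-TimeZone")            # items 4, 7
    auto = root.find(".//u:AutoLogon", NS)
    if auto is not None and auto.findtext("u:Enabled", "", NS).strip().lower() == "true":
        if auto.findtext("u:Username", "", NS).strip().lower() == "administrator":
            findings.append("autologon-as-Administrator")       # item 2
        cmds = root.iterfind(".//u:FirstLogonCommands//u:CommandLine", NS)
        if not any("AutoLogonCount" in (c.text or "") for c in cmds):
            findings.append("autologon-count-not-reset")        # item 3
    for el in root.iter():
        tag = el.tag.split("}")[-1]
        value = el.findtext("u:Value", None, NS)
        if tag.endswith("Password") and value is not None:
            # PlainText=false only means Base64, so the value is recoverable
            # by anyone who can read the file. An absent PlainText element is
            # treated as clear text (an assumption of this example).
            hidden = el.findtext("u:PlainText", "true", NS).strip().lower() == "false"
            clear = decode_hidden(value.strip(), tag) if hidden else value
            kind = "encoded-only" if hidden else "plaintext"
            findings.append(f"{tag}:{kind}:{'empty' if clear == '' else 'set'}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Because the encoding is reversible, an answer file that carries a real password needs the same handling as the password itself, including the copy left on the installation USB stick.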


  5. Posts : 11,247
    Windows / Linux : Arch Linux
       #5

    Hi there
    @eldaria

    I also recommend reading MS's documentation on setting up via SYSPREP for custom installs -- especially if having to do it for a lot of machines, e.g. in a workplace or corporate environment.

    Nothing wrong either with the previous poster's info.

    https://docs.microsoft.com/en-us/win...iew=windows-11

    Incidentally, I also use Linux regularly and generally run W11 and W10 as VMs using KVM/QEMU. My main laptop runs KDE Plasma on Arch Linux and I set up Windows on vhdx files and have installed (edk2--)ovmf for VM UEFI boot and the IBM TPM emulator for TPM V2. For better video etc. download the Windows virtio ISO from the Fedora / Red Hat site. The VM also copies easily to real machines for V2P conversion, where after boot Windows will grab any missing "real" hardware drivers. You might have to re-install the Windows boot loader again but that's easy enough.

    Also using dism /Apply-Image and bcdboot to install Windows and the bootloader should make it easier to create "answerless custom install scripts".

    If you get hosed up with partitioning GPARTED stand alone partitioner is brilliant - you shouldn't have any trouble using it if required. Diskpart -->select disk -->clean-->convert gpt is also a good way in Windows to reset and empty partitions / disk.

    cheers
    jimbo


  6. Posts : 2
    Manjaro
    Thread Starter
       #6

    Thanks a lot for that write up.
    Indeed a lot of reading, I then added this to my read later; it's summer time and I'm alone in IT at the moment.

    I tried the config you provided; I only changed the regional settings, the time zone and ProtectYourPC.
    However, after install it still will not let me sign in with a business Office365 account.
    It still tells me it is not a Microsoft account instead of redirecting to the adfs page.

    Another thing I was wondering. Is it possible to enforce disk encryption?
    I noticed that it is not enabled after installing.


 
