FredrikHofgren-1591 asked Crystal-MSFT edited

Rash of computers failing network join during the Intune ESP

Greetings
As of last week we've had an increasing number of Windows 10 (20H2) getting stuck at the Intune Enrollment Status Page and reporting failed at "joining computer network". The computers are all hybrid joined without autopilot and EV reports them as AAD joined in Microsoft-Windows-User Device Registration/Admin. The error appears regardless of which user is logging in as long as it's an AD account; local accounts can log in without errors and the domain user can log into another computer. So far we've tried to remove some of the computer accounts from the on-prem domain, Intune and AAD without luck.

Any tips?

Regards
Fredrik

mem-intune-enrollment

@FredrikHofgren-1591, from your description, it seems that some Windows 10 20H2 devices fail to log in during ESP with the error "joining computer network". If there's any misunderstanding, please let us know.

To clarify our issue, could you collect the following information for us:
1. Could you get a screen shot of the error we get during ESP?
2. Could you let us know which enrollment method we use on the affected device?
3. Could you get a screen shot of the device status in Azure AD to see if there's any issue with the device? Were there any duplicate records for this device?
4. Could you check the AAD event log to see if there's any related error?
Please collect the above information and if there's any update, feel free to let us know.


FredrikHofgren-1591 answered Crystal-MSFT edited

Hi
We have the "skip ESP" OMA-URI in effect already and it hasn't helped.
Meanwhile I did some digging in the registry of one of our affected computers and under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning there were a lot of keys labeled autopilot, which I thought was strange since we don't use autopilot. For better or worse I deleted those keys and after a reboot I was presented with a normal ESP which was skippable and the user could go back to work. This workaround seems to be effective on all affected computers so far.

Regards
Fredrik
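
The workaround in the answer above deletes registry keys outright. As an added example (not part of the original post), this PowerShell script inventories the Autopilot-labelled keys under that path and exports each to a `.reg` file before anything is removed; the backup folder and the name-contains-"autopilot" match are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: back up (and optionally remove) Autopilot-labelled provisioning keys.
# Assumption: "labeled autopilot" means the key name contains "autopilot".
param(
    [string]$BackupDir = "$env:SystemDrive\ProvisioningBackup",  # hypothetical folder
    [switch]$Remove                                              # delete only on request
)

$root = 'HKLM:\SOFTWARE\Microsoft\Provisioning'
$hits = @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match 'autopilot' })

# Keep only the top-most matches: exporting or deleting a parent covers its children.
$cmp = [System.StringComparison]::OrdinalIgnoreCase
$top = @($hits | Where-Object {
    $name = $_.Name
    -not ($hits | Where-Object { $name.StartsWith($_.Name + '\', $cmp) })
})

if (-not $top) { Write-Output "No Autopilot-labelled keys under $root"; return }
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($key in $top) {
    # $key.Name is the full HKEY_LOCAL_MACHINE\... path that reg.exe expects.
    $file = Join-Path $BackupDir (($key.Name -replace '[\\/:*?"<>| ]', '_') + '.reg')
    reg.exe export $key.Name $file /y | Out-Null
    $backedUp = ($LASTEXITCODE -eq 0) -and (Test-Path -LiteralPath $file)

    $removed = $false
    if ($Remove -and $backedUp) {
        # Never delete a key that was not exported successfully.
        Remove-Item -LiteralPath $key.PSPath -Recurse -Force
        $removed = -not (Test-Path -LiteralPath $key.PSPath)
    }
    [pscustomobject]@{
        Key      = $key.Name
        Backup   = $file
        BackedUp = $backedUp
        Removed  = $removed
    }
}
```

Run without `-Remove` first to see which keys match; the exported `.reg` files can be re-imported if the removal has side effects.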


@FredrikHofgren-1591 Thanks for sharing. I'm glad to hear we resolved our issue by deleting the registry keys labeled Autopilot. Congratulations! If there is anything else we can help with in the future, feel free to post in our Q&A to discuss it together.

Thanks for your time and have a nice day.

FredrikHofgren-1591 answered Crystal-MSFT edited

Hi
Thank you for the answer. I'll fill in with some details.
Question #1: Below is a screenshot of the ESP page, the user cannot proceed but you can access task manager and sign in as a different user

[Screenshot: 89483-image.png]
Question #2: My bad, I should have included this in my first post. We autoenroll the majority of our PCs using a GPO as described at https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy

Question #3: [Screenshot: 89511-image.png]

Question #4: The AAD Event log on the PC show a few warnings but nothing that indicates a problem with the AAD computer account.
[Screenshot: 89512-image.png]

The troubleshooting steps I've taken so far are to delete the device from AAD and Intune and wait for a resync from AD. No luck. One workaround that does however work is if I disconnect the PC from the AD, reconnect it and then enroll the PC to Intune manually. After that procedure the user is able to access the PC normally.

Regards
Fredrik

Crystal-MSFT answered Crystal-MSFT edited

@FredrikHofgren-1591 Thanks for the reply. To protect the information in our environment, we have hidden some of it for you.

From the pictures, I notice it failed while joining the organization in Account setup. Based on our research, this stage obtains the Primary Refresh Token (PRT) and authenticates with Azure AD.
https://docs.microsoft.com/en-us/troubleshoot/mem/intune/understand-troubleshoot-esp#account-setup

I think the issue can occur when obtaining the PRT. To check on this, log analysis is necessary. Because of Q&A limitations, for such an issue we suggest opening a case to troubleshoot this. Here is a link about opening a case:
https://docs.microsoft.com/en-us/mem/get-support

As a workaround, maybe we can try to skip the Account setup phase by creating a custom device configuration profile in Intune:

OMA-URI: ./Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage
Data type: Boolean
Value: True
https://docs.microsoft.com/en-us/windows/client-management/mdm/dmclient-csp

Thanks for the understanding and have a nice day!
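
The answer above suspects the Primary Refresh Token step. As an added example (not part of the original answer), this PowerShell snippet parses `dsregcmd /status` to show join state and whether the signed-in user holds a PRT, then lists recent warnings and errors from the User Device Registration log named in the question; run it in the affected user's session, since `AzureAdPrt` is reported per user.

```powershell
# Added example: summarise device-join and PRT state for the signed-in user.
function Get-DsregState {
    $state = [ordered]@{}
    foreach ($line in (dsregcmd.exe /status)) {
        # Lines look like "   AzureAdPrt : YES"; split on the first colon only.
        if ($line -match '^\s*([A-Za-z]\w*)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

$s      = Get-DsregState
$hybrid = ($s['AzureAdJoined'] -eq 'YES') -and ($s['DomainJoined'] -eq 'YES')
$hasPrt = ($s['AzureAdPrt'] -eq 'YES')

[pscustomobject]@{
    User          = "$env:USERDOMAIN\$env:USERNAME"
    AzureAdJoined = $s['AzureAdJoined']
    DomainJoined  = $s['DomainJoined']
    HybridJoined  = $hybrid
    AzureAdPrt    = $s['AzureAdPrt']
    PrtUpdateTime = $s['AzureAdPrtUpdateTime']
    DeviceId      = $s['DeviceId']
}

if ($hybrid -and -not $hasPrt) {
    Write-Warning 'Hybrid joined, but this user has no PRT: Account setup cannot authenticate to Azure AD.'
}

# Recent errors (level 2) and warnings (level 3) from the log named in the question.
$log = 'Microsoft-Windows-User Device Registration/Admin'
Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2, 3 } -MaxEvents 20 `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```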
