
Autopilot Hybrid Join Troubleshooting Series – Account Setup -Part1

Back to the “Autopilot Hybrid Join Troubleshooting Series”: this post continues the Autopilot hybrid join troubleshooting process, with a focus on “Account Setup”.

During the Account Setup phase, various challenges can arise, such as network issues and authentication errors. This guide walks you through the flow and the troubleshooting steps to resolve these issues effectively, ensuring a smooth and efficient deployment process. By following the best practices and solutions outlined in this series, IT professionals can sharpen their troubleshooting skills and improve the overall success rate of Autopilot Hybrid Join deployments.

We started the series with Device Enrollment, followed by an explanation of Offline Domain Join, and then moved on to the ESP categories, starting with the Device Preparation category.

The next step is the Device Setup category, which will be detailed in a separate post and is not exclusive to hybrid. Lastly, we cover the Account Setup category in this post.

This post focuses on the flow; the next one covers troubleshooting.

Autopilot Hybrid Join Troubleshooting – Account Setup – The Flow

  1. Once the device setup phase is complete, the user is presented with the Windows logon screen, where they sign in with their AD credentials to authenticate against the on-prem domain. The device therefore needs line of sight to a domain controller, either directly when it is on the corporate network or through a VPN.

Note: If the Hybrid Autopilot process is conducted over a VPN and the connection is initiated manually, the user will see an additional network logon icon. This step must be completed before proceeding with the Windows logon, as it establishes the VPN connection to the corporate network that Active Directory authentication and Hybrid Azure AD Join registration require.

However, if no VPN is required or if the VPN connection is automatically established, the user will be taken directly to the Windows logon screen without any extra steps.

  2. Account setup begins, and its first step is “Joining your organization’s network”. This step only monitors the Hybrid Azure AD Join registration; it does not initiate or control it, since registration depends on other components (Entra AD Connect and Entra AD).

Note: in some scenarios the hybrid registration can complete before the end user logs into Windows with Active Directory (AD) credentials, provided the device has line of sight to a domain controller.

If the hybrid registration is not finalized by this point, the ESP cannot proceed with processing user-assigned configurations. Instead, it will wait at the Account Setup > Joining your organization’s network step until registration is complete and a user token is obtained through an additional authentication prompt.

So, the question is: when can the hybrid Azure AD join registration be considered complete?

This happens when:

  • The device has been synchronized from on-prem AD to Entra AD by Entra AD Connect (by default the delta sync cycle runs every 30 minutes).
  • The device is in a registered state in Entra AD, not in a pending state.
  3. Additional authentication prompt

Why is this additional authentication needed, and does it happen against on-prem AD or Entra AD?

  • This authentication happens against Entra AD.
  • The ESP > Account Setup phase is responsible for tracking user-assigned policies and applications. To retrieve this information, the device must sync in the user context, which requires an Entra AD user token. However, this token is only issued when:
    a) The device has already completed the Hybrid Azure AD Join process, and
    b) The user has logged into Windows.
  • If the Device Setup phase finishes and the user logs in before the Hybrid Join process is complete, Windows will allow the login, but an AAD user token won’t be issued. Without this token, the device cannot sync in user context, causing the ESP > Account Setup > Joining your organization’s network step to pause. It waits until the Hybrid Join process completes and then prompts the user for an additional login. Once the user authenticates, the required AAD user token is obtained, enabling the ESP to continue processing user-assigned policies and apps.
  • However, if the Hybrid Azure AD Join process completes before the user logs in, then the Account Setup > Joining your organization’s network step will already be completed by the time the user reaches the User ESP. In this case, no additional authentication is needed, as the AAD user token is automatically issued during the Windows login, allowing the device to sync in user context without interruption.
  4. Then the user-assigned policies, apps and certificates are deployed.

Once all payload assigned to the user has been deployed successfully, the user reaches the desktop.

In this post we explained the flow for Autopilot hybrid AD join – Account Setup; in the next one we will explore the troubleshooting part.
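As an added illustration (not part of the original post), the check below parses `dsregcmd /status` output on the device and maps the `DomainJoined`, `AzureAdJoined` and `AzureAdPrt` fields to the three states described above: registration not finished (ESP waits at “Joining your organization’s network”), registered but no user token yet (expect the additional authentication prompt), and registered with a user token (user-assigned payload can sync). It assumes the AAD user token the post refers to is reflected by the `AzureAdPrt` field; the `Get-HybridJoinState` name and the sample output are constructed for this example.

```powershell
# Added example, not from the original post: summarise the dsregcmd /status
# fields that explain where Account Setup is waiting on a hybrid-joined device.
function Get-HybridJoinState {
    param(
        # Optional: pass captured dsregcmd output (e.g. from a support case);
        # when omitted, dsregcmd /status is run on the local device.
        [string[]]$StatusText
    )
    if (-not $StatusText) { $StatusText = & dsregcmd.exe /status }

    # Parse "Key : Value" lines into a hashtable (section headers have no colon)
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }

    $domainJoined = $fields['DomainJoined']  -eq 'YES'
    $aadJoined    = $fields['AzureAdJoined'] -eq 'YES'
    $hasPrt       = $fields['AzureAdPrt']    -eq 'YES'   # assumption: PRT = the AAD user token

    if (-not ($domainJoined -and $aadJoined)) {
        $expected = 'Registration not finished: ESP waits at "Joining your organization''s network"'
    } elseif (-not $hasPrt) {
        $expected = 'Registered but no user token yet: expect the additional authentication prompt'
    } else {
        $expected = 'Registered with user token: user-assigned policies and apps can sync'
    }

    [pscustomobject]@{
        DomainJoined         = $domainJoined
        HybridJoinRegistered = ($domainJoined -and $aadJoined)
        UserTokenIssued      = $hasPrt
        TenantName           = $fields['TenantName']
        DeviceId             = $fields['DeviceId']
        ExpectedEspBehaviour = $expected
    }
}

# Constructed sample (not output from any real device) so the parse can be tried offline:
$sample = @(
    '    AzureAdJoined : YES',
    '    DomainJoined : YES',
    '    TenantName : Contoso',
    '    AzureAdPrt : NO'
)
Get-HybridJoinState -StatusText $sample | Format-List
```

Run `Get-HybridJoinState` with no arguments in the signed-in user's context on the device, since the `AzureAdPrt` value is reported for the current user.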

For a detailed, step-by-step guide on setting up an Autopilot Hybrid environment, check out this comprehensive resource from the “How to Manage Devices” blog to help you through the entire process:

Windows Autopilot Hybrid Domain Join Step-by-Step Implementation Guide
