Welcome to Part 2 of our Autopilot Hybrid Join Troubleshooting – Account Setup series. In Part 1 we walked through the overall flow of the Account setup category, to give a high-level understanding of how the process works and what to expect during setup. In this second installment we dive deeper into troubleshooting; specifically, how to check and analyze the logs from both the client and the on-premises servers. By the end of this article you should have the tools and knowledge to identify and resolve the common issues that arise during Account setup in an Autopilot Hybrid Join scenario. Let's get started!
Autopilot Hybrid Join Troubleshooting Account Setup – What Logs Are Required
Before diving into troubleshooting, it’s crucial to gather the necessary logs from both the client device and on-premises infrastructure. These logs will help identify potential issues during the Autopilot Hybrid Join process. Below are the key logs you need to collect:
1. Client-Side Logs
Because the device has already completed enrollment by the time Account setup runs, the easiest way to collect client logs is the Collect diagnostics remote action in the Intune admin center; the resulting bundle contains the MDM diagnostics output and the event logs referenced in this article. See the following doc:
https://learn.microsoft.com/en-us/mem/intune/remote-actions/collect-diagnostics#collect-diagnostics
2. On-Premises Server Logs
For the Account setup phase, the on-premises component to check is Microsoft Entra Connect (formerly Azure AD Connect): its sync status, schedule and scope.
3. Service side logs
We may also need to check the Microsoft Entra sign-in logs for the user.
Autopilot Hybrid Join Account Setup – Troubleshooting
Back to the flow we explained in Part 1:
- The Windows logon screen is displayed, and the user has to sign in with their AD credentials, which are authenticated against the on-premises domain.
If the user fails to authenticate at this step, the cause is either a lack of connectivity to a domain controller or a failure in the authentication itself. Make sure the device has line of sight to a domain controller, either directly or over VPN.
If VPN is used, confirm that the VPN configuration was delivered to the device, that the user can authenticate to the VPN, and that the tunnel is actually connected at the time of logon.
- Joining your organization's network. As mentioned in Part 1, this step monitors the Microsoft Entra hybrid join registration; it completes once the device has been synchronized from on-premises AD to Entra ID and has registered.
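The logon step above fails most often because the device cannot reach a domain controller. The following PowerShell is an added example, not part of the original post, for checking that line of sight from the client (for instance from a Shift+F10 command prompt during OOBE, or after the user eventually gets in). The domain name is a placeholder.

```powershell
# Added example, not part of the original post: check domain controller line of
# sight from the client. $Domain is a placeholder for your AD DNS domain.
param(
    [string]$Domain = 'corp.contoso.com'   # placeholder, replace with your AD DNS domain
)

# 1. Can the DC locator find a domain controller at all? /force bypasses the cache.
$locator = nltest "/dsgetdc:$Domain" /force 2>&1
$dcLine  = $locator | Select-String '^\s*DC:\s*\\\\'
if (-not $dcLine) {
    Write-Warning "DC locator failed for $Domain. nltest output:`n$($locator -join "`n")"
    # No DC found usually means DNS or the VPN tunnel: show what the SRV lookup returns.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
        Format-Table Name, NameTarget, Port -AutoSize
    return
}
$dc = ($dcLine.ToString() -replace '^\s*DC:\s*\\\\', '').Trim()
"Located DC: $dc"

# 2. Ports the domain logon and the offline domain join completion depend on.
$ports = [ordered]@{ 'Kerberos' = 88; 'LDAP' = 389; 'SMB' = 445; 'RPC endpoint mapper' = 135 }
foreach ($p in $ports.GetEnumerator()) {
    $r = Test-NetConnection -ComputerName $dc -Port $p.Value -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    "{0,-20} {1,5}  {2}" -f $p.Key, $p.Value, $state
}

# 3. Join state as the client itself reports it.
dsregcmd /status | Select-String 'DomainJoined|DomainName|AzureAdJoined|AzureAdPrt\s*:|TenantName'
```

If the locator fails while the SRV lookup succeeds, the problem is usually that the VPN tunnel is not up at logon time; if both fail, start with DNS on the VPN adapter.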
Let's go through the device states in Entra ID and what is expected during the Autopilot hybrid process:
- Before the user starts Autopilot, there is already one object for the device in Entra ID with join type "Microsoft Entra joined". This object is created when the admin uploads the hardware hash, i.e., when the device is registered in Autopilot.

- As mentioned, during "Joining your organization's network" we are waiting for the device to be synchronized to Entra ID. This creates a second object for the same device: when the device joined the on-premises domain during the offline domain join, the computer object is synchronized to Entra ID by Entra Connect, and it shows up with join type "Microsoft Entra hybrid joined" and registration state Pending.

- If the second object with the "hybrid joined" type is missing, check Entra Connect: has a sync run since the computer object was created, what is the delta sync interval (by default it runs every 30 minutes), and is the organizational unit that holds the hybrid devices included in the synchronization scope?
- This can also be confirmed from the client side in the Microsoft-Windows-User Device Registration/Admin event log (microsoft-windows-user device registration-admin.evtx in the diagnostics bundle).
- If that log still shows the error "missing_device", the device has not yet been synchronized to Entra ID.

- The device then begins registration. Once it completes, the Registered column in the Entra portal shows a date instead of Pending.

- If the device is stuck in the Pending registration state, or for any other problem during registration, check the Microsoft-Windows-User Device Registration/Admin event log (it is included in the MDM diagnostics logs).
- Registration is triggered by the task Automatic-Device-Join under Task Scheduler –> Microsoft –> Windows –> Workplace Join.
- The Microsoft doc "How Microsoft Entra device registration works – Microsoft Entra ID | Microsoft Learn" explains the flow.
- In the Microsoft-Windows-User Device Registration/Admin log, these are the expected events for a successful registration:
- The discovery request send operation was successful.
- The discovery operation callback was successful. Server response was: xxx
- The initialization of the join request was successful. Inputs: JoinRequest: 7 (DEVICE_AUTO) Domain: xxx.onmicrosoft.com
- The get join response operation callback was successful. Activity Id: xxxxx, Server response was: {“Certificate”:{“Thumbprint”:” the Thumbprint of the certificate
- The registration status has been successfully flushed to disk. Join type: 7 (DEVICE_AUTO)
- The complete join response operation was successful.
- Automatic registration Succeeded.
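Rather than reading the log by eye, the expected sequence above can be checked mechanically. The following PowerShell is an added example, not part of the original post: it summarizes the most recent registration attempt from the Microsoft-Windows-User Device Registration/Admin log, either live on the device or from the .evtx exported in the Intune diagnostics bundle (the -EvtxPath parameter is mine), and flags the "missing_device" error discussed above.

```powershell
# Added example, not part of the original post: summarize the latest hybrid join
# registration attempt from Microsoft-Windows-User Device Registration/Admin.
param(
    [string]$EvtxPath   # optional: path to microsoft-windows-user device registration-admin.evtx
)

$logName = 'Microsoft-Windows-User Device Registration/Admin'
$events  = if ($EvtxPath) { Get-WinEvent -Path $EvtxPath -Oldest } else { Get-WinEvent -LogName $logName -Oldest }

# Message fragments of the expected sequence listed above; matched as substrings so
# the variable parts (activity IDs, tenant domain, thumbprint) do not matter.
$expected = @(
    'The discovery request send operation was successful',
    'The discovery operation callback was successful',
    'The initialization of the join request was successful',
    'The get join response operation callback was successful',
    'The registration status has been successfully flushed to disk',
    'The complete join response operation was successful',
    'Automatic registration Succeeded'
)

# Look only at the latest attempt: everything from the last discovery request onwards.
$lastDiscovery = $events | Where-Object { $_.Message -like '*discovery request send operation*' } | Select-Object -Last 1
$attempt = if ($lastDiscovery) { $events | Where-Object { $_.TimeCreated -ge $lastDiscovery.TimeCreated } } else { $events }
if (-not $attempt) { Write-Warning 'No registration events at all: check that the Automatic-Device-Join task ran.'; return }

"Registration attempt starting $(if ($lastDiscovery) { $lastDiscovery.TimeCreated } else { '(unknown)' }):"
foreach ($step in $expected) {
    $hit = $attempt | Where-Object { $_.Message -like "*$step*" } | Select-Object -First 1
    "[{0}] {1}" -f $(if ($hit) { ' OK ' } else { 'MISS' }), $step
}

# Errors in the same window. "missing_device" means Entra ID does not have the computer
# object yet, i.e. Entra Connect has not synced it: a timing problem, not a client problem.
$attempt | Where-Object { $_.Level -eq 2 } | ForEach-Object {
    $firstLine = ($_.Message -split "`r?`n")[0]
    $hint = if ($_.Message -match 'missing_device') { '  <- device not synced to Entra ID yet' } else { '' }
    "ERROR {0} (EventId {1}): {2}{3}" -f $_.TimeCreated, $_.Id, $firstLine, $hint
}

# On a live device, also check the task that fires registration; a task that never
# ran explains a device stuck in Pending with no events to analyze.
if (-not $EvtxPath) {
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join' |
        Get-ScheduledTaskInfo |
        Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
}
```

A MISS on "The initialization of the join request" with no errors usually means the task has not fired yet; a MISS after that point with a missing_device error means the wait is on Entra Connect, not on the client.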
- Additional Authentication prompt
Ideally, hybrid registration finishes before Device setup concludes. In that case, when the user reaches the Windows logon screen and signs in with their Active Directory (AD) credentials, a Microsoft Entra Primary Refresh Token (PRT) is obtained and the user moves smoothly into the Account setup phase. The first step, "Joining your organization's network", is already complete, and the system moves on to applying the user-assigned configuration.
However, the timing of hybrid registration is not something you control through Intune or Autopilot. It depends on the factors explained above: network visibility to a domain controller (direct or via VPN) and the Entra Connect sync schedule.
If the user reaches Account setup while hybrid registration has still not completed, the first step monitors it until it is done, as explained above. At that point an extra authentication prompt appears and the user has to sign in again. Once they authenticate, an Entra user token is issued, which allows the device to sync with the MDM service in the user context and process the user-assigned configuration tracked in the User ESP phase.
Once the sync completes, this is the final state of the two objects in Entra ID:

- The user-assigned policies, apps and certificates are then deployed.
All of these steps can be tracked in the Microsoft-Windows-Shell-Core/Operational event log (microsoft-windows-shell-core-operational.evtx in the diagnostics bundle):
- Account Setup Category Started:
- CloudExperienceHost Web App Event 2. Name: ‘CommercialOOBE_ESPProgress_Category_Started’, Value: ‘{“message”:”BootstrapStatus: Starting category AccountSetupCategory…”,”errorCode”:0}’.
- Joining your organization’s network started
- CloudExperienceHost Web App Event 2. Name: ‘CommercialOOBE_BootstrapStatusCategory_SubcategoryProcessing_Started’, Value: ‘{“message”:”BootstrapStatus: Starting subcategory AccountSetup.WaitingForAadRegistrationSubcategory…”,”errorCode”:0}’.
- There is a timeout of 1.5 hours (5,400,000 ms) for this step to complete:
- CloudExperienceHost Web App Event 2. Name: ‘CommercialOOBE_ESPAccountSetup_AadRegistration_Wait’, Value: ‘{“message”:”BootstrapStatus: AAD registration timeout set to 5400000“,”errorCode”:0}’.
- CloudExperienceHost Web App Event 2. Name: ‘CommercialOOBE_ESPAccountSetup_StartAadRegistration_Success’, Value: ‘{“message”:”BootstrapStatus: Starting AAD device registration task succeeded“,”errorCode”:0}’.
- CloudExperienceHost Web App Event 2. Name: ‘CommercialOOBE_ESPAccountSetup_AadRegistrationTask_Complete’, Value: ‘{“message”:”BootstrapStatus: AAD device registration task completed with hresult 0″,”errorCode”:0}’.
- CloudExperienceHost Web App Event 2. Name: ‘CommercialOOBE_BootstrapStatusCategory_SubcategoryProcessing_Success’, Value: ‘{“message”:”BootstrapStatus: Subcategory ID = AccountSetup.WaitingForAadRegistrationSubcategory; state = succeeded.”,”errorCode”:0}’.
- Additional Authentication Prompt
- CloudExperienceHost Web App Event 2. Name: ‘CommercialOOBE_BootstrapStatusCategory_SubcategoryProcessing_Started’, Value: ‘{“message”:”BootstrapStatus: Starting subcategory AccountSetup.PrepareMultifactorAuth…”,”errorCode”:0}’.
- CloudExperienceHost Web App Event 2. Name: ‘CommercialOOBE_ESPAccountSetup_MultifactorAuth_Preparation’, Value: ‘{“message”:”BootstrapStatus: Requesting AAD user token“,”errorCode”:0}’.
- CloudExperienceHost Web App Event 2. Name: ‘CommercialOOBE_ESPAccountSetup_AadTokenRequest_Success’, Value: ‘{“message”:”BootstrapStatus: AAD user token successfully requested“,”errorCode”:0}’.
- Joining your organization’s network completed
- CloudExperienceHost Web App Event 2. Name: ‘CommercialOOBE_BootstrapStatusCategory_SubcategoryProcessing_Success’, Value: ‘{“message”:”BootstrapStatus: Subcategory ID = AccountSetup.PrepareMultifactorAuth; state = succeeded.”,”errorCode”:0}’.
- The user-assigned policies, apps and certificates are deployed, with the four subcategories each reporting started and succeeded:
- CloudExperienceHost Web App Event 2. Name: ‘CommercialOOBE_BootstrapStatusCategory_SubcategoryProcessing_Started’, Value: ‘{“message”:”BootstrapStatus: Starting subcategory AccountSetup.SecurityPoliciesSubcategory…”,”errorCode”:0}’.
- …
- CloudExperienceHost Web App Event 2. Name: ‘CommercialOOBE_BootstrapStatusCategory_SubcategoryProcessing_Started’, Value: ‘{“message”:”BootstrapStatus: Starting subcategory AccountSetup.AppsSubcategory…”,”errorCode”:0}’.
- …
- CloudExperienceHost Web App Event 2. Name: ‘CommercialOOBE_ESPAccountSetup_PoliciesInstallation_Succeeded’, Value: ‘{“message”:”BootstrapStatus: Policies application completed successfully.”,”errorCode”:0}’.
- CloudExperienceHost Web App Event 2. Name: ‘CommercialOOBE_BootstrapStatusCategory_SubcategoryProcessing_Success’, Value: ‘{“message”:”BootstrapStatus: Subcategory ID = AccountSetup.AppsSubcategory; state = succeeded.”,”errorCode”:0}’.
- End of the Account setup category:
- CloudExperienceHost Web App Event 2. Name: ‘CommercialOOBE_ESPProgress_Category_Success’, Value: ‘{“message”:”BootstrapStatus: Category AccountSetupCategory succeeded.“,”errorCode”:0}’.
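The events above all share one shape (a Name and a JSON Value), so the whole Account setup timeline can be rebuilt from the log. The following PowerShell is an added example, not part of the original post: it parses the CommercialOOBE_* events from the Microsoft-Windows-Shell-Core/Operational log (live, or from the .evtx in the bundle via the -EvtxPath parameter, which is mine), pairs each subcategory's start with its end event, and compares the hybrid registration wait against the 5400000 ms timeout the client logged.

```powershell
# Added example, not part of the original post: rebuild the Account setup (User ESP)
# timeline from Microsoft-Windows-Shell-Core/Operational.
param(
    [string]$EvtxPath   # optional: path to microsoft-windows-shell-core-operational.evtx
)

$logName = 'Microsoft-Windows-Shell-Core/Operational'
$raw = if ($EvtxPath) { Get-WinEvent -Path $EvtxPath -Oldest } else { Get-WinEvent -LogName $logName -Oldest }

# Each ESP message has the shape:
#   CloudExperienceHost Web App Event 2. Name: 'CommercialOOBE_...', Value: '{"message":"...","errorCode":0}'.
$pattern = "Name: '(?<name>CommercialOOBE_[^']+)', Value: '(?<value>\{.*\})'"

$esp = foreach ($e in $raw) {
    if ($e.Message -match $pattern) {
        $name  = $Matches.name
        $value = $Matches.value
        $json  = try { $value | ConvertFrom-Json } catch { $null }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Name      = $name
            Message   = if ($json) { $json.message } else { $value }
            ErrorCode = if ($json) { $json.errorCode } else { $null }
        }
    }
}

# Keep only the last Account setup category run in the log.
$start = $esp | Where-Object { $_.Message -like '*Starting category AccountSetupCategory*' } | Select-Object -Last 1
if (-not $start) { throw 'No AccountSetupCategory start event found; Account setup never began on this device.' }
$acct = $esp | Where-Object { $_.Time -ge $start.Time }

# Pair every "Starting subcategory X" with its "Subcategory ID = X; state = ..." event.
$timeline = foreach ($s in ($acct | Where-Object { $_.Message -match 'Starting subcategory ' })) {
    if ($s.Message -notmatch 'Starting subcategory (?<id>[\w\.]+)') { continue }
    $id  = $Matches.id
    $end = $acct | Where-Object { $_.Time -ge $s.Time -and $_.Message -like "*Subcategory ID = $id; state = *" } | Select-Object -First 1
    $state = if ($end -and $end.Message -match 'state = (?<st>\w+)') { $Matches.st } else { 'no end event' }
    [pscustomobject]@{
        Subcategory = $id
        State       = $state
        Started     = $s.Time
        Duration    = if ($end) { $end.Time - $s.Time } else { $null }
    }
}
$timeline | Format-Table Subcategory, State, Started, Duration -AutoSize

# Compare the hybrid registration wait with the timeout the client logged (5400000 ms = 1.5 h).
$wait = $timeline | Where-Object Subcategory -eq 'AccountSetup.WaitingForAadRegistrationSubcategory'
$timeoutEvt = $acct | Where-Object { $_.Message -match 'AAD registration timeout set to \d+' } | Select-Object -First 1
if ($wait -and $timeoutEvt -and $timeoutEvt.Message -match 'timeout set to (?<ms>\d+)') {
    $timeout = [timespan]::FromMilliseconds([double]$Matches.ms)
    $spent   = if ($null -ne $wait.Duration) { $wait.Duration } else { ($acct | Select-Object -Last 1).Time - $wait.Started }
    "Hybrid registration wait: {0} (client timeout {1})" -f $spent, $timeout
    if ($spent -ge $timeout) { Write-Warning 'The wait hit the timeout: the device was not registered in Entra ID in time. Check Entra Connect sync timing.' }
}

# Any non-zero errorCode is the place to start reading.
$acct | Where-Object { $null -ne $_.ErrorCode -and $_.ErrorCode -ne 0 } | Format-Table Time, Name, Message, ErrorCode -AutoSize
```

A subcategory with "no end event" is the one the device was sitting in when the log was collected; a long WaitingForAadRegistrationSubcategory duration followed by PrepareMultifactorAuth is the additional authentication prompt scenario described above.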
Solving a specific scenario
As we have seen, completion of the Entra hybrid join device registration depends on the Entra Connect sync cycle, which by default runs every 30 minutes, because that cycle is what synchronizes the newly created AD computer object into Entra ID.
If the delta cycle is configured to run, for example, every 2 hours, "Joining your organization's network" can time out (after 1.5 hours) before the next delta cycle even starts. For this problem, Michael Niehaus has a great article introducing a script that speeds up the delta cycle:
Here is the post “Supercharge the Hybrid Azure AD Join device registration process“
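The server-side checks raised earlier (did a sync run, what is the delta interval, is the device OU in scope) and the idea of not waiting for the scheduler can be done from one PowerShell session on the Entra Connect server. The following is an added example, not part of the original post and not Michael Niehaus's script: it assumes the ADSync module installed with Entra Connect, the ActiveDirectory RSAT module, and, optionally, a connected Microsoft Graph PowerShell session; the OU and domain names are placeholders.

```powershell
# Added example, not part of the original post and not Michael Niehaus's script:
# run on the Microsoft Entra Connect server to see why a freshly domain-joined
# Autopilot device has not shown up in Entra ID, and to start a delta sync now.
# $DeviceOU is a placeholder for the OU your offline domain join profile targets.
param(
    [Parameter(Mandatory)] [string]$DeviceName,
    [string]$DeviceOU = 'OU=AutopilotDevices,DC=corp,DC=contoso,DC=com'   # placeholder
)

Import-Module ADSync
Import-Module ActiveDirectory

# 1. The offline domain join must have created the computer object, in an OU that
#    Entra Connect actually syncs. userCertificate is written by the device's
#    Automatic-Device-Join task and is required by the "In from AD - Computer Join"
#    sync rule, so an object without it is never synced as a hybrid device.
$computer = Get-ADComputer -Filter "Name -eq '$DeviceName'" -Properties whenCreated, userCertificate
if (-not $computer) { throw "No computer object named $DeviceName in AD: the offline domain join did not complete." }
"AD object : {0}" -f $computer.DistinguishedName
"Created   : {0}" -f $computer.whenCreated
if ($computer.DistinguishedName -notlike "*,$DeviceOU") {
    Write-Warning "Object is not under $DeviceOU. Confirm its OU is included in the Entra Connect sync scope."
}
if (-not $computer.userCertificate) {
    Write-Warning 'userCertificate is empty: the device has not written its registration certificate to AD yet, so it will not be synced as hybrid joined.'
}

# 2. Scheduler: is the delta cycle enabled, how long is the interval, when is the next run?
$sched = Get-ADSyncScheduler
$sched | Select-Object SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC, SyncCycleInProgress, StagingModeEnabled
if (-not $sched.SyncCycleEnabled) { Write-Warning 'The sync scheduler is disabled; nothing will reach Entra ID.' }
if ($sched.StagingModeEnabled)    { Write-Warning 'This server is in staging mode and does not export to Entra ID.' }
if ($sched.CurrentlyEffectiveSyncCycleInterval -gt [timespan]::FromMinutes(30)) {
    Write-Warning ("Delta interval is {0}, longer than the 30 minute default. ESP waits at most 1.5 h for registration." -f $sched.CurrentlyEffectiveSyncCycleInterval)
}

# 3. Do not wait for the next scheduled cycle: run a delta sync now unless one is running.
if ($sched.SyncCycleInProgress) {
    'A sync cycle is already in progress; wait for it to finish.'
} else {
    Start-ADSyncSyncCycle -PolicyType Delta
}

# 4. Optional: what Entra ID holds for the device. Assumes Microsoft.Graph PowerShell is
#    installed and connected (Connect-MgGraph -Scopes Device.Read.All). Expected while
#    Account setup waits: one TrustType AzureAd object (the Autopilot registration) and
#    one TrustType ServerAd object (the synced hybrid object). Assumption: the ServerAd
#    object's RegistrationDateTime is what the portal's Registered column reflects.
if (Get-Command Get-MgDevice -ErrorAction SilentlyContinue) {
    Get-MgDevice -Filter "displayName eq '$DeviceName'" -All |
        Select-Object DisplayName, TrustType, RegistrationDateTime, DeviceId |
        Format-Table -AutoSize
}
```

Run it with the device name shown in the Autopilot profile or on the logon screen; if step 1 reports an empty userCertificate, the fix is on the client side (the Automatic-Device-Join task has not run yet), not in Entra Connect.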