Welcome to our blog series on the Autopilot hybrid join scenario!
In this blog we will delve into device enrollment troubleshooting during the Autopilot hybrid join process. Device enrollment is the first step that runs after the user enters their credentials in the Autopilot hybrid join flow, so it is important to understand it in detail to ensure a seamless experience. In this post we will explore troubleshooting techniques specific to the device enrollment step of the Autopilot scenario.
Stay tuned for upcoming blogs where we will cover additional steps in this flow.
Join us as we delve deeper into the realm of Autopilot hybrid join and uncover effective troubleshooting methods.
Autopilot Hybrid Join – The Flow
The device enrollment process starts once the user enters their credentials on the Microsoft Entra ID sign-in screen (the "company branding" page).
After signing in, the user sees only the ‘Please wait while we set up your device…’ screen.
Although the process involves numerous steps, that screen is all the end user sees until the device reboots.
While the user is looking at the ‘Please wait while we set up your device…’ message, the device and the Intune service work through the following tasks in the background; at the end of them the device reboots to finalize the domain join and moves on to the Enrollment Status Page:
- The device enrolls in MDM (Intune).
- The device starts waiting for the ODJ (Offline Domain Join) blob.
- The offline domain join is driven by the Intune Connector for Active Directory: the connector creates the computer object in AD and produces the ODJ blob, Intune delivers the blob to the device, and the device applies it to complete the offline domain join.
- The device checks connectivity to a domain controller (the DC connectivity check) and must receive a response.
  - This check runs only in user-driven deployments where ‘Skip AD connectivity check’ is not enabled in the Autopilot profile.
  - If ‘Skip AD connectivity check’ is enabled, or the device is being pre-provisioned, this step is skipped.
- Finally, the device reboots to complete the Active Directory domain join.
In this blog we will focus on the first step, “Device enrolls in MDM”.
Autopilot Hybrid Join – Which Logs Are Required
Client-side logs are needed to troubleshoot the device enrolling in MDM.
Client-Side
To troubleshoot a failure in device enrollment to MDM, the logs must be collected from the device itself, because a device that failed to enroll has no object in Intune from which diagnostics could be collected.
From an elevated Command Prompt (press Shift + F10 during OOBE), create the target folder and run the following command:
mkdir c:\temp
MDMDiagnosticsTool.exe -area Autopilot;DeviceProvisioning;DeviceEnrollment -cab c:\temp\DeviceEnrollment.cab
If you run it from PowerShell instead, quote the -area value ("Autopilot;DeviceProvisioning;DeviceEnrollment"), because ; is a statement separator there.
Autopilot Hybrid Join – Troubleshooting
For device enrollment troubleshooting, check the following logs:
- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
This event log (.evtx) is included in the CAB file collected in the previous section.
For a successful enrollment these are the expected events, in order:
Event 4: MDM Enroll: Certificate policy request sent successfully.
Event 6: MDM Enroll: Certificate policy response processed successfully.
Event 8: MDM Enroll: Certificate enrollment request sent successfully.
Event 10: MDM Enroll: Certificate enrollment response parsed successfully.
Event 16: MDM Enroll: OMA-DM client configuration succeeds.
Event 58: MDM Enroll: Provisioning succeeded.
Event 72: MDM Enroll: Succeeded
If enrollment fails, the failure shows up as an error event at the point in this sequence where the process stopped, so the last successful event tells you which phase to investigate.
- Microsoft-windows-shell-core-operational.evtx
Also from the CAB file you can check the “microsoft-windows-shell-core-operational.evtx” event log for these two events, which indicate a successful enrollment (the second one reads oddly, but it is the normal success message):
CloudExperienceHost Web App Event 1. Name: ‘AutopilotWhiteGlove policy not found, performing device enrollment.’.
CloudExperienceHost Web App Event 1. Name: ‘Device enrollment returned successfully with internal server error: 1’.
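The following PowerShell is an added example (not code from the original post) that automates the two checks described above: it reads the DeviceManagement and Shell-Core .evtx files out of an extracted MDMDiagnosticsTool CAB, walks the milestone event sequence (4, 6, 8, 10, 16, 58, 72), reports the last milestone reached, and lists any error-level events logged after it. The extraction folder and the .evtx file names inside the CAB are assumptions; adjust them to what your CAB contains.

```powershell
# Added example, not code from the original post. Reads the two event logs
# named above from an extracted MDMDiagnosticsTool CAB and reports how far
# MDM enrollment got. The folder is an assumption; extract the CAB first with:
#   expand.exe c:\temp\DeviceEnrollment.cab -F:* c:\temp\DeviceEnrollment
$CabFolder = 'c:\temp\DeviceEnrollment'

# Milestone events of a successful enrollment, in the order they are logged.
$Milestones = @(
    [pscustomobject]@{ Id = 4;  Step = 'Certificate policy request sent' }
    [pscustomobject]@{ Id = 6;  Step = 'Certificate policy response processed' }
    [pscustomobject]@{ Id = 8;  Step = 'Certificate enrollment request sent' }
    [pscustomobject]@{ Id = 10; Step = 'Certificate enrollment response parsed' }
    [pscustomobject]@{ Id = 16; Step = 'OMA-DM client configuration succeeded' }
    [pscustomobject]@{ Id = 58; Step = 'Provisioning succeeded' }
    [pscustomobject]@{ Id = 72; Step = 'MDM Enroll: Succeeded' }
)

function Get-MdmEnrollmentProgress {
    param([Parameter(Mandatory)][string]$EvtxPath)

    # -Oldest returns the events in the order they happened.
    $events = Get-WinEvent -Path $EvtxPath -Oldest -ErrorAction Stop

    $reached = @()
    foreach ($m in $Milestones) {
        $hit = $events | Where-Object { $_.Id -eq $m.Id } | Select-Object -First 1
        if (-not $hit) { break }   # first missing milestone is where enrollment stopped
        $reached += [pscustomobject]@{ Time = $hit.TimeCreated; Id = $m.Id; Step = $m.Step }
    }

    # Error-level (Level 2) events at or after the last milestone are the likely cause.
    $since  = if ($reached.Count) { $reached[-1].Time } else { [datetime]::MinValue }
    $errors = $events |
        Where-Object { $_.Level -eq 2 -and $_.TimeCreated -ge $since } |
        Select-Object TimeCreated, Id, Message

    [pscustomobject]@{
        Completed       = ($reached.Count -eq $Milestones.Count)
        LastMilestone   = if ($reached.Count) { $reached[-1].Step } else { 'none' }
        MilestonesHit   = $reached
        ErrorsAfterLast = $errors
    }
}

function Get-CxhEnrollmentEvents {
    # The CloudExperienceHost web app logs the two 'Name:' events quoted above.
    param([Parameter(Mandatory)][string]$EvtxPath)
    Get-WinEvent -Path $EvtxPath -Oldest -ErrorAction Stop |
        Where-Object { $_.Message -match 'AutopilotWhiteGlove policy|Device enrollment returned' } |
        Select-Object TimeCreated, Id, Message
}

# Usage. File names are assumed to follow the tool's lower-case naming, as in the post.
$mdm = Get-MdmEnrollmentProgress -EvtxPath (Join-Path $CabFolder 'microsoft-windows-devicemanagement-enterprise-diagnostics-provider-admin.evtx')
$mdm | Format-List Completed, LastMilestone
$mdm.ErrorsAfterLast | Format-Table -Wrap
Get-CxhEnrollmentEvents -EvtxPath (Join-Path $CabFolder 'microsoft-windows-shell-core-operational.evtx') | Format-Table -Wrap
```

Run it on any Windows machine with the CAB extracted; Get-WinEvent renders the Message text from the local provider manifest, so analyze on a Windows 10/11 box rather than a server that lacks the DeviceManagement provider.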
- Registry Dump
From the file “MdmDiagReport_RegistryDump.reg” you can quickly get the Intune device ID and the enrollment time if enrollment completed successfully.
Search for “EntDMID”: this is the Intune device ID. The “EntDeviceName” value next to it (under Enrollments\<enrollment GUID>\DMClient\MS DM Server) ends with the enrollment date and time.
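As an added example (not code from the original post), the function below pulls EntDMID and EntDeviceName for every MDM enrollment it finds, either from the live registry when run from the Shift + F10 prompt during OOBE, or offline by parsing the MdmDiagReport_RegistryDump.reg from the CAB. The .reg path, and the assumption that the timestamp at the end of EntDeviceName is in US M/d/yyyy h:mm tt form, are mine.

```powershell
# Added example, not code from the original post. Returns the Intune device ID
# (EntDMID) and enrollment time for each MDM enrollment, from the live registry
# or from MdmDiagReport_RegistryDump.reg. The .reg path used below is an assumption.
function Get-IntuneEnrollmentIdentity {
    param([string]$RegDumpPath)   # omit to read the live registry

    $found = @()
    if ($RegDumpPath) {
        # .reg layout: a [key] header, then "name"="value" lines, then a blank line.
        $current = $null
        foreach ($line in Get-Content -Path $RegDumpPath) {
            if ($line -match '^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Enrollments\\([^\\\]]+)\\DMClient\\MS DM Server\]$') {
                $current = @{ EnrollmentKey = $Matches[1] }
            }
            elseif ($current -and $line -match '^"(EntDMID|EntDeviceName)"="(.*)"$') {
                $current[$Matches[1]] = $Matches[2]
            }
            elseif ($current -and ($line -eq '' -or $line.StartsWith('['))) {
                if ($current.ContainsKey('EntDMID')) { $found += $current }
                $current = $null
            }
        }
    }
    else {
        # Live registry: each enrollment is a GUID-named subkey; helper subkeys without DMClient are skipped.
        foreach ($k in Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction Stop) {
            $dm = Join-Path $k.PSPath 'DMClient\MS DM Server'
            if (Test-Path -Path $dm) {
                $p = Get-ItemProperty -Path $dm
                if ($p.EntDMID) {
                    $found += @{ EnrollmentKey = $k.PSChildName; EntDMID = $p.EntDMID; EntDeviceName = $p.EntDeviceName }
                }
            }
        }
    }

    foreach ($e in $found) {
        # EntDeviceName ends with the enrollment timestamp, e.g. '..._Windows_10/25/2023_10:15 AM' (assumed US format).
        $enrolledAt = $null
        if ($e.EntDeviceName -match '_(\d{1,2}/\d{1,2}/\d{4}_\d{1,2}:\d{2} [AP]M)$') {
            try {
                $enrolledAt = [datetime]::ParseExact($Matches[1], 'M/d/yyyy_h:mm tt', [cultureinfo]::InvariantCulture)
            } catch { $enrolledAt = $null }
        }
        [pscustomobject]@{
            EnrollmentKey  = $e.EnrollmentKey
            IntuneDeviceId = $e.EntDMID
            EntDeviceName  = $e.EntDeviceName
            EnrolledAt     = $enrolledAt
        }
    }
}

# Usage: on the device during OOBE, or offline against the extracted CAB.
Get-IntuneEnrollmentIdentity | Format-List
Get-IntuneEnrollmentIdentity -RegDumpPath 'c:\temp\DeviceEnrollment\MdmDiagReport_RegistryDump.reg' | Format-List
```

If the function returns nothing on a live device, the MDM enrollment never completed, which is consistent with a missing Event 72 in the DeviceManagement log.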
Portal-Side
Check Intune Portal for Errors
Devices > Monitor > Enrollment failures: In the Microsoft Intune admin center (formerly the Microsoft Endpoint Manager admin center), go to Devices > Monitor > Enrollment failures to check for any errors reported for the user or device.
General Troubleshooting
- Check Licensing and Permissions
- Ensure Correct Licensing: Verify that the user enrolling the device has an Intune license assigned (for example through a Microsoft 365 or Enterprise Mobility + Security (EMS) license).
- Correct Microsoft Entra Permissions: Confirm the user is a member of a Microsoft Entra group that is included in the MDM user scope, so that automatic enrollment is allowed for that user.
- Device Requirements and Configuration
- Check Supported OS: Ensure the Windows device meets the minimum OS version. Intune enrollment needs Windows 10 version 1607 or later, but Autopilot hybrid join requires Windows 10 version 1809 or later (any supported Windows 11 build qualifies).
- Sync Time and Date Settings: Ensure the date and time settings on the device are correct, as out-of-sync devices might face authentication issues.
- Network Connectivity
- Check Internet Access: Verify the device has consistent internet access and that enrollment traffic is not being blocked or intercepted (TLS inspection) by a proxy or firewall.
- Allow Required URLs: Ensure the network allows access to the Microsoft service endpoints listed at https://learn.microsoft.com/en-us/mem/intune/fundamentals/intune-endpoints?tabs=north-america
- Check the Automatic Enrollment configuration in the portal (Microsoft Entra admin center, under Mobility > Microsoft Intune)
- Make sure users who deploy Microsoft Entra joined devices using Intune and Windows Autopilot are members of a group included in the MDM user scope.
- Use the default values in the MDM Terms of use URL, MDM Discovery URL, and MDM Compliance URL boxes, and then select Save.
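The device-side items above (OS version, clock, network reachability) can be checked in one go from the Shift + F10 prompt before retrying enrollment. The script below is an added example, not part of the original post or of any Microsoft tool: the endpoint list is my assumed subset of the endpoints documentation linked above, not the complete list, and the 5-minute clock-skew threshold is my choice.

```powershell
# Added example, not code from the original post. Pre-enrollment checks to run
# from Shift+F10 during OOBE: OS build, clock skew, and TCP reachability of a
# subset of the enrollment endpoints. The endpoint list is an assumption and is
# not exhaustive; the intune-endpoints doc linked above is authoritative.
function Test-EnrollmentPrereqs {
    param(
        [string[]]$Endpoints = @(
            'login.microsoftonline.com',
            'enterpriseregistration.windows.net',
            'enrollment.manage.microsoft.com',
            'portal.manage.microsoft.com',
            'ztd.dds.microsoft.com',
            'cs.dds.microsoft.com'
        ),
        [int]$MaxSkewMinutes = 5   # assumed threshold; token validation tolerates only a few minutes of skew
    )

    # Windows 10 1809 = build 17763, the minimum for Autopilot hybrid join.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber

    # Clock check: compare local UTC time with the Date header returned by Microsoft Entra.
    $skewMinutes = $null
    try {
        $resp = Invoke-WebRequest -Uri 'https://login.microsoftonline.com/common/.well-known/openid-configuration' `
                                  -UseBasicParsing -ErrorAction Stop
        $serverUtc   = [datetimeoffset]::Parse([string]$resp.Headers['Date'], [cultureinfo]::InvariantCulture).UtcDateTime
        $skewMinutes = [math]::Abs(((Get-Date).ToUniversalTime() - $serverUtc).TotalMinutes)
    } catch {
        Write-Warning "Could not reach login.microsoftonline.com to check the clock: $($_.Exception.Message)"
    }

    # TCP 443 reachability. A proxy doing TLS inspection can still break enrollment even when this passes.
    $net = foreach ($h in $Endpoints) {
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; TcpOk = $r.TcpTestSucceeded; RemoteAddress = $r.RemoteAddress }
    }

    [pscustomobject]@{
        OSBuild      = $build
        OSSupported  = ($build -ge 17763)
        ClockSkewMin = $skewMinutes
        ClockOk      = ($null -ne $skewMinutes -and $skewMinutes -le $MaxSkewMinutes)
        Endpoints    = $net
        AllReachable = -not ($net | Where-Object { -not $_.TcpOk })
    }
}

$result = Test-EnrollmentPrereqs
$result | Format-List OSBuild, OSSupported, ClockSkewMin, ClockOk, AllReachable
$result.Endpoints | Format-Table -AutoSize
```

A failed TCP test points at the firewall or proxy; a large ClockSkewMin points at the device clock (common on freshly imaged hardware with a dead CMOS battery), which produces authentication errors rather than network errors in the enrollment log.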
- Intune Enrollment Failure Codes
Microsoft's documentation lists the most common Intune enrollment error codes and what they mean; match the error from the event log above against that list.
In the next post we will walk through the Offline Domain Join process: the flow and how to troubleshoot it. Stay tuned.
For additional posts about Autopilot, please explore the relevant category in IntuneBytes