Intune provisioning failure, W11 at OOBE

Rob Brown 26 Reputation points
2023-05-01T17:46:03.42+00:00

We've started to encounter a consistent error when trying to provision new hardware at OOBE stage.

Devices pick up the tenancy and the assigned user, start to deploy the relevant apps and config policies - then after 2 hours time out.

A review of the logs show a set of actions looping for most of that 2 hours - I've no idea when this started (my former junior colleague has left the business) and I'm currently at a loss as to why it's doing it at all.

Interestingly, doing a full setup as a user doesn't appear to be a problem (I'm retesting now and will update once I've confirmed that) - the below log snippet is a snapshot, as best I can tell that block repeats hundreds and hundreds of times before the process as a whole times out and fails.

<![LOG[AAD User check using device check in app is failed, now fallback to the Graph audience. ex = Intune Management Extension Error.
Exception: Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.TokenAquireException: Attempt to get token, but failed.
   at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.DiscoveryService.<IsAADUserInternal>d__17.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.DiscoveryService.<IsAADUser>d__15.MoveNext()]LOG]!><time="16:18:06.1834501" date="5-1-2023" component="IntuneManagementExtension" context="" type="3" thread="4" file="">
<![LOG[starting impersonation, session id = 1]LOG]!><time="16:18:06.1834501" date="5-1-2023" component="IntuneManagementExtension" context="" type="1" thread="4" file="">
<![LOG[After impersonation: SK-LT-FRRVML3\defaultuser0]LOG]!><time="16:18:06.1874509" date="5-1-2023" component="IntuneManagementExtension" context="" type="1" thread="4" file="">
<![LOG[[TokenManager::GetTokenForNewRequestAsync]]LOG]!><time="16:18:06.1874509" date="5-1-2023" component="IntuneManagementExtension" context="" type="1" thread="4" file="">
<![LOG[provider id = https://login.microsoft.com, authority = organizations]LOG]!><time="16:18:06.1914503" date="5-1-2023" component="IntuneManagementExtension" context="" type="1" thread="4" file="">
<![LOG[get provider, provider name = Workplace or school account]LOG]!><time="16:18:06.1914503" date="5-1-2023" component="IntuneManagementExtension" context="" type="1" thread="4" file="">
<![LOG[Failed to get AAD token. len = 34 using client id fc0f3af4-6835-4174-b806-f7db311fd2f3 and resource id 00000003-0000-0000-c000-000000000000, errorCode = 3399548929]LOG]!><time="16:18:06.6422213" date="5-1-2023" component="IntuneManagementExtension" context="" type="1" thread="4" file="">
<![LOG[Need user interaction to continue.]LOG]!><time="16:18:06.6422213" date="5-1-2023" component="IntuneManagementExtension" context="" type="1" thread="4" file="">
<![LOG[AAD User check is failed, exception is Intune Management Extension Error.
Exception: Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.TokenAquireException: Attempt to get token, but failed.
   at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.IntuneTokenManager.<GetTokenInternalAsync>d__42.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.IntuneTokenManager.<GetTokenForNewRequestAsync>d__40.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.DiscoveryService.<<IsAADUserInternal>b__17_1>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
   at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.ImpersonateHelper.<DoActionWithImpersonation>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.DiscoveryService.<IsAADUserInternal>d__17.MoveNext(), session is 1]LOG]!><time="16:18:06.6422213" date="5-1-2023" component="IntuneManagementExtension" context="" type="1" thread="4" file="">
Windows 11
Windows 11
A Microsoft operating system designed for productivity, creativity, and ease of use.
8,693 questions
Microsoft Intune Enrollment
Microsoft Intune Enrollment
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Enrollment: The process of requesting, receiving, and installing a certificate.
1,290 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Crystal-MSFT 45,331 Reputation points Microsoft Vendor
    2023-05-02T01:18:28.2033333+00:00

    @Rob Brown, Thanks for posting in Q&A. From your description, it seems you are doing Autopilot pre-provisioning. And one app is failed to install.

    For the log you provided, the error is normal because during device setup phase, user is not logging. For our issue, I think we need to look into the IME log to see which app is failed. unassign this app to the device group and see if the Autopilot pre-provisioning can complete. To analysis IME log, here is a link with the detailed steps for your reference:

    https://www.anoopcnair.com/intune-win32-app-troubleshooting/

    Note: Non-Microsoft link, just for the reference.

    Also, if you want help to analysis IME log, with Q&A limitation, you can consider open case to get help on it. Here is a link with the steps to open case for your reference:

    https://learn.microsoft.com/en-us/mem/get-support

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

  2. Pavel yannara Mirochnitchenko 12,381 Reputation points MVP
    2023-05-02T07:04:16.7833333+00:00

    Maybe my blog could help you how to troubleshoot autopilot: https://www.linkedin.com/pulse/autopilot-troubleshooting-how-i-do-pavel-mirochnitchenko/

    You could also leave one computer with ESP failure to stay there for hours, and check later in Intune console, was there some app failing. App failure does not show in device detail right away, it takes some time to register failure.

    Also, make sure you are using latest Win11 installation media.

    0 comments No comments