TaylorArtunian-5283 asked Crystal-MSFT commented

Autopilot Hybrid AD Join - Incompatible with Enable Automatic MDM Enrollment GPO?

I am having an issue with the "Account Setup - Joining your organization's network" portion of Autopilot deployment.

Just like this Technet post, I am getting 204 and 304 events in the User Device Registration log; the only difference is that they were trying to disable automatic enrollment via GPO and we have it enabled. Is this GPO incompatible with Autopilot?

The 304 error says "The device object with the given id {id} is not found." I went and looked at the AAD device id and it is in fact different. The device was deleted from AD, AAD and Intune before beginning deployment with a Windows 10 USB.



Tags: intune-enrollment, windows-autopilot

@TaylorArtunian-5283, Based on my research, I didn't find any article mentioning that the Enable Automatic MDM enrollment GPO will affect Autopilot Hybrid Azure AD join. But we can check whether any of the policy settings in the following link, which conflict with the Autopilot profile, are set:
https://docs.microsoft.com/en-us/mem/autopilot/policy-conflicts

Meanwhile, based on my research, for event id 204, it seems there's some issue with the synchronization with Azure AD. Please check the synchronization and here is a link for the reference:
http://blog.petersenit.co.uk/2019/04/troubleshooting-azure-ad-hybrid-join.html
Note: Non-Microsoft link, just for the reference.

Hope it can help.

1 Vote 1 ·
TaylorArtunian-5283 answered

I ended up disabling ESP which does not get rid of the error immediately but a couple of reboots seems to allow it to find the AAD object. Also worth noting is that it is expected that there will be two AAD device objects for hybrid joined devices which I had not seen in official documentation.


Jason-MSFT answered

What you are seeing is normal and expected to my knowledge as the device is already enrolled in Intune long before the group policy applies.

Are you actually experiencing an issue?


TaylorArtunian-5283 answered Crystal-MSFT commented

Thank you for the replies. I have since moved my Autopilot devices to a new OU with no GPOs and changed both the Domain Join profile and AAD Connect to include the new OU, and I am still encountering the same issue.

During user ESP the install process hangs on "Joining Your Organization's Network". Looking at the logs, the device appears to try 3 times to run the Automatic-Device-Join task before giving up, each time generating the 304 and 204 events with the 0x801c03f3 error:

 Automatic registration failed at join phase. 
 Exit code: Unknown HResult Error code: 0x801c03f3 
 Server error: The device object by the given id (e2f251bb-c6e1-4378-b65a-f8dfd1622ba9) is not found. 
 Tenant type: Managed 
 Registration type: sync 
 Debug Output: 
 joinMode: Join
 drsInstance: azure
 registrationType: sync
 tenantType: Managed
 tenantId: 235907c4-a81a-4ff8-80a3-32d8a3730c36
 configLocation: undefined
 errorPhase: join
 adalCorrelationId: 62693e8a-a008-48c2-8d47-5335f93eaeae
 adalLog:
 undefined
 adalResponseCode: 0x0

I have two devices which are doing this and I think they may be caused by separate issues.

On one device, if I manually start the Automatic-Device-Join after ensuring that the AD object has been synced to AAD, the ESP completes fine (though the Autopilot device only shows an Associated Intune device while the Associated Azure AD device shows N/A).

I have another device that won't get past the same "Joining Your Organization's Network" step despite it having resolved the 204 and 304 Device Join errors on its own. To make it more confusing, the corresponding AAD device has a DeviceID which is different from the one that the device is looking for and different from the AD ObjectGUID. The AD connect sync rules are stock so the AAD DeviceID should be the ObjectGUID.

I think I may need to go the support ticket route since this is looking like multiple issues. Thanks.

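The post above shows three ids that have to line up for a Hybrid Azure AD join to succeed: the id the device is looking for (from event 304), the AD computer objectGUID, and the AAD DeviceId. The script below is an added diagnostic example written for this thread, not code from the original post or from Microsoft; it parses the 304 event text shown above and reports which of the three ids disagree. The function names, the sample GUID and the commented live-query lines are assumptions for illustration.

```powershell
# Added example (not from the original thread): check the three ids involved in the
# 0x801c03f3 "device object ... not found" failure. Runs offline on constructed sample
# data; the live-query lines at the bottom are commented and need RSAT + the AzureAD module.

function Get-DeviceIdFromEventMessage {
    param([Parameter(Mandatory)][string]$Message)
    # Event 304 embeds the id the device asked for as "by the given id (<guid>)".
    if ($Message -match 'given id \(([0-9a-fA-F-]{36})\)') { return $Matches[1] }
    return $null
}

function Test-HybridJoinIds {
    param(
        [Parameter(Mandatory)][string]$LookedUpId,   # parsed from event 304
        [Parameter(Mandatory)][string]$AdObjectGuid, # objectGUID of the AD computer object
        [string]$AadDeviceId                          # DeviceId of the AAD device object, if any
    )
    # String -eq in PowerShell is case-insensitive, so GUID casing does not matter here.
    if (-not $AadDeviceId) {
        $verdict = 'No AAD device object yet: AD Connect has not synced the computer; wait a sync cycle and rerun Automatic-Device-Join.'
    } elseif ($AadDeviceId -ne $AdObjectGuid) {
        $verdict = 'AAD DeviceId differs from AD objectGUID: stale or duplicate AAD device object; review sync rules and the duplicate.'
    } elseif ($LookedUpId -ne $AadDeviceId) {
        $verdict = 'Device is asking for an id AAD does not hold: cached registration state; rerun Automatic-Device-Join after sync.'
    } else {
        $verdict = 'All three ids agree; the join should succeed on the next Automatic-Device-Join run.'
    }
    [pscustomobject]@{ LookedUpId = $LookedUpId; AdObjectGuid = $AdObjectGuid; AadDeviceId = $AadDeviceId; Verdict = $verdict }
}

# Constructed sample 304 message (same shape as the log excerpt in the post, sample GUID).
$sample304 = @'
Automatic registration failed at join phase.
Exit code: Unknown HResult Error code: 0x801c03f3
Server error: The device object by the given id (11111111-2222-3333-4444-555555555555) is not found.
'@
$lookedUp = Get-DeviceIdFromEventMessage -Message $sample304
# AAD object missing: the "not synced yet" case described in the post.
Test-HybridJoinIds -LookedUpId $lookedUp -AdObjectGuid '11111111-2222-3333-4444-555555555555' -AadDeviceId ''

# Live use on a domain-joined admin workstation (assumed environment; uncomment to run):
# $ev  = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-User Device Registration/Admin'; Id=304} -MaxEvents 1
# $ad  = (Get-ADComputer -Identity $env:COMPUTERNAME).ObjectGUID.Guid
# # Hybrid-joined devices can legitimately have two AAD objects; inspect each DeviceId returned.
# $aad = (Get-AzureADDevice -Filter "displayName eq '$env:COMPUTERNAME'").DeviceId
# Test-HybridJoinIds -LookedUpId (Get-DeviceIdFromEventMessage $ev.Message) -AdObjectGuid $ad -AadDeviceId ($aad | Select-Object -First 1)
```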

Have you reviewed https://oofhours.com/2020/05/23/digging-into-hybrid-azure-ad-join/?

Have you disabled user ESP as suggested?

1 Vote 1 ·

That seems to have made it work. Thanks

0 Votes 0 ·

Thanks for the update. I am glad to hear that it is resolved. Congratulations! Thanks for your time and have a nice day!

1 Vote 1 ·

@TaylorArtunian-5283, Thanks for the reply. Yes, it seems there are multiple issues in our environment, and it seems log analysis may be more helpful to troubleshoot our issue. Due to Q&A limitations, phone support or email support can be more efficient for such a situation. I agree with you; we also suggest opening a case to handle it. Here are links describing how to open cases with AAD and Intune support:

AAD
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-troubleshooting-support-howto

Intune
https://docs.microsoft.com/en-us/mem/get-support

Hope it can help.

0 Votes 0 ·