Rash of computers failing network join during the Intune ESP

Fredrik Hofgren 96 Reputation points
2021-04-19T07:25:14.383+00:00

Greetings
As of last week we've had an increasing number of Windows 10 (20H2) computers getting stuck at the Intune Enrollment Status Page and reporting failed at "joining computer network". The computers are all hybrid joined without Autopilot and EV reports them as AAD joined in Microsoft-Windows-User Device Registration/Admin. The error appears regardless of which user is logging in as long as it's an AD account; local accounts can log in without errors and the domain user can log into another computer. So far we've tried to remove some of the computer accounts from both the on-prem domain, Intune and AAD without luck.

Any tips?

Regards
Fredrik

Microsoft Security | Intune | Enrollment

Accepted answer
  1. Fredrik Hofgren 96 Reputation points
    2021-04-21T05:02:33.677+00:00

    Hi
    We have the "skip ESP" OMA-URI in effect already and it hasn't helped.
    Meanwhile I did some digging in the registry of one of our affected computers and under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning there were a lot of keys labeled autopilot, which I thought was strange since we don't use Autopilot. For better or worse I deleted those keys and after a reboot I was presented with a normal ESP which was skippable and the user could go back to work. This workaround seems to be effective on all affected computers so far.

    Regards
    Fredrik

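The registry cleanup from the accepted answer as an elevated PowerShell script, added here as an example and not code from the original thread: it lists every subkey under HKLM\SOFTWARE\Microsoft\Provisioning whose name contains "autopilot", and only with -Remove exports each one to a .reg file before deleting it, so the change can be reverted with reg import. The -Remove switch, the $BackupDir path and the report-only default are this script's own assumptions.

```powershell
<#
  Added example (not from the thread). Report-only by default; -Remove backs up
  each matching key with reg.exe export and then deletes it. Run elevated.
#>
[CmdletBinding()]
param(
    [switch]$Remove,
    [string]$BackupDir = "$env:SystemDrive\ProvisioningBackup"   # assumed location
)

$base = 'HKLM:\SOFTWARE\Microsoft\Provisioning'
if (-not (Test-Path $base)) { Write-Warning "$base not found"; return }

# Collect every subkey (at any depth) whose own name contains "autopilot".
$hits = Get-ChildItem -Path $base -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match 'autopilot' }

if (-not $hits) { Write-Host "No autopilot-named keys under ${base}"; return }

Write-Host "Keys matching 'autopilot' under ${base}:"
$hits | ForEach-Object { Write-Host "  $($_.Name)" }

if (-not $Remove) { Write-Host 'Report only. Re-run with -Remove to back up and delete.'; return }

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

foreach ($key in $hits) {
    # A parent key matched earlier may already have taken this one with it.
    if (-not (Test-Path $key.PSPath)) { continue }

    # reg.exe wants the short root name; the export covers the whole subtree.
    $regName  = $key.Name -replace '^HKEY_LOCAL_MACHINE', 'HKLM'
    $safeName = $regName -replace '[\\:]', '_'
    $regFile  = Join-Path $BackupDir "$stamp-$safeName.reg"
    & reg.exe export $regName $regFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Backup failed for $regName; not deleting it"; continue }

    Remove-Item -Path $key.PSPath -Recurse -Force
    Write-Host "Removed $regName (backup: $regFile)"
}
Write-Host "Done. Reboot to get a fresh ESP. To revert a key: reg import <file>.reg"
```

Review the report-only output before using -Remove; keys created by a real Autopilot deployment would match the same pattern and should be left alone on devices that are actually Autopilot-registered.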

2 additional answers

  1. Fredrik Hofgren 96 Reputation points
    2021-04-20T06:28:57.647+00:00

    Hi
    Thank you for the answer. I'll fill in with some details.
    Question #1: Below is a screenshot of the ESP page, the user cannot proceed but you can access task manager and sign in as a different user

    (screenshot attached)
    Question #2: My bad, I should have included this in my first post. We autoenroll the majority of our PCs using a GPO as described at https://learn.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy

    Question #3: (screenshot attached)

    Question #4: The AAD event log on the PC shows a few warnings but nothing that indicates a problem with the AAD computer account.
    (screenshot attached)

    The troubleshooting steps I've taken so far are to delete the device from AAD and Intune and wait for a resync from AD. No luck. One workaround that does work is if I disconnect the PC from the AD, reconnect it and then enroll the PC in Intune manually. After that procedure the user is able to access the PC normally.

    Regards
    Fredrik


  2. Crystal-MSFT 53,981 Reputation points Microsoft External Staff
    2021-04-20T09:10:12.417+00:00

    @Fredrik Hofgren Thanks for the reply. To protect the information in our environment, we hide something for you.

    From the pictures, I notice it failed during "join the organization" in Account setup. Based on our research, this stage obtains the Primary Refresh Token (PRT) and authenticates with Azure AD.
    https://learn.microsoft.com/en-us/troubleshoot/mem/intune/understand-troubleshoot-esp#account-setup

    I think the issue can occur when obtaining the PRT. To check on this, log analysis is necessary. Due to Q&A limitations, for such an issue we suggest opening a case to troubleshoot this. Here is a link about opening a case:
    https://learn.microsoft.com/en-us/mem/get-support

    As a workaround, maybe we can try to skip the Account setup phase by creating a custom device configuration profile in Intune:

    OMA-URI: ./Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage
    Data type: Boolean
    Value: True
    https://learn.microsoft.com/en-us/windows/client-management/mdm/dmclient-csp

    Thanks for the understanding and have a nice day!
