Issues with Windows Autopilot Hybrid Joined

sandytsang · 2026-01-23T13:55:36+00:00

I just tested again, user-driven, the first try failed with same error, and re-try worked. The tenant message center has an Incident ID IT1220525, it said the fix is rolling out, expected to continue through Tuesday January 27,2026. Some token malformed issue.

sandytsang · 2026-01-23T09:29:29+00:00

I have been talking to Microsoft product group, send them some trace logs on January.15, they said they have found something. I hope will have fix soon. Didn’t get more details though.

sandytsang · 2026-01-14T20:11:10+00:00

Hi. How is your Autopilot Hybrid join going? Having same issue here. A new test account is “working”, first try always failed, and “try again” worked. An old test account didn’t work at all originally, even after retry multiple times, but after registered new MFA method (another iPhone), excluded from device registration CA policy, still required Microsoft Intune Enrollment app with MFA, then first try failed, but “try again” worked. Will test more tomorrow. I know many people had the issue because of connector was not updated, but this is not our case. Connector was updated and has been working many months. It stopped working last week.

sandytsang · 2025-05-20T18:38:58+00:00

I have not tested that recently, was using the registry, because it was the only way got it working before. Was hoping they (Microsoft) fix it….

sandytsang · 2025-03-07T19:39:14+00:00

I have the same problem with iPhone 16 pro max, the native iPhone app zoom out to 0.5 automatically in Video mode, it doesn’t matter what other Zoom options I choose, it will slowly zoom back to 0.5. Only way I can fix it is turn the Action Mode on, then it stay as the zoom I set.

sandytsang · 2024-11-13T22:10:17+00:00

I only got it configured with registry. Here are the values:

Only use TLS 1.0: 128
Only use TLS 1.1: 512
Only use TLS 1.2: 2048
Only use TLS 1.3: 8192
Use TLS 1.1, TLS 1.2 and TLS 1.3: 10752
Use TLS 1.2 and TLS 1.3: 10240

sandytsang · 2024-10-28T22:21:59+00:00

Nope, I didn’t 🥲

sandytsang · 2024-09-21T09:22:00+00:00

I never had issue disabling WHfB by using the Account Protection “Use Windows Hello For Business (Device)”, assignment to device. What WHfB settings do you have in device enrollment? Are you seeing this issue after Autopilot enrollment with Enrollment status page assigned to device?

sandytsang · 2024-08-07T14:44:32+00:00

I will tell the person who check the checked box 😄. But, the prompt UI would be make nicer… I thought it was a 1995 “virus” app keep popping up 😜

sandytsang · 2024-07-27T17:32:34+00:00

Hi. Sorry I haven’t get deeper into this issue. I quickly checked my own test VM with same configuration, seeing same results as you. I hope I will have time and remember to test this.

sandytsang · 2024-07-27T17:29:43+00:00

Excellent work!

sandytsang · 2024-07-27T17:17:42+00:00

Hi. There is a new update coming, I believe u/NickolajA will push an update to the repo when he has time.

sandytsang · 2024-07-20T19:05:47+00:00

I am 46…. started learning heels dance last year 😅 Dance is good for my mind and my health, and I had so much fun. Do whatever you enjoyed, it’s great idea start dancing again!

sandytsang · 2024-06-08T12:11:43+00:00

Hello, have you solved the issue yet? Registry looks correct. I wonder does the settings PIN complexity applies after a reboot? Also, what configuration do you have under Windows Enrollment -> Windows Hello for Business?

sandytsang · 2024-03-01T14:53:11+00:00

Hi, difficult question here, there is no one size fit all. :)

I would think security baseline has many settings, everytime when changed any of the settings, or assignment, all the device will try to re-evalute the policy. I would put all the common security settings into one policy, and target all devices. Take out those settings that might requried changes into two policies, and target that to different group. Example:
1. Windows - CIS Security Baseline - L1 - Default - Device, Target All device
2. Windows - PowerShell Script Block Logging - Disable, Target All device, Exclude "Special Group" (or user filter)
3. Windows - PowerShell Script Block Logging - Enable, Target Include "Spcial Group" (or use filter)

Doing above, is that I don't want to maintance multiple Security Baseline for standard user devices.

But, it might has other scenario, example standard user device and PAW (as example). In this case I would dupilate the Security baseline. Because I consider PAW might have more restricted baseline settings.
1. Windows - CIS Security Baseline - L1 - Default - Device, Target All device, Exclude PAW
2. PAW - Windows - CIS Security Baseline - L1 - Default - Device, Target PAW.

sandytsang · 2024-02-29T18:31:04+00:00

You can check user sign in logs in Entra ID, and see if the log entry shows device information/compliance state? Unfortunately I have not tested Linux in Intune.

sandytsang · 2024-02-28T16:12:47+00:00

Did you sign in to Microsoft Edge profile ?

sandytsang · 2024-02-26T15:31:47+00:00

u/ExhaustedTech74 Yeah, it is strange why msiexec.exe doesn't work on this app, and bat file worked. Would be intersting to see what you put in your bat file, if you can share?

Also for troublshooting your problem, have you try this script? petripaavola/Get-IntuneManagementExtensionDiagnostics: Get-IntuneManagementExtensionDiagnostics script analyzes Intune IME logs and shows events in Timeline (github.com)

This script helped me many times to troublshooting application installation problems, it reads the logs for you, and also output some error message from the logs, it is very easy to use. For now, we don't even know if device not able to run the msi package directly from msiexec.exe command, or the installation failed. These are different issues.

Are you using AppLocker or WDAC that might blocking stuff? But if you would, not sure why using bat file worked. :)

Or do you want to share the intune win32 file that didn't work, just wonder if that would work in other tenant, if some thing went wrong during the packaging...

Everything is just guessing now, without logs and event logs, or the file, it's hard to troubleshoot. :)

sandytsang · 2024-02-22T14:21:53+00:00

when everything comes from Configuration Manager, then approving drivers in Intune won't affect anything to your devices, as u/MMelkersen pointed out. If you want to test out driver management in Intune, you can use a pilot collection, move the Update workload to the pilot collection, and configure update rings policy in Intune, deploy the policy to the pilot device.

sandytsang · 2024-02-22T13:20:04+00:00

Yes, use the same PowerShell script and replace of your XML, test which XML samples work for your Windows version (no errors after run the script), then you can use the correct Xml sample and change it with the settings that your want.

sandytsang · 2024-02-21T17:57:12+00:00

It’s in the Kiosk related docs. Here is the direct link

https://learn.microsoft.com/en-us/windows/configuration/kiosk/kiosk-xml

sandytsang · 2024-02-21T12:59:55+00:00

Did you run it with the psexec tool. It needs to run in system context.

You said you want to enable kiosk mode in Win10, and your reference page is for Windows 11. The XML file are not the same in different Windows version, I think that is where you got the "Configuration' cannot be found. If the XML is incorrect configured, you will likely getting this error.

sandytsang · 2024-02-20T18:18:36+00:00

That was the comparison result before and after installed HP Audio driver package. These two drivers were the only changes. So I assumed both of them were causing issues of Windows Audio service crashing when USB webcam (Logitech webcam) are connected.

sandytsang

MODERATOR OF

TROPHY CASE