AMA: Troubleshoot device issues with Intune
Thursday, Sep 14, 2023, 08:30 AM PDT
Looking to improve the troubleshooting experience within Intune? Have questions on accessing ServiceNow incidents in the admin console? Curious how to use advanced analytics to drill down into report...
Heather_Poulsen
Updated Dec 27, 2024
Hung_Dang
Microsoft
Sep 14, 2023
If this is Autopilot-into-HAADJ, then the user ESP is likely trying to AAD register the domain-joined device, which can take up to an hour, depending on factors like the AAD Connector setup, network latency, etc.
If this really is about certs, it could be that your cert policies are user-targeted or require user information. The device ESP runs in a device/system context without user info, and so those types of certs require installation during user ESP.
Hope this helps, Sebastian. Have a great day!
SeMeDe
Sep 14, 2023
Iron Contributor
Hello Hung_Dang,
thanks for your feedback.
No, the devices are simple AAD joined devices. They were enrolled normally via OOBE and everything works fine. And then out of nowhere Hello sign-in doesn't work anymore. Yes, the policy for the cert is user-assigned and in the initial ESP phase it works. Only when the ESP is wrongly shown after these problems does the ESP hang there. It seems that the ESP thinks that the user logging in is a new user. The ESP is correctly showing that the system part is skipped, because initial enrollment was already done, but it seems that Windows thinks the user logging in via password is a different user than the one that did the enrollment. But of course it's only the one user.
- Hung_Dang, Sep 14, 2023
Microsoft
To clarify, the ESP profile in Intune does enable by default two ESPs (the device ESP during OOBE, and the user ESP right after Windows logon). The device ESP ("Device Setup" category on the ESP UX) is to block the user from getting to the desktop while system/device-targeted policies are being delivered to the device, and the user ESP ("Account Setup" category on the ESP UX) is to block the user while user-targeted policies are being delivered to the device. If there are no user-targeted policies, then the user ESP should only briefly display.