AMA: Troubleshoot device issues with Intune
Event details
Looking to improve the troubleshooting experience within Intune? Have questions on accessing ServiceNow incidents in the admin console? Curious how to use advanced analytics to drill down into reports for tailored insights, or how to use built-in Remote Help to securely aid end users and remediate issues? Join this Ask Microsoft Anything (AMA) event to get your questions answered by our product and engineering teams.
Post your questions in the Comments below. We'll have experts responding in the live stream and others in chat.
This AMA is part of Tech Community Live: Microsoft Intune edition. Visit https://aka.ms/TCL/Intune for the full agenda.
104 Comments
- Rupert_CTM
Brass Contributor
Our biggest issue is devices randomly failing compliance and the error messages are typically vague. Is compliance failure debug going to get better?
- Rupert_CTM
Brass Contributor
Thanks panel. Sometimes it's easier to just nuke the device instead of debugging it.
- Tyler Castaldo
Microsoft
Hi, Rupert. Can you describe the specific scenario? I'd like to understand what's randomly failing and the error messages you're seeing.
- Char_Cheesman
Bronze Contributor
Thanks for participating in today's AMA: Troubleshoot device issues with Intune! For reference, the panel covered this topic at 12:10.
- SeMeDe
Iron Contributor
We often struggle with open WLANs with a captive portal when enrolling Windows 10 devices through OoBE. There is a kind of browser window opened (with huge buttons at the top), but it is not Edge and not even IExplore. Sadly, this "browser" is not able to show the captive portal website. There is only a white page displayed. To work around this, we open a cmd via Shift+F10 and open Edge, and there the page is displayed and the user is able to accept the terms of use. Has anybody else seen this problem? Does anybody know what this window application in OoBE is? Does somebody have a clue how to fix this?
- johnhutch1880
Occasional Reader
High-level question about Graph. Is the Graph SDK (for PowerShell, Python, etc.) the preferred way to interact with Graph over REST if you can use it?
- mark-derouen
Brass Contributor
Wouldn't it be nice to be able to run commands on systems without having to create a script and assign it to a group? Some sort of shell access.
- How to troubleshoot BitLocker deployment in Intune?
- Cody_Kern
Copper Contributor
What is the best way to enable local admin on first login without needing to enable it manually? What would be the best way to set up Autopilot and gather the needed information to enroll devices right from distributors?
- Hung_Dang
Microsoft
By default on Windows, the first user logging in to Windows is part of the local admins group. If you find the user is not local admin, check your Autopilot profile to see if the setting to make the user standard is enabled. I didn't understand the second question. Could you clarify? Hope this helps, Cody. Have a great day!
- HeyHey16K
Iron Contributor
We use the Endpoint Security blade > Account protection > Local managed groups policies to manage local admin 🙂
- TinTrungNguyen
Copper Contributor
macOS: I am having 2 issues with the Company Portal, detailed below.
1/. I configured a policy "Is Active" for 30 days.
2/. I have 2 devices (macOS) that are not compliant with my policy. After I checked on my client's device, they always open the device and work on it every day.
3/. I opened the Company Portal and saw the account was still signed in.
4/. I tried many times to select "Check status" on the Company Portal and got the issue: "There was an error while checking status. Your status may not be up to date. Try checking again"
5/. After I tried step 4, I removed this device and re-enrolled, and I got a new issue: "Unable to confirm setting" after the MDM profile is installed.
Could you tell me how many ways there are to check/troubleshoot the issue for macOS and Windows? I don't see any docs from MS about troubleshooting that issue. Example: how do I collect the log to troubleshoot?
- SeMeDe
Iron Contributor
We often struggle with upcoming enrollment status pages (ESP) after problems with Hello on a device. There are some situations in which the user gets an error when trying to log in via PIN. He then tries to log in with a password, but then the ESP is displayed again. Sadly, the user then hangs in a situation where the ESP says that certificates should be installed. But they already are. We meanwhile found out that we can fix this on those devices by skipping the user ESP via OMA-URI ./Vendor/MSFT/DMClient/Provider/ProviderID/FirstSyncStatus/SkipUserStatusPage. But it seems to be more a workaround than a solution. Any suggestions as to what could cause this and how to get around it?
- Hung_Dang
Microsoft
If this is Autopilot-into-HAADJ, then the user ESP is likely trying to AAD register the domain-joined device, which can take up to an hour, depending on factors like the AAD Connector setup, network latency, etc. If this really is about certs, it could be that your cert policies are user-targeted or require user information. The device ESP runs in a device/system context without user info, and so those types of certs require installation during user ESP. Hope this helps, Sebastian. Have a great day!
- SeMeDe
Iron Contributor
Hello Hung_Dang,
thanks for your feedback.
No, the devices are simple AAD joined devices. They were normally enrolled via OoBE and everything works fine. And then out of nowhere Hello sign-in doesn't work anymore. Yes, the policy for the cert is user-assigned and in the initial ESP phase it works. Only when the ESP is wrongly shown after these problems does the ESP hang there. It seems that the ESP is thinking that the user logging in is a new user. The ESP is correctly showing that the system part is skipped, because initial enrollment was already done, but it seems that Windows thinks the user logging in via password is a different user than the one that did the enrollment. But of course it's only the one user.
- Char_Cheesman
Bronze Contributor
Welcome to AMA: Troubleshoot device issues with Intune. Let's begin! Post your questions in the Comments, and we'll be answering questions here and in the live stream.
- JoeH45
Iron Contributor
Would it be possible to add functionality to Intune similar to the Defender console's Live Response? It allows you to connect to a remote computer and get a command line where you can run commands and scripts. Similar to PowerShell remoting, but it doesn't need the computers to be on an internal network.
- Char_Cheesman
Bronze Contributor
- SeMeDe
Iron Contributor
Hi Char_Cheesman,
I think you missed this question and the answer in the video.
Maybe you could add your standard comment to this, so everybody is able to find the answer. So long I will copy your sentence. 😉
For reference, the panel covered this topic at around 10:00.
- Jamie_Ansell
Brass Contributor
Another thumbs up for this. It's exactly the sort of thing that would solve a lot of our current issues.