August Patch is breaking Intune Enrollment


We have received multiple incidents where users reported that after the patch was installed they rebooted their Windows 11 Enterprise devices and were presented with just the LocalAdmin account. There was no option to choose Other User or any other account.

We then tried all our common passwords and 1 of the passwords worked on 1 laptop, but on the other it did not work. So once we had logged in, when we navigated to Access work or school, there was no enrolment profile. If we click on Connect, Joining this device to AAD is not available.

We then enabled the Administrator account, deleted all the enrolment registry keys, rebooted, and the next time we logged in with the Administrator account we got the option to re-enrol.


After re-enrollment, a new user profile was created under the Users folder and we had to manually copy and paste the data from the old profile to the new one.


I tried searching for any known issues with the Aug patch but did not find any, and I am unsure what's happening with the devices.

Hi... 🙂 .. always nice to hear such things.... but care to explain yourself a little bit more... as Intune Enrollment... aka Autopilot or aka Autopilot pre-provisioning or just having an AADJ device and enrolling it into Intune 🙂

I am interested... that's for sure.. feel free to reach out on my Twitter... (as being logged in on all these forums 😛 )
Yes, they are Autopilot devices but AADJ only
As of a deployment of 5 Surface Pro 8s on Tuesday 8/16/2022 I am also having issues with Intune/Autopilot enrollment. I keep looking at health to see if there is a known issue. New machines with Windows 11. Hashes were all uploaded and tags with profiles were assigned. 2 of 5 even got as far as renaming the device. NONE enrolled in Intune but all are in Azure AD. I have been highly successful in the past with lots of deployments during covid where I never saw or touched the machine. I am not sure if Windows 11 or Surface Pro 8s are the issue or something else. The machines are in use but not being managed. I was able to ask one user to try enrolling using the Company Portal and he said no device was listed, but when he tried to enroll it said his device was already enrolled. I have no screenshots... just an email from the user. Hopefully I can learn more next week. Are others having issues?
Okay so no Autopilot pre-provisioning (Windows key 5 times etc etc) ... happen to know to which part it succeeds?

If you could run the wpr -start which I am explaining here
https://call4cloud.nl/2021/11/theres-someone-inside-your-etl/
You could determine where it breaks.. or send it to me (email address removed for privacy reasons) but if you send it to me .. also attach this zip

wget https://aka.ms/intuneps1 -outfile IntuneODCStandAlone.ps1
powerShell -ExecutionPolicy Bypass -File .\IntuneODCStandAlone.ps1
Sure, if we receive any other user's issue we will share the details.

I would like to explain it a bit more. Those devices were in fine condition until yesterday, before the patch was installed.

To get these logs, we need to log in to the laptop, but so far it's a 50% success rate for login. We tried pressing the Shift key + reboot, landed on the Advanced recovery options page, opened cmd and tried running the command from there, but it is not recognizing the LocalAdmin account.

We tried doing the system restore and uninstalling the update, but nothing is working on the Advanced recovery options page.
Almost sounds like the 2022-08 update and the BitLocker issue 🙂
Yes, almost. Because I have not yet seen any article or post that says it is actually breaking the Intune enrolment. Though I have opened a case with Intune support too, I have not heard back for the past 2 hours.
The end users who are using those devices are they admin or standard users?

If they lock the laptop, are they getting the Other user option on the lock screen?

If they navigate to HKLM-> Software-> Microsoft-> Enrollments. Are there Hexadecimal GUIDs available?

At last, go to Settings -> Accounts -> Access work or school -> Export your management log files. In that log file check the Device management logs. Do you find anything there?
But still... you are talking about it breaking the Intune enrollment... but at the same point you are telling us you can't login anymore (seems as the Azure AD MDM organization cert is gone)
dsregcmd /status
If you are experiencing this.... gather the logs send them to ms support ..................................................................................... or me 😛

run the wpr -start (before enrollment) which I am explaining here
https://call4cloud.nl/2021/11/theres-someone-inside-your-etl/

and

wget https://aka.ms/intuneps1 -outfile IntuneODCStandAlone.ps1
powerShell -ExecutionPolicy Bypass -File .\IntuneODCStandAlone.ps1
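As an added triage aid (not from this thread, Microsoft or the IntuneODC tool), the PowerShell below combines the HKLM\Software\Microsoft\Enrollments check suggested earlier with the dsregcmd /status check: it lists the GUID-named enrollment keys with their EnrollmentState and ProviderID, parses the join-state fields from dsregcmd, and reports whether the device still looks enrolled. It assumes the standard value names under those keys and takes EnrollmentState 1 as the value a completed enrollment shows; run it elevated on an affected device before deleting any keys.

```powershell
# Added triage script (not from the thread): summarise the device's MDM enrollment
# state from HKLM\SOFTWARE\Microsoft\Enrollments and dsregcmd /status.
# Run in an elevated PowerShell session on the affected device.

function Get-MdmEnrollmentSummary {
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    $guidPattern = '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$'

    # Each enrollment is a GUID-named subkey (other subkeys such as Context or
    # Status are skipped). A device that lost its enrollment typically has no such
    # subkey, or one whose EnrollmentState is not 1 (assumed: 1 = completed).
    $enrollments = Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $guidPattern } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Guid            = $_.PSChildName
                EnrollmentState = $p.EnrollmentState
                ProviderID      = $p.ProviderID
                UPN             = $p.UPN
                DiscoveryUrl    = $p.DiscoveryServiceFullURL
            }
        }

    # dsregcmd prints "Key : Value" lines; keep the join-state fields the thread looks at.
    $ds = @{}
    dsregcmd /status 2>$null | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $ds[$Matches[1]] = $Matches[2] }
    }

    $completed = @($enrollments | Where-Object { $_.EnrollmentState -eq 1 })
    [pscustomobject]@{
        AzureAdJoined    = $ds['AzureAdJoined']
        DomainJoined     = $ds['DomainJoined']
        EnterpriseJoined = $ds['EnterpriseJoined']
        MdmUrl           = $ds['MdmUrl']
        Enrollments      = @($enrollments)
        LooksEnrolled    = ($ds['AzureAdJoined'] -eq 'YES') -and ($completed.Count -gt 0)
    }
}

$summary = Get-MdmEnrollmentSummary
$summary | Format-List AzureAdJoined, DomainJoined, EnterpriseJoined, MdmUrl, LooksEnrolled
$summary.Enrollments | Format-Table -AutoSize
```

Export the Enrollments key (reg export) before removing anything so the original state is preserved for the support case.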
By breaking the Intune enrolment I meant: till yesterday the device was enrolled and was in running condition. After the patch installation, it broke the enrolment.

Even to run dsregcmd I need an account, and so far login with the LocalAdmin account has a 50% success rate.
I will wait for another user to report, and if I am able to log in to that machine I will fetch all the required details.

Yes, they are admins of their machines. Unfortunately I have no access to these devices. I do see them in Active Directory but they are grad students and in another state. I am not sure I will be able to get any of them to let me remote in. I will see if I can get a device log. All 5 grad students are unable to enroll via the Company Portal. The message they get is that they are already enrolled, yet no device is listed.

Today I got another device with the same issue; however, today I have a little more information.

When I opened CMD from the Advanced Recovery options, it was showing X:\Users\System32> and it was not giving any result to any command I tried: dsregcmd /status, dsregcmd.exe /status, winver.
I then changed the directory to C: and reran the commands. This time dsregcmd.exe gave me output: AzureAD Joined, DomainJoined, EnterpriseJoined are all NO, and the hostname is "minint-qclkmek".
Winver is showing the version as "Version DEV".
wget https://aka.ms/intuneps1 -outfile IntuneODCStandAlone.ps1
powerShell -ExecutionPolicy Bypass -File .\IntuneODCStandAlone.ps1

would love to take a look at the logs 🙂
Good morning. I would like to also add that as of the August update, 2 of my customers could no longer deploy the O365 apps. They timed out and caused ESP to fail. These have been working for over 6 months. I had to recreate the O365 apps as Win32 so I got around it, but as I mentioned, there were NO changes for months, and then since this update they are failing. 2 other colleagues are reporting profile assignment issues: they add the new device to the AP devices list, then the AAD dynamic group updates with the new device, however the deployment profile which is (already) assigned to the dynamic group never shows the new device (that's in the AAD group) as an assigned device.

Hey Rudy, what's the 2022-08 BitLocker issue? Thx!
Hi... ESP issues with the Office 365 CSP are indeed a common issue 🙂
https://call4cloud.nl/2021/02/office-csp-vs-win32app-dawn-of-justice/

It doesn't solve everything... but some 🙂 .. and indeed ...dynamic device groups and autopilot could indeed also cause some issues...
I was thinking this was related to my issues posted above, but the date was earlier than this report: https://admin.microsoft.com/AdminPortal/Home#/servicehealth/:/alerts/IT420414
Users can't enroll Autopilot-registered devices as MDM-only, and some devices won't be able to go through Autopilot
IT420414, Last updated: September 5, 2022 3:12 PM
Estimated start time: August 26, 2022 6:27 PM
Affected services: Microsoft Intune
Issue type: Advisory
Issue origin: Microsoft
Status: Service degradation
User impact: Users can't enroll Autopilot-registered devices as MDM-only, and some devices won't be able to go through Autopilot.
September 5, 2022 3:05 PM
Title: Users can't enroll Autopilot-registered devices as MDM-only, and some devices won't be able to go through Autopilot

User Impact: Users can't enroll Autopilot-registered devices as MDM-only, and some devices won't be able to go through Autopilot.

More info: For users who can't go through Autopilot, they can manually re-register the devices into Autopilot to remediate the impact.

Current status: The deployment of our fix has completely saturated the affected environment, but some users are still experiencing impact. We're investigating why some users are still experiencing this issue to aid us in creating a solution that completely remediates impact.

Scope of impact: Your organization is affected by this event and users trying to enroll Autopilot-registered devices as MDM-only are impacted.

Start time: Tuesday, August 16, 2022, 7:18 AM (11:18 AM UTC)

Root cause: A recent change to the Autopilot architecture resulted in MDM-only enrollments being blocked.

Next update by: Wednesday, September 7, 2022, 2:00 PM (6:00 PM UTC)