Nov 02 2021 08:29 AM
Hello,
We have an issue in our organization where some devices we enrol get in a sign in loop after a few days. More specifically, the way we've set up our environment is as follows:
- Devices are primarily managed by MECM so in order to enable co-management we add them to a collection called Pilot Co-Managed Devices.
- We then add the devices to an on-premises AD group in order to enable hybrid join.
- After the devices are hybrid joined we add them to an MEM group called Pilot Co-Managed devices in order for them to get the policies we have set up.
We've done that for about 600 devices. Now, a very small percentage of those (around 12 devices) develop the above-mentioned issue after a few days. All Microsoft products show a Fix Account error, same with Windows, and the only way to solve it is to effectively offboard the device. When clicking on Fix Account either nothing happens or the sign-in window keeps popping up. I've also sometimes noticed the device registration window flashing. Under email accounts there are two identical ones appearing with the only difference being one of them says All apps can sign you in and the other says Microsoft Apps can sign you in. From my understanding the problem is that the AD registered and the hybrid joined accounts don't merge. Two of those devices were working fine and the error occurred when the user changed their password because it had expired.
Any ideas? I'd really appreciate anyone's help!
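The "AD registered and hybrid joined accounts don't merge" symptom described above corresponds to a device that reports both `AzureAdJoined : YES` (together with `DomainJoined : YES`) and `WorkplaceJoined : YES` in `dsregcmd /status`. The following PowerShell is an added example written for this thread, not code from the original poster or from Microsoft; it parses that output, flags the dual state, and reads the documented `BlockAADWorkplaceJoin` policy value so an admin can triage the affected devices before offboarding them. The sample status text embedded at the bottom is constructed for illustration, and the function names `Get-DeviceJoinState` and `Test-WorkplaceJoinBlocked` are this example's own.

```powershell
# Added example (not from the original thread): detect the hybrid-joined + Azure AD registered
# "dual state" from dsregcmd /status, which matches the symptom described in the question.

function Get-DeviceJoinState {
    param(
        # Raw lines of 'dsregcmd /status'. Defaults to running the tool on the local machine;
        # pass captured text (e.g. collected from a remote device) to analyse it offline.
        [string[]]$StatusText = (& dsregcmd.exe /status)
    )

    # dsregcmd prints "Name : Value" rows; collect them into a lookup table.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }

    $domainJoined    = $fields['DomainJoined']    -eq 'YES'
    $azureAdJoined   = $fields['AzureAdJoined']   -eq 'YES'
    $workplaceJoined = $fields['WorkplaceJoined'] -eq 'YES'   # user-level Azure AD registration
    $hybridJoined    = $domainJoined -and $azureAdJoined

    [pscustomobject]@{
        DeviceId        = $fields['DeviceId']
        TenantName      = $fields['TenantName']
        DomainJoined    = $domainJoined
        AzureAdJoined   = $azureAdJoined
        HybridJoined    = $hybridJoined
        WorkplaceJoined = $workplaceJoined
        # Both states at once is the condition that produces duplicate work accounts
        # ("All apps can sign you in" next to "Microsoft apps can sign you in").
        DualState       = $hybridJoined -and $workplaceJoined
    }
}

function Test-WorkplaceJoinBlocked {
    # Documented policy value that prevents users from adding an Azure AD registered
    # state on a device that is already hybrid joined. Returns $true when it is set to 1.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    $value = (Get-ItemProperty -Path $key -Name BlockAADWorkplaceJoin -ErrorAction SilentlyContinue).BlockAADWorkplaceJoin
    return ($value -eq 1)
}

# --- Constructed sample output (trimmed) for a device in the dual state ---------------------
$sampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
                  DeviceId : 00000000-1111-2222-3333-444444444444
                TenantName : Contoso Ltd
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : YES
'@ -split "`r?`n"

$state = Get-DeviceJoinState -StatusText $sampleStatus
$state | Format-List

if ($state.DualState) {
    Write-Warning "Device $($state.DeviceId) is hybrid joined AND Azure AD registered; expect Fix Account / sign-in loops."
    if (-not (Test-WorkplaceJoinBlocked)) {
        Write-Warning "BlockAADWorkplaceJoin is not set; new devices can still end up in this dual state."
    }
}
```

Run `Get-DeviceJoinState` without arguments on the affected machine to inspect it live; a `DualState` of `True` confirms the merge problem the question describes, and the registry check tells you whether the remaining fleet is protected from drifting into the same state during enrolment.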
Nov 02 2021 11:12 PM
Nov 04 2021 06:59 AM
Nov 05 2021 12:00 AM
Nov 08 2021 02:41 AM
Nov 08 2021 02:44 AM - edited Nov 08 2021 02:48 AM
Hi, thanks for replying back... I would love to hear what broke the account sign-in from the security baseline.. (I am assuming you used the built-in security baseline for Windows 10 or later?)
Maybe something to do with the credential guard being enabled or something like that?
Apr 15 2024 12:20 AM
Apr 15 2024 02:00 AM - edited Apr 15 2024 02:04 AM
Hello, we had a similar situation. The problem disappeared after we performed account opening or verification (MFA) in MS Office 365 products. Then we excluded the MFA of MS Office applications with Conditional Access. In this case, users who had a problem only in case of password change were informed to log in to MS Office 365 applications with their new passwords.