Fix account sign in loop after device enrollment

Hello,

We have an issue in our organization where some devices we enrol get in a sign in loop after a few days. More specifically, the way we've set up our environment is as follows:

- Devices are primarily managed by MECM so in order to enable co-management we add them to a collection called Pilot Co-Managed Devices.

- We then add the devices to an on-premises AD group in order to enable hybrid join.

- After the devices are hybrid joined we add them to an MEM group called Pilot Co-Managed devices in order for them to get the policies we have set up.

We've done that for about 600 devices. Now, a very small percentage of those (around 12 devices) develop the above-mentioned issue after a few days. All Microsoft products show a Fix Account error, same with Windows, and the only way to solve it is to effectively offboard the device. When clicking on Fix Account either nothing happens or the sign-in window keeps popping up. I've also sometimes noticed the device registration window flashing. Under email accounts there are two identical ones appearing, with the only difference being that one of them says "All apps can sign you in" and the other says "Microsoft apps can sign you in". From my understanding the problem is that the AD registered and the hybrid joined accounts don't merge. Two of those devices were working fine and the error occurred when the user changed their password because it had expired.

Any ideas? I'd really appreciate anyone's help!

Hi,

Any Conditional Access or security baselines we should be aware of?
Do you have any good reasons to go hybrid? Like device authentication etc.?

What does dsregcmd /status tell you?
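As an added illustration of the dsregcmd /status check suggested here, and of the "two accounts that don't merge" symptom from the opening post, the script below (my own example, not from this thread or from Microsoft) parses dsregcmd /status output and flags the dual state in which a device is both hybrid Azure AD joined and separately workplace registered, or is hybrid joined without a Primary Refresh Token. The function names are mine; the sample output is constructed.

```powershell
# Added example: parse `dsregcmd /status` and classify the device join state.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Matches "   AzureAdJoined : YES"; banner and separator lines are skipped.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

function Test-DeviceJoinState {
    param([hashtable]$State)
    $findings = @()
    $hybrid     = ($State['AzureAdJoined'] -eq 'YES') -and ($State['DomainJoined'] -eq 'YES')
    $registered = ($State['WorkplaceJoined'] -eq 'YES')
    if ($hybrid -and $registered) {
        # A hybrid join and a separate workplace (Azure AD) registration coexist.
        $findings += 'Dual state: hybrid joined AND workplace registered; the stale registration should be removed.'
    }
    if ($hybrid -and ($State['AzureAdPrt'] -ne 'YES')) {
        $findings += 'No Primary Refresh Token (AzureAdPrt is not YES); expect repeated sign-in prompts.'
    }
    if (-not $hybrid -and -not $registered) { $findings += 'Device is neither Azure AD joined nor registered.' }
    if ($findings.Count -eq 0) { $findings += 'Join state looks healthy.' }
    return $findings
}

# Constructed sample resembling an affected device (not a real capture).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
| User State                                                           |
                    NgcSet : NO
           WorkplaceJoined : YES
| SSO State                                                            |
                AzureAdPrt : NO
'@ -split "`r?`n"

Test-DeviceJoinState (ConvertFrom-DsregStatus $sample)
# On a real device: Test-DeviceJoinState (ConvertFrom-DsregStatus (dsregcmd /status))
```

With the constructed sample the script reports both the dual state and the missing PRT; a healthy hybrid device shows AzureAdJoined, DomainJoined and AzureAdPrt as YES with WorkplaceJoined NO.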
Hello, thank you for your reply.

No conditional access but we do have a security baseline set for Defender which applies to the MEM group. I'm troubleshooting one of those devices currently and I have enrolled it to Intune but haven't added it to the MEM group in order to see if it develops the same issue. It usually happens after a couple of days so I should definitely know by tomorrow.

We went hybrid because we still need the on-premises MECM so Co-Management is the only option at this point. Dsreg shows everything is normal, as a successfully enrolled device.
Hi, it's indeed a good way to test if existing policies are giving you issues... please report back when you know if the baseline could be the issue.
Hello, it does look like the security baseline is causing the issue. Thanks for pointing me in that direction. Now to find exactly which part of it is the cause!

Hi, thanks for replying back... I would love to hear what broke the account sign-in from the security baseline.. (I am assuming you used the built-in Security Baseline for Windows 10 or later?)

Maybe something to do with the credential guard being enabled or something like that?

Hello
I'm actually having the same problem with a similar set-up (Intune computers, only a very small percentage are giving us this problem).
We also have Conditional Access regarding those computers, but it affects users that are excluded from it.
Can you please share how you resolved the problem in the end?

@GiladD1240 

Hello, we had a similar situation. The problem disappeared after we performed account opening or verification (MFA) in MsOffice 365 products. Then we excluded the MFA of MSOffice applications with Conditional access. In this case, users who had a problem only in case of password change were informed to log in to MsOffice 365 applications with their new passwords.