HELP: Windows Autopilot Hybrid Join takes too much time

Visitor

Hello people,
currently I have the problem that during the Windows Autopilot installation process the device takes too long in the ESP window during Account Setup.


We are using the following setup:
- Hybrid AD Join
- Windows Autopilot
- Deployment duration (+2h)

 

For a pure Windows Autopilot deployment via Azure AD, it only takes me 8 minutes.

The following things I have checked or are working:
- Firewall rule, 443, 80 is allowed.
- Intune AD Connector has been configured and is active (forest, sync, etc.)
- Computer objects are created in the correct OU on the local AD


Now here come my questions:

Do any Group Policies prohibit the ESP process from not completing?
Visually, the Hybrid AD Join works and the device is in the domain after the two hours. But what bothers me is that the configuration profile for the AD Join in Endpoint Manager does not switch to Applicable.

 

- I have authorized the Intune Connector on my Autopilot join organizational unit in AD.
- I have enabled synchronization of the Autopilot OU on the connector ("customize synchronization options" and so on).
- I created the forest ("configure device option" and so on).
- The Intune Connector in the Endpoint Manager has the green status Active.


I have not done the following things:
- I have not enabled/created any special Group Policies.
- I have not enabled "Configure Device Writeback" under "Configure Device Option".

 

Do any of you know what the problem could be? Packet timeouts from the client show up on the firewalls, and I see that on the Account Setup item on the ESP page "Joining your organization Network" is set to "in progress" for two hours. It seems that some communication between on-premises AD and Azure AD is not working 100% and it is getting a timeout. The Endpoint Manager also does not get a status that the device has joined the local domain, although the computer object has already been created and the device has landed in the domain.

 

1 Reply
Hello Dave
I would start by reviewing the TS steps for this phase. For this, check: https://docs.microsoft.com/en-us/troubleshoot/mem/intune/understand-troubleshoot-esp#account-setup

Regards,

Juan S.