Jan

@IntuneSuppTeam Have you heard any reports of required Win32 apps not installing during the Autopilot ESP? We are seeing this intermittently in various countries. #Autopilot #Intune

@IntuneSuppTeam @Mister_MDM Microsoft has apparently 'fixed' the problem in the service. You may want to retry now if you did experience the issue.

@IntuneSuppTeam something seems broken (intermittently) with Autopilot. The profiles are not reliably delivered at OOBE. A restart often times seems to help. Anything you can share on this please? @Mister_MDM, maybe you have some valuable insights? :-)

@PerLarsen1975 @IntuneSuppTeam @Mister_MDM Seeing in both scenarios, so firewall/proxies can probably be ruled out.

@dobrigod @IntuneSuppTeam @Mister_MDM Are you provisioning straight on the internet or do you have firwall/proxy servers in the mix?

@Mister_MDM @RoyTrizzle Exactly. But having to reprovision devices because of 1 missing/corrupted cert would be a pain.

@dobrigod @RoyTrizzle Well if that cert is gone the entra join is gone… i know the intune mdm crrt has a built in recovery… but entra … not

⚠️ Heads up!!! Big warning for HP AI Devices! ⚠️ Some of HP’s latest Next Gen AI PCs, including the EliteBook X Flip G1i, are getting the updated OneAgent 1.2.50.9581 build. That version seems to run a cleanup script removing any certificate containing “1E” in its subject .... which can delete the MS-Organization-Access cert. Once that happens, your device is no longer Entra joined or Intune Enrolled!. #Intune #MSIntune #Windows #Windows11 #Entra

@Mister_MDM @RoyTrizzle Curious to see if you have any suggestions how to a) prevent Entra ID join certificate modifications by rogue processes b) if that cert gets deleted, can you gracefully recover from that without needing to reprovision the device.

@RoyTrizzle Nope and the best thing if it only removed the intune cert… thst wouldnt be a problem :)… it will come back automaticallt (writing the blog post now)

@Mister_MDM @h1ghju1ce The BitLocker issue seems to have been resolved for us. No action required on our end, they fixed it (rolled back something?) in the service. Not sure how GA'ing 'Windows Backup for Organizations' would be related to this though.

@h1ghju1ce Bitlocker :) patchmypc.com/blog/bitlocker…

Important: Update on the Intune Service Side Issues UPDATE: A temporary workaround, creating a new group and moving users from the existing group to the new one... which "could" fix it :) UPDATE 2: Issue seems to be ack by Intune… with it, a message will be posted in the message center (soon … I hope :) )🤞🏽 UPDATE 3: Having as well Autopilot Issues and you are in those tenants... upgrade to the Windows August build before enrollment.... (and if you are running into #WindowsAutopilot issues... please reach out... I want to check something) Read more in the post below @IntuneSuppTeam #Intune #MSIntune #WindowsAutopilot

@IntuneSuppTeam, are you aware of any issues where MDM BitLocker policies are not honored in time, leading to devices encrypted at the wrong level? Anything in the Intune August release that may have introduced an issue (RACE condition) in MDM policy delivery? #MDM #Autopilot

@RoyTrizzle @IntuneSuppTeam You can see this in the IME log file. Compare one from today to one from a few weeks ago and you should see the same.

@dobrigod @IntuneSuppTeam Eeekk.. got a source for that or did you see this in cache?

@IntuneSuppTeam Intune PowerShell scripts are no longer getting delivered in our tenant. I hear that other customers are reporting the same issue. Do you have any Information that you can share about this?

@IntuneSuppTeam @RoyTrizzle It appears that the sudden increase in the size of the payload is due to the fact that the 'EncryptedPolicyBody' property is now populated with a long base64 value, pretty much doubling the size of the payload. Why are those type of changes not properly tested/communicated?

@IntuneSuppTeam @RoyTrizzle Apparently there is a 2MB overall payload limit for #Intune #Powershell scripts. This is different from the 200KB per script. Would be good to know if that has always been there or if that was recently introduced. I don't recall seeing anything about that in the documentation.

@IntuneSuppTeam Hi team, just to clarify. The issue is not that the scripts are not showing in the Intune console. The issue is that the script are not delivered to endpoints. Are we talking about the same issue?

@dobrigod Hi Jan, thanks for flagging! We are aware of the issue, and it is being looked into internally. In the interim, can you remove the status column, and let us know if this helps to load the scripts? Thanks! ^IH

@SteffenAtCloud @IntuneSuppTeam Manually triggering the Tpm-HASCertRetr scheduled task seems to help in many cases. Are you still seeing the issue?

@IntuneSuppTeam Seeing multiple #Intune tenants where #BitLocker compliance is not give for newly enrolled devices (no error shown). Multiple restarts and syncs do not help. Issue persists - even after multiple hours. Encryption report is looking good.

@IntuneSuppTeam, I've noticed a lot of [AgentCommon] messages in the IME log file during Autopilot. It seems to prolong the duration of the ESP Account phase, adding a number of minutes to the overall process. Any idea if this was a recent addition to the IME?

@IntuneSuppTeam, do you have any additional information that you can share about Intune Service Degradation Advisory IT867628: 'Some users can't check in devices managed through Microsoft Intune'?

@IntuneSuppTeam @banterci We have been seeing similar issues since last Thursday. It's intermittent, one day it works, the next it does not. The URL for us seems to be in EMEIA: euprodimedatasec.azureedge.net/IntuneWindowsA…

@banterci Hi, Josh! We had a look and nothing currently flagged on our end around this behavior. We were also unable to repro this behavior on our end. If you're still encountering further issues with this, could you DM us with more info, so we can look further into this? Thanks! ^MS

Hey @IntuneSuppTeam, seeing IntuneManagementExtension not downloading on devices, when hitting naprodimedatasec.azureedge.net/intunewindowsa… direct, getting "BlobNotFound". Can you confirm if this is an issue on your end?

@Mister_MDM @IntuneSuppTeam It looks like this:

@dobrigod @IntuneSuppTeam Just wondering but is it happening on the apps part as shown below? or?

@IntuneSuppTeam we are seeing issues with Autopilot getting stuck on the ESP page during the Account phase. Have you heard anything to that extend?

@mniehaus Looks like it's working for me now. I believe the issue was that I wasn't 'Internet connected' during the initial boot to OOBE. That's when the AUTOPILOT_MARKER seems to get created. Thanks for your help with this, much appreciated!

@dobrigod I believe so, yes. I didn't verify the exact point (start of OOBE vs. running the script), but it seems logical that grabbing the hash would do it.

Windows Autopilot testing with VMs oofhours.com/2023/08/23/win…