Autopilot Hybrid Azure Join – Stuck on “Profile Downloaded”

There is a lot of good information out there already for troubleshooting Autopilot Hybrid Azure Join. I’d recommend the incredibly detailed page at Out of Office hours. It outlines the first steps you should take to troubleshoot Hybrid Azure Join, and you can find it here.

Instead, I’m going to focus on one particular error I came across in my adventures with Autopilot: why Autopilot gets stuck on the “Profile downloaded” step and never continues. Interestingly, the issue I encountered actually prevented the machine from moving on to the “something went wrong” screen.

[Screenshot: Autopilot stuck on “Profile downloaded”, with “ODJ applied” showing “No”.]
Is this even really an error? Note that ODJ applied is “No”, and we’re stuck on “Profile downloaded”.

I was like a lot of admins that run into Hybrid Azure Join problems… stuck on the dreaded “Please wait while we set up your device…” during the OOBE. I had double checked all the steps that Michael outlined in his post and yet I still couldn’t get the ODJ Connector logs to show anything but “nothing to do.” The only difference was the machine would never move past the “please wait” messaging, and would sit there until the end of time if I let it. It never presented an error.

Get-AutoPilotDiagnostics

Just a quick note here. The above screenshot is from a script that helps troubleshoot Autopilot, called Get-AutoPilotDiagnostics. If you’re having problems with Autopilot, start with this script. You can find more information here.

The Autopilot “Profile Downloaded” Problem

The screenshot above is really stupid and misleading. It’s worded in a way that makes you think it has communicated and enrolled in Intune, but that’s not the case.

In my case, I spent hours trying to figure out what was going wrong with the domain join profile. I looked at the ODJ connector itself (including the server it was hosted on), and wasted time wiping VM after VM thinking it was an OS issue at the root.

Instead, it was so much simpler. In fact, that screenshot IS misleading. The machine hasn’t enrolled with Intune yet; it is in some sort of stuck state where the device is waiting for the Intune enrollment to happen, but it never will. The reason is that, as configured in Intune, the user who is trying to enroll doesn’t have permission to. In my case, I did this with an enrollment manager account, but I assume this would happen for any user account.

Within Intune, navigate to Devices -> Windows -> Windows Enrollment -> Automatic Enrollment. Double check your settings for “MDM user scope.” In my case, we had allowed only some users to enroll.

You can see, I only had this scoped to 1 group, which the user I was using to enroll was not part of.

Changing this over from “Some” to “All” would be a simple fix, but if you need more control you could scope this to additional groups. Alternatively, you could add the user to the group to which it is scoped (if applicable).
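The same check can be scripted instead of clicked through. The following is an added example, not part of the original post: it reads the MDM user scope through Microsoft Graph and reports whether a given user falls inside it. It assumes the Microsoft.Graph.Authentication module, the beta `policies/mobileDeviceManagementPolicies` endpoint and the read scopes shown; `$UserPrincipalName` is a placeholder parameter.

```powershell
# Added example: is this user inside the "MDM user scope" (None / Some / All)?
# Assumptions: Microsoft.Graph.Authentication is installed and the signed-in
# admin can consent to the read-only scopes below.
param(
    [Parameter(Mandatory)]
    [string]$UserPrincipalName   # placeholder: the account used during OOBE
)

$base = 'https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies'
Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All', 'GroupMember.Read.All'

$user     = [uri]::EscapeDataString($UserPrincipalName)
$policies = @((Invoke-MgGraphRequest -Method GET -Uri $base).value)

foreach ($policy in $policies) {
    $inScope = $false
    $matched = @()

    if ($policy.appliesTo -eq 'all') {
        $inScope = $true                       # "All": every user may enroll
    }
    elseif ($policy.appliesTo -eq 'selected') {
        # "Some": enrollment is limited to the groups listed on the policy
        $groups = @((Invoke-MgGraphRequest -Method GET `
                    -Uri "$base/$($policy.id)/includedGroups").value)
        $ids = @($groups | ForEach-Object { $_.id })

        # checkMemberGroups resolves nested membership; max 20 ids per call
        for ($i = 0; $i -lt $ids.Count; $i += 20) {
            $last = [Math]::Min($i + 19, $ids.Count - 1)
            [string[]]$chunk = @($ids[$i..$last])
            $body = @{ groupIds = $chunk } | ConvertTo-Json
            $hit  = (Invoke-MgGraphRequest -Method POST -Body $body `
                    -ContentType 'application/json' `
                    -Uri "https://graph.microsoft.com/v1.0/users/$user/checkMemberGroups").value
            $matched += @($groups | Where-Object { $hit -contains $_.id } |
                          ForEach-Object { $_.displayName })
        }
        $inScope = $matched.Count -gt 0
    }
    # appliesTo 'none' leaves $inScope at $false: nobody can auto-enroll

    [pscustomobject]@{
        Policy        = $policy.displayName
        AppliesTo     = $policy.appliesTo
        UserInScope   = $inScope
        MatchedGroups = $matched -join ', '
    }
}
```

A row with `AppliesTo` of `selected` and `UserInScope` of `False` for the Intune policy corresponds to the stuck state described above.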

Once you’ve completed that, you may have luck, and it may start working afterwards. If not, again I strongly recommend you read over the document at OOFHours.

It would be nice to have Microsoft implement some error handling in this scenario. Perhaps having Autopilot error out suggesting that the user does not have permissions.
