Troubleshooting Intune Deployment Failures

Josh Kennedy 0

Hello, I need help with Intune deployment failures for Autopilot/ESP. Since August 22, our deployments have been failing. They fail on Apps(Identifying).

UPDATE 9/11: We determined (Shout out @Rudy Ooms ), that only the T480 devices are affected. On the same network, was able to deploy T460 and T14 with no issues same deployment). Seems to be something with T480 model.

The devices are starting from OOBE state with Windows 11. The issue started right around when we received 2408 release wave, we are in North America 0602 region.

Example of failed logs indicate firewall blocking traffic, however I've tested on multiple networks including hotspot, same issue. Deployments only go through when NOT using a Lenovo T480 model. Unfortunately, we use the T480 for our main devices.

Let me know any questions or suggestions please - need help getting this resolved. Ticket in with MS but slow movement.

Example of failed logs = intunemanagementextension.log

FIRST: [IsWebExceptionRetryable] web exception status = SecureChannelFailure

NEXT: [SendWebRequestInternal] Web Exception occurs when sending network request, non-retryable, the exception is System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.

at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)

at System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization)

--- End of stack trace from previous location where exception was thrown ---

at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)

at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.EmsServiceBase.

Mo Farook 0 Reputation points

2024-10-03T00:10:05.5133333+00:00

I have worked on similar issue

Refer below link. this should help

https://call4cloud.nl/2024/09/securechannelfailure-apps-failed/

4 answers

VarunTha 8,060 Reputation points Microsoft Vendor

2024-09-09T15:39:05.9166667+00:00

Hi Josh Kennedy,
Intune is currently not supported in the Q&A forums, the supported products are listed over here https://learn.microsoft.com/en-us/answers/products (more to be added later on).

You can ask the experts in the dedicated Intune forum over here: https://techcommunity.microsoft.com/t5/microsoft-intune/bd-p/Microsoft-Intune

Please don't forget to Accept answer and close this thread.
Thank you.
Please sign in to rate this answer.
Pavel yannara Mirochnitchenko 12,576 Reputation points MVP

2024-09-09T20:21:10.8566667+00:00

Intune is supported in Q&A forums and also #Autopilot is here with its own hashtag.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Pavel yannara Mirochnitchenko 12,576 Reputation points MVP

2024-09-09T20:45:27.61+00:00

Are you only deploying W365 machines or also physical? On physical devices I would recommend to rely on this script first:

https://oofhours.com/2023/12/27/use-the-new-community-modules-for-autopilot/
Please sign in to rate this answer.
Josh Kennedy 0 Reputation points

2024-09-10T13:22:11.9633333+00:00

Hey there - thanks for your reply. We are using the following script to obtain the Autopilot hardware hash (Connect device to internet in OOBE and then run the below script off flash drive). I can look at changing this, but unsure if that has anything to do with the error, as the devices are already adding to AP without issue.

Thoughts?

$SerialNumber = (Get-CimInstance Win32_BIOS).SerialNumber

$OutputFilePath = "D:\HWID$SerialNumber.csv"

if (-not (Test-Path -Path (Split-Path $OutputFilePath))){

New-Item -ItemType Directory -Path (Split-Path $OutputFilePath) -Force

}

$PreviousExecutionPolicy = Get-ExecutionPolicy -Scope Process

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force

if(-not (Get-Module -Name "Get-WindowsAutoPilotInfo" -ListAvailable)){

Install-Module -Name "Get-WindowsAutoPilotInfo"

}

Get-WindowsAutoPilotInfo -OutputFile $OutputFilePath -ErrorAction Stop

Set-ExecutionPolicy -Scope Process -ExecutionPolicy $PreviousExecutionPolicy -Force

Pavel yannara Mirochnitchenko 12,576 Reputation points MVP

2024-09-10T21:31:08.13+00:00

@Josh Kennedy you missed my point. When ESP fails, install and execute the Get-AutopilotDiagnosticsCommunity.ps1 script. It will mark you the phase where are you failing. It is not about device hash script at all :)

Josh Kennedy 0 Reputation points

2024-09-12T03:01:29.56+00:00

@Pavel yannara Mirochnitchenko Thank you for clarifying this. Much appreciated.

I can try this out tomorrow, maybe it will help. We just found that ONLY T480 devices have issues, every other model works. It is very odd. I've got lots of logs and fiddler logs and such.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
ZhoumingDuan-MSFT 13,085 Reputation points Microsoft Vendor

2024-09-10T02:23:53.7666667+00:00

@Josh Kennedy,Thanks for posting in Q&A.

From your description, I know you have trouble in Intune Autopilot Deployment.

To clarify this issue, could you share with us what kind of device failed deployment? Windows 365 device or physical device? If it is physical device, please check the following.

1.What kind of Autopilot deployment mode have you configure?

2.Check whether the device meet the requirements mentioned in the link.

https://learn.microsoft.com/en-us/autopilot/requirements?tabs=networking

3.Please share with us if there is some error message during ESP stage.

4.Check if there exist relate error in Event Viewer at Application and Services Logs -> Microsoft -> Windows -> ModernDeployment-Diagnostics-Provider -> Autopilot.

https://learn.microsoft.com/en-us/autopilot/troubleshooting-faq#what-do-the-different-event-ids-mean-in-the-windows-autopilot-event-log-entries-in-event-viewer-

5.Check the registry key to see if the device revived Autopilot profile settings at HKLM\SOFTWARE\Microsoft\Provisioning\Diagnostics\Autopilot.

https://learn.microsoft.com/en-us/autopilot/troubleshooting-faq#where-are-the-windows-autopilot-profile-settings-received-from-the-windows-autopilot-deployment-service-stored-

And there are some links about troubleshooting Autopilot deployment failure you can refer.

https://www.anoopcnair.com/windows-autopilot-troubleshooting-guide/

https://oofhours.com/2020/07/12/windows-autopilot-diagnostics-digging-deeper/

Non-official, just for reference.

If there is any update, feel free to let me know.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.
Josh Kennedy 0 Reputation points

2024-09-10T13:54:46.1066667+00:00

Hey there. Thanks for your reply.
To clarify, when we go through Autopilot, on ESP it hangs on Apps(Identifying) pictured below when using Autopilot V1. When we use V2, it says the deployment was successful , but does not include any apps. I have also tried turning off assignments for all apps, scripts, and configurations, and it still hangs. When we spin up a Windows 365 cloud PC, using the same assignments as failed V1 / V2, it goes through and apps / scripts / configs work.

I have tested on many networks in the NA 0602 region and all fail, even hot spots.

I have configured both Autopilot V1 and V2 (Device Preparation policies) to test both.

Device does meet all requirements.

Pictured below.

I did not find any of those error types in the event viewer.

Device seems to have received AP settings, but we did find the CloudAssignedOOBEConfig value was listed as 0x0000051e (1310)

Thank you for any additional assistance you can provide. We are anxious to figure this one out as we are not able to deploy successfully

Example log below of failure log

intunemanagementextension.log

Josh Kennedy 0 Reputation points

2024-09-10T14:03:35.62+00:00

@ZhoumingDuan-MSFT

Thanks for your reply. I have tested on both physical and 365. 365 works, physical does not. My theory is something to do with release wave 2408 as it works in 365 cloud PC but not North America 0602, and issue started the day we got 2408.

I have configured both Autopilot V1 and V2 (Device Preparation Policies)

Device meets requirements

Was not able to locate related errors to this in the specified area

Device appears to have recieved autopilot settings, however we did see that CloudAssignedoobeConfig value was 0x0000051e (1310)

Thank you for your assist, also attaching an example of failed logs below. Let me know if you require any additional info as we are unable to deploy machines through ESP at this time.

intunemanagementextension.log

ZhoumingDuan-MSFT 13,085 Reputation points Microsoft Vendor

2024-09-11T08:21:05.5766667+00:00

@Josh Kennedy, Thanks for your reply.

As you are anxious to figure this one out and cannot be able to deploy successfully, after reading the log you provided, there no more helpful information for the error, it is suggested that you open an online case to analyze the failure log

https://learn.microsoft.com/en-us/mem/get-support

Also, I will do an Autopilot v2 testing and if there is any update, I will share it with you.

Thanks for your kind understanding.

Josh Kennedy 0 Reputation points

2024-09-12T02:48:22.08+00:00

@ZhoumingDuan-MSFT Thank you for your prompt replies. I will open an online case, I do have a case with Microsoft Intune already..

We did have a break through, that it is only occurring on Lenovo T480 devices. On the same network, we are seeing both T14 and T460 go through without issue using same deployment that the T480 is failing on.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Nick Eckermann 576 Reputation points

2024-09-10T20:37:45.1766667+00:00

Use the shift f10 option to get a command prompt and troubleshoot the network issue for the device after the failure.

Are you deploying any Windows firewall configuration or rules to the device?
If you have a configuration that says enable block outbound by default turned on and the firewall rules you are applying are not on the device it will start to block traffic. We have seen this in the past cause issues.
Check your firewall config.
Please sign in to rate this answer.
Josh Kennedy 0 Reputation points

2024-09-11T03:46:45.9+00:00

Thank you for your reply!I have tested on my hotspot, work and home network, and verified the connecting goes through. As for the laptop, it is coming from oobe, but Azure was also double checked.

Josh Kennedy 0 Reputation points

2024-09-12T02:44:09.86+00:00

Hey there @Nick Eckermann . We were able to determine the issue is specific to the T480 Lenovo model. On the same network, we deployed a T460 and T14 with no issue.

Trying to figure out what to do now.

Nick Eckermann 576 Reputation points

2024-09-12T02:58:21.44+00:00

Can you collect the full logs on the device and attach them..https://github.com/markstan/IntuneOneDataCollector

Josh Kennedy 0 Reputation points

2024-09-12T03:07:25.3566667+00:00

@Nick Eckermann absolutely. I have actually collected many logs, and can take a look at the GitHub you sent. I have the logs on a Google Drive due to size limitations, and can share that with you.

The T480 did not go through (the same network issue on Apps(Identifying), the T460 went through (did have a few issues but we haven't deployed T460 in a while). But the T460 and a T14 we tested did go through fine (I have logs for the T14 also). All targeted same network same deployment.
https://drive.google.com/drive/folders/111EChAxwOEbYgR7FlRHEWX_hA0dONRoL?usp=sharing

Josh Kennedy 0 Reputation points

2024-09-12T03:11:00.7766667+00:00

@Nick Eckermann thank you for your prompt reply. I have attached full logs for both the T460 and the T480, and also have logs for the T14 that worked. All on same network same deployment. Linked below due to size limitations.

https://drive.google.com/drive/folders/111EChAxwOEbYgR7FlRHEWX_hA0dONRoL?usp=sharing

Josh Kennedy 0 Reputation points

2024-09-12T03:13:50.0433333+00:00

@Nick Eckermann Thank you for your prompt reply. I do have some useful logs, what is the best way to get them to you? I have some in a Google Doc link, some of the fiddler logs are rather large. Microsoft had me run the following scripts:
Please collect the ODC from the scoped affected device PF1H232Z and working device T460. Please run these commands 1 by 1 in PowerShell (elevated) in the affected device: 1) wget https://link.edgepilot.com/s/44971e30/H5qdcZsBbk6FDVl71IQr5w?u=https://aka.ms/intunexml -outfile Intune.xml 2) wget https://link.edgepilot.com/s/07d211af/1cgPVIo790SXu64Y84iYVA?u=https://aka.ms/intuneps1 -outfile IntuneODCStandAlone.ps1 3) powerShell -ExecutionPolicy Bypass -File .\IntuneODCStandAlone.ps1 Please wait for the last command to finish as it will open a progress box (can take 10-20 minutes) and after that it will finish (as it will wrap up the collected data) and automatically open the directory in File explorer where the folder name CollectedData (zip folder will be present).

Nick Eckermann 576 Reputation points

2024-09-16T14:22:43.0233333+00:00

Nothing stands out to me with those logs. Any update from your case?

Josh Kennedy 0 Reputation points

2024-09-17T02:18:04.9466667+00:00

Nothing yet. They referenced me to Lenovo, upon which Lenovo said T480 is compatible. Then a manager seemingly emailed back...
We highly value your time and are committed to assisting you in resolving your issue as swiftly and efficiently as possible. Following our conversation with [initial Microsoft Rep] , it has come to our attention that the issue is happening with set of Lenovo devices and the issue started post 2408 release.

Our goal is to provide seamless support, but it appears we have fallen short in this instance. It's possible that there might have been some discrepancies in the information provided to you. We deeply regret any inconvenience this situation may have caused you.

Still waiting on a reply as I indicated the T480 is still having issues going through Autopilot / ESP.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Troubleshooting Intune Deployment Failures

4 answers

Your answer