Forum Discussion

Dragos_Dimitriu
Copper Contributor
Jan 27, 2023

Device registered to Azure AD not showing in Endpoint Manager

Hello everyone,

 

We have a Hybrid Azure AD environment and we're experiencing a problem with some computers registered to Hybrid Azure AD but now showing in endpoint manager .  For each of these computers, we have validated the follows :

- all have been registered to Azure AD and show as Hybrid Azure AD joined

- the output of the dsregcmd /status command shows that the computer:

  1. is local AD joined
  2. is Azure AD joined
  3. has the correct MDM URLs provided
  4. has an AzureAdPrt token (SSO state)
  5. users have an Intune licence assigned
  6. the Automatic domain join task runs without any errors (checked in Event Viewer), except for warnings referring to Windows Hello for Business not being launched, which is expected behaviour since Windows Hello was disabled from Endpoint Manager - Windows enrollment

We have also tried dsregcmd /leave and /join a couple of times, with the same behaviour: the computer ends up Hybrid Azure AD joined but is not showing in Endpoint Manager.

I have pasted the dsregcmd /status output below (sensitive info blanked).

Does anyone have any idea why this happens?

+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+

AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : YES
DomainName : [Deleted]
Device Name : [Deleted]

+----------------------------------------------------------------------+
| Device Details |
+----------------------------------------------------------------------+

DeviceId : [Deleted]
Thumbprint : 78D841E138601196E60CEFC7C38E97216BF896B0
DeviceCertificateValidity : [ 2023-01-26 12:18:39.000 UTC -- 2033-01-26 12:48:39.000 UTC ]
KeyContainerId : 3c5200a7-a479-4b04-bf84-3c5247a13d9e
KeyProvider : Microsoft Platform Crypto Provider
TpmProtected : YES
DeviceAuthStatus : SUCCESS

+----------------------------------------------------------------------+
| Tenant Details |
+----------------------------------------------------------------------+

TenantName : [Deleted]
TenantId : [Deleted]
Idp : login.windows.net
AuthCodeUrl : https://login.microsoftonline.com/d5cc540e-b65b-4b39-a22d-361e2a7a81af/oauth2/authorize
AccessTokenUrl : https://login.microsoftonline.com/d5cc540e-b65b-4b39-a22d-361e2a7a81af/oauth2/token
MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
MdmTouUrl : https://portal.manage.microsoft.com/TermsofUse.aspx
MdmComplianceUrl : https://portal.manage.microsoft.com/?portalAction=Compliance
SettingsUrl : eyJVcmlzIjpbImh0dHBzOi8va2FpbGFuaTYub25lLm1pY3Jvc29mdC5jb20vIiwiaHR0cHM6Ly9rYWlsYW5pNy5vbmUubWljcm9zb2Z0LmNvbS8iXX0=
JoinSrvVersion : 2.0
JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
KeySrvVersion : 1.0
KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
WebAuthNSrvVersion : 1.0
WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/d5cc540e-b65b-4b39-a22d-361e2a7a81af/
WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
DeviceManagementSrvVer : 1.0
DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/d5cc540e-b65b-4b39-a22d-361e2a7a81af/
DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net

+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+

NgcSet : NO
WorkplaceJoined : NO
WamDefaultSet : YES
WamDefaultAuthority : organizations
WamDefaultId : https://login.microsoft.com
WamDefaultGUID : {B16898C6-A148-4967-9171-64D755DA8520} (AzureAd)

+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+

AzureAdPrt : YES
AzureAdPrtUpdateTime : 2023-01-27 05:38:37.000 UTC
AzureAdPrtExpiryTime : 2023-02-10 05:38:40.000 UTC
AzureAdPrtAuthority : https://login.microsoftonline.com/d5cc540e-b65b-4b39-a22d-361e2a7a81af
EnterprisePrt : NO
EnterprisePrtAuthority :
OnPremTgt : NO
CloudTgt : NO
KerbTopLevelNames :

+----------------------------------------------------------------------+
| Diagnostic Data |
+----------------------------------------------------------------------+

AadRecoveryEnabled : NO
Executing Account Name : [Deleted]
KeySignTest : PASSED

DisplayNameUpdated : Managed by MDM
OsVersionUpdated : Managed by MDM
HostNameUpdated : YES

Last HostName Update : NONE

+----------------------------------------------------------------------+
| IE Proxy Config for Current User |
+----------------------------------------------------------------------+

Auto Detect Settings : YES
Auto-Configuration URL :
Proxy Server List :
Proxy Bypass List :

+----------------------------------------------------------------------+
| WinHttp Default Proxy Config |
+----------------------------------------------------------------------+

Access Type : DIRECT

+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+

IsDeviceJoined : YES
IsUserAzureAD : YES
PolicyEnabled : NO
PostLogonEnabled : YES
DeviceEligible : YES
SessionIsNotRemote : YES
CertEnrollment : none
PreReqResult : WillNotProvision
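The checklist in the post above (Hybrid join state, MDM URLs, PRT validity, the auto-enrollment task and its event log) can be collected from the affected device in one pass. The following PowerShell script is an added example and is not code from this thread or from Microsoft; it parses the dsregcmd /status output shown above and reports each prerequisite as a boolean. The registry paths (the MDM policy key written by the auto-enrollment GPO and the Enrollments key with ProviderID "MS DM Server"), the scheduled-task folder \Microsoft\Windows\EnterpriseMgmt\ and the DeviceManagement-Enterprise-Diagnostics-Provider/Admin log name are assumptions based on how the enrollment client is commonly documented, not values taken from the thread.

```powershell
# Added example, not code from the thread: summarise the Hybrid Azure AD join and
# Intune auto-enrollment prerequisites listed in the original post, on one device.
# Run in an elevated PowerShell session on the affected machine.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines inside boxed sections. The first
    # colon separates key from value, so URLs in the value keep their own colons.
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $status[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $status
}

function ConvertFrom-DsregTime {
    # dsregcmd prints timestamps as "2023-02-10 05:38:40.000 UTC"
    param([string]$Value)
    if (-not $Value) { return $null }
    return [datetime]::ParseExact($Value.Replace(' UTC', ''),
        'yyyy-MM-dd HH:mm:ss.fff',
        [System.Globalization.CultureInfo]::InvariantCulture)
}

function Test-IntuneEnrollmentPrereqs {
    $s = Get-DsregStatus
    $prtExpiry = ConvertFrom-DsregTime $s['AzureAdPrtExpiryTime']

    # Assumption: the "Enable automatic MDM enrollment using default Azure AD
    # credentials" GPO writes AutoEnrollMDM=1 under this policy key.
    $mdmPolicy = Get-ItemProperty `
        -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' `
        -ErrorAction SilentlyContinue

    # Assumption: a completed Intune enrollment is recorded under
    # HKLM\SOFTWARE\Microsoft\Enrollments\<GUID> with ProviderID "MS DM Server".
    $enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' }

    # Assumption: the auto-enrollment scheduled task lives in this task folder.
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue

    # Recent errors (Level 2) from the enrollment client's own diagnostic log.
    $enrollErrors = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level   = 2
    } -MaxEvents 10 -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        AzureAdJoined          = $s['AzureAdJoined'] -eq 'YES'
        DomainJoined           = $s['DomainJoined'] -eq 'YES'
        HybridJoined           = ($s['AzureAdJoined'] -eq 'YES') -and ($s['DomainJoined'] -eq 'YES')
        MdmUrlConfigured       = $s['MdmUrl'] -like 'https://*'
        AzureAdPrt             = $s['AzureAdPrt'] -eq 'YES'
        # Compare the parsed UTC wall-clock time against UtcNow; DateTime comparison ignores Kind.
        PrtValid               = ($null -ne $prtExpiry) -and ($prtExpiry -gt [datetime]::UtcNow)
        AutoEnrollPolicySet    = $mdmPolicy.AutoEnrollMDM -eq 1
        IntuneEnrollmentSeen   = @($enrollments).Count -gt 0
        EnrollmentTasks        = @($tasks | ForEach-Object { "$($_.TaskName): $($_.State)" })
        RecentEnrollmentErrors = @($enrollErrors | ForEach-Object {
            "$($_.TimeCreated) id=$($_.Id) $($_.Message -split "`n" | Select-Object -First 1)"
        })
    }
}

Test-IntuneEnrollmentPrereqs | Format-List
```

On a device in the state shown above, HybridJoined, MdmUrlConfigured, AzureAdPrt and PrtValid would all come back True, so the properties worth reading first are AutoEnrollPolicySet, EnrollmentTasks and RecentEnrollmentErrors: a device that is joined but never enrolled typically has no enrollment record at all, and the reason is usually visible in the diagnostic log rather than in dsregcmd output.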

  • Hi...

    1. I assume you configured the GPO to enable the MDM/Intune enrollment?
    2. Could you check out the "DeviceManagement-Enterprise-Diagnostics-Provider" event log, as it should give you some more information on where to start.
    3. If you happen to spot an error, you could check out this blog:
       https://call4cloud.nl/2022/06/how-to-get-the-intune-enrollment-errors-outta-your-**bleep**/
       It lists most of the common errors you could run into when enrolling your device into Intune.
    4. Besides troubleshooting this issue, did you happen to try to enroll a device manually with deviceenroller.exe, as mentioned here?
       https://call4cloud.nl/2020/05/intune-auto-mdm-enrollment-for-devices-already-azure-ad-joined/
  • Zebwen
    Copper Contributor
    Did you manage to find a solution to this? I am experiencing the exact same issue. The device is stating that it is registered in dsregcmd but is not picking up any policy and is not showing in Endpoint Manager.
    • rahuljindal-MVP
      Bronze Contributor
      Do you have MDM enrollment configured correctly in Intune? Any device enrollment restrictions in Intune? Any CA policies?
      • Zebwen
        Copper Contributor

        rahuljindal-MVP

        Hi, thanks for your response.

        MDM enrollment is configured (and works fine for other devices). There are no device enrollment restrictions for Windows (see screenshot below).

        We do have conditional access policies; the one that this user account is using (confirmed by a What If test) is very basic and only requires MFA, as below:

    • Dragos_Dimitriu
      Copper Contributor

      Zebwen, no, I have checked everything (GPOs, MDM settings in Endpoint Manager, task errors in Event Viewer, dsregcmd /status; as I have mentioned, I have tried leaving and rejoining a couple of times). Similar to your situation, all other devices have joined without problems.

      • Zebwen
        Copper Contributor
        Are other new devices (since you attempted this one) joining and enrolling in Intune correctly?
  • DCozzy
    Copper Contributor
    Did you manage to solve this issue? I am experiencing the same with 2 recent AVD deployments.