Forum Discussion
Device registered to Azure AD not showing in Endpoint Manager
Hello everyone,
We have a Hybrid Azure AD environment and we're experiencing a problem with some computers registered to Hybrid Azure AD but not showing in Endpoint Manager. For each of these computers, we have validated the following:
- all have been registered to Azure AD and show as Hybrid Azure AD joined
- the output of the dsregcmd /status command shows that the computer is:
  - local AD joined
  - Azure AD joined
  - provided with the correct MDM URLs
  - holding an AzureAdPrt token in SSO state
- users have an Intune licence assigned
- the Automatic domain join task runs without any errors (checked in Event Viewer), except for warnings referring to Windows Hello for Business not being launched, which is expected behaviour since Windows Hello was disabled from Endpoint Manager - Windows enrollment
We have also tried dsregcmd /leave and /join a couple of times, with the same behaviour: the computer ends up Hybrid Azure AD joined but not showing in Endpoint Manager.
I have pasted the dsregcmd /status output below (sensitive info blanked out).
Does anyone have any idea why this happens?
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : YES
DomainName : [Deleted]
Device Name : [Deleted]
+----------------------------------------------------------------------+
| Device Details |
+----------------------------------------------------------------------+
DeviceId : [Deleted]
Thumbprint : 78D841E138601196E60CEFC7C38E97216BF896B0
DeviceCertificateValidity : [ 2023-01-26 12:18:39.000 UTC -- 2033-01-26 12:48:39.000 UTC ]
KeyContainerId : 3c5200a7-a479-4b04-bf84-3c5247a13d9e
KeyProvider : Microsoft Platform Crypto Provider
TpmProtected : YES
DeviceAuthStatus : SUCCESS
+----------------------------------------------------------------------+
| Tenant Details |
+----------------------------------------------------------------------+
TenantName : [Deleted]
TenantId : [Deleted]
Idp : login.windows.net
AuthCodeUrl : https://login.microsoftonline.com/d5cc540e-b65b-4b39-a22d-361e2a7a81af/oauth2/authorize
AccessTokenUrl : https://login.microsoftonline.com/d5cc540e-b65b-4b39-a22d-361e2a7a81af/oauth2/token
MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
MdmTouUrl : https://portal.manage.microsoft.com/TermsofUse.aspx
MdmComplianceUrl : https://portal.manage.microsoft.com/?portalAction=Compliance
SettingsUrl : eyJVcmlzIjpbImh0dHBzOi8va2FpbGFuaTYub25lLm1pY3Jvc29mdC5jb20vIiwiaHR0cHM6Ly9rYWlsYW5pNy5vbmUubWljcm9zb2Z0LmNvbS8iXX0=
JoinSrvVersion : 2.0
JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
KeySrvVersion : 1.0
KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
WebAuthNSrvVersion : 1.0
WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/d5cc540e-b65b-4b39-a22d-361e2a7a81af/
WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
DeviceManagementSrvVer : 1.0
DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/d5cc540e-b65b-4b39-a22d-361e2a7a81af/
DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
NgcSet : NO
WorkplaceJoined : NO
WamDefaultSet : YES
WamDefaultAuthority : organizations
WamDefaultId : https://login.microsoft.com
WamDefaultGUID : {B16898C6-A148-4967-9171-64D755DA8520} (AzureAd)
+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+
AzureAdPrt : YES
AzureAdPrtUpdateTime : 2023-01-27 05:38:37.000 UTC
AzureAdPrtExpiryTime : 2023-02-10 05:38:40.000 UTC
AzureAdPrtAuthority : https://login.microsoftonline.com/d5cc540e-b65b-4b39-a22d-361e2a7a81af
EnterprisePrt : NO
EnterprisePrtAuthority :
OnPremTgt : NO
CloudTgt : NO
KerbTopLevelNames :
+----------------------------------------------------------------------+
| Diagnostic Data |
+----------------------------------------------------------------------+
AadRecoveryEnabled : NO
Executing Account Name : [Deleted]
KeySignTest : PASSED
DisplayNameUpdated : Managed by MDM
OsVersionUpdated : Managed by MDM
HostNameUpdated : YES
Last HostName Update : NONE
+----------------------------------------------------------------------+
| IE Proxy Config for Current User |
+----------------------------------------------------------------------+
Auto Detect Settings : YES
Auto-Configuration URL :
Proxy Server List :
Proxy Bypass List :
+----------------------------------------------------------------------+
| WinHttp Default Proxy Config |
+----------------------------------------------------------------------+
Access Type : DIRECT
+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+
IsDeviceJoined : YES
IsUserAzureAD : YES
PolicyEnabled : NO
PostLogonEnabled : YES
DeviceEligible : YES
SessionIsNotRemote : YES
CertEnrollment : none
PreReqResult : WillNotProvision
- Hi...
  1. I assume you configured the GPO to enable the MDM/Intune enrollment?
  2. Could you check out the "Devicemanagement-Enterprise-Diagnostics-Provider" event log, as it should give you some more information on where to start?
  3. If you happen to spot an error, you could check out this blog:
  https://call4cloud.nl/2022/06/how-to-get-the-intune-enrollment-errors-outta-your-**bleep**/
  It lists most of the most common errors you could run into when enrolling your device into Intune.
  4. Besides troubleshooting this issue, did you happen to try to enroll a device manually with deviceenroller.exe, as mentioned here?
  https://call4cloud.nl/2020/05/intune-auto-mdm-enrollment-for-devices-already-azure-ad-joined/
- Zebwen (Copper Contributor)
Did you manage to find a solution to this? I am experiencing the exact same issue. The device is stating that it is registered in dsregcmd but is not picking up any policy and is not showing in Endpoint Manager.
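The checks suggested in the reply above (auto-enrollment GPO, enrollment scheduled task, enrollment event log), collected in one script alongside the dsregcmd fields the original post relies on. This is an added example, not code from the thread or from the linked blog; it assumes the auto-enrollment GPO writes AutoEnrollMDM and UseAADCredentialType under the MDM policy key named below, and that the enrollment client logs to the DeviceManagement-Enterprise-Diagnostics-Provider/Admin channel.

```powershell
# Added example: gather the Intune auto-enrollment evidence on a Hybrid Azure AD
# joined Windows device. Run in an elevated PowerShell session on the affected machine.
$report = [ordered]@{}

# 1. dsregcmd /status: the fields the original post checks by hand.
#    The regex anchors on "<field> :" so AzureAdPrt does not match AzureAdPrtUpdateTime.
$status = dsregcmd /status
foreach ($field in 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt', 'MdmUrl', 'TpmProtected') {
    $line = $status | Where-Object { $_ -match "^\s*$field\s*:" } | Select-Object -First 1
    # Split on the first colon only, so URL values keep their "https:" prefix.
    $report[$field] = if ($line) { ($line -split ':', 2)[1].Trim() } else { 'not found' }
}

# 2. GPO "Enable automatic MDM enrollment using default Azure AD credentials"
#    (assumed registry location; AutoEnrollMDM = 1 when the policy is enabled).
$mdmKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$gpo = Get-ItemProperty -Path $mdmKey -ErrorAction SilentlyContinue
$report['AutoEnrollMDM']        = if ($gpo) { $gpo.AutoEnrollMDM } else { 'policy key missing' }
$report['UseAADCredentialType'] = if ($gpo) { $gpo.UseAADCredentialType } else { 'policy key missing' }

# 3. The scheduled task the enrollment client creates to auto-enroll from AAD.
#    A missing task usually means the GPO never applied; a non-zero LastTaskResult
#    means it ran and failed, which the event log below should explain.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
        Where-Object TaskName -like '*automatically enrolling in MDM from AAD*' |
        Select-Object -First 1
$report['EnrollTask'] = if ($task) {
    $info = Get-ScheduledTaskInfo -InputObject $task
    "$($task.State); last run $($info.LastRunTime); last result $($info.LastTaskResult)"
} else { 'task missing' }

# 4. Error-level events from the enrollment diagnostics log (step 2 of the reply).
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$errors = Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2; StartTime = (Get-Date).AddDays(-7) } `
              -ErrorAction SilentlyContinue |
          Select-Object -First 10 TimeCreated, Id, Message

[pscustomobject]$report | Format-List
if ($errors) { $errors | Format-Table -Wrap } else { 'No enrollment errors logged in the last 7 days' }
```

A device that reports AzureAdJoined YES, AzureAdPrt YES and a valid MdmUrl but has no enrollment task or AutoEnrollMDM value has never been told to enroll, which is a different failure from a task that runs and logs an error.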
- rahuljindal-MVP (Bronze Contributor)
Do you have MDM enrollment configured correctly in Intune? Any device enrollment restrictions in Intune? Any CA policies?
- Zebwen (Copper Contributor)
Hi, thanks for your response.
MDM enrollment is configured (and works fine for other devices). There are no device enrollment restrictions for Windows (see screenshot below).
We do have conditional access policies, the one that this user account is using (confirmed by a what if test) is very basic and only requires MFA, as below:
- Dragos_Dimitriu (Copper Contributor)
Zebwen, no, I have checked everything (GPOs, MDM settings in Endpoint Manager, task errors in Event Viewer, dsregcmd /status, and, as I have mentioned, I have tried leaving and rejoining a couple of times). Similar to your situation, all other devices have joined without problems.
- Zebwen (Copper Contributor)
Are other new devices (since you attempted this one) joining and enrolling in Intune correctly?
- DCozzy (Copper Contributor)
Did you manage to solve this issue? I am experiencing the same with 2 recent AVD deployments.