Forum Discussion
Intune Confusion
- Sep 14, 2025
Hi,
Intune Management Extension:
IME is responsible for running PowerShell scripts and Win32 app deployments, so a device will first get the IME after a proper app or script assignment.
The IME Service only runs when device configuration policies, Win32 app or Scripts deployments are targeted to the device
So it could be possible that the system with IME running has received a policy or app assignment which triggers it, while the others have not yet triggered IME because no applicable policies or apps are assigned (or successfully targeted) to them yet.
Device Only licensing:
These are intended for devices that are not user-affiliated, such as shared devices, kiosks, or hot desks.
MDMURL blank:
In the dsregcmd output, this can mean the device is only enrolled in device management mode (device-only enrollment) without a full MDM configuration profile or user MDM enrollment.
Questions:
Can you try to make an app deployment to those devices?
Check the Events under Event Viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider
Good luck!
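The checks suggested in the reply above, collected into one triage script. This is an added example and not part of the reply; it assumes the standard IME service name `IntuneManagementExtension`, the default IME log path under `C:\ProgramData`, and the enrollment keys under `HKLM:\SOFTWARE\Microsoft\Enrollments` as they appear on current Windows 10/11 builds. The numeric `EnrollmentType` value is printed raw rather than interpreted. Run it from an elevated PowerShell prompt on the affected workstation.

```powershell
# Added example, not from the original post: Intune enrollment / IME triage.
# Assumes default service name, log path and registry layout (see lead-in).

# 1. Is the Intune Management Extension installed and running?
#    Absence is expected until a Win32 app or PowerShell script is assigned to the device.
$ime = Get-Service -Name 'IntuneManagementExtension' -ErrorAction SilentlyContinue
if ($null -eq $ime) {
    Write-Host 'IME service not present: no Win32 app / script assignment has reached this device yet.'
} else {
    Write-Host "IME service status: $($ime.Status)"
}

# 2. Join and MDM state as dsregcmd reports it. A blank MdmUrl means no MDM enrollment
#    is recorded for the device; AzureAdJoined alone does not imply Intune enrollment.
$dsreg = dsregcmd /status
foreach ($key in 'AzureAdJoined', 'DomainJoined', 'MdmUrl', 'MdmTouUrl') {
    $line = $dsreg | Where-Object { $_ -match "^\s*$key\s*:" } | Select-Object -First 1
    if ($line) { Write-Host $line.Trim() } else { Write-Host "$key : (not reported)" }
}

# 3. Enrollment records: ProviderID 'MS DM Server' marks the Intune enrollment.
#    An empty UPN indicates a device-scoped (device-only) enrollment rather than a user one.
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.ProviderID -eq 'MS DM Server') {
            [pscustomobject]@{
                EnrollmentId    = $_.PSChildName
                EnrollmentType  = $p.EnrollmentType     # raw value, not interpreted here
                EnrollmentState = $p.EnrollmentState
                UPN             = $p.UPN
                DiscoveryUrl    = $p.DiscoveryServiceFullURL
            }
        }
    } | Format-Table -AutoSize

# 4. Recent errors/warnings from the DeviceManagement-Enterprise-Diagnostic-Provider log
#    named in the reply (Admin channel; enable the Debug channel in Event Viewer for OMA-DM detail).
$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostic-Provider/Admin'
Get-WinEvent -FilterHashtable @{ LogName = $logName; Level = 2, 3; StartTime = (Get-Date).AddDays(-1) } `
             -ErrorAction SilentlyContinue |
    Select-Object -First 15 TimeCreated, Id,
        @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# 5. Last HTTP auth failures the IME itself logged (401/403 lines).
$imeLog = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'
if (Test-Path -Path $imeLog) {
    Select-String -Path $imeLog -Pattern '\((401|403)\)|Unauthori[sz]ed|Forbidden' |
        Select-Object -Last 5 |
        ForEach-Object { $_.Line.Substring(0, [Math]::Min(200, $_.Line.Length)) }
} else {
    Write-Host 'IME log not found (IME not installed yet or custom log path).'
}
```

Read the output top to bottom: if step 1 shows no service and step 3 shows no `MS DM Server` entry, the device never finished MDM enrollment and the Event Viewer entries in step 4 will explain why; if enrollment exists but step 5 shows 401/403 responses, the device is enrolled and the problem is on the authorization side of the sync rather than the enrollment itself.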
Just an update on the below statement...
I've also created a PPKG file that I've placed upon a USB drive that executes AAD join and Intune enrollment (auto-enrollment enabled) within the workstation OOBE. The new system then downloads / installs all corporate software afterwards - so I'm actually quite happy with how this is now set up.
Can't really use Autopilot as we are a small(ish) business that does not purchase directly from the workstation manufacturer (thus cannot get the hardware hash pre-deployment) but the USB PPKG approach will definitely suffice and is considerably better than what we are doing at the moment.
This approach strangely only works intermittently. AAD Join is always successful, as is Intune Enrollment. However, randomly (it is random - I've tested this heavily and there is no logic or pattern that I can identify) one of the following can occur:
Scenario 1 - The first AAD user logs into the Intune Plan 1 Device Only workstation and policies and software download and install / apply without issue - syncs continue to function. A second person logs in and the workstation will not sync with the resulting sync error below.
Scenario 2 - The first AAD user logs into the Intune Plan 1 Device Only workstation and policies download, IME installs as software is deployed to the workstation in question, then the sync error below starts to occur and syncs fail thereafter and software is not installed. However, other users can log into the workstation and sync functions without issue.
One of the above scenarios is occurring every time I use the PPKG / USB drive solution. I need a rock solid solution and it appears this is not it.
SYNC ERROR
Event Viewer (MDM 'Sync' log) = MDM Session: OMA-DM message failed to be sent. Result: Forbidden (403)
IME.log = The remote server returned an error: (401) Unauthorised.
Windows MDM Sync Status (Settings > Accounts > Work / School > MDM) = 0x80190190 Bad request (400).
I just wanted to share this so nobody thought the PPKG / USB drive was a solid solution. Back to the drawing board. Might have to be AAD join > Manual Enrollment via Settings > Accounts > Work / School > MDM using a DEM account. Will see if that is any more stable. Failing that - I might just give up and look at 'User' licenses rather than Device Only.
Cheers.