Forum Discussion

dmarquesgn's avatar
dmarquesgn
Iron Contributor
Apr 13, 2022

Problems enrolling devices into Intune

Hi,

 

We're deploying our machines to Intune, using a GPO. Most of the times everything works fine, but I still have about 300 machines which didn't get into Intune, and now we're analyzing why.

After reading a bit, I've found that most of the devices which are not getting into Intune is because they are not enrolling with the user in Azure AD.

So after the machine gets into the domain, it will go to Azure AD Devices as well, as Hybrid Azure AD Joined, which is fine. But when Owner field is not populated with the user, the device will not join Intune.

 

Looking at those machines, and running the command "dsregcmd /status", the ones which are not ok, in the "SSO State" area, have the following error:

Server Error Code : interaction_required
Server Error Description : AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0000-c000-000000000000'.

 

The users can logon to Azure AD with their MFA working fine. So any clue on how can I correct this issue?
I've read about disabling security defaults in Azure AD, but in our case, it's already disabled.

 

Thanks

  • dmarquesgn 

     

    Hi, So you are running a hybrid setup and those are existing devices. You have made sure those devices are in scope of the azure ad  connect instance.

     

    You are mentioning "they are not enrolling with the user in Azure AD.". Could you explain this a little bit more? Could you also confirm if those devices are azure ad joined  and domain joined when looking at the dsregcmd status. While at it , I assume the azureprt is also "yes"

     

    Troubleshoot questions: 

    *Anything in the  DeviceManagement-Enterprise-Diagnostic-Provider > Admin.

    *Could you confirm the task schedules have been created

     

    Enable automatic MDM enrollment for Azure Ad joined Devices (call4cloud.nl)

     

    Resume: I guess we need some more info.... 🙂 

  • dmarquesgn 

     

    - Ensure Modern Auth is enabled in the Org settings under admin.microsoft.com

    - Disable sec defaults

    - Disable the classic per user MFA and use CA policies to enforce MFA instead

    - Target all users all cloud apps all devices all locations with Grant and Require MFA via CA policy

    - Exclude Break the Glass accounts (max 2 Break the glass accounts are fine) from the CA policy

    - Exclude SMTP accounts from the CA policy or move SMTP traffic to a third party like SMTP2GO and then create a CA policy to block legacy auth all together in the tenant

    - Disable all forms of legacy auth/basic auth the Org settings under admin.microsoft.com

    - see again if Devices are now auto enrolling into Intune ~300 are quite high number and there has to be a good reason

    • dmarquesgn's avatar
      dmarquesgn
      Iron Contributor
      Hi,

      Thanks for the notes and tips. Some of those we are already implementing, but some of those mess with the users, so they need to be done carefully. And some might impact legacy stuff, which needs to be considered carefully.
      On the meanwhile of course I would like to debug this cases so I can understand what is going on and try to fix it.

      Thanks
      • blaubach's avatar
        blaubach
        Copper Contributor

        dmarquesgn Any update on this, I am having exactly the same issue you are.  Thanks in advance!

Resources