Forum Discussion
Problems enrolling devices into Intune
Hi,
We're deploying our machines to Intune, using a GPO. Most of the times everything works fine, but I still have about 300 machines which didn't get into Intune, and now we're analyzing why.
After reading a bit, I've found that most of the devices which are not getting into Intune is because they are not enrolling with the user in Azure AD.
So after the machine gets into the domain, it will go to Azure AD Devices as well, as Hybrid Azure AD Joined, which is fine. But when Owner field is not populated with the user, the device will not join Intune.
Looking at those machines, and running the command "dsregcmd /status", the ones which are not ok, in the "SSO State" area, have the following error:
Server Error Code : interaction_required
Server Error Description : AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0000-c000-000000000000'.
The users can logon to Azure AD with their MFA working fine. So any clue on how can I correct this issue?
I've read about disabling security defaults in Azure AD, but in our case, it's already disabled.
Thanks
Hi, So you are running a hybrid setup and those are existing devices. You have made sure those devices are in scope of the azure ad connect instance.
You are mentioning "they are not enrolling with the user in Azure AD.". Could you explain this a little bit more? Could you also confirm if those devices are azure ad joined and domain joined when looking at the dsregcmd status. While at it , I assume the azureprt is also "yes"
Troubleshoot questions:
*Anything in the DeviceManagement-Enterprise-Diagnostic-Provider > Admin.
*Could you confirm the task schedules have been created
Enable automatic MDM enrollment for Azure Ad joined Devices (call4cloud.nl)
Resume: I guess we need some more info.... 🙂
- dmarquesgnIron ContributorHi,
Thanks for the reply.
What I mean they are not enrolling correctly in Azure AD is that, after we join the devices (Windows 10 and 11 devices) to our onprem AD, they sync to Azure AD, so I can see them in Azure AD, but on this cases they don't get an Owner attribute, like the screenshot attached. When they don't get the owner attribute, they are not enrolled into Intune.
https://wetransfer.com/downloads/83a2c1886d87b8886bbb62541e94fc7520220414084043/33003d55320bf529fd4f6fde54bdbeab20220414084059/714328
Also, on the link bellow you can see one example of the dsregcmd /status. I've redacted some areas, but you can see the AzurePrt is NO, and the reason why.
https://we.tl/t-34rNN0x1OU
Thanks- Just to be sure... the people who are working on that device.. do they even have a intune license applied and in the MDM scope?
Did you have taken a look at the event log DeviceManagement-Enterprise-Diagnostic-Provider .. it should mention something
No old lingering enrollments?
https://call4cloud.nl/2021/04/alice-and-the-device-certificate/#part2
Also worth trying.. what happens when you use a filter to exclude azure ad hybrid devices from mfa? so you could rule out the mfa issue
- aollivierre305Brass Contributor
- Ensure Modern Auth is enabled in the Org settings under admin.microsoft.com
- Disable sec defaults
- Disable the classic per user MFA and use CA policies to enforce MFA instead
- Target all users all cloud apps all devices all locations with Grant and Require MFA via CA policy
- Exclude Break the Glass accounts (max 2 Break the glass accounts are fine) from the CA policy
- Exclude SMTP accounts from the CA policy or move SMTP traffic to a third party like SMTP2GO and then create a CA policy to block legacy auth all together in the tenant
- Disable all forms of legacy auth/basic auth the Org settings under admin.microsoft.com
- see again if Devices are now auto enrolling into Intune ~300 are quite high number and there has to be a good reason
- dmarquesgnIron ContributorHi,
Thanks for the notes and tips. Some of those we are already implementing, but some of those mess with the users, so they need to be done carefully. And some might impact legacy stuff, which needs to be considered carefully.
On the meanwhile of course I would like to debug this cases so I can understand what is going on and try to fix it.
Thanks- blaubachCopper Contributor
dmarquesgn Any update on this, I am having exactly the same issue you are. Thanks in advance!