Forum Discussion
Problems enrolling devices into Intune
Hi, We're deploying our machines to Intune, using a GPO. Most of the times everything works fine, but I still have about 300 machines which didn't get into Intune, and now we're analyzing why. A...
Hi, So you are running a hybrid setup and those are existing devices. You have made sure those devices are in scope of the azure ad connect instance.
You are mentioning "they are not enrolling with the user in Azure AD.". Could you explain this a little bit more? Could you also confirm if those devices are azure ad joined and domain joined when looking at the dsregcmd status. While at it , I assume the azureprt is also "yes"
Troubleshoot questions:
*Anything in the DeviceManagement-Enterprise-Diagnostic-Provider > Admin.
*Could you confirm the task schedules have been created
Enable automatic MDM enrollment for Azure Ad joined Devices (call4cloud.nl)
Resume: I guess we need some more info.... 🙂
Hi,
Thanks for the reply.
What I mean they are not enrolling correctly in Azure AD is that, after we join the devices (Windows 10 and 11 devices) to our onprem AD, they sync to Azure AD, so I can see them in Azure AD, but on this cases they don't get an Owner attribute, like the screenshot attached. When they don't get the owner attribute, they are not enrolled into Intune.
https://wetransfer.com/downloads/83a2c1886d87b8886bbb62541e94fc7520220414084043/33003d55320bf529fd4f6fde54bdbeab20220414084059/714328
Also, on the link bellow you can see one example of the dsregcmd /status. I've redacted some areas, but you can see the AzurePrt is NO, and the reason why.
https://we.tl/t-34rNN0x1OU
Thanks
Thanks for the reply.
What I mean they are not enrolling correctly in Azure AD is that, after we join the devices (Windows 10 and 11 devices) to our onprem AD, they sync to Azure AD, so I can see them in Azure AD, but on this cases they don't get an Owner attribute, like the screenshot attached. When they don't get the owner attribute, they are not enrolled into Intune.
https://wetransfer.com/downloads/83a2c1886d87b8886bbb62541e94fc7520220414084043/33003d55320bf529fd4f6fde54bdbeab20220414084059/714328
Also, on the link bellow you can see one example of the dsregcmd /status. I've redacted some areas, but you can see the AzurePrt is NO, and the reason why.
https://we.tl/t-34rNN0x1OU
Thanks
- Just to be sure... the people who are working on that device.. do they even have a intune license applied and in the MDM scope?
Did you have taken a look at the event log DeviceManagement-Enterprise-Diagnostic-Provider .. it should mention something
No old lingering enrollments?
https://call4cloud.nl/2021/04/alice-and-the-device-certificate/#part2
Also worth trying.. what happens when you use a filter to exclude azure ad hybrid devices from mfa? so you could rule out the mfa issue- Licensing is fine, as we have M365 E5 for all of them, and some are enrolling fine in Intune.
I'll get those Logs to try to check if something there might help.
I could use a filter to exclude MFA, but in fact all of our users have MFA, and some of them enroll just fine in Intune, while some others don't, so I don't really think it's MFA related.
I'll start by getting the Logs from those machines and check those.
I'll post after I read the Logs.
Thanks- Hi,
I've got already the logs from some of the devices.
On the Operational Log there are no errors.
On the Admin Log I've got 3 events repeated from 5 to 5 minutes, events 80, 90 and 76.
Event 80 - Warning - Auto MDM Enroll DmRaiseToastNotificationAndWait Failure (Unknown Win32 Error code: 0x8018002a)
Event 90 - Information - Auto MDM Enroll Get AAD Token: Device Credential (0x0), Resource Url (https://enrollment.manage.microsoft.com/), Resource Url 2 (NULL), Status (Unknown Win32 Error code: 0x8018002a)
Event 76 - Error - Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x8018002a).
So seems the device is not authenticating correctly in Azure AD from my little understanding. Is there any way to force it to sync with AAD or debug the reason why it's not getting an authentication in AAD?
Thanks
