Support Tip: Enrolled Windows 10 devices not able to use the CP app to install available apps
Published Jan 24 2019 09:40 PM 31.7K Views

By Scott Duffey | Intune Sr. PM


Update to the post as of March 5, 2019: 

We’ve been working on a solution and are pleased to share we’ll be rolling out some changes to resolve this known issue in the March (1903) Intune service release.

The Company Portal enrollment message was caused by the affected devices not having an Intune Primary User assigned. We've ensured that a Primary User will be correctly added for devices enrolled through Auto MDM Enrollment with AAD Token, Autopilot Hybrid Azure AD Join, and ConfigMgr co-management. We also expect to back-fill devices that were already enrolled without a Primary User so that they have this information.

 

In addition, we will be introducing a new capability specifically for shared devices that were bulk Azure AD Joined and automatically enrolled into Intune (this includes devices that were bulk provisioned with "Set up School PCs" or "Windows Configuration Designer"). Since these devices are used by multiple Windows users rather than a single Primary User, we've made a few changes to the way the Company Portal detects the enrollment state. The end result of these changes is that end users of bulk-enrolled devices will be able to use the Company Portal to acquire available apps.

We thank you for your patience while we engineered a solution. Again, we expect these changes to ship in the March Intune release.

 

Original post: 

We have received a few cases and are aware of an issue where some enrolled Windows 10 devices are not able to use the Company Portal app to install available apps. The end user experience is that there are no available apps in the Company Portal.

 

Here are the details of this known issue. Note that there is more than one affected workflow:

  • Devices are enrolled into Intune through Group Policy auto-enrollment. The policy path is: Computer Configuration > Administrative Templates > Windows Components > MDM > Auto MDM Enrollment with AAD Token
  • Devices are enrolled using an Autopilot profile with Hybrid Azure AD Join (Preview)

 

End users may see the following message when launching the Company Portal app: "This device hasn't been set up for corporate use yet. Select this message to begin setup."

 

[Image: my devices.png]

 

We are investigating these scenarios further and working on a solution (or solutions) depending on configuration. There is an immediate workaround regardless of how the device was enrolled: make the affected apps required instead of available.

 

Post updated:

  • March 5, 2019: added details on a resolution coming in an upcoming release.
52 Comments
Brass Contributor

Same issue when devices are bulk enrolled with a "Windows Configuration Designer" package. @Intune_Support_Team, please add to the roadmap when this can be resolved and also when we can change the owner of a device in Intune.

Brass Contributor
I've been struggling with this issue for days. Please let us know when a real fix is found.
Brass Contributor

I also took a device for testing where I had the problem... after a complete reinstallation it works now...

 

I also found some settings from Intune profiles vs. GPOs which can block each other without this being shown in Intune reporting (server or client).

Another big problem for a lot of people is setting the background or lock screen picture, which doesn't really work with Intune... I will also try to troubleshoot GPO-related settings in the registry which can cause a "block" for Intune...

Steel Contributor

Yup, this is happening to our PCs currently; looking forward to the next update.

Copper Contributor

I have this exact issue as well.

Microsoft

@Elvar Aðalgeirsson Thanks for the comment. You're right, bulk enrolled devices are not able to use the Company Portal. We've heard the request and are looking into it right now. Stay tuned.

Microsoft

Thanks for the feedback @MatAitAzzouzene, @m_krone, @Paul Youngberg, @Alex Laurie - will update this post when we have news for you.

Copper Contributor

@Scott Duffey Any news about that? We have exactly the same problem when devices are enrolled using an Autopilot profile with Azure AD Join (not hybrid).

Microsoft

@gerlach_6300, If these are AzureAD Autopilot profiles you might be hitting something unrelated. Make sure the user signed into the company portal is the same user who did the enrollment into Intune. 

Copper Contributor

@Scott Duffey, we are using Windows Autopilot self-deploying mode, so the enrollment into Intune is done even before the user ever logs on. Moreover, we have the same issues as described above:

  • The following message in CP: This device hasn’t been set up for corporate use yet. Select this message to begin setup
  • If an app is marked as required the installation works
Copper Contributor

@Scott Duffey Thanks for taking the time to reply; we have this issue on about half our workforce. It only recently started happening, since about November last year. I had multiple tickets opened with MS Support but no resolution. We have recently completed our SOC2 audit with the AICPA and we received non-conformities for our use of Microsoft Intune, as devices are failing to enrol successfully and, when they were enrolled, at least a third were misreporting as non-compliant although when you drill through the report, all items were in fact compliant. Furthermore, it was embarrassing explaining to auditors that the reports we used to be able to provide for items such as hardware reports or installed software are no longer present through the UI since the old Silverlight portal was closed.

 

We are using a combination of Hybrid Domain Join through on-prem AD and GPO and autoenrollment, Autopilot, and Azure AD Join.

 

In two weeks we have our ISO27001 audits and it looks unlikely we will have this resolved by that time; at present my SMT is considering dropping Intune altogether as the management overhead has become unacceptable.

 

Microsoft

@JamesHeathcote - Thanks for the comments.  I'll follow up with you now via direct message as I think your issue (Enrollment failure, non-compliance, reports) may be different to the contents of this post.

Copper Contributor

@Scott Duffey We are in a similar situation to all the others here as well.

First of all, I can confirm this issue started to appear in our environment by approx. end of November 2018.

 

Unfortunately, without being aware that this issue was occurring across the whole field, we have an ongoing integration of all Windows 10 devices into Intune and delivery of the Company Portal in order to let users get the apps they need for work.

 

We have currently approx. 6000 devices and more than 50% of all users report the issue stated above in the article. 

People are not able to get their apps, as the company portal asks to enroll the device. All of them are signed in into company portal with the same account which is reflected for the device in Intune.

 

We've been working with Microsoft Support on this, but don't see any resolution for this problem.

Sorry, but deploying the apps as required is not a workaround. At least it is not for us. We have over 100 apps which are available to end users on demand. Do you really ask me to make more than 100 apps deploy automatically on each computer just in case the user might need them? Not really a good option!

 

Guys, Company Portal and Intune are products which are used by enterprises in production environments. This is not a preview or test or whatever...

Why has it already taken more than 3 months to fix the issue? We currently do not even have an ETA for the fix.

 

So any kind of information would be highly appreciated.

Brass Contributor

Having this with a select few Autopilot devices that are user driven - hybrid domain joined. Not all, but some have come across this when opening the Company Portal. Seems as though there is no solution or fix in sight - assuming since Hybrid DJ is still in public preview?

 

When we open the Company Portal app, the device is no longer recognized as enrolled. However, from the Intune portal it does show as fully enrolled and managed.

 

[Image: 2019-02-19_10-28-51.jpg]

Copper Contributor

We have also encountered this issue in our enterprise environment and have created an MS ticket for it. We have a sizeable deployment taking place in the coming weeks and it's good to see you all are on this!

Copper Contributor

Same here. All devices are deployed via Autopilot Hybrid Join deployments and those devices are joined to both local AD and Azure AD just fine. Required apps work, but the Company Portal app keeps showing the message 'Your device hasn't been set up for corporate use yet'.

 

I made sure a user and device category was assigned and the device mode has been set to 'Corporate', but the issue remains.

 

Hoping there will be a fix soon...

 

Edit: We have a TeamViewer connector set up in Azure too, but because of this issue, users are no longer able to see the Remote Assistance Request in the Company Portal app either... This was working fine before too. 

Copper Contributor

Seeing the same issue for a client wanting to move all their devices to Intune and the first test device, joined through a bulk enroll provisioning package, had the Company Portal pushed as required but I have many Win32 apps I've built in Intune that are set as available because they're large installations the customer wants on demand. In Intune the Owner and User name fields are populated with package_{GUID}, which I'm guessing is the sticky point for why CP is freaking out over the wrong user opening the portal. The client also doesn't want each user to be an admin on their system, which is a requirement for the account joining AAD and staying connected (if you remove admin privs you lose AAD connectivity), so joining devices as each user is not only a security requirement but the manual effort required is the whole reason for a bulk enrollment solution in the first place.

Copper Contributor

Any updates on this? Autopilot Hybrid join started to fail in the beginning of 2019 on our default laptop model HP Zbook 15u G5. Laptops deployed in December didn't have problems with the current model. 

 

I don't know if it is related, but when I get to desktop, there is a second login screen and if I login it tries to do Azure AD join like it would on Office Pro Plus and laptop without sync. 

Brass Contributor

This has been a major blow for us.  Our hybrid join devices can only get required apps. The Company Portal is useless until this code fix. 

 

Is there an ETA for the 1903 update?

Brass Contributor

Hey guys, I was able to resolve this issue by creating an enterprise app with a redirect URI for the Company Portal. I'll list the directions.

I went to azure portal -> Azure active directory -> App Registration (Preview) 

- New Registration

- Name what ever (I used Company Portal)

- Accounts in this organization only (Didn't change)

- IMPORTANT part add a Redirect URI = https://microsoft.AAD.BrokerPlugin/Microsoft.CompanyPortal 

- Register the application

 

After I did this I no longer observed the issue. Our tenant is GPO AAD hybrid join + GPO MDM enrollment.

 

Specifically, I found AAD BrokerPlugin errors in the event log and that led me to this fix.

 

I hope it helps some of you. The experience for us just testing the deployment was very frustrating. 

 

When I compared my tenant to a tenant NOT having this issue, it appears the app registrations were there even though the Global Admin had not created them, so maybe for some tenants it's breaking or not getting created as it should be.

 

 

Copper Contributor

@mdaiber This resolved the issue for me!

 

Thank you very much. After adding in an app registration with the AAD broker redirect all my Company Portal issues have been resolved. How this is not in the troubleshooting in the Intune docs is beyond me!

Brass Contributor
All users on new Autopilot devices have now access to the Company Portal applications, unfortunately all the devices which were having the issue still have it unless we wipe them. I tried to add the Company Portal in App Registration as mdaiber suggested but it does not fix the issue.
Microsoft

@mdaiber , @Alex Laurie , I think you must be trying to fix something unrelated to the contents of this post. This post was about a very specific issue affecting some devices based on the way they enrolled. I'm not aware of the issue you've described about Azure AD app registrations - It would be great if you could raise a support case so that we can investigate and update our troubleshooting docs if needed.

Microsoft

@Mathieu Aït Azzouzène, the fix is rolling out in the 1903 Intune service release - you won't have to wipe them.

Brass Contributor

@Scott Duffey it's specific to this in the original post:

 

"We have received a few cases and are aware of an issue where some enrolled Windows 10 devices are not able to use the Company Portal app to install available apps. The end user experience is that there are no available apps in the Company Portal.

 

Here's the details of this known issue. Note there's more than one workflow.

  • Devices are enrolled into Intune through the Group Policy autoenrollment. The workflow is - Computer Configuration > Administrative Templates > Windows Components > MDM > Auto MDM Enrolment with AAD Token"

It resolved that workflow in my environment.

 

Copper Contributor

@Scott Duffey  as per @mdaiber response. This is the exact issue I was having with bulk enrolled devices that were hybrid Azure AD joined and then enrolled into Intune with the GPO policy. On opening the Company Portal application it reports the device is not enrolled into Intune and then prompts to enrol (the machine is most definitely enrolled).

 

On adding the app registration with the redirect to the AAD.Broker services for the Company Portal the issue was instantly resolved and SSO now also works absolutely perfectly. On checking some other tenants I manage that don't have the issue, they have a "Microsoft Intune" enterprise application present that is not in the problem tenant, so there may be an internal deployment issue going on with Azure/Intune.

 

I'm based in Brisbane, if you want to go into further detail send me a message and I'd be happy to jump on a call and go over my findings if you want.

Brass Contributor

@Alex Laurie That's what I found as well: unaffected tenants already had the application in the registered applications list, but it was not added by the organization, as it was not in the "owned by me" category.

 

As an aside, if more people are helped by this can you respond? I see I have 6 likes, but I don't know if that means it has helped 6 tenants out.

@Scott Duffey does not see how this could be a solution, so I think it's an issue Microsoft is not aware of.

 

Edit: grammar

Brass Contributor

I was able to fix this per machine by removing the MDM from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments
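As a read-only companion to the GPO auto-enrollment workflow in the original post and to the Enrollments registry key mentioned in the comment above, here is an added diagnostic script; it is not code from the post, from the commenter, or from Microsoft. It reports which account the MDM enrollment was performed as (the relationship the post ties to the Company Portal message) and whether the auto-enrollment policy is present, without deleting or changing anything. The registry paths and value names (AutoEnrollMDM and UseAADCredentialType under the MDM policy key; UPN, ProviderID, EnrollmentState and EnrollmentType under each GUID subkey of Enrollments) are my assumptions about the well-known MDM client locations, not values taken from the page.

```powershell
# Added example (not from the post or from Microsoft): read-only check of the
# MDM auto-enrollment policy and the enrollment records on a Windows 10 device.
# Assumed locations (well-known MDM client keys; not stated on the page):
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM
#       AutoEnrollMDM (1 = enabled), UseAADCredentialType (credential type code)
#   HKLM\SOFTWARE\Microsoft\Enrollments\<GUID>
#       UPN, ProviderID, EnrollmentState, EnrollmentType
# Read access to HKLM is enough; run elevated if access is denied. Nothing is modified.

$PolicyKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$EnrollmentsKey = 'HKLM:\SOFTWARE\Microsoft\Enrollments'

function Get-MdmAutoEnrollPolicy {
    # Returns the GPO-written values; Configured = $false when the policy key is absent.
    if (-not (Test-Path -Path $PolicyKey)) {
        return [pscustomobject]@{ Configured = $false; AutoEnrollMDM = $null; UseAADCredentialType = $null }
    }
    $p = Get-ItemProperty -Path $PolicyKey
    [pscustomobject]@{
        Configured           = $true
        AutoEnrollMDM        = $p.AutoEnrollMDM
        UseAADCredentialType = $p.UseAADCredentialType
    }
}

function Get-MdmEnrollments {
    # Each enrollment is a GUID-named subkey; other subkeys (Context, Ownership, ...) are skipped.
    $guid = '^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$'
    Get-ChildItem -Path $EnrollmentsKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $guid } |
        ForEach-Object {
            $e = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                EnrollmentId    = $_.PSChildName
                UPN             = $e.UPN              # account the enrollment was performed as
                ProviderID      = $e.ProviderID
                EnrollmentState = $e.EnrollmentState
                EnrollmentType  = $e.EnrollmentType
            }
        }
}

# --- Report -----------------------------------------------------------------
$policy = Get-MdmAutoEnrollPolicy
if ($policy.Configured) {
    "Auto MDM enrollment policy: AutoEnrollMDM=$($policy.AutoEnrollMDM) UseAADCredentialType=$($policy.UseAADCredentialType)"
} else {
    'Auto MDM enrollment policy key not present (GPO not applied on this device).'
}

$enrollments = @(Get-MdmEnrollments)
if ($enrollments.Count -eq 0) {
    'No MDM enrollment records found under HKLM\SOFTWARE\Microsoft\Enrollments.'
} else {
    $enrollments | Format-Table -AutoSize
    # Flag enrollments with no UPN recorded: these are the ones to compare against the
    # Primary User shown for the device in the Intune portal.
    $enrollments | Where-Object { -not $_.UPN } |
        ForEach-Object { "Enrollment $($_.EnrollmentId) has no UPN recorded." }
}

# Join state as seen by the device (AzureAdJoined / DomainJoined / MdmUrl lines of dsregcmd).
dsregcmd /status | Select-String -Pattern 'AzureAdJoined|DomainJoined|MdmUrl'
```

Compare the UPN reported for the enrollment with the Primary User shown for the device in the Intune portal; when the signed-in Company Portal user is a different account, that mismatch is the condition the post describes. Deleting the Enrollments key by hand, as the comment above does, removes the device's local record of the enrollment but not its object in Intune, so the device is best retired or re-enrolled through the console rather than by registry edits.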

Brass Contributor

This "known issue" is really putting a wrench in my organization's rollout of Intune to manage our devices. When we first set up a device we image it using an MDT task off our SCCM to install Windows and join it to our on-prem domain. Then the GPO sets the Enterprise Management settings. We will almost always sign into the device as ourselves to apply updates and such, and it seems to attach the device to our user accounts, so when we give it to the student it will not allow them into the Company Portal.

 

Shared Device policies are set and are shown to be applying. 

 

Anyone know when these 1903 updates for Intune will be applied? 

@bwilkerson217 the back-end service update is complete for 1903, so any new devices you enroll should not run into this known issue. The fix to update existing devices is rolling out; they're doing it in batches to minimize risk. I haven't gotten an ETA for when that batching will be complete, but you should have no problems enrolling devices now and seeing available apps in the CP.

Brass Contributor

@Intune_Support_Team - Well, a couple of the devices affected by this were literally enrolled yesterday (3/18/2019). I only have about 8 devices managed in my Intune, as I am just beginning to test this for a rollout in a few weeks to some of our users, with the hope of a full rollout this summer. So was this back-end update completed last night, or am I still seeing issues even with newly enrolled devices?

Microsoft

Hi @bwilkerson217. The scenario you described above (where an admin logs onto the device first, then hands it to the end user) would not be resolved by the fix implemented in the latest service release. I believe the enrollment process you are using would result in the IT admin account (the first user to use the device after enrollment) becoming the primary device user, which means that account is the only one that can use the Company Portal. We've heard feature requests from IT admins wanting to change the Primary User via script or in the console; we've also heard requests for making special allowances in the Company Portal for shared devices, and we're looking into that right now.

 

 

 

Brass Contributor

@bwilkerson217, can you just retire the machines in Intune? I experienced this in cases where we would have a person sign in by accident or need a machine reassigned to a different user. I deleted them, and a message will show up if they are still logged in stating the machine is no longer registered by them, but it will then go back through the process and have the MDM auto-enrollment GPO applied. Then it will register to the next person who logs in. So you just need to set them up and then retire them from Intune. I think this is the intended process, as I don't think the expectation is wiping machines before reassigning them. In the documentation I believe it states it only takes 15 minutes to remove it from Intune.

Brass Contributor

@bwilkerson217 Oh, I just thought about our environment more. We have a local admin account created in the MDT which we use to update the system, which would also circumvent that issue, because the local admin does not exist in Azure AD. Just a thought.


Brass Contributor

@Scott Duffey - Thank you for that information. What would you recommend doing in this scenario?

Working in education we have devices that we keep for loaners to hand out to substitutes or in cases where teachers forgot their device.  The same goes with students.  These loaners could be for a short period like just a few hours or a day but they could be used for a longer period like weeks.  In many of those cases the users of the temporary device may need to go to the company portal and install software that is not installed by default.  

 

EDIT: Same goes for lab computers if we ever planned on using Intune to manage those. A new user uses those computers each hour of almost every day. I just think we have many areas where computers are used by multiple people throughout the day on a regular basis, and we should not have to go through the retire option for them.

@mdaiber Also is there more detailed steps on this "retiring" procedure to clear out the previous primary owner?  I can foresee several scenarios where a device would get registered to the wrong primary user and we would need to clear it.

 

EDIT:  I took one of my test devices and retired it and after about 15 minutes it disappeared from my Intune portal.  I then restarted it and signed with a different account and it now shows that account as the primary user.  Tested the company portal and it works.   Still seems like a pain process to do when you have to manage 2400 devices in the hands of students and teachers that often forget their device and have to get loaners and expect all services to work.  

Brass Contributor

@bwilkerson217 yeah, I see the issue. From my experience, unfortunately, I have not tested shared devices set up with the Intune profile. I plan to do that next. Does anybody know if the Company Portal works at all on devices set up as shared devices in Intune?

Brass Contributor

@Intune_Support_Team @Scott Duffey  Great work in getting this sorted out.  I have been able to get into the Company Portal on all my newly built hybrid devices so far.  The timing was excellent and will now hopefully wait to see those existing users with the issue fixed.

Brass Contributor

It works now for my previously deployed devices! Thx

Brass Contributor

@Intune_Support_Team 

Company App works without any issues on all existing and newly deployed hybrid devices.

No interaction was necessary from my side.

Thanks a lot. Great work.

@Scott Duffey can you help comment on the shared device scenario (specifically the lab comments)? 

Microsoft

@Intune_Support_Team , @bwilkerson217  

Up until now, Company Portal (available apps) has been a feature for single-user devices, hence the requirement for UDA. We're working on expanding this to apply to more scenarios, including multi-user Windows 10 devices (such as labs, training rooms, call centers, etc.). A first step in this direction is a feature we are about to roll out for EDU where the Company Portal will work if the device was bulk-enrolled via a provisioning package (it won't look at UDA). It's not quite ready for release yet, but we will post a message here when it's done.

 

Copper Contributor

Hope this gets fixed soon

Copper Contributor
@Intune_Support_Team Should the batching be complete yet for the 1903 rollout? We are still not seeing Available apps for our hybrid Azure AD joined devices. The only way they do show up is to reset the devices through Autopilot reset. The redirect URI workaround didn't work for us and retiring devices results in not being able to add them back to Intune.
Copper Contributor
I found a solution that works for us. We are set up for co-management with Configuration Manager 1806 but hadn't enabled the pre-release feature "Mobile apps for co-managed devices". Once this was enabled, I was able to switch the Client Apps workload in SCCM to Intune. After a gpupdate and syncing the clients, the available apps all appeared in the Company Portal and no longer show as "Not Applicable" in Intune. Here is the link detailing how to do this: https://www.imab.dk/flipping-the-switch-part-5-a-closer-look-on-the-client-apps-workload-co-manageme...
Copper Contributor

I want to do bulk enrollment and then assign the device to other users. The purpose of this is that we do not want standard users to have administrative privileges.
If a user tries using the Company Portal, they receive a warning that their device needs further actions. The device is enrolled, but the enrollment is not recognized by the Company Portal.

Any help would be highly appreciated. Please share your thoughts.

Brass Contributor

@Intune_Support_Team What's the status on this for multi-user devices?

We're still getting the error when using a different account than the owner from AzureAD.

 

Iron Contributor
I've just tested this with Windows build 1903 and am also still getting this when using any user other than the primary (shared or non-shared scenarios).
Brass Contributor

@Jos Lieben I also have tried this and am not getting the results I was expecting. Still getting the same message you mentioned.

 

@Intune_Support_Team what can you tell us about this? Following the link and the latest features announced, I am still not seeing it when applying.

 

https://docs.microsoft.com/en-us/intune/shared-user-device-settings-windows

Microsoft

Hi @Jos Lieben and @Miguel Sanabia 

 

- When a device has a primary user assigned, that user is the only one who can use the Company Portal to get available apps. Other users cannot.

- "Shared devices" are ones that don't have any Primary User. On those, all users are able to get available apps.

 

We recently released a couple of docs/support articles as the Company Portal got some improvements to this scenario in 1906. That version is currently being deployed.

 

 

 

Brass Contributor

@Scott Duffey Thanks for the response. However, there might be something I am missing that doesn't seem to be working. My tenant status shows the service release as 1906.

[Image: 2019-07-02_12-41-38.jpg]

In device configuration I have created a profile type = Shared multi-user device and assigned it to my device (I've also tried user assignment).  In the profile settings I have 'Shared PC Mode' as Enabled with the rest as Not configured.

 

[Image: 2019-07-02_12-35-15.jpg]

 

In both user and device status it shows deployment status = Succeeded. When I check my device and open the Company Portal, under Devices it is not showing as a 'Shared' device. In the Intune portal I also see a Primary User assigned. What am I missing? Any thoughts?

[Image: 2019-07-02_12-38-40.jpg]

Version history
Last update:
‎Dec 19 2023 01:23 PM