May 16 2023 10:08 PM - edited May 16 2023 10:56 PM
I'm having an issue with some devices in our environment enrolling successfully into Intune.
Here is the lay of the land.
1. Devices are hybrid joined.
2. Using GPO to enforce auto-enrollment.
3. PCs that are not successful in joining Intune are getting the following error:
4. Certificates are valid.
5. Scheduled tasks are present.
6. Sync in accounts shows same error:
7. In Azure devices the device shows up as enabled, with an owner, MDM as Microsoft Intune, and Compliance as No.
I've searched all over for the exact same error of 0x80072efe and found nothing that helps me.
There is no smoking gun that is similar among these PCs. No firewall issues. Some PCs on the same VLAN will register just fine while others continue to get this error.
Total PC count: 1400
PCs having issue: 600
Any help is appreciated!
May 19 2023 02:10 AM
May 19 2023 03:11 AM
May 19 2023 03:16 AM
May 19 2023 06:09 AM - edited May 19 2023 06:11 AM
@Rudy_Ooms_MVP I'm working on getting the logs unfortunately people are actively using the computers so I will get it asap.
I do find this interesting: they show up in Azure as a device with an MDM status:
But in Intune it doesn't even show up as a device:
You will have to trust me a little that the names are both correct.
May 19 2023 11:16 AM
May 22 2023 12:46 PM
I find this odd too. We get random usernames with Windows and the date showing up in Intune, but it doesn't seem to correct itself and associate with the Windows device.
May 25 2023 09:34 AM - edited May 25 2023 10:02 AM
Solution
We believe we figured this out. We are still monitoring it, but we believe that SSL decryption was the cause of this. Even though the Microsoft articles say not to do it to https://device.login.microsoftonline.com, we tried that with no success; we had to exclude all Microsoft traffic from being decrypted on our firewall via a Dynamic List. Hope this helps someone out!
Article in reference was https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-hybrid-azure-ad-join that mentioned just that one URL.
We also prevented our PCs from being Azure AD Registered, as Hybrid was our preferred method, and we set the following registry key:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin "BlockAADWorkplaceJoin"=dword:00000001
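Added diagnostic, not part of the thread or of any Microsoft tool: it checks from an affected PC whether TLS to the registration endpoints is being re-signed by an inspecting firewall (the cause described above) and whether the BlockAADWorkplaceJoin value is set. The host list beyond device.login.microsoftonline.com and the "issuer contains Microsoft or DigiCert" heuristic are assumptions; compare the output of a working and a failing PC rather than trusting the flag alone.

```powershell
# Hosts to probe. Only device.login.microsoftonline.com is named in the thread;
# the other two are well-known Entra registration endpoints added as an assumption.
$Hosts = @(
    'device.login.microsoftonline.com',
    'login.microsoftonline.com',
    'enterpriseregistration.windows.net'
)

function Get-TlsLeafCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any chain here: the goal is to inspect the certificate, not to fail on it.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $leaf
    } finally { $client.Dispose() }
}

foreach ($h in $Hosts) {
    try {
        $cert  = Get-TlsLeafCertificate -HostName $h
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        [void]$chain.Build($cert)
        $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        # Heuristic (assumption): Microsoft's public endpoints chain to Microsoft or DigiCert
        # roots. A leaf issued by anything else means a proxy is re-signing the session.
        $intercepted = ($cert.Issuer -notmatch 'Microsoft|DigiCert')
        [pscustomobject]@{
            Host        = $h
            LeafIssuer  = $cert.Issuer
            RootSubject = $root.Subject
            Intercepted = $intercepted
        }
    } catch {
        [pscustomobject]@{ Host = $h; LeafIssuer = "ERROR: $($_.Exception.Message)"; RootSubject = ''; Intercepted = $null }
    }
}

# Registry value from the thread (blocks Azure AD Registered, keeps Hybrid join as the path).
$keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$block   = (Get-ItemProperty -Path $keyPath -Name BlockAADWorkplaceJoin -ErrorAction SilentlyContinue).BlockAADWorkplaceJoin
"BlockAADWorkplaceJoin = $(if ($null -eq $block) { '<not set>' } else { $block })"

# Device join state as Windows reports it; these lines exist in dsregcmd /status output.
dsregcmd /status | Select-String 'AzureAdJoined|DomainJoined|MdmUrl'
```

Run it elevated on one PC that enrolls and one that returns 0x80072efe; a LeafIssuer that differs between the two (and names your firewall's CA) is the decryption exclusion to fix.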