McKeemanSamuel-3321 asked

AAD joined device no longer receiving apps

Having an issue with an AAD joined device that is no longer receiving client apps and updates. Under Managed Apps for the device, they are showing "Waiting for Install Status". Apps and updates were previously installing without issue.

I've gone through the following logs below and keep seeing errors over and over, most having to do with getting an AAD token. Does anyone have advice on how to resolve this issue?



IntuneManagementExtension log


Failed to get AAD token. len = 336 using client id fc0f3af4-6835-4174-b806-f7db311fd2f3 and resource id 0000000A-0000-0000-C000-000000000000, errorCode = 3399614476


AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '0000000a-0000-0000-c000-000000000000'.
Trace ID: 33d4e9f3-9cec-4b71-b9fd-0590843e1900
Correlation ID: 06186d47-771a-4dd0-93f9-096c42bfdd71
Timestamp: 2021-03-13 19:56:48Z


Failed to Get UserToken For Web Request with Intune Management Extension Error.
Exception: Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.TokenAquireException: Attempt to get token, but failed.
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.IntuneTokenManager.<GetTokenInternalAsync>d__41.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.IntuneTokenManager.<GetTokenForNewRequestAsync>d__39.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.EmsServiceBase.<<SendWebRequestInternal>b__17_1>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.ImpersonateHelper.<DoActionWithImpersonation>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.EmsServiceBase.<SendWebRequestInternal>d__17.MoveNext()


Also noticed:
[Win32App] start: app workload is not switched from SCCM, skip app check in. now check ESP status.
Doesn't make sense because device is AAD joined



AgentExecutor log

Errors started 12/2

DNS detection: WinHttpGetProxyForUrl call failed because of error 12167 AgentExecutor 12/2/2020 10:31:36 PM 1 (0x0001)
DHCP detection: WinHttpGetProxyForUrl call failed because of error 12167 AgentExecutor 12/2/2020 10:31:36 PM 1 (0x0001)
C:\Windows\TEMP\IntuneWindowsAgent_Proxy_HIDDEN.txt AgentExecutor 12/2/2020 10:31:36 PM 1 (0x0001)
{0} software distribution gets invoked AgentExecutor 12/3/2020 8:55:32 AM 1 (0x0001)
url is https://fef.msua02.manage.microsoft.com/TrafficGateway/TrafficRoutingService/SideCar/StatelessSideCarGatewayService AgentExecutor 12/3/2020 8:55:32 AM 1 (0x0001)
True AgentExecutor 12/3/2020 8:55:32 AM 1 (0x0001)






ClientHealth log

Got empty UserToken For Web Request IntuneManagementExtension 3/14/2021 10:09:09 AM 1 (0x0001)


<![LOG[Exception happens during client health Post Process, the exception is System.AggregateException: One or more errors occurred. ---> System.ComponentModel.Win32Exception: An attempt was made to reference a token that does not exist
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.EmsServiceBase.<SendWebRequestInternal>d__17.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.EmsServiceBase.<SendWebRequest>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.IntuneController.<Put>d__7`1.MoveNext()
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at System.Threading.Tasks.Task`1.get_Result()
at Microsoft.Management.EndUser.IntuneWindowsAgent.ClientHealth.CHReporter.SendReport(SideCarHealthReport report, Int32 sessionId, IController serviceProxy)
at Microsoft.Management.EndUser.IntuneWindowsAgent.ClientHealth.ClientHealthRuleEngine.PostProcess()
at Microsoft.Management.EndUser.IntuneWindowsAgent.ClientHealth.ClientHealthManager.Run()
---> (Inner Exception #0) System.ComponentModel.Win32Exception (0x80004005): An attempt was made to reference a token that does not exist
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.EmsServiceBase.<SendWebRequestInternal>d__17.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.EmsServiceBase.<SendWebRequest>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.IntuneController.<Put>d__7`1.MoveNext()<---
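
Added example, not part of the original question: a small triage script for log text like the excerpts above, which pulls out the token-failure fields, the AADSTS code and the correlation ID (the value to search for in the Azure AD sign-in logs). The sample lines are copied from the question; the function and field names are this example's own.

```python
import re
from collections import Counter

# Log excerpts copied from the question above (trimmed to the relevant lines).
SAMPLE_LOG = """\
Failed to get AAD token. len = 336 using client id fc0f3af4-6835-4174-b806-f7db311fd2f3 and resource id 0000000A-0000-0000-C000-000000000000, errorCode = 3399614476
AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '0000000a-0000-0000-c000-000000000000'.
Correlation ID: 06186d47-771a-4dd0-93f9-096c42bfdd71
Got empty UserToken For Web Request
"""

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
TOKEN_FAIL = re.compile(
    rf"Failed to get AAD token\..*?client id ({GUID}) and resource id ({GUID}), errorCode = (\d+)")
AADSTS = re.compile(r"\b(AADSTS\d+):")
CORRELATION = re.compile(rf"Correlation ID: ({GUID})")


def triage(log_text):
    """Summarise token-acquisition failures found in IME log text."""
    failures, sts_codes, correlation_ids = [], Counter(), []
    for line in log_text.splitlines():
        if m := TOKEN_FAIL.search(line):
            failures.append({
                "client_id": m.group(1).lower(),
                "resource_id": m.group(2).lower(),
                # The log prints the code in decimal; hex is easier to search for.
                "error_hex": f"0x{int(m.group(3)):08X}",
            })
        if m := AADSTS.search(line):
            sts_codes[m.group(1)] += 1
        if m := CORRELATION.search(line):
            correlation_ids.append(m.group(1))
    return {
        "failures": failures,
        "sts_codes": dict(sts_codes),
        "correlation_ids": correlation_ids,
        # AADSTS50076 is the "you must use multi-factor authentication" message.
        "mfa_required": "AADSTS50076" in sts_codes,
        "empty_user_token": log_text.count("Got empty UserToken"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```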


RahulJindal-2267 answered

Is it a co-managed state?

LuDaiMSFT-0289 answered LuDaiMSFT-0289 edited

@McKeemanSamuel-3321 Thanks for posting in our Q&A.

From the log you provided, I know that the app workload is not switched from SCCM. Given this situation, we would appreciate your help in collecting some information:
1. Is this device a co-managed device?
2. Please show a screenshot of the device's workload in the Intune portal.
Note: Please overwrite private information.
88035-image.png

If there is any update, feel free to let us know.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



McKeemanSamuel-3321 answered

Yes, I was concerned when I saw that about the workload because the device is not co-managed.

88246-dany-laptop-in-portal-1.png


88180-dany-laptop-in-portal-2.png



LuDaiMSFT-0289 answered TofeeqHussain-2360 commented

@McKeemanSamuel-3321 Thanks for your update.

From the screenshots you provided, this device is not co-managed and it is only managed by Intune.

Please understand that for this kind of issue, the error logs are not enough to analyze and find the root cause; we may need more logs to analyze the whole process. It is better to create an online support ticket to handle this issue more effectively. It is free. Here is the online support link; hope it is helpful.
https://docs.microsoft.com/en-us/mem/intune/fundamentals/get-support

Hope this issue will be solved as soon as possible.


I am having exactly the same issue and have been trying to fix it for the last 4 weeks.

Did anyone have any solutions for this issue? My devices are Intune managed only and local updates, no 3rd party or Confg mgr. My devices are purely Intune managed.

RahulJindal-2267 answered

As per your screenshot the device seems to be checking in. I will not go by the status on Intune portal as that is never accurate. However, what you should do is check on the machine locally. Do you have the Company Portal app installed?

McKeemanSamuel-3321 answered RahulJindal-2267 commented

@LuDaiMSFT-0289 Thanks, I'll go ahead and make a ticket.


@RahulJindal-2267 Yes, company portal is installed. Apps that show as available can be installed. The main issue is we use PatchMyPC to push app updates as required, but those are not getting installed.


Then this is an issue with how your PatchMyPC is set up and not Intune per se. You should probably contact their support. They are pretty prompt in their response.

TofeeqHussain-2360 answered

I am having exactly the same issue and have been trying to fix it for the last 4 weeks.

Did anyone have any solutions for this issue? My devices are Intune managed only and local updates, no 3rd party or Confg mgr. My devices are purely Intune managed.

AravinthMathan-3183 answered TofeeqHussain-2360 commented

Hi @TofeeqHussain-2360 & @McKeemanSamuel-3321

On the endpoint, can you do a sync and then observe?

The client might need MFA to generate the token.

Note: Sync from console might not work as MFA would have been enforced for users.

Please confirm if this works

Regards
Aravinth M


Hi @AravinthMathan-3183, thanks for the response. I have done a sync from the endpoint and from MEM several times but no luck.
My devices are Teams Meeting Room devices (Win10 Ent) and are exempted from MFA. I am still struggling to understand the core issue. There is nothing showing in the logs. IME runs as normal and can successfully complete a software inventory send to Intune. I can successfully send commands from Intune to the endpoint, i.e. restart, sync etc., and all other compliance and config policies are successful. I am completely clueless why only IME is not able to detect the assigned application, download and install it.


kurtgp answered

Hello McKeemanSamuel-3321,
Were you able to get it resolved?

I have the same problem with Azure AD only joined laptop devices.

I wonder if PatchMyPC could be the issue because all of the updates from PatchMyPC are showing as "Waiting for install status" in Intune > Devices > ... > Managed Apps even when there is no base application installed to be patched on the Windows device, like VMware Workstation which is not installed, nor Beyond Compare, nor Wireshark, etc., for a total of over 400 apps?

kurtgp answered

For me, when I excluded PatchMyPC updates from my test device by putting it in a test group, and then excluded patches from the test group, it resolved the issue, and the Required apps started installing within 5 minutes.
