1 Vote · 53158624 asked, JonMercer-8382 answered

Intune Enrollment issues

I am stuck on the Intune enrollment process. The computers in the domain are all AAD; however, when the GPO that I created to enroll AAD devices into Intune runs, it fails with multiple errors:
Event ID: 71 - MDM Enroll: Failed
Event ID: 76 - Auto MDM Enroll: Device Credentials (0x0) Failed
Event ID: 11 - MDM Enrollment: Failed to receive or parse cert enroll response.
Event ID: 52 - MDM Enroll: Server returned Fault/code/subcode/value=(messageformat) fault/reason/text=(device based token is not supported for enrollment type onpremisegrouppolicycomanaged).
Event ID: 59 - MDM Enroll: server context

The one thing that is different about this environment is that their local domain is CompanyA.local and their tenant domain is Company123.com. Under the local domain, I made sure that the new UPN for the tenant was there, but that did not make a difference when I manually resynced the process. This is a hybrid environment with an AD Connect server.

As for the GPO, I have set it from Device to Client to see if it makes a difference, and nothing.
By the way, this new GPO object has an application ID. Not sure what that is, so I left it blank.

When I run dsregcmd /status, AzureAD joined is YES and so is DomainJoined. What is a bit strange is that under Tenant Details, the mdmurl section is blank.

I have pretty much done everything that I can find on this forum and elsewhere, but I cannot get the devices to enroll successfully into Intune/Endpoint Manager.

Thanks in advance.

mem-intune-enrollment

Getting the same sequence of events now: 76, 71, 11, 52, 59

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : *** Inc
                  TenantId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
                    MdmUrl :
                 MdmTouUrl :
          MdmComplianceUrl :

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
             EnterprisePrt : NO
    EnterprisePrtAuthority :

The GPO is configured to use "User credentials", but the event always shows "Auto MDM Enroll Get AAD Token: Device Credential".

Any help is appreciated.
Jason-MSFT answered:

The computers in the domain are all AAD

This is not possible. A system can only be joined to a single domain; whether that's an on-prem AD or an AAD domain doesn't matter. There is the concept of hybrid Azure AD join (HAADJ), which is an on-prem AD join plus an AAD registration at a device level.

When i run a dsregcmd /status - AzureAD joined is YES and so is DomainJoined.

This is an HAADJ device.

when the GPO that i created to enroll AAD devices into Intune runs

Based on the log, you've configured the GPO to use device credentials but that's not supported for anything except use by Co-management in ConfigMgr to my knowledge. You need to use User Credentials.


Jason, so what is best practice for a hybrid environment?

Also, something I forgot to mention: if I manually add MDM (through the Win10 Accounts page) it works, but for some strange reason it does not like the GPO.

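The thread so far turns on four things that can be read off the client itself: whether dsregcmd /status reports the device as hybrid joined with a PRT and a populated MdmUrl, which credential type the auto-enrollment GPO actually wrote to the machine (Jason and Nick disagree on whether Device Credential can work), whether the enrollment scheduled task exists, and what the 11/52/59/71/76 events say. The following PowerShell script is an added example for collecting those signals in one place; it is not code from any poster in this thread. It assumes, beyond what the thread states, that the auto-enrollment policy is written under HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM as AutoEnrollMDM and UseAADCredentialType (1 = user, 2 = device), that the events live in the Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin channel, and that the enrollment task sits under \Microsoft\Windows\EnterpriseMgmt\.

```powershell
# Added example, not code from any poster in this thread. Run in an elevated
# PowerShell session on the hybrid-joined client that fails to auto-enroll.
# Assumptions (not stated in the thread): the auto-enrollment GPO writes
# AutoEnrollMDM and UseAADCredentialType (1 = user, 2 = device) under the
# policy key below, the enrollment events are in the Admin channel named
# below, and the enrollment scheduled task lives under EnterpriseMgmt.

$MdmPolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$MdmEventLog    = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$EnrollEventIds = 11, 52, 59, 71, 76   # the event IDs quoted in the question

function Get-DsregState {
    # Turn the "   Key : Value" lines of dsregcmd /status into a hashtable.
    # Values may themselves contain ':' (URLs); the key pattern stops at the
    # first colon, so the whole URL ends up in the value.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$') {
            $state[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $state
}

function Get-MdmPolicyState {
    # What the GPO actually wrote on this machine ($null if the key is absent).
    Get-ItemProperty -Path $MdmPolicyKey -ErrorAction SilentlyContinue
}

function Get-MdmEnrollEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = $MdmEventLog
        Id        = $EnrollEventIds
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as empty.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

function Test-MdmAutoEnrollPrereqs {
    param([hashtable]$State, $Policy)
    $findings = New-Object System.Collections.Generic.List[string]

    if ($State['AzureAdJoined'] -ne 'YES' -or $State['DomainJoined'] -ne 'YES') {
        $findings.Add('Not hybrid Azure AD joined: AzureAdJoined and DomainJoined must both be YES.')
    }
    if ($State['AzureAdPrt'] -ne 'YES') {
        $findings.Add('AzureAdPrt is not YES: user-credential enrollment has no Azure AD token to present.')
    }
    if ([string]::IsNullOrWhiteSpace($State['MdmUrl'])) {
        $findings.Add('MdmUrl is empty: the tenant MDM discovery info has not reached this device yet (posters above saw it fill in after some hours, or after license/MFA changes).')
    }
    if ($null -eq $Policy -or $Policy.AutoEnrollMDM -ne 1) {
        $findings.Add("No auto-enrollment policy under $MdmPolicyKey: check the GPO link and scope, then gpupdate /force.")
    }
    elseif ($Policy.UseAADCredentialType -eq 2) {
        $findings.Add('Policy uses Device Credential: this matches the event 52 fault text (device based token is not supported for enrollment type onpremisegrouppolicycomanaged); compare with User Credential.')
    }
    return $findings
}

# --- run the checks and print a short report ---
$state  = Get-DsregState
$policy = Get-MdmPolicyState

'== dsregcmd /status (relevant fields) =='
foreach ($k in 'AzureAdJoined','DomainJoined','AzureAdPrt','NgcSet','TenantName','MdmUrl','MdmTouUrl','MdmComplianceUrl') {
    '{0,-18}: {1}' -f $k, $state[$k]
}

'== enrollment scheduled task(s) under EnterpriseMgmt =='
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' } |
    Select-Object TaskPath, TaskName, State | Format-Table -AutoSize

'== enrollment events, last 24h (IDs 11/52/59/71/76) =='
Get-MdmEnrollEvents | Format-Table -AutoSize

'== findings =='
$findings = Test-MdmAutoEnrollPrereqs -State $state -Policy $policy
if ($findings.Count -eq 0) { 'No blocking condition found; if enrollment still fails, wait for discovery to complete and re-run.' }
else { $findings | ForEach-Object { "- $_" } }
```

The hashtable keys are case-insensitive, so the poster's NGCSet and the NgcSet that dsregcmd prints resolve to the same entry. The findings list deliberately reports the credential type rather than deciding which answer above is right; comparing the value the policy wrote with the "Device Credential" text in event 76 is what tells you whether the GPO being applied is the one you edited.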
NickHogarth-MVP answered:

It should still work with device credential in the GPO. Have you confirmed that the synced users have an Intune license and an Azure AD Premium license? Is Autoenrollment set up in Intune?


Nick, yes, Auto Enrollment is set to ALL. Not sure what you mean by set up; all the URLs are there. There are licenses available for Intune. Do I need to assign them manually?


The licenses need to be assigned. If you go into the Azure AD portal (aad.portal.azure.com), go to Users, select an example user, then Licenses. What type of licenses do the users have assigned?


Just confirmed, and they all have Business Premium licenses, and the user I am testing with has the Intune license assigned. What's strange is that there are two Intune options, so I am unchecking one and running my tests again.

Andrejus-3716 answered:

Hey, did you manage to resolve your issue? I'm experiencing exactly the same problem and my scenario is identical to yours.
Thanks in advance.

EdgarSerrano-9191 answered:

The issue in my case is a bit. Yes, it ended up working correctly in the lab. What ended up being the problem was MFA. The user we were testing with had MFA enabled; we disabled it and then EVERYTHING started to work.

Now that I am applying it to the entire company, it's not working. I attached the GPO to the correct OU, but I am still checking logs....

I really wished that Microsoft made a product that did not give out so many issues.


Thanks Edgar for your reply. This is very strange... We have OKTA in our environment, which provides MFA, but I believe I have now set it up so that it should not cause any problems.

However, I think what could be the problem in our situation is the actual user's username...

How do your users log in to their computers? Is it something like contoso.local\username? Do you get an MDM URL when you run dsregcmd /status? Also, what is your AzureADPrt status? Is it yes or no?

jackchentoronto answered:

I got the exact same problem yesterday. All three MDM URLs were empty. I found https://twitter.com/richardhicks/status/1212104113002934272?lang=en and it somehow worked for him later. https://www.anoopcnair.com/intune-enrollment-error-unknown-win32-error/ mentions the need to wait a bit.

I finally gave up yesterday. This morning when I checked it again, I noticed those URLs are filled:

[screenshot: dsregcmd /status with the MDM URLs populated]

I checked the event log and saw it got enrolled after 3 to 4 hours:

[screenshot: enrollment events in the event log]

So I guess it does take time.



JonMercer-8382 answered:

I am curious about this also. I have two test systems that I tried it on, and had no issue. They were basically brand new out of the box.

Then I tested on a work laptop that has been used for a year or so. It went through Azure AD Connect, has Hello for Business set up on it, and has been showing as AAD Hybrid Joined since October.

It is getting the same event log errors as above.

It is AAD Hybrid Joined.
AD and M365 have the same password due to how AAD Connect was configured.
It did at one point go through "Setting up Windows", which means the policy pushed, and it shows the entry in Task Scheduler.
The GP is set to use User Credentials.
I don't remember linking a group that my UPN/alias would need to be part of, except for installing applications.
I tried it with my Hello PIN (wasn't paying enough attention), and with my full UPN (alias@domain.com).

Ran dsregcmd /status:
All three MDM entries have their info, it shows domain and Azure joined, and AzureADPRT says yes.

Something I noticed that was different was that NGCSet under User State is showing as Yes on this system, but the others were showing No.
