question

0 Votes
CCNewell-1796 asked · saldana-msft edited

Intune Co-Management Enrollment and Hybrid Join Failures

OK everyone, I am at a loss with this...

I have:
1. Co-management configured between SCCM 2010 and Intune
2. AAD Connect configured for Hybrid Join; devices show up named correctly and as "Pending" (all good)
3. No GPOs in place, using SCCM client settings
4. Azure AD P1 licenses and Intune licenses assigned
5. No proxy or firewall rules in place (see the attached capture.png)

I am testing on 5 pilot devices, all of which are in the same SCCM collection. 1 device is completing the AAD Hybrid Join process and is auto-enrolling into Intune as expected, which leads me to believe all Co-management and Hybrid Join settings are correct.

The other 4 devices, after about 8 hours, have their names change to a Device ID GUID (see image); they also will not auto-enroll into Intune as expected.

I have run the connectivity testing tool and the dsregtest, as well as done a full dsregcmd /leave and /join. This will fix the device names in AAD, but after a time they revert back to the GUID and there is still no Intune enrollment.

I see the following information and error entries under Applications and Services Logs/Microsoft/Windows/DeviceManagement-Enterprise-Diagnostics-Provider/Admin in Event Viewer:

Error (Event ID 201):
MDM Session: OMA-DM message failed to be sent. Result: (Unknown Win32 Error code: 0x80072f8f)

Information (Event ID 206):
MDM Session: OMA-DM session started for user: (NULL)


Tags: azure-active-directory, mem-intune-enrollment, mem-cm-co-management
Attachment: capture.png (1.3 MiB)

Another weird thing is happening.
I added 2 new test devices to co-management; here are the results I am getting:

Device 1: Win10 1909
The device is in the SCCM collections to do the AAD Hybrid Join and Intune auto-enrollment.
I log into the device with my licensed creds.
It shows up in AAD with the correct name (not its device GUID, per the image above).
It shows up in Intune with the correct name, and after a re-logon the Primary User changes to my account.


Device 2: Win10 20H2
The device is only in the SCCM collection to do the AAD Hybrid Join.
I don't log into the device.
It shows up in AAD with the correct name; HOWEVER, the "Owner" property is populated with the SCCM Domain Join account that is used by the Task Sequence when the device was imaged.
I waited about 30 min and logged in with my licensed account, but the 'Owner' property never changes.

0 Votes 0 ·

@CCNewell-1796:

Thank you for sharing the information. Let me research this issue and I will get back to you in a couple of days' time.

Apologies for the delay.

0 Votes 0 ·

@CCNewell:

Apologies for the delay. Can you help with the following logs from the working and non-working devices?

%WinDir%\CCM\logs\CoManagementHandler.log

Please send me an email to 'AzCommunity@microsoft.com' with the subject 'Attn: Givary' and the following details in the email body:
Link to this thread/post

We can connect offline and discuss further on this.

0 Votes 0 ·

1 Answer

0 Votes
Givary-MSFT answered · CCNewell-1796 commented

@CCNewell-1796:
Please run the command dsregcmd /status on the system having the issue and share the output with me for review.
Also share the operating system details of the clients (working and non-working).
Compare the dsregcmd /status output from the working and non-working devices.

Refer to these articles to troubleshoot/investigate this issue:
https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current
https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/pending-devices
https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-device-dsregcmd

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


Here are the results from dsregcmd /status on 1 of the devices with issues. Due to the character limit I left out the Tenant details, but they are all populated and correct.

Device State

AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : YES
DomainName : Domain
Device Name : W10-AR-ITTest.ejamericas.domain.com

Device Details

DeviceId : 5c677260-d76a-46be-8f8f-8d54f170e818
Thumbprint : DCC4D6905FC3350CE05C52122EB87A5B38B9E74B
DeviceCertificateValidity : [ 2022-01-11 22:59:50.000 UTC -- 2032-01-11 23:29:50.000 UTC ]
KeyContainerId : 7f165190-fefc-400c-b477-c766e67209b9
KeyProvider : Microsoft Software Key Storage Provider
TpmProtected : NO
DeviceAuthStatus : SUCCESS

User State

NgcSet : NO
WorkplaceJoined : NO
WamDefaultSet : YES
WamDefaultAuthority : organizations
WamDefaultId : https://login.microsoft.com
WamDefaultGUID : {B16898C6-A148-4967-9171-64D755DA8520} (AzureAd)

SSO State

AzureAdPrt : YES
AzureAdPrtUpdateTime : 2022-01-13 18:31:32.000 UTC
AzureAdPrtExpiryTime : 2022-01-27 18:31:31.000 UTC
AzureAdPrtAuthority : https://login.microsoftonline.com/80323a97-e77c-4241-8e08-93a06acXXXXX
EnterprisePrt : NO
EnterprisePrtAuthority :

Diagnostic Data

AadRecoveryEnabled : NO
Executing Account Name : EJAMERICAS\user, user@domain.com
KeySignTest : PASSED

Ngc Prerequisite Check

IsDeviceJoined : YES
IsUserAzureAD : YES
PolicyEnabled : NO
PostLogonEnabled : YES
DeviceEligible : NO
SessionIsNotRemote : NO
CertEnrollment : none
PreReqResult : WillNotProvision

0 Votes 0 ·
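The answer asks for a field-by-field comparison of `dsregcmd /status` between the working and non-working devices, and the question quotes event 201 from the DeviceManagement-Enterprise-Diagnostics-Provider/Admin channel. The PowerShell below is an added example for both, not code from Microsoft or from anyone in this thread. The function names (ConvertFrom-DsregStatus, Compare-DsregStatus, Get-MdmSessionFailures) are mine, the two sample captures are constructed placeholders rather than real device output, and the error text returned for the decoded Win32 code depends on what the local system message table contains.

```powershell
# Added example for this thread (not code from Microsoft or the poster).
# Assumptions: the two dsregcmd /status captures are pasted into $workingText and
# $brokenText (constructed placeholders below), and the event log channel plus
# event ID 201 are the ones quoted in the question.

function ConvertFrom-DsregStatus {
    # Parse dsregcmd /status text into a hashtable keyed "Section/Field".
    param([Parameter(Mandatory)][string[]]$Lines)
    $result  = @{}
    $section = 'General'
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line -match '^\+-+\+$') { continue }     # blank line or box border
        if ($line -match '^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$') {       # "Field : value"
            $result["$section/$($Matches[1].Trim())"] = $Matches[2].Trim()
            continue
        }
        if ($line -match '^\|?\s*([A-Za-z][A-Za-z ]*?)\s*\|?$') {      # "| Device State |" or a bare heading
            $section = $Matches[1].Trim()
        }
    }
    return $result
}

function Compare-DsregStatus {
    # List fields whose values differ between a working and a non-working device.
    # Per-device identifiers and timestamps are ignored so only state differences remain.
    param(
        [Parameter(Mandatory)][hashtable]$Working,
        [Parameter(Mandatory)][hashtable]$Broken,
        [string[]]$IgnoreFields = @('DeviceId', 'Thumbprint', 'KeyContainerId', 'Device Name',
                                    'DeviceCertificateValidity', 'AzureAdPrtUpdateTime',
                                    'AzureAdPrtExpiryTime', 'Executing Account Name')
    )
    $keys = @($Working.Keys) + @($Broken.Keys) | Sort-Object -Unique
    foreach ($key in $keys) {
        if ($IgnoreFields -contains ($key -split '/')[-1]) { continue }
        if ($Working[$key] -ne $Broken[$key]) {
            [pscustomobject]@{ Field = $key; Working = $Working[$key]; NonWorking = $Broken[$key] }
        }
    }
}

function Get-MdmSessionFailures {
    # Pull event 201 (OMA-DM message failed) from the MDM diagnostics channel and
    # decode a 0x8007xxxx HRESULT into its Win32 code and system message text.
    param([int]$MaxEvents = 50)
    $filter = @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id      = 201
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hr = $null; $win32 = $null; $text = 'n/a'
            if ($_.Message -match '0x([0-9A-Fa-f]{8})') {
                $hr = $Matches[1]
                if ($hr -like '8007*') {                               # FACILITY_WIN32: low 16 bits are the Win32 code
                    $win32 = [Convert]::ToInt32($hr.Substring(4), 16)
                    $text  = ([ComponentModel.Win32Exception]::new($win32)).Message
                }
            }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                HResult = if ($hr) { "0x$hr" } else { 'n/a' }
                Win32   = $win32
                Text    = $text
            }
        }
}

# --- constructed sample captures (trimmed; not real devices) ---
$workingText = @'
| Device State |
AzureAdJoined : YES
DeviceAuthStatus : SUCCESS
| SSO State |
AzureAdPrt : YES
'@ -split "`r?`n"

$brokenText = @'
| Device State |
AzureAdJoined : YES
DeviceAuthStatus : SUCCESS
| SSO State |
AzureAdPrt : NO
'@ -split "`r?`n"

Compare-DsregStatus -Working (ConvertFrom-DsregStatus $workingText) `
                    -Broken  (ConvertFrom-DsregStatus $brokenText) | Format-Table -AutoSize

# On a real device, replace the pasted text with live output and check the MDM log:
#   $live = ConvertFrom-DsregStatus (dsregcmd /status)
#   Get-MdmSessionFailures | Format-Table Time, HResult, Win32, Text -AutoSize
```

Run it in an elevated PowerShell session on the non-working device, then paste the working device's capture into the second variable; the comparison only lists fields whose values differ, with per-device identifiers such as DeviceId and the PRT timestamps filtered out so the output is limited to state that can actually explain a behavioural difference. The event helper reports the raw HRESULT alongside the decoded Win32 code so the value from the question (0x80072f8f) can be looked up without guessing at the facility prefix.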