AAD joined device no longer receiving apps

McKeeman, Samuel 1 Reputation point
2021-04-14T13:59:17.31+00:00

Having an issue with an AAD joined device that is no longer receiving client apps and updates. Under Managed Apps for the device, they are showing "Waiting for Install Status". Apps and updates were previously installing without issue.

I've gone through the following logs below and keep seeing errors over and over, most having to do with getting an AAD token. Does anyone have advice on how to resolve this issue?

IntuneManagementExtension log

Failed to get AAD token. len = 336 using client id fc0f3af4-6835-4174-b806-f7db311fd2f3 and resource id 0000000A-0000-0000-C000-000000000000, errorCode = 3399614476

AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '0000000a-0000-0000-c000-000000000000'.
Trace ID: 33d4e9f3-9cec-4b71-b9fd-0590843e1900
Correlation ID: 06186d47-771a-4dd0-93f9-096c42bfdd71
Timestamp: 2021-03-13 19:56:48Z

Failed to Get UserToken For Web Request with Intune Management Extension Error.
Exception: Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.TokenAquireException: Attempt to get token, but failed.
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.IntuneTokenManager.<GetTokenInternalAsync>d__41.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.IntuneTokenManager.<GetTokenForNewRequestAsync>d__39.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.EmsServiceBase.<<SendWebRequestInternal>b__17_1>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.ImpersonateHelper.<DoActionWithImpersonation>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.EmsServiceBase.<SendWebRequestInternal>d__17.MoveNext()

Also noticed:
[Win32App] start: app workload is not switched from SCCM, skip app check in. now check ESP status.
Doesn't make sense because device is AAD joined

AgentExecutor log

Errors started 12/2

DNS detection: WinHttpGetProxyForUrl call failed because of error 12167 AgentExecutor 12/2/2020 10:31:36 PM 1 (0x0001)
DHCP detection: WinHttpGetProxyForUrl call failed because of error 12167 AgentExecutor 12/2/2020 10:31:36 PM 1 (0x0001)
C:\Windows\TEMP\IntuneWindowsAgent_Proxy_HIDDEN.txt AgentExecutor 12/2/2020 10:31:36 PM 1 (0x0001)
{0} software distribution gets invoked AgentExecutor 12/3/2020 8:55:32 AM 1 (0x0001)
url is https://fef.msua02.manage.microsoft.com/TrafficGateway/TrafficRoutingService/SideCar/StatelessSideCarGatewayService AgentExecutor 12/3/2020 8:55:32 AM 1 (0x0001)
True AgentExecutor 12/3/2020 8:55:32 AM 1 (0x0001)

ClientHealth log

Got empty UserToken For Web Request IntuneManagementExtension 3/14/2021 10:09:09 AM 1 (0x0001)

<![LOG[Exception happens during client health Post Process, the exception is System.AggregateException: One or more errors occurred. ---> System.ComponentModel.Win32Exception: An attempt was made to reference a token that does not exist
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.EmsServiceBase.<SendWebRequestInternal>d__17.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.EmsServiceBase.<SendWebRequest>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.IntuneController.<Put>d__71.MoveNext()
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task1.GetResultCore(Boolean waitCompletionNotification)
at System.Threading.Tasks.Task1.get_Result()
at Microsoft.Management.EndUser.IntuneWindowsAgent.ClientHealth.CHReporter.SendReport(SideCarHealthReport report, Int32 sessionId, IController serviceProxy)
at Microsoft.Management.EndUser.IntuneWindowsAgent.ClientHealth.ClientHealthRuleEngine.PostProcess()
at Microsoft.Management.EndUser.IntuneWindowsAgent.ClientHealth.ClientHealthManager.Run()
---> (Inner Exception #0) System.ComponentModel.Win32Exception (0x80004005): An attempt was made to reference a token that does not exist
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.EmsServiceBase.<SendWebRequestInternal>d__17.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.EmsServiceBase.<SendWebRequest>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.IntuneController.<Put>d__71.MoveNext()<---


11 answers

  1. McKeeman, Samuel 1 Reputation point
    2021-04-16T16:33:19.843+00:00

    @Lu Dai-MSFT Thanks, I'll go ahead and make a ticket.

    @Rahul Jindal [MVP] Yes, company portal is installed. Apps that show as available can be installed. The main issue is we use PatchMyPC to push app updates as required, but those are not getting installed.


  2. Tofeeq Hussain 1 Reputation point
    2022-02-08T11:36:30.96+00:00

    I am having exactly the same issue and have been trying to fix it for the last 4 weeks.

    Did anyone have any solutions for this issue? My devices are Intune managed only, with local updates and no 3rd party or Config Mgr. My devices are purely Intune managed.


  3. Aravinth Mathan 336 Reputation points
    2022-03-11T15:12:40.573+00:00

    Hi @Tofeeq Hussain & @McKeeman, Samuel

    On the endpoint, can you do a sync and then observe?

    The client might need MFA to generate the token.

    Note: Sync from console might not work as MFA would have been enforced for users.

    Please confirm if this works.

    Regards
    Aravinth M
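
An added example, not part of any post in this thread: one way to check whether the token failures quoted in the question are all the same MFA-required error (AADSTS50076) is to pair each "Failed to get AAD token" entry with the AADSTS text logged after it. The function names are hypothetical, the CMTrace-style entry markup is an assumption about the log file's layout, and the sample is constructed from the values quoted in the question.

```python
import re
from collections import Counter
# Assumed CMTrace-style entry layout: <![LOG[message]LOG]!><time="..." date="..." ...>
ENTRY = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><time="(?P<time>[^"]*)" date="(?P<date>[^"]*)"', re.S)
TOKEN_FAIL = re.compile(r'Failed to get AAD token\..*?client id (?P<client>[0-9a-f-]{36}) and '
                        r'resource id (?P<resource>[0-9a-f-]{36}), errorCode = (?P<code>\d+)', re.I | re.S)
AADSTS = re.compile(r'\b(?P<sts>AADSTS\d+): (?P<text>[^\r\n]*)')
CORRELATION = re.compile(r'Correlation ID: (?P<cid>[0-9a-f-]{36})', re.I)

def triage(log_text):
    """Return one finding per token failure, joined to the AADSTS reason logged after it."""
    findings = []
    for entry in ENTRY.finditer(log_text):
        msg = entry["msg"]
        fail = TOKEN_FAIL.search(msg)
        if fail:
            findings.append({"when": f'{entry["date"]} {entry["time"]}',
                             "client_id": fail["client"].lower(), "resource_id": fail["resource"].lower(),
                             "error_code": int(fail["code"]),
                             "aadsts": None, "reason": None, "correlation_id": None})
        sts = AADSTS.search(msg)
        if sts and findings and findings[-1]["aadsts"] is None:
            cid = CORRELATION.search(msg)
            findings[-1].update(aadsts=sts["sts"], reason=sts["text"].strip(),
                                correlation_id=cid["cid"] if cid else None)
    return findings

def summarize(findings):
    """Count failures per (AADSTS code, resource id) so repeated errors collapse to one row."""
    return Counter((f["aadsts"] or "no-AADSTS-text", f["resource_id"]) for f in findings)

# Constructed sample: values copied from the log excerpts in the question, wrapped in CMTrace markup.
_META = '><time="{t}" date="{d}" component="IntuneManagementExtension" context="" type="3" thread="1" file="">\n'
_FAIL = ('<![LOG[Failed to get AAD token. len = 336 using client id fc0f3af4-6835-4174-b806-f7db311fd2f3 '
         'and resource id 0000000A-0000-0000-C000-000000000000, errorCode = 3399614476]LOG]!')
SAMPLE = (
    _FAIL + _META.format(t="19:56:48.0000000", d="3-13-2021")
    + "<![LOG[AADSTS50076: Due to a configuration change made by your administrator, or because you "
      "moved to a new location, you must use multi-factor authentication to access "
      "'0000000a-0000-0000-c000-000000000000'.\nTrace ID: 33d4e9f3-9cec-4b71-b9fd-0590843e1900\n"
      "Correlation ID: 06186d47-771a-4dd0-93f9-096c42bfdd71\nTimestamp: 2021-03-13 19:56:48Z]LOG]!"
    + _META.format(t="19:56:48.0000000", d="3-13-2021")
    + "<![LOG[Got empty UserToken For Web Request]LOG]!" + _META.format(t="10:09:09.0000000", d="3-14-2021")
    + _FAIL + _META.format(t="10:09:10.0000000", d="3-14-2021")
)
if __name__ == "__main__":
    for (code, resource), n in summarize(triage(SAMPLE)).items():
        print(f"{n}x {code} for resource {resource}")
```

The correlation ID attached to each finding is the value to search for in the Azure AD sign-in logs when working out which policy required MFA for that request.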


  4. Kurt G. Peterson 31 Reputation points
    2022-04-18T22:39:19.963+00:00

    Hello McKeemanSamuel-3321,
    Were you able to get it resolved?

    I have the same problem with Azure AD only joined laptop devices.

    I wonder if PatchMyPC could be the issue, because all of the updates from PatchMyPC are showing as "Waiting for install status" in Intune > Devices > ... > Managed Apps, even when there is no base application installed to be patched on the Windows device, like VMware Workstation, which is not installed, nor Beyond Compare, nor Wireshark, etc., for a total of over 400 apps?


  5. Kurt G. Peterson 31 Reputation points
    2022-04-19T20:04:49.067+00:00

    For me, when I excluded PatchMyPC updates from my test device by putting it in a test group and then excluding patches from the test group, it resolved the issue, and the Required apps started installing within 5 minutes.