I already added the "ugs" scope as Microsoft instructs for Windows Server 2019. Still the same error.
windows hello for business On-Premises deployment error event
I am trying to deploy on-prem HfB. We are running at a domain functional level of 2012 R2. The single AD FS server runs 2019. I followed the Microsoft guide exactly, but when I start my domain PC, the enrollment process never happens.
Here is the event 1021 message under ADFS/Admin:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Encountered error during OAuth token request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthJWTBearerException: MSIS9426: Received invalid OAuth JWT Bearer request. The JWT Bearer payload must contain 'scope'.
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthJWTBearerRequestContext.ValidateJWTBearer()
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthJWTBearerRequestContext.ValidateCore()
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
And under "Device Registration Service/DRS/Admin", there is the error event 3036:
The description for Event ID 3036 from source Device Registration Service cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
none.
System.InvalidOperationException: Invalid or missing tenant information in Active Directory. Make sure you have configured the Service Connection Point (SCP) here: CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,(forest-dn).
Exception (if any): none
at Microsoft.DeviceRegistration.ADAdapter.AdrsTenantInfoUtil.GetTenantInfo(AdrsTenantConfigStore StoreType)
at Microsoft.DeviceRegistration.ADAdapter.AdrsTenantInfoUtil.GetTenantInfo()
at Microsoft.DeviceRegistration.ADAdapter.ADStore.<>c.<LookupTenantNameAsync>b__180_0()
at System.Threading.Tasks.Task`1.InnerInvoke()
at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.DeviceRegistration.Utilities.DRServiceManager.<RefreshKeyReceiptPublicCertsAsync>d__114.MoveNext()
The locale specific resource for the desired message is not present
Does anybody know the root cause or how to fix it?
Thanks!!!
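The two events above point at two separate configuration checks: whether the Device Registration SCP named in event 3036 exists and carries tenant information, and whether any AD FS application permission actually grants the 'ugs' scope that event 1021 complains about. The script below is an added diagnostic, not part of the original post or of Microsoft's guide; it assumes the RSAT ActiveDirectory module for the SCP check, that it is run on the AD FS server for the scope check, and that an on-prem deployment stores the federation service name as an `enterpriseDrsName:` keyword on the SCP.

```powershell
# Added diagnostic (not from the original post). Run on a domain-joined machine with the
# RSAT ActiveDirectory module for check 1, and on the AD FS server for check 2.
Import-Module ActiveDirectory

# Well-known DRS SCP container GUID, taken from the event 3036 text in the post.
$scpGuid  = '62a0ff2e-97b9-4513-943f-0d221bd30080'
$configNC = (Get-ADRootDSE).configurationNamingContext
$scpDn    = "CN=$scpGuid,CN=Device Registration Configuration,CN=Services,$configNC"

# Check 1: does the SCP exist, and does it carry tenant information?
try {
    $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
    Write-Host "SCP found: $scpDn"
    $scp.keywords | ForEach-Object { Write-Host "  keyword: $_" }

    # Assumption: an on-prem AD FS deployment registers its federation service name as
    # 'enterpriseDrsName:<fqdn>' in the keywords attribute. Adjust if your environment differs.
    $drsName = $scp.keywords | Where-Object { $_ -like 'enterpriseDrsName:*' }
    if (-not $drsName) {
        Write-Warning 'SCP exists but has no enterpriseDrsName keyword; DRS cannot resolve tenant info (event 3036).'
    }
} catch {
    Write-Warning "SCP not found at $scpDn (matches event 3036). Device registration has not populated it."
}

# Check 2 (AD FS server only): which application permissions grant the 'ugs' scope (event 1021)?
if (Get-Command Get-AdfsApplicationPermission -ErrorAction SilentlyContinue) {
    $perms = Get-AdfsApplicationPermission | Where-Object { $_.ScopeNames -contains 'ugs' }
    if ($perms) {
        $perms | Select-Object ClientRoleIdentifier, ServerRoleIdentifier, ScopeNames | Format-List
    } else {
        Write-Warning "No application permission grants the 'ugs' scope; the JWT bearer request will lack it."
    }
} else {
    Write-Host 'AD FS cmdlets not available here; run check 2 on the AD FS server.'
}
```

If check 1 warns, the SCP (not the 'ugs' scope) is the blocker for event 3036; if check 2 lists no permission, the scope was added somewhere other than the application permission that the device-registration client uses.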