AAD joined device no longer receiving apps

McKeeman, Samuel 1 Reputation point
2021-04-14T13:59:17.31+00:00

Having an issue with an AAD joined device that is no longer receiving client apps and updates. Under Managed Apps for the device, they are showing "Waiting for Install Status". Apps and updates were previously installing without issue.

I've gone through the following logs below and keep seeing errors over and over, most having to do with getting an AAD token. Does anyone have advice on how to resolve this issue?

IntuneManagementExtension log

Failed to get AAD token. len = 336 using client id fc0f3af4-6835-4174-b806-f7db311fd2f3 and resource id 0000000A-0000-0000-C000-000000000000, errorCode = 3399614476

AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '0000000a-0000-0000-c000-000000000000'.
Trace ID: 33d4e9f3-9cec-4b71-b9fd-0590843e1900
Correlation ID: 06186d47-771a-4dd0-93f9-096c42bfdd71
Timestamp: 2021-03-13 19:56:48Z

Failed to Get UserToken For Web Request with Intune Management Extension Error.
Exception: Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.TokenAquireException: Attempt to get token, but failed.
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.IntuneTokenManager.<GetTokenInternalAsync>d__41.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.IntuneTokenManager.<GetTokenForNewRequestAsync>d__39.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.EmsServiceBase.<<SendWebRequestInternal>b__17_1>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.ImpersonateHelper.<DoActionWithImpersonation>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.EmsServiceBase.<SendWebRequestInternal>d__17.MoveNext()

Also noticed:
[Win32App] start: app workload is not switched from SCCM, skip app check in. now check ESP status.
Doesn't make sense because device is AAD joined

AgentExecutor log

Errors started 12/2

DNS detection: WinHttpGetProxyForUrl call failed because of error 12167 AgentExecutor 12/2/2020 10:31:36 PM 1 (0x0001)
DHCP detection: WinHttpGetProxyForUrl call failed because of error 12167 AgentExecutor 12/2/2020 10:31:36 PM 1 (0x0001)
C:\Windows\TEMP\IntuneWindowsAgent_Proxy_HIDDEN.txt AgentExecutor 12/2/2020 10:31:36 PM 1 (0x0001)
{0} software distribution gets invoked AgentExecutor 12/3/2020 8:55:32 AM 1 (0x0001)
url is https://fef.msua02.manage.microsoft.com/TrafficGateway/TrafficRoutingService/SideCar/StatelessSideCarGatewayService AgentExecutor 12/3/2020 8:55:32 AM 1 (0x0001)
True AgentExecutor 12/3/2020 8:55:32 AM 1 (0x0001)

ClientHealth log

Got empty UserToken For Web Request IntuneManagementExtension 3/14/2021 10:09:09 AM 1 (0x0001)

<![LOG[Exception happens during client health Post Process, the exception is System.AggregateException: One or more errors occurred. ---> System.ComponentModel.Win32Exception: An attempt was made to reference a token that does not exist
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.EmsServiceBase.<SendWebRequestInternal>d__17.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.EmsServiceBase.<SendWebRequest>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.IntuneController.<Put>d__71.MoveNext() --- End of inner exception stack trace --- at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions) at System.Threading.Tasks.Task1.GetResultCore(Boolean waitCompletionNotification)
at System.Threading.Tasks.Task1.get_Result() at Microsoft.Management.EndUser.IntuneWindowsAgent.ClientHealth.CHReporter.SendReport(SideCarHealthReport report, Int32 sessionId, IController serviceProxy) at Microsoft.Management.EndUser.IntuneWindowsAgent.ClientHealth.ClientHealthRuleEngine.PostProcess() at Microsoft.Management.EndUser.IntuneWindowsAgent.ClientHealth.ClientHealthManager.Run() ---> (Inner Exception #0) System.ComponentModel.Win32Exception (0x80004005): An attempt was made to reference a token that does not exist at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.EmsServiceBase.<SendWebRequestInternal>d__17.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.EmsServiceBase.<SendWebRequest>d__18.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.IntuneController.<Put>d__71.MoveNext()<---

Microsoft Intune Application management
Microsoft Intune Application management
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Application management: The process of creating, configuring, managing, and monitoring applications.
969 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
5,365 questions
0 comments No comments
{count} votes

11 answers

Sort by: Most helpful
  1. Simon Burbery 686 Reputation points
    2023-02-18T05:13:03.66+00:00

    I have had similar symptoms without identifying a specific cause:

    • Intune reports device is AOK and compliant
    • Client can run a Sync successfully
    • Existing and newly deployed apps are NOT available in Company Portal
    • Errors in AAD logs regarding an expired token
    • dsregcmd /refreshprt does NOT work

    In all cases the solution was:

    • disconnect (unjoin) the device from Azure AD
    • delete the device from Intune
    • reboot the device and re-join Azure AD

    That's an okay fix for one machine but not hundreds.

    I'm wondering if an RMM Agent that controls software and update deployment could be messing with some of the stuff Intune uses, but haven't been able to go down that rabbit-hole as of yet =)


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.