User not receiving MDM URL for Intune automatic enrollment

Rookie{} 61 Reputation points
2022-09-12T14:30:09.527+00:00

Hey everyone,

We have been going through the process of enrolling our existing Windows domain-joined machines to Intune MDM; we had about 180 users and most of them have been enrolled fine. These are all Hybrid AAD Joined machines.
A quick summary of the procedure we followed:

  • Made sure we had the machine object in Azure AD as Hybrid Joined and registered (this is how we check if the machine is Azure AD joined)
  • Check on the machine for dsregcmd /status and see if the MDM url is populated
  • Apply the Automatic enrollment GPO on the machine

We have had most success when we have followed the above method.
But we have one machine which is failing at the second point, where it is not getting the MDM URL. I have checked and made sure that the user who is logged into the machine has an Intune license. I understand this usually takes time, but for this user it has been more than two weeks. The machine is joined to Azure AD successfully; it has a hybrid Azure AD record with a registered date and an activity date. This is the first user among the 150+ users we have enrolled who is having this issue.

I have noticed with previous enrolments that without the MDM URL, the machine won't automatically enroll into Intune even if the Intune automatic enrollment GPO is applied on the machine.

What we have done for troubleshooting:

  • Remove/unjoin the machine from Azure AAD using dsregcmd /leave
  • Made sure the Hybrid Azure AD object was deleted
  • Rejoined the machine back to Azure AD

This process didn't help; it has been 5 days since we did these troubleshooting steps.

Any help would be appreciated.


13 answers

  1. Rookie{} 61 Reputation points
    2022-09-13T15:05:00.097+00:00

    Hi @Jason Sandys, the license is O365 E3, but my question is that we have had all successful Intune automatic enrollments with the same licenses assigned to all users (O365 E3, Intune License).

    Here is the dsregcmd /status of the machine for reference

    +----------------------------------------------------------------------+
    | Device State |
    +----------------------------------------------------------------------+
    AzureAdJoined : YES
    EnterpriseJoined : NO
    DomainJoined : YES
    DomainName : *******
    Device Name : ********
    +----------------------------------------------------------------------+
    | Device Details |
    +----------------------------------------------------------------------+
    DeviceId : 504a2832-922a-4f45-825d-48c1d4ae4f66
    Thumbprint : 5551301D7AEF24CD5AFE08EF19372EC49E89E9C0
    DeviceCertificateValidity : [ 2022-09-07 16:18:14.000 UTC -- 2032-09-07 16:48:14.000 UTC ]
    KeyContainerId : 8948564b-0a70-4bbc-a3f7-fdb21907fa98
    KeyProvider : Microsoft Platform Crypto Provider
    TpmProtected : YES
    DeviceAuthStatus : SUCCESS
    +----------------------------------------------------------------------+
    | Tenant Details |
    +----------------------------------------------------------------------+
    TenantName :
    TenantId : b478bc94-d415-4d83-94b7-583909ce5099
    Idp : login.windows.net
    AuthCodeUrl : https://login.microsoftonline.com/b478bc94-d415-4d83-94b7-583909ce5099/oauth2/authorize
    AccessTokenUrl : https://login.microsoftonline.com/b478bc94-d415-4d83-94b7-583909ce5099/oauth2/token
    MdmUrl :
    MdmTouUrl :
    MdmComplianceUrl :
    SettingsUrl :
    JoinSrvVersion : 2.0
    JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
    JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
    KeySrvVersion : 1.0
    KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
    KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
    WebAuthNSrvVersion : 1.0
    WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/b478bc94-d415-4d83-94b7-583909ce5099/
    WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
    DeviceManagementSrvVer : 1.0
    DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/b478bc94-d415-4d83-94b7-583909ce5099/
    DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net
    +----------------------------------------------------------------------+
    | User State |
    +----------------------------------------------------------------------+
    NgcSet : NO
    WorkplaceJoined : YES
    WorkAccountCount : 1
    WamDefaultSet : NO
    +----------------------------------------------------------------------+
    | SSO State |
    +----------------------------------------------------------------------+
    AzureAdPrt : NO
    AzureAdPrtAuthority :
    EnterprisePrt : NO
    EnterprisePrtAuthority :
    +----------------------------------------------------------------------+
    | Work Account 1 |
    +----------------------------------------------------------------------+
    WorkplaceDeviceId : 63997042-cc90-44eb-9e5c-b6f927741580
    WorkplaceThumbprint : 524FC722E53D4D2A2B2F13289883D6FBFD218589
    DeviceCertificateValidity : [ 2021-02-01 16:56:12.000 UTC -- 2031-02-01 17:26:12.000 UTC ]
    KeyContainerId : 71d48f6d-f95b-4339-9d47-04c13e50d62a
    KeyProvider : Microsoft Platform Crypto Provider
    TpmProtected : YES
    WorkplaceIdp : login.windows.net
    WorkplaceTenantId : b478bc94-d415-4d83-94b7-583909ce5099
    WorkplaceTenantName : *****
    WorkplaceMdmUrl :
    WorkplaceSettingsUrl :
    NgcSet : NO
    +----------------------------------------------------------------------+
    | Diagnostic Data |
    +----------------------------------------------------------------------+
    AadRecoveryEnabled : NO
    Executing Account Name : *****
    KeySignTest : PASSED
    +----------------------------------------------------------------------+
    | IE Proxy Config for Current User |
    +----------------------------------------------------------------------+
    Auto Detect Settings : YES
    Auto-Configuration URL :
    Proxy Server List :
    Proxy Bypass List :
    +----------------------------------------------------------------------+
    | WinHttp Default Proxy Config |
    +----------------------------------------------------------------------+
    Access Type : DIRECT
    +----------------------------------------------------------------------+
    | Ngc Prerequisite Check |
    +----------------------------------------------------------------------+
    IsDeviceJoined : YES
    IsUserAzureAD : NO
    PolicyEnabled : NO
    PostLogonEnabled : YES
    DeviceEligible : YES
    SessionIsNotRemote : YES
    CertEnrollment : none
    PreReqResult : WillNotProvision


  2. Jason Sandys 31,391 Reputation points Microsoft Employee
    2022-09-13T15:26:21.44+00:00

    the license is O365 E3

    O365 is for Microsoft 365 Apps only (formerly Office 365) and does not include EMS/Intune rights or AAP1.

    AzureAdPrt : NO

    This is indicative of the device not actually being successfully HAADJ. There is an AAD event log that may be helpful to troubleshoot in addition to the info in the article I linked to previously.


  3. Rookie{} 61 Reputation points
    2022-09-13T17:03:01.543+00:00

    Thanks @Jason Sandys for the swift responses.

    In terms of licenses we are using combinations of O365 E3 and Intune License. I believe the Intune license gives the user the rights on Intune. In terms of the AAP1 license, based on a brief reading it is required only for co-managed devices, which is not the case for us. Again, I can't confirm this but just based it on a quick reading of the license requirement page for Intune.

    I have a meeting with this user in the next hour, so I will try to go through the logs, see the documentation for troubleshooting, and post further results here. Thank you again for helping me with this.


  4. Jason Sandys 31,391 Reputation points Microsoft Employee
    2022-09-13T17:19:27.077+00:00

    Auto-enrollment into Intune requires an AADP1+. Co-management requires this because co-management leverages auto-enrollment into Intune but it is not the only auto-enrollment scenario. Using a GPO is also auto-enrollment and thus also requires AADP1. Reference: https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment-windows


  5. Rookie{} 61 Reputation points
    2022-09-13T18:27:44.033+00:00

    @Jason Sandys I am with the user now. On checking the logs based on the troubleshooting guide (Applications and Services Log > Microsoft > Windows > AAD), I don't see the events 1006 and 1007; I only see two particular events:

    Event 1097:
    Error: 0x8007054B
    Exception of type 'class DSRegException' at AcquireTokenContext.cpp, line: 234, method: AcquireTokenContext::GetFallbackDomain.
    Log: 0xcaac03f1 Failed to get the DC registration data. Cannot get the domain name.
    Logged at AcquireTokenContext.cpp, line: 234, method: AcquireTokenContext::GetFallbackDomain.

    Event 1098:

    Error: 0xCAA20003 Authorization grant failed for this assertion.
    Code: invalid_grant
    Description: SubError: token_expired V2Error: invalid_grant AADSTS70043: The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on 2022-07-11T13:37:48.6354859Z and the maximum allowed lifetime for this request is 864000.
    Trace ID: 5fbb8b49-50af-4bd3-b91a-b0891d603501
    Correlation ID: fbc48453-6c88-4ca7-9d8c-61e46847087d
    Timestamp: 2022-09-07 15:43:18Z
    TokenEndpoint: https://login.microsoftonline.com/b478bc94-d415-4d83-94b7-583909ce5099/oauth2/token
    Logged at OAuthTokenRequestBase.cpp, line: 449, method: OAuthTokenRequestBase::ProcessOAuthResponse.
    Request: authority: https://login.microsoftonline.com/b478bc94-d415-4d83-94b7-583909ce5099, client: ab9b8c07-8f02-4f72-87fa-80105867a763, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/ab9b8c07-8f02-4f72-87fa-80105867a763, resource: , correlation ID (request): fbc48453-6c88-4ca7-9d8c-61e46847087d

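A PowerShell check, added here and not posted by anyone in the thread, that parses dsregcmd /status into the fields the question's second step and Jason Sandys's reply turn on (AzureAdJoined, DomainJoined, AzureAdPrt, MdmUrl, WorkplaceMdmUrl) and then pulls the AAD operational-log events mentioned in this thread (1006/1007 expected on a healthy join, 1097/1098 as seen above). It assumes it is run inside the affected user's signed-in session on the machine, since the PRT and Work Account fields are user-context; the log name and cmdlets are standard Windows ones.

```powershell
# Added example, not from the original thread.
# Parse "dsregcmd /status" into a hashtable. Keys that repeat across sections
# (e.g. NgcSet, KeyContainerId) keep the last value; the fields checked below are unique.
function Get-DsregStatus {
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        # Key is the text before the first ':'; URLs in the value keep their own colons.
        if ($line -match '^\s*([A-Za-z0-9 \-]+?)\s*:\s*(.*)$') {
            $status[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $status
}

# Report the fields this thread hinges on. AzureAdPrt = NO means the hybrid join
# never completed, which is why no MDM URL is ever written.
function Test-HybridJoinReadiness {
    param([hashtable]$Status)
    $expected = @(
        @{ Name = 'AzureAdJoined'; Expect = 'YES' },
        @{ Name = 'DomainJoined';  Expect = 'YES' },
        @{ Name = 'AzureAdPrt';    Expect = 'YES' }
    )
    foreach ($e in $expected) {
        $actual = $Status[$e.Name]
        [pscustomobject]@{ Check = $e.Name; Expected = $e.Expect; Actual = $actual; Ok = ($actual -eq $e.Expect) }
    }
    # These must be non-empty before the auto-enrollment GPO can do anything.
    foreach ($url in 'MdmUrl', 'WorkplaceMdmUrl') {
        $val = $Status[$url]
        [pscustomobject]@{ Check = $url; Expected = '<populated>'; Actual = $val; Ok = (-not [string]::IsNullOrWhiteSpace($val)) }
    }
}

$status = Get-DsregStatus
Test-HybridJoinReadiness -Status $status | Format-Table -AutoSize

# AAD operational log, the same log the thread's troubleshooting guide points at.
# 1006/1007 accompany a successful join; 1097/1098 are the failures quoted above.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AAD/Operational'
    Id      = 1006, 1007, 1097, 1098
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -Wrap
```

A row with Ok = False on AzureAdPrt together with 1097/1098 entries and no 1006/1007 points at the join itself (domain controller reachability or an expired token, as in the events quoted above) rather than at licensing or the GPO.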
