Windows Laptop Failing to Enroll in Intune (Hybrid Join Issue)

Ashlee Sims 0 Reputation points
2025-02-21T12:25:01.85+00:00

I am trying to enroll a Windows laptop into Intune in a hybrid environment. The device is domain-joined, and the enrollment group policy is correctly applied. I have successfully enrolled other devices using the same setup, but this particular device is failing to enroll.

When I run dsregcmd /status, I receive the following output:

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : NTE
           Virtual Desktop : NOT SET
               Device Name : Dxxxx.xxx.local
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : ERROR (0x80070520)
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
       AzureAdPrtAuthority : NO
             EnterprisePrt : NO
    EnterprisePrtAuthority : NO
+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+
     Diagnostics Reference : www.microsoft.com/aadjerrors
              User Context : SYSTEM
               Client Time : 2025-02-21 09:41:40.000 UTC
      AD Connectivity Test : PASS
     AD Configuration Test : PASS
        DRS Discovery Test : FAIL [0x801c0021/0x801c0012] Request id: 6adb9d00-dd45-4998-9b9b-b154c80413ce
     DRS Connectivity Test : SKIPPED
    Token acquisition Test : SKIPPED
     Fallback to Sync-Join : ENABLED
      Fallback to Fed-Join : ENABLED
     Previous Registration : 2025-02-20 16:48:28.000 UTC
               Error Phase : discover
          Client ErrorCode : 0x801c0021
          Server ErrorCode : invalid_request
       Server ErrorSubCode : ParameterValueInvalid
          Server Operation : Discovery
            Server Message : UPN suffix parameter contains spaces: 'Nxxxxxxx Txxxxxxx Exxxxx Lxxxxxxx'
              Https Status : 400
                Request Id : bfe91135-ebcd-4a4d-ba0b-294cd47296d3
+----------------------------------------------------------------------+
| IE Proxy Config for System Account                                   |
+----------------------------------------------------------------------+
      Auto Detect Settings : YES
    Auto-Configuration URL :
         Proxy Server List :
         Proxy Bypass List :
+----------------------------------------------------------------------+
| URL Specific Proxy Config                                            |
+----------------------------------------------------------------------+
    Auto Detect PAC Status : Failed to auto detect the Proxy Auto-Configuration (PAC) script using WPAD. code: 0x80072f94
    Executing Account Name : XXX\DMxxxx$, DMxxxxx$@xxx.local
+----------------------------------------------------------------------+
| IE Proxy Config for Current User                                     |
+----------------------------------------------------------------------+
      Auto Detect Settings : YES
    Auto-Configuration URL :
         Proxy Server List :
         Proxy Bypass List :
+----------------------------------------------------------------------+
| WinHttp Default Proxy Config                                         |
+----------------------------------------------------------------------+
               Access Type : DIRECT
+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+
            IsDeviceJoined : NO
             IsUserAzureAD : NO
             PolicyEnabled : NO
          PostLogonEnabled : YES
            DeviceEligible : YES
        SessionIsNotRemote : YES
            CertEnrollment : none
              PreReqResult : WillNotProvision

I have already -
Checked DRS Discovery failures (0x801c0021 / 0x801c0012) → Indicates an invalid request due to a UPN suffix mismatch.

Checked Active Directory Domains and Trusts → Only xxxxxxx.co.uk exists as the UPN suffix, which is the correct one.

Ran PowerShell to list all user UPNs (Get-ADUser -Filter * -Properties UserPrincipalName) → No references to "NetSol Technologies Europe Limited", and userPrincipalName is correctly set to ******@xxxx.co.uk
Ran PowerShell to check computer objects in AD (Get-ADComputer -Filter * -Properties dnsHostName, userPrincipalName) → No UPNs set or invalid domain names found.

Verified Azure AD Connect sync settings → No references to "Nxxxx Txxxxxx Exxxx Lxxxxxx" found.

Checked Azure AD verified domains (Get-MsolDomain) → Also no references.

Confirmed the enrollment group policy and groups are correctly applied (other devices enroll successfully).

Ran dsregcmd /status → Confirmed Azure AD join is failing and UPN suffix error persists.

Checked local registry settings (reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI") → No reference to "Nxxxx Txxxxxx Exxxxx Lxxxx".

Ran a find on the whole registry to find a reference → No reference to "Nxxxx Txxxxxx Exxxxx Lxxxx".

Ran dsregcmd /leave to force unregistration. Restarted the device and re-ran dsregcmd /join → Issue persists.

Checked WAM authentication errors (0x80070520) and restarted the Web Account Manager service (net stop wlidsvc && net start wlidsvc).

Unjoined it from the domain, deleted all references in Azure and rejoined.

Any ideas?


1 answer

  1. Crystal-MSFT 52,321 Reputation points Microsoft Vendor
    2025-02-24T01:28:11.18+00:00

    @Ashlee Sims, thanks for posting in Q&A. From your description I understand you are doing GPO enrollments. Some devices can enroll successfully, but some can't. For the affected device, the information you provided shows that the issue is that Microsoft Entra hybrid join is failing: AzureAdJoined and AzureAdPrt are both NO.

    In general, to enroll devices via GPO enrollment, the devices first need to be Microsoft Entra hybrid joined successfully, which means AzureAdJoined, DomainJoined and AzureAdPrt are all YES.

    In the Diagnostic Data, it says the issue occurs in the Discover phase, and the error message is "UPN suffix parameter contains spaces:". Please double-check the user's UPN to see if any space exists. If yes, remove it in AD and sync again to see if it can work.

    Meanwhile, here is a troubleshooting link for Microsoft Entra hybrid join. You can read it as a reference.

    https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-hybrid-join-windows-current

    In addition, to remove previous enrollment information, please also clean the data under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollment.

    Please try the above suggestion and if there's any update, feel free to let us know.


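The Server Message in the dsregcmd output above is produced in the Discover phase, before any user token is involved (User Context is SYSTEM), so the value being rejected is the tenant name the device itself sends to the Device Registration Service. A domain-joined device obtains that name from the forest's Service Connection Point (SCP) in the Configuration partition, or from the client-side registry override under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD if one is configured; neither location is covered by a search of the user objects, verified domains, or the device's own registry hive for the LogonUI key. The script below is an added example, not code from the question or the answer, that reads both locations and flags a tenant name that is not a DNS domain name. It assumes the RSAT ActiveDirectory module is available, that the session runs on a domain-joined machine as an account that can read the Configuration partition, and that the SCP uses the documented well-known object name; the regular expression used to judge a tenant name is this example's own heuristic.

```powershell
# Added example (not from the thread). Finds where hybrid join discovery gets the
# tenant name from and checks that the name is a verified-domain-style DNS name.
# Assumes: RSAT ActiveDirectory module, domain-joined session, read access to the
# Configuration naming context.

Import-Module ActiveDirectory

function Get-HybridJoinScp {
    # Well-known SCP object for Microsoft Entra device registration (documented name).
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $scpDn = "CN=62a0ff2e-97b9-4088-9b00-5d4e3b49ae8b,CN=Device Registration Configuration,CN=Services,$configNc"
    try {
        $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
    } catch {
        return $null
    }
    $result = [ordered]@{ DistinguishedName = $scp.DistinguishedName }
    # keywords is multi-valued: "azureADName:<verified domain>" and "azureADId:<tenant id>"
    foreach ($kw in $scp.keywords) {
        if ($kw -match '^(azureADName|azureADId):(.*)$') { $result[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]$result
}

function Get-HybridJoinRegistryOverride {
    # Client-side override used when discovery should not rely on the SCP.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'
    if (-not (Test-Path $path)) { return $null }
    Get-ItemProperty -Path $path | Select-Object TenantId, TenantName
}

function Test-TenantName {
    param([string]$Name, [string]$Source)
    if ([string]::IsNullOrWhiteSpace($Name)) { return "$Source: no tenant name set" }
    # Heuristic (this example's own): discovery expects a DNS domain name such as
    # contoso.com. A display name containing spaces is rejected in the Discover phase.
    $isDnsName = ($Name -notmatch '\s') -and ($Name -match '^[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')
    $state = if ($isDnsName) { 'OK' } else { 'INVALID (expected a verified DNS domain name, no spaces)' }
    "{0}: tenant name '{1}' -> {2}" -f $Source, $Name, $state
}

$scp = Get-HybridJoinScp
if ($scp) {
    $scp | Format-List
    Test-TenantName -Name $scp.azureADName -Source 'AD SCP keywords'
} else {
    'No SCP found in the Configuration partition; discovery would rely on the client registry override.'
}

$reg = Get-HybridJoinRegistryOverride
if ($reg) {
    $reg | Format-List
    Test-TenantName -Name $reg.TenantName -Source 'HKLM CDJ\AAD override'
} else {
    'No client-side CDJ\AAD override present.'
}
```

Run it in an elevated session on the affected device and, for comparison, on one of the devices that does enroll; the SCP is forest-wide, so a difference between devices points at the registry override rather than the SCP. If the azureADName keyword (or TenantName value) turns out to be a display name with spaces, correct it to the verified domain and re-run dsregcmd /status under SYSTEM; for the SCP this can be done with Set-ADObject -Replace on the keywords attribute, supplying both the azureADName and azureADId values since the attribute is replaced as a whole.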
