Windows Laptop Failing to Enroll in Intune (Hybrid Join Issue)

Ashlee Sims 0 Reputation points
2025-02-21T12:01:54.1266667+00:00

I am trying to enroll a Windows laptop into Intune in a hybrid environment. The device is domain-joined, and the enrollment group policy is correctly applied. I have successfully enrolled other devices using the same setup, but this particular device is failing to enroll.

When I run dsregcmd /status, I receive the following output:

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : NTE
           Virtual Desktop : NOT SET
               Device Name : Dxxxx.xxx.local
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : ERROR (0x80070520)
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
       AzureAdPrtAuthority : NO
             EnterprisePrt : NO
    EnterprisePrtAuthority : NO
+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+
     Diagnostics Reference : www.microsoft.com/aadjerrors
              User Context : SYSTEM
               Client Time : 2025-02-21 09:41:40.000 UTC
      AD Connectivity Test : PASS
     AD Configuration Test : PASS
        DRS Discovery Test : FAIL [0x801c0021/0x801c0012] Request id: 6adb9d00-dd45-4998-9b9b-b154c80413ce
     DRS Connectivity Test : SKIPPED
    Token acquisition Test : SKIPPED
     Fallback to Sync-Join : ENABLED
      Fallback to Fed-Join : ENABLED
     Previous Registration : 2025-02-20 16:48:28.000 UTC
               Error Phase : discover
          Client ErrorCode : 0x801c0021
          Server ErrorCode : invalid_request
       Server ErrorSubCode : ParameterValueInvalid
          Server Operation : Discovery
            Server Message : UPN suffix parameter contains spaces: 'Nxxxxxxx Txxxxxxx Exxxxx Lxxxxxxx'
              Https Status : 400
                Request Id : bfe91135-ebcd-4a4d-ba0b-294cd47296d3
+----------------------------------------------------------------------+
| IE Proxy Config for System Account                                   |
+----------------------------------------------------------------------+
      Auto Detect Settings : YES
    Auto-Configuration URL :
         Proxy Server List :
         Proxy Bypass List :
+----------------------------------------------------------------------+
| URL Specific Proxy Config                                            |
+----------------------------------------------------------------------+
    Auto Detect PAC Status : Failed to auto detect the Proxy Auto-Configuration (PAC) script using WPAD. code: 0x80072f94
    Executing Account Name : XXX\DMORELLI$, DMORELLI$@xxx.local
+----------------------------------------------------------------------+
| IE Proxy Config for Current User                                     |
+----------------------------------------------------------------------+
      Auto Detect Settings : YES
    Auto-Configuration URL :
         Proxy Server List :
         Proxy Bypass List :
+----------------------------------------------------------------------+
| WinHttp Default Proxy Config                                         |
+----------------------------------------------------------------------+
               Access Type : DIRECT
+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+
            IsDeviceJoined : NO
             IsUserAzureAD : NO
             PolicyEnabled : NO
          PostLogonEnabled : YES
            DeviceEligible : YES
        SessionIsNotRemote : YES
            CertEnrollment : none
              PreReqResult : WillNotProvision

I've already:

Checked the Domains and Trusts - there is only one domain and it is a .co.uk and not a string with spaces
Checked the UPNs using PowerShell - there was only one and the same as above
Checked both the users and devices AD attributes - all correct and no sign of this incorrect UPN suffix
Checked the device's local settings
Cleared all the caches related to dsregcmd
Ran dsregcmd /leave & /join (both with and without a restart)
Unjoined the device from the domain, deleted all traces in Azure AD (where it appears in a pending state) and rejoined
Checked the firewall for errors
Checked Azure AD Connect sync rules - there's a reference to userprinciplename = 'userPrincipleName' so this wasn't any help
Ran through a heap of Microsoft documentation
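
As an added example (not part of the original post and not Microsoft tooling), the following Python parses saved `dsregcmd /status` text like the output quoted in the question and reports which diagnostic test failed, which tests were skipped, and the error fields. The function names `parse_dsregcmd` and `triage` are hypothetical, and the embedded sample is a constructed excerpt of the output above.

```python
import re

# Constructed sample: trimmed excerpt of the `dsregcmd /status` output quoted above.
SAMPLE = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+
      AD Connectivity Test : PASS
        DRS Discovery Test : FAIL [0x801c0021/0x801c0012] Request id: 6adb9d00-dd45-4998-9b9b-b154c80413ce
     DRS Connectivity Test : SKIPPED
               Error Phase : discover
          Client ErrorCode : 0x801c0021
            Server Message : UPN suffix parameter contains spaces: 'Nxxxxxxx Txxxxxxx Exxxxx Lxxxxxxx'
+----------------------------------------------------------------------+
| IE Proxy Config for System Account                                   |
+----------------------------------------------------------------------+
    Auto-Configuration URL :
"""

def parse_dsregcmd(text):
    """Return {section: {field: value}} parsed from `dsregcmd /status` text."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("|"):                      # "| Section name |" banner
            current = sections.setdefault(line.strip("| "), {})
        elif current is not None and " :" in line:
            # Split on the first " :" only; values may hold colons or be empty.
            key, _, value = line.partition(" :")
            current[key.strip()] = value.strip()
    return sections

def triage(sections):
    """Summarise where the join stopped: failed/skipped tests and error fields."""
    diag = sections.get("Diagnostic Data", {})
    tests = {k: v for k, v in diag.items() if k.endswith(" Test")}
    failed = [k for k, v in tests.items() if v.startswith("FAIL")]
    text = " ".join([diag.get("Client ErrorCode", "")] + [tests[k] for k in failed])
    return {
        "joined": sections.get("Device State", {}).get("AzureAdJoined") == "YES",
        "failed": failed,
        "skipped": [k for k, v in tests.items() if v == "SKIPPED"],
        "phase": diag.get("Error Phase"),
        "codes": sorted(set(re.findall(r"0x[0-9a-fA-F]{8}", text))),
        "server_message": diag.get("Server Message"),
    }
```

Calling `triage(parse_dsregcmd(SAMPLE))` returns a dictionary with the failed test, the error phase, the distinct hex error codes and the server message, which is the part of the output worth quoting when escalating a failed hybrid join.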
