Hybrid Azure AD Joined Device Fails Intune Auto Enrollment

Symptom

A Windows device is joined to the domain and synchronized to Azure AD (Microsoft Entra). The Registered column for the device in Azure AD shows Pending and the MDM column shows None.

The device does not show up in Intune since it was not successfully enrolled.

Running dsregcmd /status in CMD shows:

AzureAdJoined : YES [under Device State]

DomainJoined : YES [under Device State]

AzureAdPrt : No [under SSO State]

The problem here is that AzureAdPrt (Primary Refresh Token) shows No. In a nutshell, this means that the signed-in user on the device did not authenticate successfully to Azure AD, so no PRT was issued. Intune auto-enrollment relies on that token to register the device with the MDM service, so without it enrollment will fail.

You can confirm that device enrollment failed by checking for an error such as “Auto MDM Enroll Device Credential 0x0, Failed” in the Event Viewer at the following location:

Event Viewer → Applications and Services Logs → Microsoft → Windows → DeviceManagement-Enterprise-Diagnostics-Provider → Admin
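The two checks described above (the dsregcmd /status values and the auto-enrollment failure event) can be collected in one go. The following PowerShell script is an added example, not part of the original post; the function names are my own, and it assumes the Admin log above is exposed to Get-WinEvent under the name Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin. Run it in an elevated PowerShell session on the target device; it can be re-run after the resolution steps to confirm AzureAdPrt has turned to YES.

```powershell
# Added example (not from the original post): triage a hybrid Azure AD joined device
# for the "AzureAdPrt : NO" symptom and the matching auto-enrollment failure event.

function Get-DsregState {
    # dsregcmd /status prints "Key : Value" lines; collect them into a hashtable.
    # Keys may contain spaces and values may contain colons (URLs), so match lazily
    # up to the first colon.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(.+?)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-HybridJoinEnrollmentState {
    $s      = Get-DsregState
    $joined = ($s['AzureAdJoined'] -eq 'YES') -and ($s['DomainJoined'] -eq 'YES')
    $hasPrt = ($s['AzureAdPrt'] -eq 'YES')

    # Assumed log name for "DeviceManagement-Enterprise-Diagnostics-Provider > Admin".
    # Look for "Auto MDM Enroll ... Failed" events from the last 7 days;
    # SilentlyContinue suppresses the "no events found" error on a healthy device.
    $log    = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    $failed = @(Get-WinEvent -FilterHashtable @{
                    LogName = $log; StartTime = (Get-Date).AddDays(-7)
                } -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -like '*Auto MDM Enroll*Failed*' })

    if ($joined -and -not $hasPrt) {
        $diagnosis = 'Hybrid joined but no PRT: Intune auto-enrollment will fail'
    } elseif ($joined -and $hasPrt -and $failed.Count -eq 0) {
        $diagnosis = 'Healthy: joined with PRT and no recent enrollment failures'
    } else {
        $diagnosis = 'Check join state and the enrollment Admin log'
    }

    [pscustomobject]@{
        AzureAdJoined  = $s['AzureAdJoined']
        DomainJoined   = $s['DomainJoined']
        AzureAdPrt     = $s['AzureAdPrt']
        EnrollFailures = $failed.Count
        Diagnosis      = $diagnosis
    }
}

Test-HybridJoinEnrollmentState | Format-List
```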

Resolution

  1. Make sure that you have checked all the prerequisites for Intune auto-enrollment.
  2. In CMD (on the target device) run the following command:

%windir%\System32\deviceenroller.exe /autoenrollmdm

In some cases, this single command is enough to trigger a successful enrollment to Intune. If the device shows up in Intune after a while (5 to 15 minutes), the issue is resolved. If not, move on to the next steps to completely remove the device from your on-premises AD and Azure AD (Entra), re-join it, and enroll it to Intune.

  3. In CMD (on the target device) run the following command to unregister from Azure AD:

dsregcmd /leave

  4. Delete the device object from Azure AD.
  5. Disjoin the device from the on-premises Active Directory domain.
  6. Delete the device computer object from Active Directory.
  7. Re-join the device to the domain and wait for the next synchronization cycle to Azure AD, or force it through PowerShell on your Azure AD Connect server:

Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta

  8. The device will show up in Azure AD.
  9. Log on to the device with the target user’s credentials.

After a while (5 to 15 minutes), the device will successfully enroll to Intune via auto-enrollment.

Running dsregcmd /status in CMD now shows:

AzureAdJoined : YES [under Device State]

DomainJoined : YES [under Device State]

AzureAdPrt : YES [under SSO State]
