Azure AD registered & hybrid AAD joined - but no MDM RRS feed

  • Question

  • Hello,

    I'm pulling my hair out and need some assistance. These are my "players": 

    • SCCM 1902 with a cloud management gateway. 
    • Users with 'Microsoft 365 E5 Security'-licences.
    • Windows 10 client (1809)

    From the Azure portal->Intune blade:

    I am able to see the device under 'Azure AD devices'. I can actually see both a Hybrid Azure AD joined device & an Azure AD registered device. Neither of them has the 'MDM' option. 

    The result from dsregcmd shows two settings which I've found could be related, but I do not know how to remediate them:

    • AzureAdPrt : NO
    • WamDefaultSet : NO

    This is the full result from dsregcmd:


    +----------------------------------------------------------------------+
    | Device State                                                         |
    +----------------------------------------------------------------------+

                 AzureAdJoined : YES
              EnterpriseJoined : NO
                  DomainJoined : YES
                    DomainName : <domain>

    +----------------------------------------------------------------------+
    | Device Details                                                       |
    +----------------------------------------------------------------------+

                      DeviceId : 5f27a32a-7b5a-45c1-a291-yyyyyyyyyyyy
                    Thumbprint : 4C2EA7931A2ADE74CEFBF6ACCyyyyyyyyyyyy
     DeviceCertificateValidity : [ 2019-08-26 07:51:17.000 UTC -- 2029-08-26 08:21:17.000 UTC ]
                KeyContainerId : ef566e24-3b88-43c3-8820-yyyyyyyyyyy
                   KeyProvider : Microsoft Platform Crypto Provider
                  TpmProtected : YES

    +----------------------------------------------------------------------+
    | Tenant Details                                                       |
    +----------------------------------------------------------------------+

                    TenantName : 
                      TenantId : d87c80fa-0b2e-408b-bd54-yyyyyyyyyy
                           Idp : login.windows.net
                   AuthCodeUrl : https://login.microsoftonline.com/d87c80fa-0b2e-408b-bd54-yyyyyyyyyy/oauth2/authorize
                AccessTokenUrl : https://login.microsoftonline.com/d87c80fa-0b2e-408b-bd54-yyyyyyyyyy/oauth2/token
                        MdmUrl : 
                     MdmTouUrl : 
              MdmComplianceUrl : 
                   SettingsUrl : 
                JoinSrvVersion : 1.0
                    JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
                     JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
                 KeySrvVersion : 1.0
                     KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
                      KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
            WebAuthNSrvVersion : 1.0
                WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/d87c80fa-0b2e-408b-bd54-yyyyyyyyyy/
                 WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
        DeviceManagementSrvVer : 1.0
        DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/d87c80fa-0b2e-408b-bd54-yyyyyyyyyy/
         DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net

    +----------------------------------------------------------------------+
    | User State                                                           |
    +----------------------------------------------------------------------+

                        NgcSet : NO
               WorkplaceJoined : YES
              WorkAccountCount : 1
                 WamDefaultSet : NO

    +----------------------------------------------------------------------+
    | SSO State                                                            |
    +----------------------------------------------------------------------+

                    AzureAdPrt : NO
           AzureAdPrtAuthority : 
                 EnterprisePrt : NO
        EnterprisePrtAuthority : 

    +----------------------------------------------------------------------+
    | Work Account 1                                                       |
    +----------------------------------------------------------------------+

             WorkplaceDeviceId : d8c9adda-d0cd-4ca6-a025-yyyyyyyyyy
           WorkplaceThumbprint : 708803EAB395DC2186BDB3F49yyyyyyyyyy
                  WorkplaceIdp : login.windows.net
             WorkplaceTenantId : d87c80fa-0b2e-408b-bd54-yyyyyyyyyy
           WorkplaceTenantName : <mydomain>
               WorkplaceMdmUrl : https://wip.mam.manage.microsoft.com/Enroll
          WorkplaceSettingsUrl : 
                        NgcSet : NO

    +----------------------------------------------------------------------+
    | Diagnostic Data                                                      |
    +----------------------------------------------------------------------+

             AadRecoveryNeeded : NO
                   KeySignTest : MUST Run elevated to test.

    +----------------------------------------------------------------------+
    | Ngc Prerequisite Check                                               |
    +----------------------------------------------------------------------+

                IsDeviceJoined : YES
                 IsUserAzureAD : NO
                 PolicyEnabled : NO
              PostLogonEnabled : YES
                DeviceEligible : YES
            SessionIsNotRemote : YES
                CertEnrollment : none
                  PreReqResult : WillNotProvision

    _______________________________________________________

    Also, the 'CoManagementHandler.log' display the following information:

    <![LOG[Mdm Enrollment Url has not yet been configured.]LOG]!><time="13:00:17.189-120" date="08-26-2019" component="CoManagementHandler" context="" type="2" thread="6800" file="MdmRegLib.cpp:321">

    <![LOG[This device is not enrolled into Intune.]LOG]!><time="13:00:17.189-120" date="08-26-2019" component="CoManagementHandler" context="" type="1" thread="6800" file="MdmRegLib.cpp:1012">

    <![LOG[Device is not MDM enrolled yet. All workloads are managed by SCCM.]LOG]!><time="13:00:17.189-120" date="08-26-2019" component="CoManagementHandler" context="" type="1" thread="6800" file="CcmUtilLib.cpp:2904">

    <![LOG[Co-management is disabled but expected to be enabled.]LOG]!><time="13:00:17.192-120" date="08-26-2019" component="CoManagementHandler" context="" type="2" thread="6800" file="CcmUtilLib.cpp:3011">

    <![LOG[Current workload settings is not compliant. Setting enabled = 1, workload = 255.]LOG]!><time="13:00:17.192-120" date="08-26-2019" component="CoManagementHandler" context="" type="2" thread="6800" file="comgmtagent.cpp:380">

    <![LOG[Updating comanagement registry key to 0xff]LOG]!><time="13:00:17.196-120" date="08-26-2019" component="CoManagementHandler" context="" type="1" thread="6800" file="CcmUtilLib.cpp:3205">

    <![LOG[CoManagement flags registry key updated.]LOG]!><time="13:00:17.196-120" date="08-26-2019" component="CoManagementHandler" context="" type="1" thread="6800" file="CcmUtilLib.cpp:3210">

    <![LOG[Setting co-management RS3 flags]LOG]!><time="13:00:17.200-120" date="08-26-2019" component="CoManagementHandler" context="" type="1" thread="6800" file="CcmUtilLib.cpp:3253">

    <![LOG[This device is not enrolled into Intune.]LOG]!><time="13:00:17.213-120" date="08-26-2019" component="CoManagementHandler" context="" type="1" thread="6800" file="MdmRegLib.cpp:1012">

    _________________________________________________

    Also, I am missing the task schedule under EnterpriseMgmt on the win 10 machine. 

    • Edited by Theodor.Brander Monday, August 26, 2019 12:39 PM another finding
    Monday, August 26, 2019 10:42 AM

All replies

  • Hi MrGiraff,

    Did you also enable Automatic Enrollment in Intune? 

    Microsoft Intune -> Device enrollment -> Windows enrollment -> Automatic enrollment. 

    You are missing some MDM URLs in DSREGCMD. Most often that is the case when Automatic Enrollment is not enabled for MDM. With Automatic Enrollment, the Azure AD joined device will automatically enroll in Intune. 


    • Edited by Albert Neef Monday, August 26, 2019 1:56 PM
    Monday, August 26, 2019 1:53 PM
  • Dear Albert,

    thank you for reaching out. Unfortunately I had configured this item prior to uploading this post :(

    Can you think of any other reason these items are missing?

    Best regards

    Theodor

    Tuesday, August 27, 2019 7:00 AM
  • This means the device has registered to Azure AD, but wasn’t enrolled by Intune. Please examine the MDM logs on the device in the following location in Event Viewer:

    Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin

    Look for Event ID 75 (Event message "Auto MDM Enroll: Succeeded"). This event indicates that the auto-enrollment succeeded.

    Also, please make sure that the following pre-requirements are configured correctly:

    1. Verify that a valid Intune license is assigned to the user who is trying to enroll the device.

    2. Verify that the device is running Windows 10, version 1709 or a later version.

    For other pre-requirements, you can refer to the following article:

    https://support.microsoft.com/en-sg/help/4494359/troubleshoot-intune-windows-10-group-policy-based-auto-enrollment

    Best regards,

    Cici Wu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Tuesday, August 27, 2019 8:25 AM
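    The checks described in the reply above (the dsregcmd fields that are empty or NO in the question, and Event IDs 75/76 in the DeviceManagement-Enterprise-Diagnostic-Provider Admin log) can be gathered in one go with the following script. This is an added example, not code from the thread or from Microsoft; the field names and the log name are the ones quoted in the thread, and the pass/fail criteria are an assumption based on what the replies treat as a healthy state. Run it in an elevated PowerShell session on the affected client:

```powershell
# Added example (not from the thread): triage hybrid Azure AD join and
# auto-MDM enrollment state on a Windows 10 client.

function Get-DsregStatus {
    # Parse the "Name : Value" lines of `dsregcmd /status` into a hashtable.
    # Box-drawing and header lines contain no colon and are skipped.
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*)$') {
            $status[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $status
}

$s = Get-DsregStatus

# Fields the thread treats as the tell-tales: an empty MdmUrl and no PRT.
# (Assumed criteria: YES / non-empty is healthy for these keys.)
$checks = [ordered]@{
    'AzureAdJoined' = $s['AzureAdJoined'] -eq 'YES'
    'DomainJoined'  = $s['DomainJoined']  -eq 'YES'
    'AzureAdPrt'    = $s['AzureAdPrt']    -eq 'YES'
    'WamDefaultSet' = $s['WamDefaultSet'] -eq 'YES'
    'MdmUrl set'    = -not [string]::IsNullOrWhiteSpace($s['MdmUrl'])
}
foreach ($name in $checks.Keys) {
    $mark = if ($checks[$name]) { 'OK  ' } else { 'FAIL' }
    Write-Output ('{0} {1}' -f $mark, $name)
}

# Auto-MDM enrollment events from the log named in the reply.
# 75 = "Auto MDM Enroll: Succeeded", 76 = failed attempt (carries the error code).
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostic-Provider/Admin'
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 75, 76 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No Auto MDM Enroll events (75/76) found: the enrollment task has not run on this device.'
} else {
    $events | Sort-Object TimeCreated | ForEach-Object {
        $verdict = if ($_.Id -eq 75) { 'Succeeded' } else { 'Failed' }
        Write-Output ('{0:u}  Event {1}  {2}' -f $_.TimeCreated, $_.Id, $verdict)
        Write-Output ('    ' + $_.Message)
    }
}
```

    A device in the state shown in the question prints FAIL for AzureAdPrt, WamDefaultSet and MdmUrl, and no 75/76 events at all, which is consistent with the enrollment task under EnterpriseMgmt never having been created. Once enrollment is attempted, a run of Event 76 entries followed by a single Event 75 (as later reported in this thread) is the pattern to expect.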
  • Dear Cici,

    Thanks for your reply. Steps 1 & 2 were OK already. However, some kind of policy must have kicked in on the client machine - since I started getting Event ID 76 a few hours ago (Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x8018002b)). These errors continued for two hours - followed by one 75 successful. Just prior to the error messages I was messing around with my SCCM pilot collection for co-management (administration->cloud service).

    Since 1 machine now is successful I'll try a few more and update this thread with results. 

    BR

    Theodor

    Tuesday, August 27, 2019 11:40 AM
  • Sure, once there is any update, feel free to let me know.

    Best regards,

    Cici Wu


    Wednesday, August 28, 2019 5:52 AM
  • It appears my SCCM collections were the issue.

    Thanks for the suggestions :)

    Wednesday, August 28, 2019 12:06 PM