MDM Hybrid AD - PRT

Question

Hi All,

We are trying to enroll machines in to Intune using auto enrollment. The devices are Hybrid but for some reason the PRT status is No which is blocking the enrollment to Intune. Below is the event, please advice

Error: 0xCAA90056 Renew token by the primary refresh token failed.
Logged at RefreshTokenRequest.cpp, line: 150, method: RefreshTokenRequest::AcquireToken.

Request: authority: https://login.microsoftonline.com/d7b73558-73e6-4d99-aea1-2240e5bd1c65, client: ab9b8c07-8f02-4f72-87fa-80105867a763, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/ab9b8c07-8f02-4f72-87fa-80105867a763, resource: , correlation ID (request): e55ff6cd-4717-4d5a-b459-7f0e320b7c60

Answer 1

Hi Karthik,

Do you have MFA enabled on the environment and to understand the issue a complete log will be required and also the setup of the environment, meanwhile please go through this detailed workflow and config of how PRT token works in the background.

concept-primary-refresh-token

Hope this helps.

---
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

Hello @karthik palani ,

Kindly try the following:

• Launch CMD via "Run", and execute dsregcmd /status
• Look for AzureAdJoined status, it must be "No"
• Look for the "Previous Registration" subsection in the "Diagnostic Data" section of the join status output. This section is displayed only if the device is domain-joined and unable to hybrid Azure AD-join.
• The various checks could be done by following: https://learn.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current#step-4-check-for-possible-causes-and-resolutions
• Once all above checks are validated kindly capture fiddler with following steps: Install and configure fiddler on one of the impacted devices: https://docs.telerik.com/fiddler/configure-fiddler/tasks/installfiddler

Start fiddler trace

Launch CMD and run "dsregcmd /join"

A window with AAD credentials should pop up, try to signin with impacted user/aad/EMS license holding account.

See if the join completes, if yes. Then capture fiddler while running the enrollment task manually.

• On comparing the two fiddler you should be able to confirm what endpoint is not reachable during autoenrollment.
  • On the Intune side please validate Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin and what errors do you see as PRT failure could happen due to bad MDM configuration.
  • Please validate the GPO deployment. Computer Configuration > Policies > Administrative Templates > Windows Components > MDM > Enable automatic MDM enrollment using default Azure AD credentials.
  • Ref link https://learn.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-windows-auto-enrollment#verify-the-configuration

Thanks,
Akshay Kaushik

Please "Accept the answer" and "Upvote" if the above-mentioned suggestion works as per your business need. This will help us and others in the community as well. https://learn.microsoft.com/en-us/answers/support/accepted-answers