This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 50%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EES%3C/text%3E%3C/svg%3E)
I am stuck on the Intune enrollment process. The computers in the domain are all AAD, however, when the GPO that i created to enroll AAD devices into Intune runs, it fails with the multiple errors:
Event ID: 71 - MDM Enroll: Failed
Event ID: 76 - Auto MDM Enroll: Device Credentials (0x0) Failed
Event ID: 11 - MDM Enrollment: Failed to receive or parse cert enroll response.
Event ID: 52 - MDM Enroll: Server returned Fault/code/subcode/value=(messageformat) fault/reason/text=(device based token is not supported for enrollment type onpremisegrouppolicycomanaged).
Event ID: 59 - MDM Enroll: server context
The one thing that is different about this environment, is that their local domain is: CompanyA.local and their tenant domain is Company123.com. Under the local domain, i made sure that the new UPN for the tenant was there. But that did not make a difference when i manually resync'd the process. This is a hybrid environment with an AD connect server.
As for the GPO, i have set it from Device to Client to see if it makes a difference - and nothing.
By the way, this new GPO object has an application id. Not sure what that is, so i left it blank.
When i run a dsregcmd /status - AzureAD joined is YES and so is DomainJoined. What is a bit strange, is that under Tenant Details, the mdmurl section is blank.
I have pretty much done everything that i can find on this forum and elsewhere but i cannot get the devices to enroll successfully into Intune/Endpoint manager.
Thanks in advance.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 44%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFC%3C/text%3E%3C/svg%3E)
Getting the same sequences now:
76
71
11
52
59
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : YES
+----------------------------------------------------------------------+
| Tenant Details |
+----------------------------------------------------------------------+
TenantName : *** Inc
TenantId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
MdmUrl :
MdmTouUrl :
MdmComplianceUrl :
| SSO State |
+----------------------------------------------------------------------+
AzureAdPrt : YES
EnterprisePrt : NO
EnterprisePrtAuthority :
GPO is configured to use "User credentials". but the event always show "Auto MDM Enroll Get AAD Token: Device Credential" .
Any help is appreciated.
The computers in the domain are all AAD
This is not possible. A system can only be joined to a single domain whether that's an on-prem AD or an AAD domain doesn't matter. There is the cioncpet of hybrid Azure AD join (HAADJ) which is an on-prem AD join + an AAD registration at a device level.
When i run a dsregcmd /status - AzureAD joined is YES and so is DomainJoined.
This is an HAADJ device.
when the GPO that i created to enroll AAD devices into Intune runs
Based on the log, you've configured the GPO to use device credentials but that's not supported for anything except use by Co-management in ConfigMgr to my knowledge. You need to use User Credentials.
Jason, so what is best practice for a hybrid environment?
Also, something i forgot to mention - if i manually add mdm (through WIN10 accounts page) it works. but for some strange reason, it does not like the GPO.
I got the exact same problem yesterday. All three MDM urls were empty. I found https://twitter.com/richardhicks/status/1212104113002934272?lang=en and it somehow worked for him later. https://www.anoopcnair.com/intune-enrollment-error-unknown-win32-error/ mentioned need to wait a bit.
I finally gave up yesterday. This morning when I checked it again, I noticed those URLs are filled:
I checked event log and see it got enrolled after 3~4 hours:
So I guess it does take time.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 66%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENH%3C/text%3E%3C/svg%3E)
It should still work with device credential in the GPO. Have you confirmed that the synced users have an Intune license and an Azure AD Premium license? Is Autoenrollment set up in in Intune?
Nick, Yes, Auto Enrollment is set to ALL. Not sure what you mean by setup - all the urls are there. There are licenses available for Intune. Do i need to assign them manually?
The licenses need to be assigned. If you go into the Azure AD portal (aad.portal.azure.com) and go to Users, select an example user, then Licenses. What type of Licenses do the users have assigned?
Just confirmed and they all have business premium licenses and the user i am testing with has the Intune license assigned. What's strange is that there are 2 intune options. so i am unchecking one and running my tests again.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 54%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hey, did you manage to resolve your issue? Im experiencing exactly the same problem and my scenario is identical to yours.
Thanks in advance
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 79%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EES%3C/text%3E%3C/svg%3E)
The issue in my case is a bit. Yes it ended up working correctly in Lab. What ended u being the problem was MFA. The user we were testing with had MFA enabled, we disabled it and then EVERYTHING started to work.
Now that i am applying it to the entire company it's now not working. I attached the GPO to the correct OU but i am still checking logs....
I really wished that Microsoft made a product that did not give out so many issues.
Thanks Edgar for your reply. This is very strange... We have OKTA in our environment which provides MFA but I believe I have now set it up now which should not cause any problems.
However, I think what could be the problem in our situation is actual user's username...
How do your users login to their computers? Is it something like contoso.local\username? Do you get MDM URL when you run dsregcmd /status ? Also, what is your AzureADPrt status? Is it yes or no?