Hybrid Joined Devices Failing to Register in Intune

Brontie Wright 0 Reputation points
2025-04-04T13:03:28.54+00:00

We have a few devices that are successfully AzureAdJoined and Domain joined and are manageable from Entra but do not successfully show up in Intune. Every device is enrolled in our MDM policy and has MDM enrollment enabled on their devices. The devices are all showing a WamDefaultSet : ERROR (0x80070520). Attempts to re-register the device using dsregcmd /leave and /join have not been successful. When looking in Entra at Intune compliance for the devices, we see error code 404 that the device is not found.


It is worth noting that when setting up our devices we first use a local account to join them to the domain. The most recent version of Windows 11 tries to prevent that sign-in method, so we have been using oobe\bypassnro and disconnecting the device from Wi-Fi in order to force a local account creation. We then use elevated credentials to join the device to the domain after we get the device back online.


If anyone has some advice for getting these devices properly registered in Intune that would be much appreciated!

Microsoft Security | Intune | Enrollment

2 answers

  1. Catherine Kyalo 2,085 Reputation points Microsoft Employee
    2025-04-07T09:35:06.17+00:00

    Below are a few troubleshooting steps I would suggest/confirm:

    1. Azure AD Connect: Do you have Azure AD Connect set up? This would automatically sync your on-prem objects from AD to Azure AD. You can check its health status (What is Microsoft Entra Connect and Connect Health - Microsoft Entra ID | Microsoft Learn).
    2. Configure Automatic Enrollment in Intune (what Intune license do you have?) - Check the Azure AD P1 or P2 licenses for all users. This is required for automatic MDM enrollment to work properly.
    3. Scope - Ensure all users are added onto the MDM policy.

    Note:

    WamDefaultSet : ERROR (0x80070520), this error is often due to an issue with the user's primary refresh token (PRT). You might want to check if there are any issues with the user's sign-in or with obtaining a PRT.


  2. Crystal-MSFT 53,991 Reputation points Microsoft External Staff
    2025-04-08T01:22:30.47+00:00

    @Brontie Wright, From your description, it seems you are doing GPO enrollment. Before we do GPO enrollment, we need to ensure Microsoft Entra Hybrid join is successful. Please run dsregcmd /status to confirm DomainJoined, AzureADjoined and AzureAdprt are all YES. If any is not YES, try to follow the link below to troubleshoot.

    https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-hybrid-join-windows-current

    After we confirm the Microsoft Entra Hybrid Join is successful, please confirm we have followed the steps in the GPO enrollment document to do the enrollment.

    To troubleshoot GPO enrollment, here is a link you can refer to:

    https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-enrollment/troubleshoot-windows-auto-enrollment

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

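Both answers come down to the same check: read the dsregcmd /status output and confirm DomainJoined, AzureAdJoined and AzureAdPrt are YES, with the first answer adding that a WamDefaultSet error normally points at a missing PRT. The script below is an added example, not code from either answer or from Microsoft; it parses that output into a readiness report. The function names are my own, and the embedded output is a constructed sample that mimics the failing state in the question; on a Windows device the script reads the live dsregcmd.exe output instead.

```powershell
# Added example: parse 'dsregcmd /status' and report the hybrid-join prerequisites
# named in the thread. Not part of the original answers; function names are assumptions.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Value lines look like "           AzureAdJoined : YES"; section headers,
        # separator rows and keys containing spaces are ignored.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Test-HybridJoinReadiness {
    param([Parameter(Mandatory)][hashtable]$State)
    $report = [ordered]@{}
    # The three fields the second answer asks to confirm before GPO enrollment.
    foreach ($key in 'DomainJoined', 'AzureAdJoined', 'AzureAdPrt') {
        $report[$key] = ($State[$key] -eq 'YES')
    }
    # A WamDefaultSet value other than YES (e.g. "ERROR (0x80070520)") is the symptom
    # the first answer ties to PRT acquisition problems for the signed-in user.
    $report['WamDefaultSet']      = ($State['WamDefaultSet'] -eq 'YES')
    $report['WamDefaultSetValue'] = $State['WamDefaultSet']
    $report['ReadyForGpoEnrollment'] = @($report['DomainJoined'], $report['AzureAdJoined'], $report['AzureAdPrt']) -notcontains $false
    return [pscustomobject]$report
}

# Constructed sample output (not captured from a real device) shaped like dsregcmd /status
# on a machine in the state the question describes.
$sampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : NO
             WamDefaultSet : ERROR (0x80070520)
'@ -split "`r?`n"

# Prefer the live command when it exists; fall back to the sample elsewhere.
$lines = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    & dsregcmd.exe /status
} else {
    $sampleStatus
}

$result = Test-HybridJoinReadiness -State (ConvertFrom-DsregStatus -Lines $lines)
$result | Format-List

if (-not $result.ReadyForGpoEnrollment) {
    Write-Warning 'Hybrid join prerequisites not met; work through the hybrid-join troubleshooting guide before checking GPO enrollment.'
}
```

Run it in the context of the user whose enrollment is failing (AzureAdPrt and WamDefaultSet are per-user SSO state, not device state), so a YES from an administrator's session does not mask a failing PRT for the actual user. On the sample above the report shows DomainJoined and AzureAdJoined true, AzureAdPrt and WamDefaultSet false, and ReadyForGpoEnrollment false.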
