Registering devices with Intune for management and policy enforcement
Hello, I tried to enroll an Entra hybrid joined device to Intune enrollment via GPO. It is not happening because Azure AD PRT: NO is showing. I am facing the issue. Please find the dsregcmd /status output:
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : YES
DomainName : NTDOMAIN
Virtual Desktop : NOT SET
Device Name : *******

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
DeviceId : 88b0c552-63a8-4eed-a201-73c5168bc38a
Thumbprint : C4B9941CD15217FBA6F90C2C4CA745434573ABA2
DeviceCertificateValidity : [ 2024-07-29 08:51:56.000 UTC -- 2034-07-29 09:21:56.000 UTC ]
KeyContainerId : cf6caf46-39bb-46d2-aff4-1c102fc18250
KeyProvider : Microsoft Platform Crypto Provider
TpmProtected : YES
DeviceAuthStatus : SUCCESS

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
TenantName :
TenantId : c6c0a5d2-9f1f-449c-9e15-b0edad950cdf
AuthCodeUrl : https://login.microsoftonline.com/c6c0a5d2-9f1f-449c-9e15-b0edad950cdf/oauth2/authorize
AccessTokenUrl : https://login.microsoftonline.com/c6c0a5d2-9f1f-449c-9e15-b0edad950cdf/oauth2/token
MdmUrl :
MdmTouUrl :
MdmComplianceUrl :
SettingsUrl :
JoinSrvVersion : 2.0
JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
KeySrvVersion : 1.0
KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
WebAuthNSrvVersion : 1.0
WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/c6c0a5d2-9f1f-449c-9e15-b0edad950cdf/
WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
DeviceManagementSrvVer : 1.0
DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/c6c0a5d2-9f1f-449c-9e15-b0edad950cdf/
DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
NgcSet : NO
WorkplaceJoined : YES
WorkAccountCount : 1
WamDefaultSet : ERROR (0x80070520)

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
AzureAdPrt : NO
AzureAdPrtAuthority :
AcquirePrtDiagnostics : PRESENT
Previous Prt Attempt : 2024-07-30 07:17:59.943 UTC
Attempt Status : 0xc0090011
User Identity : ********
Credential Type : Password
Correlation ID : e7daccb5-2f77-414b-a715-9e978fc7aa58
Endpoint URI : https://login.microsoftonline.com/c6c0a5d2-9f1f-449c-9e15-b0edad950cdf/oauth2/token
HTTP Method :
HTTP Error : 0x80090011
HTTP status : 200
Server Error Code :
Server Error Description :
EnterprisePrt : NO
EnterprisePrtAuthority :

+----------------------------------------------------------------------+
| Work Account 1                                                       |
+----------------------------------------------------------------------+
WorkplaceDeviceId : cd58b67d-a425-43f8-a2d9-7237f568bc1f
WorkplaceThumbprint : 0E32BA80D35CBCFD1629D677DC6ECB8C7F29AE5A
DeviceCertificateValidity : [ 2023-04-24 10:04:22.000 UTC -- 2033-04-24 10:34:22.000 UTC ]
KeyContainerId : d6140c69-9b02-4317-82a6-1dae56a8b434
KeyProvider : Microsoft Software Key Storage Provider
TpmProtected : NO
WorkplaceTenantId : **********
WorkplaceTenantName : ********
WorkplaceMdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
WorkplaceSettingsUrl :
NgcSet : NO

+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+
AadRecoveryEnabled : YES
Executing Account Name : *******
KeySignTest : FAILED (transport key)
DisplayNameUpdated : YES
OsVersionUpdated : YES
HostNameUpdated : YES
Last HostName Update : NONE

+----------------------------------------------------------------------+
| IE Proxy Config for Current User                                     |
+----------------------------------------------------------------------+
Auto Detect Settings : YES
Auto-Configuration URL :
Proxy Server List :
Proxy Bypass List :

+----------------------------------------------------------------------+
| WinHttp Default Proxy Config                                         |
+----------------------------------------------------------------------+
Access Type : DIRECT

+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+
IsDeviceJoined : YES
IsUserAzureAD : NO
PolicyEnabled : NO
PostLogonEnabled : YES
DeviceEligible : YES
SessionIsNotRemote : YES
CertEnrollment : none
PreReqResult : WillNotProvision
What does it say in the Device management event admin log? Is the enrolling user signed and assigned a license? Is there a CA policy assigned requiring MFA?
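
One way to triage the `dsregcmd /status` output posted in the question, as an added example that is not part of the original thread: the hypothetical functions `ConvertFrom-DsregStatus` and `Get-DsregEnrollmentFinding` parse the text by section and report the PRT, transport key, MDM URL and work account fields. The sample lines are trimmed from the output above.

```powershell
# Added example: parse `dsregcmd /status` text and surface the enrollment-relevant fields.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = [ordered]@{}
    $section = 'Preamble'
    foreach ($line in $Lines) {
        if ($line -match '^\s*\|\s*(.+?)\s*\|\s*$') {          # "| SSO State |" banner
            $section = $Matches[1]
        }
        elseif ($line -match '^\s*([^:+|]+?)\s*:\s*(.*)$') {    # "Key : value", value may be empty
            if (-not $state.Contains($section)) { $state[$section] = [ordered]@{} }
            $state[$section][$Matches[1]] = $Matches[2].Trim()
        }
    }
    $state
}

function Get-DsregEnrollmentFinding {
    param($State)
    $sso = $State['SSO State']
    if ($sso['AzureAdPrt'] -ne 'YES') {
        "AzureAdPrt is $($sso['AzureAdPrt']); last attempt status $($sso['Attempt Status']), HTTP Error $($sso['HTTP Error'])"
    }
    if ($State['Diagnostic Data']['KeySignTest'] -notlike 'PASSED*') {
        "KeySignTest: $($State['Diagnostic Data']['KeySignTest'])"
    }
    if (-not $State['Tenant Details']['MdmUrl']) {
        'MdmUrl is empty in Tenant Details (no MDM enrollment URL known to the device)'
    }
    if ($State['User State']['WorkplaceJoined'] -eq 'YES' -and $State['Device State']['AzureAdJoined'] -eq 'YES') {
        'Device is Entra joined and also carries a workplace (registered) work account'
    }
}

# Sample input: lines trimmed from the output posted in this thread.
$sample = @'
| Device State |
AzureAdJoined : YES
| Tenant Details |
MdmUrl :
| User State |
WorkplaceJoined : YES
| SSO State |
AzureAdPrt : NO
Attempt Status : 0xc0090011
HTTP Error : 0x80090011
| Diagnostic Data |
KeySignTest : FAILED (transport key)
'@ -split "`r?`n"

Get-DsregEnrollmentFinding (ConvertFrom-DsregStatus $sample)
```

On a live device, pass `(dsregcmd /status)` instead of `$sample`; run it elevated, since `KeySignTest` is only evaluated in an elevated session.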