This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 69%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
I have a devices enrolled in Intune through co-management in SCCM. For the first couple of days everything is fine, but at some point they just stop applying all configuration and compliance profiles. Sometimes it's a couple of days sometimes it's hours.
All profiles are applied to on-prem AD groups sync'd to AAD. I have confirmed the computer is a member of the on-prem AD group and that after synchronization it is a member of the group in AAD.
When you look at the configuration profile it says it is applied to two computers, but when you check Device Status it only list one computer. Same goes for the compliance profile, says it is applied to 10 devices but when you check Device Status only 9 are listed.
When you look at the computer itself it will have sync'd policy in the past 30 minutes but when you look at device compliance and device configuration it says no data.
Eventviewer looks good, but I do get the following error every 12 hours:
MDM ConfigurationManager: Command failure status. Configuration Source ID: (B2B5E459-8890-47C2-9C8F-7632556E62BB), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Receiver/Properties/Policy/FakePolicy/Version), Result: (The system cannot find the file specified.).
I've checked in IntuneManagementExtension.log and there are errors but Microsoft says they are transient.
Failed to get AAD token. len = 34 using client id fc0f3af4-6835-4174-b806-f7db311fd2f3 and resource id 00000002-0000-0000-C000-000000000000, errorCode = 3399548929
AAD User check is failed, exception is Intune Management Extension Error.
Exception: Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.TokenAquireException: Attempt to get token, but failed.
LogonUser failed with error code : 1008
AAD User check is failed, exception is System.ComponentModel.Win32Exception (0x80004005): An attempt was made to reference a token that does not exist
AAD User check using device check in app is failed, now fallback to the Graph audience. ex = System.ComponentModel.Win32Exception (0x80004005): An attempt was made to reference a token that does not exist
This happens to every single box we've enrolled into Intune. They work perfectly for an indeterminate amount of time then they just stop applying all Intune policies. The issues never correct themselves no matter how long we let them set, and they problems actually get worse the longer they set. The only thing we can do is reinstall the boxes but we're at the point where we are reinstalling boxes at least once a day.
Any help would be greatly appreciated.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@MPU , From your description,, I know one co-management device is failed to apply configuration and compliance policy. If there's any misunderstanding, feel free to let us know.
To clarify our issue, could you collect the following information to us.
Thanks!
Like with all things Intune there was a plot twist this morning. This morning this machines seems to be showing some of the configuration and compliance policies. There should be four configuration policies applied and this morning it is showing three with one being Not applicable. But it is only showing one compliance policy, Built-in Device Compliance Policy, instead of two and it is still marked Not compliant because it says it doesn't have a compliance policy applied.
@MPU , Thanks for the reply.
From your description, the last check in time seems to be updated. For the screen shot of boxes, as it seems to be a workaround. So we want to understand what it is.
For our issue, we can also check the logs like CoManagementHandler.log, ComplRelayAgent.log under %WinDir%\CCM\logs to see if there's any finding. If still not, to trouble this case in a more efficient way, we suggest to open case to work on it.
https://learn.microsoft.com/en-us/mem/get-support
Thanks and have a nice day!
At this point we're opening a case. When I get more information I'll update.
@MPU , Thanks for the update. I notice we have opened a case to work on this. Also thanks that you will share the resolution if we get from the case. It can help others you have the same issue. I appreciate it.
Have a nice day!
Hi MPU-9566,
it seems that I‘m seeing exactly the same problems as you.
Did you ever find a solution?
Thank you in advance! :-)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 31%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
Same here, although all our devices are AzureAD joined and Intune managed devices - no ConfigMgr involved here, but I'm getting the same errors as seen above in the IntuneMangementExtension.log
Are you connected to your device with RDP or enhanced session mode?
Seems that this is the reason for the "LogonUser failed with error code : 1008". If you log on locally that error will not show up anymore.....
Nope - luckily I have a few test devices lying around here at my homeoffice, so I'm sitting right in front of the device in question looking at the ESP.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 14.000000000000002%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAH%3C/text%3E%3C/svg%3E)
Is there an update on this issue? We are facing the same issue in our environment.