DeviceState Unregistered for Entra ID joined device

Manish Chaudhary 6 Reputation points
2024-04-10T18:15:41.02+00:00

I'm trying to implement a Conditional Access policy that only allows high-risk targets, like executives, to access from a trusted device and otherwise blocks access. However, I'm finding that when they are on an Entra joined Windows laptop, they get Error Code 53003 and DeviceState shows as Unregistered, even though the device is compliant and healthy in Intune. dsregcmd /status shows everything is good (AzureAdJoined: YES, AzureAdPrt: YES, etc.).

The intention is that if users are coming from an Entra hybrid joined, Entra joined, or Entra registered device, or from a corporate-owned cellphone, they are allowed access to 'All cloud apps'.

I'm using this filter to exclude devices from being blocked if they are coming from a trusted device, so that they have access to all cloud apps, with the expression filter:
(device.trustType -eq "AzureAD" -or device.trustType -eq "ServerAD" -or device.trustType -eq "Workplace" -or device.deviceOwnership -eq "Company" -or device.isCompliant -eq True)

Microsoft Security | Intune | Configuration
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Intune | Other

1 answer

  1. ZhoumingDuan-MSFT 17,165 Reputation points Microsoft External Staff
    2024-04-11T05:37:40.5666667+00:00

    @Manish Chaudhary,Thanks for posting in Q&A.

    For the Conditional Access error 53003, it means BlockedByConditionalAccess. Please check the user's sign-in logs, which are located in Intune admin center > Devices > Conditional access > Sign-in logs, and see which setting is blocking.

    Here is a link about how to troubleshoot Conditional Access Policy problem:

    Troubleshooting sign-in problems with Conditional Access - Microsoft Entra | Microsoft Learn

    I notice the device is compliant in Intune. Please also check the compliance status of the affected device in Azure AD.

    Moreover, to achieve your goal, we can create a new filter for devices including Entra Hybrid joined, Entra Joined, Entra registered Device and corporate owned devices, then create a new Conditional Access policy to block all Cloud apps and add filters to exclude the above devices.

    Please try the above information; if there is anything unclear, feel free to let me know.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".


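The following is an added example and is not part of the thread above; neither the question author nor the answerer posted it. It walks the troubleshooting path the thread describes in PowerShell: parse `dsregcmd /status` on the affected laptop to confirm the join state and PRT, pull the blocked (53003) sign-ins from the Entra sign-in log through Microsoft Graph to see what device identity the sign-in actually carried, and create the "block all cloud apps unless the device matches the trusted-device filter" policy from the question in report-only mode so it can be validated before enforcement. It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller has the AuditLog.Read.All and Policy.ReadWrite.ConditionalAccess scopes, and that the user principal name and the executives group id are placeholders to be replaced.

```powershell
# Added example, not from the thread. Assumptions: Microsoft.Graph SDK installed;
# caller consented to AuditLog.Read.All and Policy.ReadWrite.ConditionalAccess;
# $upn and $execGroupId below are placeholders, not real tenant values.

# --- 1. Run on the affected Windows device: turn dsregcmd /status into a hashtable ---
function Get-DsregState {
    $state = @{}
    dsregcmd /status | ForEach-Object {
        # Each line looks like "             AzureAdJoined : YES"; key up to the first colon,
        # value is the remainder (so timestamps containing colons survive intact).
        if ($_ -match '^\s*(\w+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

$ds = Get-DsregState
foreach ($key in 'AzureAdJoined', 'DomainJoined', 'DeviceId', 'TenantName', 'AzureAdPrt', 'DeviceAuthStatus') {
    '{0,-16}: {1}' -f $key, $ds[$key]
}
if ($ds['AzureAdPrt'] -ne 'YES') {
    Write-Warning 'No PRT on this device: the browser cannot present device identity, so Conditional Access will evaluate the device as unregistered.'
}

# --- 2. Run from an admin workstation: what did Entra see for the blocked sign-ins? ---
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Policy.ReadWrite.ConditionalAccess'

$upn = 'exec@contoso.example'   # placeholder
$blocked = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn' and status/errorCode eq 53003" -Top 10

foreach ($s in $blocked) {
    [pscustomobject]@{
        Time      = $s.CreatedDateTime
        App       = $s.AppDisplayName
        Browser   = $s.DeviceDetail.Browser
        # An empty DeviceId means the request carried no device identity at all;
        # the device filter then matches nothing and the block policy applies.
        DeviceId  = $s.DeviceDetail.DeviceId
        TrustType = $s.DeviceDetail.TrustType      # Azure AD joined / Hybrid Azure AD joined / Azure AD registered
        Compliant = $s.DeviceDetail.IsCompliant
        Failed    = ($s.AppliedConditionalAccessPolicies |
                     Where-Object { $_.Result -eq 'failure' } |
                     ForEach-Object { $_.DisplayName }) -join '; '
    }
}

# --- 3. The policy from the question, created in report-only mode first ---
$execGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder group id

# trustType values: AzureAD = Entra joined, ServerAD = Entra hybrid joined, Workplace = Entra registered.
$trustedDeviceRule = 'device.trustType -eq "AzureAD" -or device.trustType -eq "ServerAD" -or device.trustType -eq "Workplace" -or device.deviceOwnership -eq "Company" -or device.isCompliant -eq True'

$policy = @{
    displayName = 'Executives: block unless trusted device'
    # Report-only: logs the would-be outcome without blocking anyone while the filter is validated.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeGroups = @($execGroupId) }
        applications = @{ includeApplications = @('All') }
        devices      = @{
            # mode = exclude: the policy applies to every device EXCEPT those matching the rule,
            # which includes sign-ins that present no device identity at all.
            deviceFilter = @{ mode = 'exclude'; rule = $trustedDeviceRule }
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Read the sign-in log output before touching the policy: on an Entra joined Windows device the device identity comes from the PRT and is presented by Edge, by Chrome only with the Microsoft Single Sign On extension, and by Firefox only when device authentication is enabled. A 53003 row whose DeviceId is empty while `dsregcmd /status` on the same machine reports AzureAdJoined and AzureAdPrt as YES points at the client not presenting the PRT for that sign-in rather than at the device's registration or compliance state. Leave the policy in report-only mode until the executives' sign-ins show `reportOnlyNotApplied` or `reportOnlySuccess` for their trusted devices.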
