Hello
It sounds like you're encountering issues with Azure Active Directory (AAD) Hybrid Join and Intune enrollment after setting up your Group Policy Object (GPO). The error messages you're seeing in the Event Viewer are often indicative of token issues or permission/consent issues with the applications involved. Here’s a structured approach to troubleshoot and resolve the problems:
- Verify Group Policy Configuration:
Make sure that your GPO settings for automatic enrollment and hybrid join are configured correctly. Check for the following settings:
  - Automatic Enrollment: Ensure that "Automatic Enrollment in Intune" is enabled in the GPO under Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> MDM.
  - Hybrid Azure AD Join: Ensure that the settings under Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Automatic Certificate Request Settings are correctly configured to allow hybrid join.
- Check Azure AD Credentials:
Double-check that the user accounts you're using to log in to the devices are licensed for Intune and are part of AAD. Ensure that the users are also part of the relevant security groups if you have any role-based access control (RBAC) implemented.
- Review Token Configuration:
The error you’re encountering indicates a token broker issue:
- Make sure that the users are consented properly to enroll devices in Intune.
- Check if there’s any conditional access policy or restrictions that may be preventing the users from obtaining tokens.
- Ensure that the required permissions are granted for the applications linked to the Intune registration.
- Verify Conditional Access Policies:
If you have any Conditional Access policies configured in Azure AD, ensure they permit device registration and enrollment. You may have policies that are blocking or restricting access based on device status, location, or other factors.
- Check Licensing:
Confirm that the users logging in indeed have a valid Microsoft 365 Business Premium license. Go to the Azure AD portal, and under the Users section, check the licenses assigned to each user.
- Check for Multifactor Authentication (MFA):
If MFA is enabled, ensure that it is working properly. Sometimes, users need to complete MFA before they can get the necessary tokens for Intune.
- Manually Trigger Intune Enrollment:
After logging into the device with the proper user, try manually triggering the Intune enrollment:
- Open Settings -> Accounts -> Access work or school.
- Click the connected account and go to Info.
- Click Sync to force the sync process.
- Utilize Logs for Deeper Diagnosis:
You have already checked logs; capturing logs from the Intune management extension and Event Viewer can provide more insights:
- Look under the Applications and Services Logs -> Microsoft -> Windows -> DeviceManagement-Enterprise-Diagnostics-Provider for detailed logs.
- Consider using the Health Attestation service or Azure AD Diagnostics to gather more insight.
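As an added client-side diagnostic (an example written for this page, not code from the answer above), the PowerShell script below checks the GPO, token and log items from the list on the affected device: whether the MDM auto-enrollment policy actually landed in the registry, what dsregcmd /status reports for hybrid join and the Primary Refresh Token, and the recent error/warning events in the two logs that matter. It assumes the auto-enrollment GPO is the standard "Enable automatic MDM enrollment using default Azure AD credentials" setting (which writes the AutoEnrollMDM and UseAADCredentialType values) and the default event log and scheduled task names on Windows 10/11; the 1 = User, 2 = Device mapping for UseAADCredentialType is stated as an assumption.

```powershell
# Added example for this page, not the original answer's code.
# Run in an elevated PowerShell session on the client that fails to enroll.
#Requires -RunAsAdministrator

function Test-MdmAutoEnrollPolicy {
    # The GPO "Enable automatic MDM enrollment using default Azure AD credentials"
    # writes these values; AutoEnrollMDM=1 enables it, UseAADCredentialType
    # 1 = User credential, 2 = Device credential (assumed mapping).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $credType = switch ($p.UseAADCredentialType) { 1 { 'User' } 2 { 'Device' } default { 'Unset' } }
    [pscustomobject]@{
        PolicyKeyPresent = [bool]$p
        AutoEnrollMDM    = $p.AutoEnrollMDM
        CredentialType   = $credType
    }
}

function Get-DsregState {
    # Parse the "Name : Value" lines of dsregcmd /status into a hashtable and
    # surface the fields that explain most token-broker enrollment failures.
    $state = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        DomainJoined  = $state['DomainJoined']
        AzureAdJoined = $state['AzureAdJoined']   # NO => hybrid join never completed
        AzureAdPrt    = $state['AzureAdPrt']      # NO => no Primary Refresh Token, so no Intune token
        TenantName    = $state['TenantName']
        MdmUrl        = $state['MdmUrl']          # empty => device never received an MDM enrollment URL
    }
}

function Get-EnrollmentErrors {
    param([int]$Hours = 24, [int]$Max = 25)
    # Error (2) and Warning (3) events from the enrollment and device registration logs.
    $logs = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin',
            'Microsoft-Windows-User Device Registration/Admin'
    $filter = @{ LogName = $logs; Level = 2, 3; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }   # first line only
}

function Start-MdmAutoEnrollment {
    # Scripted equivalent of Settings > Accounts > Access work or school > Info > Sync
    # for a device that has the policy but never enrolled: run the task the
    # enrollment client creates when the GPO applies.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
        Where-Object TaskName -like 'Schedule created by enrollment client*'
    if (-not $task) {
        Write-Warning 'No auto-enrollment task found: the MDM GPO has not applied yet (try gpupdate /force).'
        return
    }
    $task | Start-ScheduledTask
    "Started task '$($task.TaskName)'"
}

'== MDM auto-enrollment policy (registry) =='
Test-MdmAutoEnrollPolicy | Format-List
'== dsregcmd /status summary =='
Get-DsregState | Format-List
'== Recent enrollment / registration errors (last 24h) =='
Get-EnrollmentErrors | Format-Table -AutoSize
```

Read the three sections top to bottom: if PolicyKeyPresent is False the GPO has not reached the machine and nothing else matters yet; if AzureAdJoined is NO the hybrid join itself has not completed, so Intune enrollment cannot start; if AzureAdJoined is YES but AzureAdPrt is NO, the signed-in user has no Primary Refresh Token, which is what produces the token-broker errors in the Event Viewer and usually points at Conditional Access, MFA or licensing rather than the GPO. Call Start-MdmAutoEnrollment only once those checks pass and the device still has not enrolled.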