Scenario:
All devices show in Azure AD as Intune managed but do not appear in the Intune devices portal
No firewall or web proxy is blocking the required ports; telnet confirmed connectivity
End users are licensed with Microsoft 365 E3, which includes an Intune licence
Some devices (a very small number) are registered in Intune, but the majority are failing to enrol
No Intune enrolment restrictions set
MDM management set to Intune and ALL users can register devices
Initial steps tried to resolve, with no luck:
Added the user as a local admin
Removed the device from Azure AD and re-registered it
Investigation steps:
Device successfully joined to Azure AD via AAD connect – devices are hybrid joined
Auto-enrolment has been configured via GPO using the user account, but clicking Sync keeps failing with the following error:

Event logs show the following at the exact time the sync was initiated:
Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Event ID: 201

Checked the SC online certificate and noticed it had expired:

Verify certificate in registry matches the certificate:

Removed the certificate and rebooted the machine
Upon reboot, checked Task Scheduler: the OMADMClient task is running
Event logs show a certificate was requested

Certificate still not showing a new version
Ran dsregcmd /leave (as admin) and confirmed the machine was removed from Azure AD
Rebooted the device to register it again
After the reboot, ran dsregcmd /status to confirm the device is no longer connected to Azure AD

Re-ran the AAD Connect delta sync to add the device into Azure AD
Checked the status afterwards and the usual behaviour is displayed: waiting for the MDM URLs to pull down

Checked local certificates and one of the remaining 3 has removed itself, now only displaying two certificates

Now seeing new event logs in the Device management

Azure device status before removing certificate

Azure device status after removing certificate then running the dsregcmd /leave, then running AAD connect to provision the device again

NOTE: registration date has updated
The Enrollments registry key is showing information, but the device is still not showing in the Intune portal

One frequently seen error is related to outdated enrolment entries in the registry on the target client device (HKLM > Software > Microsoft > Enrollments). If a device has ever been enrolled (in any MDM solution, not only Intune), enrolment information is written under this key.

By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrolment. In that case, gpupdate /force fails to initiate the auto-enrolment task and error code 2149056522 is displayed in the Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational event log under event ID 7016. The resolution is to remove the registry key manually. If you do not know which registry key to remove, go for the key that displays the most entries, as in the screenshot above. All other keys display fewer entries, as shown in the following screenshot.
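The two event-log signals named above (DeviceManagement Admin event ID 201 at the time of the sync, and Task Scheduler Operational event ID 7016 carrying error code 2149056522) can be pulled together for the window around a sync attempt. The script below is an added example, not part of the original write-up; it assumes $SyncTime is set to when Sync was pressed, and it also reads the auto-enrolment task state that was checked in Task Scheduler. 2149056522 is the decimal form of HRESULT 0x8018000A, MENROLL_E_DEVICE_ALREADY_ENROLLED, which is why the stale Enrollments key matters. Note that the Task Scheduler Operational log is disabled by default on many builds, so it may need enabling before the next attempt.

```powershell
# Added diagnostic (not from the original write-up). Run elevated on the client.
# $SyncTime is an assumption: set it to the time Sync was pressed in Settings.
$SyncTime = Get-Date
$Window   = New-TimeSpan -Minutes 15

function Get-EnrollmentEvents {
    param([datetime]$Around, [timespan]$Span)
    # The two signals named in the write-up: DeviceManagement Admin ID 201 and
    # Task Scheduler Operational ID 7016 (the auto-enrolment task's last result).
    $sources = @(
        @{ LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'; Id = 201 }
        @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 7016 }
    )
    foreach ($s in $sources) {
        # Task Scheduler Operational is disabled by default on many builds; if it is,
        # nothing is returned and it must be enabled before reproducing the failure.
        $log = Get-WinEvent -ListLog $s.LogName -ErrorAction SilentlyContinue
        if ($log -and -not $log.IsEnabled) { Write-Warning "$($s.LogName) is disabled" }
        $filter = $s.Clone()
        $filter['StartTime'] = $Around - $Span
        $filter['EndTime']   = $Around + $Span
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    }
}

function ConvertTo-HResultHex {
    param([uint64]$Code)
    # Event messages print error codes as unsigned decimals, e.g. 2149056522,
    # which is 0x8018000A (MENROLL_E_DEVICE_ALREADY_ENROLLED).
    '0x{0:X8}' -f [uint32]$Code
}

Get-EnrollmentEvents -Around $SyncTime -Span $Window |
    Sort-Object TimeCreated |
    ForEach-Object {
        $codes = [regex]::Matches($_.Message, '\b\d{9,10}\b') |
                 ForEach-Object { ConvertTo-HResultHex ([uint64]$_.Value) }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Log     = $_.LogName
            Id      = $_.Id
            Code    = ($codes -join ', ')
            Message = ($_.Message -split "`r?`n")[0]
        }
    } | Format-Table -AutoSize

# The auto-enrolment task the write-up checked in Task Scheduler (hybrid join path),
# with its last result shown as an HRESULT so it can be compared with the 7016 event.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
    Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, NextRunTime,
        @{ Name = 'LastResult'; Expression = { ConvertTo-HResultHex ([uint64]$_.LastTaskResult) } }
```

If the 7016 event's code decodes to 0x8018000A, the device believes it is already enrolled, and the Enrollments key is the next place to look.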


The investigation above showed that the Enrollments registry path should be empty; if it is not, the device has been enrolled before, which may be why it is failing to enrol again. The following script (run as admin) can be used:
$path = "HKLM:\SOFTWARE\Microsoft\Enrollments"
$keyname = "SSPHyperLink"
$keyvalue = "http://go.microsoft.com/fwlink/?LinkId=255310"
# Find every key under Enrollments whose SSPHyperLink value matches
$KeyDeletion = Get-ChildItem -Path $path -Recurse | Get-ItemProperty | Where-Object { $_.$keyname -eq $keyvalue }
# Remove each matching enrolment key; -Recurse is required because the key has subkeys
foreach ($key in $KeyDeletion) { Remove-Item -Path $key.PSPath -Recurse -Force }
The above would run through the registry and remove the whole key which contains the enrolment information allowing the device to re-enrol
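Before deleting anything, it helps to see what is actually under Enrollments: which GUID subkeys exist, how many values each holds (the rule of thumb above is that the stale record is the one with the most entries), and whether a matching key exists under EnterpriseResourceManager\Tracked. The inventory script below is an added example, not the write-up's own script; it only reads. The value names it reports (ProviderID, UPN, EnrollmentType, SSPHyperLink) are ones commonly present on an enrolment record and show as empty if absent, and it assumes the Tracked subkey shares the enrolment GUID.

```powershell
# Added inventory script (not from the original write-up). Run elevated; read-only.
$EnrollRoot  = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$TrackedRoot = 'HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked'

function Get-EnrollmentInventory {
    # Each GUID-named subkey is one enrolment record; other subkeys
    # (Context, Ownership, Status, ValidNodePaths, ...) are bookkeeping and skipped.
    Get-ChildItem -Path $EnrollRoot -ErrorAction Stop |
        Where-Object { $_.PSChildName -match '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$' } |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Guid           = $_.PSChildName
                ValueCount     = $_.ValueCount     # the stale record is usually the one with most values
                SubKeyCount    = $_.SubKeyCount
                ProviderID     = $props.ProviderID # MDM provider name when present
                UPN            = $props.UPN
                EnrollmentType = $props.EnrollmentType
                SSPHyperLink   = $props.SSPHyperLink   # the value the write-up's script matches on
                # assumption: the Tracked subkey is named with the same enrolment GUID
                HasTrackedKey  = Test-Path -Path (Join-Path $TrackedRoot $_.PSChildName)
            }
        }
}

$inventory = Get-EnrollmentInventory
$inventory | Sort-Object ValueCount -Descending | Format-Table -AutoSize

# Candidate for removal, by the rule of thumb above: the record with the most values.
$candidate = $inventory | Sort-Object ValueCount -Descending | Select-Object -First 1
if ($candidate) {
    "Candidate: $EnrollRoot\$($candidate.Guid) (Tracked key present: $($candidate.HasTrackedKey))"
} else {
    'No enrolment records found; Enrollments is clean.'
}
```

On a device that has never enrolled the function returns nothing; on an affected device the candidate row gives the GUID to remove, and its SSPHyperLink column shows whether the script above would have matched it.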
Solution:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\[guid]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\[some guid which has the enrolment information]
- removed both registry paths above manually (or use the script mentioned previously)
- ran dsregcmd /leave
- rebooted the device
- ran AAD Connect to provision the device
- device is now hybrid joined again, the registration date is today's date and time, and MDM is set to none
- dsregcmd /status shows information being pulled down, waiting for the MDM URLs to populate
- Info button on Settings – user accounts has now disappeared
- rebooted the device again after 10 minutes
- upon reboot the MDM URLs are now populated
- event logs show the device enrolled
- Info button now available and the sync status is successful
- Intune policies applying
Tested with another device, leaving the expired certificate in place, and enrolment was still successful
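The client-side part of the solution steps above (remove the two registry paths, dsregcmd /leave, reboot, then watch dsregcmd /status until the MDM URLs populate) can be scripted so the keys are exported before they are deleted. This is an added example, not the write-up's own script; it assumes $EnrollmentGuid is set to the stale enrolment GUID found under Enrollments, and the backup directory name is arbitrary. Step 2 is gated behind $PerformLeave so the removal and the status check can be run first.

```powershell
# Added remediation script (not from the original write-up). Run elevated on the
# affected client. $EnrollmentGuid is an assumption: take it from the Enrollments key.
$EnrollmentGuid = 'REPLACE-WITH-STALE-ENROLLMENT-GUID'
$BackupDir      = Join-Path $env:SystemDrive 'EnrollmentBackup'   # arbitrary location
$PerformLeave   = $false   # set to $true to run step 2 (dsregcmd /leave) and reboot

# Step 1: the two paths from the Solution section, exported before removal so they can be restored.
$keys = @(
    "HKLM\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\$EnrollmentGuid"
    "HKLM\SOFTWARE\Microsoft\Enrollments\$EnrollmentGuid"
)

function Remove-EnrollmentKey {
    param([string]$RegPath, [string]$Dir)
    $psPath = $RegPath -replace '^HKLM\\', 'HKLM:\'
    if (-not (Test-Path -Path $psPath)) { return "not present: $RegPath" }
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $file = Join-Path $Dir ("{0}-{1}.reg" -f ($RegPath -replace '[\\:]', '_'), (Get-Date -Format 'yyyyMMdd-HHmmss'))
    & reg.exe export $RegPath $file /y | Out-Null       # restorable copy first
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for $RegPath" }
    Remove-Item -Path $psPath -Recurse -Force           # -Recurse: the key has subkeys
    return "removed $RegPath (backup: $file)"
}

function Get-DsregStatus {
    # Parses the "Name : Value" lines of dsregcmd /status into a hashtable so the
    # fields watched in the write-up (AzureAdJoined, DomainJoined, MdmUrl) can be checked.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*)$') { $status[$matches[1]] = $matches[2].Trim() }
    }
    return $status
}

foreach ($k in $keys) { Remove-EnrollmentKey -RegPath $k -Dir $BackupDir }

if ($PerformLeave) {
    # Steps 2 and 3: leave Azure AD and reboot; the AAD Connect sync then re-provisions the device.
    & dsregcmd.exe /leave
    Restart-Computer -Confirm
} else {
    # After the reboot and sync: an empty MdmUrl is the "waiting for MDM URLs to populate"
    # state from the write-up; once it is filled in, the enrolment task can succeed.
    $s = Get-DsregStatus
    'AzureAdJoined={0} DomainJoined={1} MdmUrl={2}' -f $s['AzureAdJoined'], $s['DomainJoined'], $s['MdmUrl']
}
```

Keep the exported .reg files until the device shows in the Intune portal; if the wrong GUID was removed, reg import restores the record.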