Windows 10 device not enrolling into Intune/MDM after ADMT migration

Scenario:

  • Machines and user accounts were migrated using ADMT
  • The previous UPN was different from the new UPN because of the domain migration
  • The account source anchor is ms-DS-ConsistencyGuid
  • All the devices complete the hybrid Azure AD join and pull down the MDM enrollment URL
  • User State when running dsregcmd /status shows an error for WamDefaultSet
  • For many users WamDefaultSet shows YES and the device enrols into Intune

Error message when running dsregcmd /status:

Removed all instances of the device object in Azure AD and ran a delta sync on Azure AD Connect to re-establish the machine as hybrid joined, but the error persisted.

Also ran dsregcmd /leave (in the SYSTEM context), which removes the device from Azure AD so that it re-joins on the next delta sync, but this made no difference either.

Event logs showing the following two errors:

If another user logs on to the device, that user's state clears to WamDefaultSet : YES and the device enrols into Intune, but the original user still fails on their own machine. This points at per-user state rather than at the device object.

Looking at the documented causes of a WamDefaultSet error leads to three candidates:

  • Bad storage key (STK) in the TPM associated with the device upon registration (check KeySignTest while running dsregcmd /status elevated)
  • Alternate Login ID
  • HTTP proxy not found

Bad storage key (STK): KeySignTest never failed on the affected machines when running the status elevated, so this was ruled out.

Alternate Login ID: the new UPN matched the primary SMTP address and username in Office 365, which was linked to the migrated AD object through the ms-DS-ConsistencyGuid source anchor. We could not determine whether the login account was causing the issue, because user state worked for multiple other users post migration.

HTTP proxy not found: a proxy problem would not be the root cause, because it would fail for everyone, and other users were able to enrol these and other devices successfully.

The only candidate remaining of the three was Alternate Login ID, which merited further investigation because the affected users had previously had a non-matching UPN.
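The three-way triage above can be scripted so it is repeated the same way on every affected machine. The following is an added example, not a script from the original post: it flattens dsregcmd /status into a hashtable, reports the device and user state fields the post relies on, and checks each candidate cause. The $ExpectedCloudUpn parameter is an assumption (the UPN the account carries in Azure AD / Office 365 after the ADMT migration); run it from an elevated PowerShell session so that KeySignTest is actually executed.

```powershell
# Added example (not from the original post): triage the three documented causes of a
# WamDefaultSet error. $ExpectedCloudUpn is an assumed parameter: the UPN the account
# has in Azure AD / Office 365 after the migration.
param(
    [string]$ExpectedCloudUpn
)

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines grouped in sections; flatten them.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1].Trim()] = $Matches[2]
        }
    }
    return $status
}

$isElevated = ([Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isElevated) {
    Write-Warning 'Not elevated: dsregcmd skips KeySignTest, so cause 1 cannot be ruled out.'
}

$s = Get-DsregStatus

# Device state: the device must be hybrid joined and have received an MDM URL,
# otherwise the problem is not the user's WAM state at all.
"AzureAdJoined : $($s['AzureAdJoined'])"
"MdmUrl        : $($s['MdmUrl'])"

# User state: the field this write-up is about, plus whether a PRT was obtained.
"WamDefaultSet : $($s['WamDefaultSet'])"
"AzureAdPrt    : $($s['AzureAdPrt'])"

# Cause 1: bad storage key in the TPM. Only meaningful when elevated.
"KeySignTest   : $($s['KeySignTest'])"

# Cause 2: alternate login ID. Compare the UPN Windows logged the user in with
# against the UPN the account carries in the cloud.
$onPremUpn = (& whoami.exe /upn).Trim()
"On-prem UPN   : $onPremUpn"
if ($ExpectedCloudUpn -and $onPremUpn -ne $ExpectedCloudUpn) {
    Write-Warning "UPN mismatch: on-prem '$onPremUpn' vs cloud '$ExpectedCloudUpn' (alternate login ID scenario)"
}

# Cause 3: HTTP proxy. The broker uses WinHTTP, so a user-only WinINET proxy is not enough.
"WinHTTP proxy :"
& netsh.exe winhttp show proxy
```

Run it once as the failing user and once as a user for whom enrolment works; if the device-state fields and KeySignTest match on both runs and only WamDefaultSet differs, the problem is per-user state, which is what the rest of this write-up chases down.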

The user-state error was consistent in the event logs, but searching on it did not find distinctive results. We then filtered the event log by the device category rather than by event ID, which is where we found the resolution.

Research showed that AADTokenBrokerPlugin is a per-user folder under the user's AppData belonging to the Azure AD broker plugin that Web Account Manager (WAM) uses.

When researching this I found that the Token Broker settings.dat file also records the accounts used for enrolment. If the new domain account is not registered there, the broker will not use that account, which produces the error:

A specified login session does not exist

FIX:

Browse to the two locations (the token broker accounts folder and the settings.dat file) and remove all entries.

Once the accounts and the settings file have been removed, reboot the machine. Note that this clears the user's cached Azure AD accounts, so Office and other WAM-based apps will prompt the user to sign in again.

After logging back in, run dsregcmd /status; the user state no longer shows the error.

The AADTokenBrokerPlugin folder in the user's AppData also creates a new settings.dat file. The device now successfully enrols into Intune; this has been tested on all the accounts that showed the WamDefaultSet error, and all of those devices are now enrolled.
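The fix above, as an added example script rather than the post's own steps. It assumes that the folder the post calls AADTokenBrokerPlugin is the WAM broker package folder %LOCALAPPDATA%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy, and that the two locations removed are its AC\TokenBroker\Accounts folder and Settings\settings.dat; both paths are assumptions, since the post does not print them. It only acts when dsregcmd /status reports WamDefaultSet : ERROR, backs the state up first, and must be run as the affected user because the files are per-user.

```powershell
# Added example (not the post's own script): reset the per-user AAD broker plugin state
# behind the WamDefaultSet error. Path assumptions: the broker package folder is
# %LOCALAPPDATA%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy and the two
# locations to clear are AC\TokenBroker\Accounts and Settings\settings.dat.
# Run as the affected user, not as a separate admin account.
$brokerRoot  = Join-Path $env:LOCALAPPDATA 'Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy'
$accountsDir = Join-Path $brokerRoot 'AC\TokenBroker\Accounts'
$settingsDat = Join-Path $brokerRoot 'Settings\settings.dat'

function Get-WamDefaultSet {
    # Pull just the WamDefaultSet value out of dsregcmd /status.
    $line = & dsregcmd.exe /status | Select-String -Pattern '^\s*WamDefaultSet\s*:\s*(\S+)'
    if ($line) { return $line.Matches[0].Groups[1].Value }
    return 'UNKNOWN'
}

function Backup-BrokerState {
    # Copy the state aside before deleting it so the change can be reverted.
    param([string]$Destination)
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    if (Test-Path $accountsDir) { Copy-Item $accountsDir -Destination $Destination -Recurse -Force }
    if (Test-Path $settingsDat) { Copy-Item $settingsDat -Destination $Destination -Force }
}

function Reset-BrokerState {
    # settings.dat is held open while the broker process is loaded, so stop it first.
    Get-Process -Name 'Microsoft.AAD.BrokerPlugin' -ErrorAction SilentlyContinue | Stop-Process -Force
    if (Test-Path $accountsDir) {
        Get-ChildItem $accountsDir -Force | Remove-Item -Recurse -Force
    }
    if (Test-Path $settingsDat) {
        Remove-Item $settingsDat -Force
    }
}

$before = Get-WamDefaultSet
"WamDefaultSet before: $before"
if ($before -ne 'ERROR') {
    "No WamDefaultSet error for this user; nothing to reset."
    return
}

$backup = Join-Path $env:TEMP ('BrokerPluginBackup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
Backup-BrokerState -Destination $backup
"State backed up to $backup"
Reset-BrokerState

# The broker recreates settings.dat and re-registers the logged-on account at the next
# sign-in, so a reboot is required before re-checking.
"Broker state cleared. Reboot, sign in as the same user, then run: dsregcmd /status"
```

After the reboot, WamDefaultSet should read YES for that user and the device should enrol on the next MDM enrollment attempt; if it still reads ERROR, the backup in %TEMP% can be copied back and the issue is not the stale broker account registration this post describes.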