This has been one of the more frustrating Microsoft Issues I’ve had to deal with recently.

The deployment is relatively straightforward. Set up a GPO to deploy to all workstations and make some minor adjustments in the O365 tenant. It’s well documented so I won’t bother with that here. Just make sure one of the first things you check is that the GPO is being applied to the USER.

The problem is waiting for machines to check in. Once it’s all set up you have to wait for the machines to show up in the Microsoft Endpoint.

Devices –> All Devices

In my case after 2 months on a 60+ PC network spanning 5 sites only 16 machines showed up as being compliant.

These are the bits that I learned to help facilitate finding information, troubleshooting, and ultimately resolving the issues.

First, it’s important to note that Intune Deployment does not like when other MDM-type deployments have been applied to the PC. I guess this makes sense, but in my opinion they should make it easier to figure out what’s wrong.

Logging for this is found here: Event Viewer –> Application and Services Logs –> Microsoft –> Windows –> DeviceManagement-Enterprise-Diagnostics-Provider –> Admin

Commands:

“dsregcmd” is the go-to command for determining the status of the machine with Intune.

dsregcmd /status

This tells you the current status of the machine.

Troubleshoot Windows 10 auto-enrollment in Intune – Microsoft Intune | Microsoft Docs

This site tells you to find these entries:

• Device State:
  • AzureAdJoined: YES
  • DomainJoined: YES
• SSO State:
  • AzureAdPrt: YES

In each machine I checked, both checking in successfully and those not appearing at all in Endpoint, none showed AzureAdPrt: YES.

I didn’t really find the Microsoft Article to be terribly helpful.

Reviewing the logs gave me the kernel I needed to start searching for why the machines weren’t being picked up. I stumbled across a number of sites that tried to address it, but were difficult to follow.

Ultimately I found this process to work:

1. Look in the Registry for an entry in ComputerHKEY_LOCAL_MACHINESOFTWAREMicrosoftEnrollments
   1. There will be numerous entries but the majority of them will have only the following sub-entries
      1. Altitude
      2. EnrollmentState
      3. EnrollmentType
   2. The entry will be a hexadecimal key like 18DCFFD4-37D6-4BC6-87E0-4266FDBB8E49 but they appear to be pretty random so check them all
   3. The entry we’re looking for will have way more information in it
      1. AADOpaqueID
      2. AADResourceID
      3. CurKeyContainer
      4. DiscoveryService…
      5. ProviderID
      6. UPN
      7. Etc…
   4. Delete this key and any others like it
   1. It’s possible there will be more than one – check them all
   5. Execute this command on the affected workstation: dsregcmd /leave
   6. Reboot the PC
2. Locate the PC in Azure AD under Devices and delete it
3. Re-run the AD Sync – PowerShell Command:
   1. Start-ADSyncSyncCycle -PolicyType Delta
   1. Wait for the Sync to complete and give Azure AD a couple of minutes to pick up the changes
4. Log in to the PC and open a CMD prompt and re-run “gpupdate /force“
5. Run dsregcmd /status
   
   1. The status should not show any connectivity (URL/URI entries) to Office yet but they will populate
6. Log out of the PC and wait for the licensed Intune user to log in
7. Check status of Endpoint – the PC should now be showing up