WanderingP

Reputation: 7

Windows Laptop Failing to Enroll in Intune (Hybrid Join Issue)

I am trying to enroll a Windows laptop into Intune in a hybrid environment. The device is domain-joined, and the enrollment group policy is correctly applied. I have successfully enrolled other devices using the same setup, but this particular device is failing to enroll.

When I run dsregcmd /status, I receive the following output:

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : NTE
           Virtual Desktop : NOT SET
               Device Name : Dxxxx.xxx.local
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : ERROR (0x80070520)
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
       AzureAdPrtAuthority : NO
             EnterprisePrt : NO
    EnterprisePrtAuthority : NO
+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+
     Diagnostics Reference : www.microsoft.com/aadjerrors
              User Context : SYSTEM
               Client Time : 2025-02-21 09:41:40.000 UTC
      AD Connectivity Test : PASS
     AD Configuration Test : PASS
        DRS Discovery Test : FAIL [0x801c0021/0x801c0012] Request id: 6adb9d00-dd45-4998-9b9b-b154c80413ce
     DRS Connectivity Test : SKIPPED
    Token acquisition Test : SKIPPED
     Fallback to Sync-Join : ENABLED
      Fallback to Fed-Join : ENABLED
     Previous Registration : 2025-02-20 16:48:28.000 UTC
               Error Phase : discover
          Client ErrorCode : 0x801c0021
          Server ErrorCode : invalid_request
       Server ErrorSubCode : ParameterValueInvalid
          Server Operation : Discovery
            Server Message : UPN suffix parameter contains spaces: 'Nxxxxxxx Txxxxxxx Exxxxx Lxxxxxxx'
              Https Status : 400
                Request Id : bfe91135-ebcd-4a4d-ba0b-294cd47296d3
+----------------------------------------------------------------------+
| IE Proxy Config for System Account                                   |
+----------------------------------------------------------------------+
      Auto Detect Settings : YES
    Auto-Configuration URL :
         Proxy Server List :
         Proxy Bypass List :
+----------------------------------------------------------------------+
| URL Specific Proxy Config                                            |
+----------------------------------------------------------------------+
    Auto Detect PAC Status : Failed to auto detect the Proxy Auto-Configuration (PAC) script using WPAD. code: 0x80072f94
    Executing Account Name : XXX\DMxxxx$, [email protected]
+----------------------------------------------------------------------+
| IE Proxy Config for Current User                                     |
+----------------------------------------------------------------------+
      Auto Detect Settings : YES
    Auto-Configuration URL :
         Proxy Server List :
         Proxy Bypass List :
+----------------------------------------------------------------------+
| WinHttp Default Proxy Config                                         |
+----------------------------------------------------------------------+
               Access Type : DIRECT
+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+
            IsDeviceJoined : NO
             IsUserAzureAD : NO
             PolicyEnabled : NO
          PostLogonEnabled : YES
            DeviceEligible : YES
        SessionIsNotRemote : YES
            CertEnrollment : none
              PreReqResult : WillNotProvision

I have already -

Checked DRS Discovery failures (0x801c0021 / 0x801c0012) → Indicates an invalid request due to a UPN suffix mismatch.

Checked Active Directory Domains and Trusts → Only xxxxxxx.co.uk exists as the UPN suffix, which is the correct one.

Ran PowerShell to list all user UPNs (Get-ADUser -Filter * -Properties UserPrincipalName) → No references to "Nxxxxx Txxxxxxx Exxxx Lxxxx" and userPrincipalName is correctly set to [email protected]

Ran PowerShell to check computer objects in AD (Get-ADComputer -Filter * -Properties dnsHostName, userPrincipalName) → No UPNs set or invalid domain names found.

Verified Azure AD Connect sync settings → No references to "Nxxxx Txxxxxx Exxxx Lxxxxxx" found.

Checked Azure AD verified domains (Get-MsolDomain) → Also no references.

Confirmed enrollment group policy and groups are correctly applied (other devices enroll successfully).

Ran dsregcmd /status → Confirmed Azure AD join is failing and UPN suffix error persists.

Checked local registry settings (reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI") → No reference to "Nxxxx Txxxxxx Exxxxx Lxxxx".

Ran a find on the whole registry to find a reference → No reference to "Nxxxx Txxxxxx Exxxxx Lxxxx".

Ran dsregcmd /leave to force unregistration. Restarted the device and re-ran dsregcmd /join → Issue persists.

Checked WAM authentication errors (0x80070520) and restarted the Web Account Manager service (net stop wlidsvc && net start wlidsvc).

Unjoined it from the domain, deleted all references in Azure and rejoined.

Tried reaching out to Microsoft support and could only reach a bot.

Tried asking this question in Microsoft's Q&A but it got immediately deleted for somehow violating the code of conduct policy!

Would anyone be able to help with this?

Upvotes: -1

Views: 54
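
Added example, not part of the original post: a PowerShell sketch that parses `dsregcmd /status` text into per-section fields and pulls out the failed tests, error phase and server message, which makes it easier to compare an affected device against a healthy one. The helper names ConvertFrom-DsregStatus and Get-DsregJoinFailure are hypothetical, and the sample is an abridged copy of the output posted above.

```powershell
# Added example. ConvertFrom-DsregStatus and Get-DsregJoinFailure are hypothetical helper names.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $section = ''
    foreach ($line in $Lines) {
        if ($line -match '^\s*\+-') { continue }                 # border row
        if ($line -match '^\s*\|\s*(?<s>.+?)\s*\|\s*$') {        # "| Section title |"
            $section = $Matches['s']; continue
        }
        # Split on the first " : " only; values (timestamps, messages) contain colons too.
        if ($line -match '^\s*(?<k>[^:]+?)\s+:\s*(?<v>.*)$') {
            [pscustomobject]@{ Section = $section; Name = $Matches['k']; Value = $Matches['v'].Trim() }
        }
    }
}

function Get-DsregJoinFailure {
    param([object[]]$Fields)
    $diag = @{}
    $Fields | Where-Object Section -eq 'Diagnostic Data' | ForEach-Object { $diag[$_.Name] = $_.Value }
    [pscustomobject]@{
        FailedTests   = @($Fields | Where-Object { $_.Name -like '* Test' -and $_.Value -like 'FAIL*' } | ForEach-Object Name)
        ErrorPhase    = $diag['Error Phase']
        ClientError   = $diag['Client ErrorCode']
        ServerError   = '{0}/{1}' -f $diag['Server ErrorCode'], $diag['Server ErrorSubCode']
        ServerMessage = $diag['Server Message']
    }
}

# Constructed sample: an abridged copy of the output posted in the question.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+
      AD Connectivity Test : PASS
        DRS Discovery Test : FAIL [0x801c0021/0x801c0012] Request id: 6adb9d00-dd45-4998-9b9b-b154c80413ce
               Error Phase : discover
          Client ErrorCode : 0x801c0021
          Server ErrorCode : invalid_request
       Server ErrorSubCode : ParameterValueInvalid
            Server Message : UPN suffix parameter contains spaces: 'Nxxxxxxx Txxxxxxx Exxxxx Lxxxxxxx'
+----------------------------------------------------------------------+
'@ -split '\r?\n'

Get-DsregJoinFailure -Fields (ConvertFrom-DsregStatus -Lines $sample) | Format-List
```

On a device, pass the live output instead of the sample: `ConvertFrom-DsregStatus -Lines (dsregcmd /status)`.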

Answers (0)
