Device Compliance issues with Outlook/Teams

You are unable to access Outlook/Teams from devices when you have Intune as your MDM with compliance policies added as well, when you check the servers your get this:


Click on one of the computers and then choose Device Compliance......



This will tell you where the device or server is failing compliance:



This means we are failing the "Default" compliance policy which means that the computer account is not synced to AAD from AD as it fails the "Is Active" and "Enrolled user exists"



This in turn will probably cause a conditional access policy to fail if its set like this:



This means you need to ensure the OU in your local AD that the object sits under is being synced to Azure AD using AD-Connect, which in this case it is not......to confirm that you can use this command:

dsregcmd /status

This will give you this:

+----------------------------------------------------------------------+

| Device State                                                         |

+----------------------------------------------------------------------+

             AzureAdJoined : NO

          EnterpriseJoined : NO

              DomainJoined : YES

                DomainName : BEAR

               Device Name : SmallGrizzly.bear.local

+----------------------------------------------------------------------+

| User State                                                           |

+----------------------------------------------------------------------+

                    NgcSet : NO

           WorkplaceJoined : YES

          WorkAccountCount : 1

             WamDefaultSet : NO

+----------------------------------------------------------------------+

| SSO State                                                            |

+----------------------------------------------------------------------+

                AzureAdPrt : NO

       AzureAdPrtAuthority : NO

             EnterprisePrt : NO

    EnterprisePrtAuthority : NO

+----------------------------------------------------------------------+

| Work Account 1                                                       |

+----------------------------------------------------------------------+

         WorkplaceDeviceId : <Workplace ID>

       WorkplaceThumbprint : <work thumbprint>

 DeviceCertificateValidity : [ 2023-07-21 09:46:50.000 UTC -- 2033-07-21 10:16:50.000 UTC ]

            KeyContainerId : 2633fb63-78f0-4ebd-9d11-a866e95276cc

               KeyProvider : Microsoft Software Key Storage Provider

              TpmProtected : NO

              WorkplaceIdp : login.windows.net

         WorkplaceTenantId : <Tenant ID>

       WorkplaceTenantName : Magical World of Bears

           WorkplaceMdmUrl : 

      WorkplaceSettingsUrl : 

                    NgcSet : NO

+----------------------------------------------------------------------+

| Diagnostic Data                                                      |

+----------------------------------------------------------------------+

Waiting for Diagnostics Task to complete. This could take a few minutes...

                                                                                             

     Diagnostics Reference : www.microsoft.com/aadjerrors

              User Context : SYSTEM

               Client Time : 2023-07-21 10:33:43.000 UTC

      AD Connectivity Test : PASS

     AD Configuration Test : PASS

        DRS Discovery Test : PASS

     DRS Connectivity Test : PASS

    Token acquisition Test : SKIPPED

     Fallback to Sync-Join : ENABLED

     Previous Registration : 2023-07-21 10:23:50.000 UTC

         Registration Type : sync

               Error Phase : join

          Client ErrorCode : 0x801c03f3

          Server ErrorCode : invalid_request

       Server ErrorSubCode : error_missing_device

          Server Operation : DeviceRenew

            Server Message : The device object by the given id (93f2d808-3f8c-4319-9443-f10540464f0a) is not found.

              Https Status : 400

                Request Id : 686ae643-cc83-4c76-b751-6c954637af60

+----------------------------------------------------------------------+

| IE Proxy Config for System Account                                   |

+----------------------------------------------------------------------+

      Auto Detect Settings : YES

    Auto-Configuration URL : 

         Proxy Server List : 

         Proxy Bypass List : 

+----------------------------------------------------------------------+

| URL Specific Proxy Config                                            |

+----------------------------------------------------------------------+

    Auto Detect PAC Status : Failed to auto detect the Proxy Auto-Configuration (PAC) script using WPAD. code: 0x80072f94

    Executing Account Name : <NETBIOS name>$, <UPN Name>

+----------------------------------------------------------------------+

| IE Proxy Config for Current User                                     |

+----------------------------------------------------------------------+

      Auto Detect Settings : NO

    Auto-Configuration URL : 

         Proxy Server List : 

         Proxy Bypass List : 

+----------------------------------------------------------------------+

| WinHttp Default Proxy Config                                         |

+----------------------------------------------------------------------+

               Access Type : DIRECT

+----------------------------------------------------------------------+

| Ngc Prerequisite Check                                               |

+----------------------------------------------------------------------+

            IsDeviceJoined : NO

             IsUserAzureAD : NO

             PolicyEnabled : NO

          PostLogonEnabled : YES

            DeviceEligible : NO

        SessionIsNotRemote : NO

            CertEnrollment : none

              PreReqResult : WillNotProvision


However we need to look at the error which is this:

Server Message : The device object by the given id (93f2d808-3f8c-4319-9443-f10540464f0a) is not found.

This means that the object in your AD is not synced to AAD from AD and needs to be, so you will need to add this OU to the sync list (this usually only applies when you are selective with what is synced to AAD)

If you do a metaverse search for the device with the displayName of the device name, you will notice nothing is returned....as below:


Once you have added the OU from PowerShell you will need to complete a full sync using this command:

Start-ADSyncSyncCycle -PolicyType Initial

Once that completes if you run the same search in Metaverse you will notice you now get some results....


Once they are all listed, Hybrid Join will take care of iteself after a moment or two but if you are impatient you can do this:

Reregister Basic Steps

Start a command prompt (elevated)
dsregcmd.exe /debug /leave

Sign out and sign in back to the device to complete the recovery.
dsregcmd.exe /debug /join

Reregister Force Recovery Method

If you will get no dice you need to force a recovery like this:

Start a command prompt (elevated)
dsregcmd /forcerecovery
Click "Sign in" in the dialog that opens up
Continue with the sign in process.
Sign out and sign in back to the device to complete the recovery.

Then when you get the workplace join status you will notice all is well with the report, the command to check the status is:

dsregcmd /status

This should return something like this:

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : BEAR
               Device Name : SmallGrizzy.bear.local

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+

                  DeviceId : <device ID>
                Thumbprint : 3186E5FCC66F4A89B125F4B358A493D7C02D487B
 DeviceCertificateValidity : [ 2023-07-21 11:46:01.000 UTC -- 2033-07-21 12:16:01.000 UTC ]
            KeyContainerId : 8a7d8dcc-55cb-4401-a299-d8a6604bf2aa
               KeyProvider : Microsoft Software Key Storage Provider
              TpmProtected : NO
          DeviceAuthStatus : SUCCESS

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : 
                  TenantId : e15c1e99-7be3-495c-978e-eca7b8ea9f31
                       Idp : login.windows.net
               AuthCodeUrl : https://login.microsoftonline.com/magical-bear-hidden/oauth2/authorize
            AccessTokenUrl : https://login.microsoftonline.com/magical-bear-hidden/oauth2/token
                    MdmUrl : 
                 MdmTouUrl : 
          MdmComplianceUrl : 
               SettingsUrl : 
            JoinSrvVersion : 2.0
                JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
                 JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
             KeySrvVersion : 1.0
                 KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
                  KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
        WebAuthNSrvVersion : 1.0
            WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/magical-bear-hidden/
             WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
    DeviceManagementSrvVer : 1.0
    DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/magical-bear-hidden/
     DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : YES
          WorkAccountCount : 1
             WamDefaultSet : YES
       WamDefaultAuthority : organizations
              WamDefaultId : https://login.microsoft.com
            WamDefaultGUID : {B16898C6-A148-4967-9171-64D755DA8520} (AzureAd)

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2023-07-21 11:18:15.000 UTC
      AzureAdPrtExpiryTime : 2023-08-04 11:19:16.000 UTC
       AzureAdPrtAuthority : https://login.microsoftonline.com/magical-bear-hidden
             EnterprisePrt : NO
    EnterprisePrtAuthority : 
                 OnPremTgt : YES
                  CloudTgt : YES
         KerbTopLevelNames : .windows.net,.windows.net:1433,.windows.net:3342,.azure.net,.azure.net:1433,.azure.net:3342

+----------------------------------------------------------------------+
| Work Account 1                                                       |
+----------------------------------------------------------------------+

         WorkplaceDeviceId : <workplace-id>
       WorkplaceThumbprint : A5A4BD00F7FE56F89F70DF2490F78C628B8E227E
 DeviceCertificateValidity : [ 2023-07-21 10:58:57.000 UTC -- 2033-07-21 11:28:57.000 UTC ]
            KeyContainerId : 956e12ff-be0b-45c9-9616-48158c7fbef9
               KeyProvider : Microsoft Software Key Storage Provider
              TpmProtected : NO
              WorkplaceIdp : login.windows.net
         WorkplaceTenantId : <tenant-id>
       WorkplaceTenantName : Magical World of Bears
           WorkplaceMdmUrl : 
      WorkplaceSettingsUrl : 
                    NgcSet : NO

+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+

        AadRecoveryEnabled : NO
    Executing Account Name : <hidden data>
               KeySignTest : PASSED

        DisplayNameUpdated : Managed by MDM
          OsVersionUpdated : Managed by MDM
           HostNameUpdated : YES

      Last HostName Update : NONE

+----------------------------------------------------------------------+
| IE Proxy Config for Current User                                     |
+----------------------------------------------------------------------+

      Auto Detect Settings : NO
    Auto-Configuration URL : 
         Proxy Server List : 
         Proxy Bypass List : 

+----------------------------------------------------------------------+
| WinHttp Default Proxy Config                                         |
+----------------------------------------------------------------------+

               Access Type : DIRECT

+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+

            IsDeviceJoined : YES
             IsUserAzureAD : YES
             PolicyEnabled : NO
          PostLogonEnabled : YES
            DeviceEligible : YES
        SessionIsNotRemote : NO
            CertEnrollment : none
              PreReqResult : WillNotProvision

That now completes the registration and the dsregcmd join, however are you will getting errors about compliance ????

Compliance says, NO

When now we can move on to the compliance errors like this, the error will be like this



Click the more details then the copy info to clipboard and you will get this:

Error Code:  53000
Request Id:  17fbfb9f-d86a-4ed6-8fb0-3cbe22520900 
Correlation Id:  8bf80c42-dfd2-4b5a-a08c-ba01d25e1ee5 
Timestamp:  2023-07-21T11:22:46.105Z 
App name: Microsoft Office
Device platform: Windows 10
Device state: DomainJoined

This will then give you the reason why, which is 53000 which means that a Conditional Access policy requires a compliant device, and the device is not compliant. Have the user enrol their device with an approved MDM provider like Intune.

This means the policy is now being blocked by "non compliant" users policy, so if you cannot get the computer compliant for one reason or another in conditional access you need to exclude the user, so lets find the policy causing this it will look like this:



Then you need to exclude that user from conditional access to get the connection working.....


MFA was unhappy

I also observed that MFA was required for these particular accounts as well, MFA it’s a fantastic leap forward for security in many cases, however, that comes certain scenarios where MFA is not acceptable, for example, if you have an automation accounts, that does not handle MFA then it’s very hard to enforce MFA.

In this particular scenario, we would need to work with the vendor or software development team to get MFA working, however, in the interim, you would need to disable MFA to enable functionality within the software, however, ensure you have a randomly generated very secure password.

What about fixing compliance?

Absolutely, so far we’ve only focused on how to get the account working for its intended purpose, however, as you can see from above, we had a couple of problems with the device computer account and the management account, mainly paying the device objects, were not synced to AAD, then the management account, which is unique to your environment was also disabled in our local Active Directory, meaning the effect of state in AAD was also disabled.

This is exactly why compliance was failing on the default configuration - which for many will be if it’s not active within 30, therefore once the management accounts are enabled this resolved that particular problem.

Note the “Last Check-in” in Intune


I also noticed that in my lab, the lost check in time was from a couple of months ago, which essentially means the devices are unable to talk to Intune - this intern means Intune cannot assess if the device is compliant or not.

if you are using pinhole security, or for that matter anyway of dropping traffic that’s not in your allow list you will need to ensure that you have a loud the relevant websites and IP addresses for intune to actually be able to maintain communication with your devices.

I personally recommend these commands, and that will give you a list of all the host names, and IP addresses:

IP Addresses

(invoke-restmethod -Uri ("https://endpoints.office.com/endpoints/WorldWide?ServiceAreas=MEM`&`clientrequestid=" + ([GUID]::NewGuid()).Guid)) | ?{$_.ServiceArea -eq "MEM" -and $_.ips} | select -unique -ExpandProperty ips

Hostnames

(invoke-restmethod -Uri ("https://endpoints.office.com/endpoints/WorldWide?ServiceAreas=MEM`&`clientrequestid=" + ([GUID]::NewGuid()).Guid)) | ?{$_.ServiceArea -eq "MEM" -and $_.urls} | select -unique -ExpandProperty urls
Previous Post Next Post

Ω†Ω…ΩˆΨ°Ψ¬ Ψ§Ω„Ψ§ΨͺΨ΅Ψ§Ω„