Device Compliance issues with Outlook/Teams

Outlook and Teams cannot sign in from certain devices in a tenant where Intune is the MDM and compliance policies are assigned. When you check the affected servers in the Intune admin centre you get this:


Click on one of the computers and then choose Device Compliance:



This will tell you where the device or server is failing compliance:



This means the device is failing the built-in "Default" compliance policy on its "Is active" and "Enrolled user exists" checks. In this case the underlying cause is that the computer object is not being synced from the local AD to AAD.



This in turn will cause a Conditional Access policy to fail if it is set up like this (grant access only from a compliant device):



So you need to confirm that the OU the computer object sits under in the local AD is included in the Azure AD Connect sync scope, which in this case it is not. To confirm this from the device itself, run the following from an elevated prompt:

dsregcmd /status

This will give you this:

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : BEAR
               Device Name : SmallGrizzly.bear.local

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : YES
          WorkAccountCount : 1
             WamDefaultSet : NO

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : NO
       AzureAdPrtAuthority : NO
             EnterprisePrt : NO
    EnterprisePrtAuthority : NO

+----------------------------------------------------------------------+
| Work Account 1                                                       |
+----------------------------------------------------------------------+

         WorkplaceDeviceId : <Workplace ID>
       WorkplaceThumbprint : <work thumbprint>
 DeviceCertificateValidity : [ 2023-07-21 09:46:50.000 UTC -- 2033-07-21 10:16:50.000 UTC ]
            KeyContainerId : 2633fb63-78f0-4ebd-9d11-a866e95276cc
               KeyProvider : Microsoft Software Key Storage Provider
              TpmProtected : NO
              WorkplaceIdp : login.windows.net
         WorkplaceTenantId : <Tenant ID>
       WorkplaceTenantName : Magical World of Bears
           WorkplaceMdmUrl :
      WorkplaceSettingsUrl :
                    NgcSet : NO

+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+

Waiting for Diagnostics Task to complete. This could take a few minutes...

     Diagnostics Reference : www.microsoft.com/aadjerrors
              User Context : SYSTEM
               Client Time : 2023-07-21 10:33:43.000 UTC
      AD Connectivity Test : PASS
     AD Configuration Test : PASS
        DRS Discovery Test : PASS
     DRS Connectivity Test : PASS
    Token acquisition Test : SKIPPED
     Fallback to Sync-Join : ENABLED
     Previous Registration : 2023-07-21 10:23:50.000 UTC
         Registration Type : sync
               Error Phase : join
          Client ErrorCode : 0x801c03f3
          Server ErrorCode : invalid_request
       Server ErrorSubCode : error_missing_device
          Server Operation : DeviceRenew
            Server Message : The device object by the given id (93f2d808-3f8c-4319-9443-f10540464f0a) is not found.
              Https Status : 400
                Request Id : 686ae643-cc83-4c76-b751-6c954637af60

+----------------------------------------------------------------------+
| IE Proxy Config for System Account                                   |
+----------------------------------------------------------------------+

      Auto Detect Settings : YES
    Auto-Configuration URL :
         Proxy Server List :
         Proxy Bypass List :

+----------------------------------------------------------------------+
| URL Specific Proxy Config                                            |
+----------------------------------------------------------------------+

    Auto Detect PAC Status : Failed to auto detect the Proxy Auto-Configuration (PAC) script using WPAD. code: 0x80072f94
    Executing Account Name : <NETBIOS name>$, <UPN Name>

+----------------------------------------------------------------------+
| IE Proxy Config for Current User                                     |
+----------------------------------------------------------------------+

      Auto Detect Settings : NO
    Auto-Configuration URL :
         Proxy Server List :
         Proxy Bypass List :

+----------------------------------------------------------------------+
| WinHttp Default Proxy Config                                         |
+----------------------------------------------------------------------+

               Access Type : DIRECT

+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+

            IsDeviceJoined : NO
             IsUserAzureAD : NO
             PolicyEnabled : NO
          PostLogonEnabled : YES
            DeviceEligible : NO
        SessionIsNotRemote : NO
            CertEnrollment : none
              PreReqResult : WillNotProvision

However, the part that matters is the error in the Diagnostic Data section:

Server Message : The device object by the given id (93f2d808-3f8c-4319-9443-f10540464f0a) is not found.

Client error 0x801c03f3 with server sub-code error_missing_device on a DeviceRenew means the device registration service cannot find a device object in Azure AD for this computer. The computer object is not being synced from AD to AAD, so the OU it sits under has to be added to the Azure AD Connect sync scope (this usually only bites when you are selective about which OUs are synced).
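The status report above is long and the failing fields are easy to miss, so here is an added example (not from the original post) that parses `dsregcmd /status` into a hashtable and reports the hybrid-join state and the Diagnostic Data error fields. It assumes dsregcmd.exe is available on the device (Windows 10/11, Server 2016 and later); the sample text embedded at the bottom is a constructed excerpt of the failing output shown above so the functions can be exercised without running the command.

```powershell
# Added example, not from the original post: turn `dsregcmd /status` into an
# object and evaluate the hybrid-join state so the failing field is reported
# instead of being picked out of a 150-line dump by eye.

function ConvertFrom-DsregcmdStatus {
    [CmdletBinding()]
    param(
        # Raw output lines; defaults to running the command on this machine.
        [string[]]$Text = (& dsregcmd.exe /status)
    )
    $state = @{}
    $section = ''
    foreach ($line in $Text) {
        # Section banners look like "| Device State   |". Keys repeat across
        # sections (NgcSet, KeyProvider, ...), so every key is section-qualified.
        if ($line -match '^\|\s*(.+?)\s*\|$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $state["$section/$($Matches[1])"] = $Matches[2].Trim()
        }
    }
    return $state
}

function Test-HybridJoinState {
    [CmdletBinding()]
    param([Parameter(Mandatory)][hashtable]$State)

    $checks = [ordered]@{
        DomainJoined  = $State['Device State/DomainJoined'] -eq 'YES'
        AzureAdJoined = $State['Device State/AzureAdJoined'] -eq 'YES'
        AzureAdPrt    = $State['SSO State/AzureAdPrt'] -eq 'YES'
        # Only present once the device is joined; missing or non-SUCCESS fails.
        DeviceAuth    = $State['Device Details/DeviceAuthStatus'] -eq 'SUCCESS'
    }
    $failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object Key)

    [pscustomobject]@{
        Healthy            = ($failed.Count -eq 0)
        FailedChecks       = $failed
        ErrorPhase         = $State['Diagnostic Data/Error Phase']
        ClientErrorCode    = $State['Diagnostic Data/Client ErrorCode']
        ServerErrorSubCode = $State['Diagnostic Data/Server ErrorSubCode']
        ServerMessage      = $State['Diagnostic Data/Server Message']
        RegistrationType   = $State['Diagnostic Data/Registration Type']
        # error_missing_device on DeviceRenew is the "object not synced to AAD" case
        LikelySyncGap      = ($State['Diagnostic Data/Server ErrorSubCode'] -eq 'error_missing_device')
    }
}

# Constructed excerpt of the failing report above, so this runs without dsregcmd.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+
               Error Phase : join
          Client ErrorCode : 0x801c03f3
       Server ErrorSubCode : error_missing_device
          Server Operation : DeviceRenew
            Server Message : The device object by the given id (93f2d808-3f8c-4319-9443-f10540464f0a) is not found.
'@ -split "`r?`n"

Test-HybridJoinState -State (ConvertFrom-DsregcmdStatus -Text $sample) | Format-List

# On a real device, drop the -Text argument:
# Test-HybridJoinState -State (ConvertFrom-DsregcmdStatus) | Format-List
```

On the failing server this reports Healthy = False with AzureAdJoined, AzureAdPrt and DeviceAuth in FailedChecks and LikelySyncGap = True; on the healthy report further down only the PRT-related checks depend on a user having signed in.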

If you do a metaverse search in the Synchronization Service Manager for the device (displayName = the device name), nothing is returned, as below:


Once you have added the OU to the sync scope (Azure AD Connect, "Customize synchronization options", "Domain and OU filtering"), run a full (initial) sync from PowerShell on the AD Connect server:

Start-ADSyncSyncCycle -PolicyType Initial

Once that completes, the same metaverse search now returns the device:


Once the objects are listed in the metaverse, Hybrid Join will take care of itself after a moment or two (the device's Automatic-Device-Join scheduled task retries the registration), but if you are impatient you can push it along:

Reregister Basic Steps

Start a command prompt (elevated)
dsregcmd.exe /debug /leave
dsregcmd.exe /debug /join

Sign out and sign back in to the device to complete the recovery.

Reregister Force Recovery Method

If that gets you nowhere you need to force a recovery like this:

Start a command prompt (elevated)
dsregcmd /forcerecovery
Click "Sign in" in the dialog that opens
Complete the sign-in process.
Sign out and sign back in to the device to complete the recovery.
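The sync-and-rejoin sequence above (check the OU, sync, confirm the device exists in Azure AD, then nudge the client) as one script. This is an added example, not the post's own code: it assumes an Azure AD Connect server name, WinRM access to that server and to the device, and the RSAT ActiveDirectory module plus the Microsoft.Graph PowerShell SDK on the admin workstation; adding the OU to the sync scope is still done in the Azure AD Connect wizard beforehand.

```powershell
# Added example, not from the original post. Server and device names below are
# placeholders for this lab.

function Repair-HybridJoinSync {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DeviceName,
        [Parameter(Mandatory)][string]$AadConnectServer,
        [int]$SyncTimeoutMinutes = 30
    )
    Import-Module ActiveDirectory
    Import-Module Microsoft.Graph.Identity.DirectoryManagement

    # 1. The object's OU has to be inside the AD Connect OU filter.
    $computer = Get-ADComputer -Identity $DeviceName -Properties Enabled
    $ou = ($computer.DistinguishedName -split ',', 2)[1]
    Write-Host "Computer object: $($computer.DistinguishedName) (Enabled=$($computer.Enabled))"
    Write-Host "This OU must be in the AD Connect sync scope: $ou"

    # 2. Does Azure AD already have it? Hybrid-joined devices carry the on-prem name.
    Connect-MgGraph -Scopes 'Device.Read.All' -NoWelcome
    $before = Get-MgDevice -Filter "displayName eq '$DeviceName'"
    if ($before) {
        Write-Host "Azure AD already has device $($before.DeviceId); no sync needed."
    }
    else {
        # 3. Initial (full) sync on the AD Connect server, then wait for it to finish.
        Invoke-Command -ComputerName $AadConnectServer -ArgumentList $SyncTimeoutMinutes -ScriptBlock {
            param($timeoutMinutes)
            Import-Module ADSync
            if ((Get-ADSyncScheduler).SyncCycleInProgress) {
                throw 'A sync cycle is already running; wait for it and retry.'
            }
            Start-ADSyncSyncCycle -PolicyType Initial | Out-Null
            $deadline = (Get-Date).AddMinutes($timeoutMinutes)
            do {
                Start-Sleep -Seconds 15
                if ((Get-Date) -gt $deadline) { throw 'Sync did not finish within the timeout.' }
            } while ((Get-ADSyncScheduler).SyncCycleInProgress)
        }
        $after = Get-MgDevice -Filter "displayName eq '$DeviceName'"
        if (-not $after) {
            throw "$DeviceName is still not in Azure AD after the sync: check OU filtering and the sync errors in Synchronization Service Manager."
        }
        Write-Host "Device now in Azure AD: $($after.DeviceId)"
    }

    # 4. Nudge the client: this scheduled task performs the hybrid join / renew.
    Invoke-Command -ComputerName $DeviceName -ScriptBlock {
        Start-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'
        Start-Sleep -Seconds 60
        # Only the status lines that matter
        (& dsregcmd.exe /status) -match 'AzureAdJoined|AzureAdPrt\b|Client ErrorCode|Server ErrorSubCode'
    }
}

Repair-HybridJoinSync -DeviceName 'SmallGrizzly' -AadConnectServer 'aadc01.bear.local'
```

AzureAdJoined should flip to YES once the task has run; AzureAdPrt only becomes YES after a user signs in to the device, which is why the steps above end with a sign-out and sign-in.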

Afterwards the workplace join status report should look healthy. The command to check the status is:

dsregcmd /status

This should return something like this:

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : BEAR
               Device Name : SmallGrizzy.bear.local

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+

                  DeviceId : <device ID>
                Thumbprint : 3186E5FCC66F4A89B125F4B358A493D7C02D487B
 DeviceCertificateValidity : [ 2023-07-21 11:46:01.000 UTC -- 2033-07-21 12:16:01.000 UTC ]
            KeyContainerId : 8a7d8dcc-55cb-4401-a299-d8a6604bf2aa
               KeyProvider : Microsoft Software Key Storage Provider
              TpmProtected : NO
          DeviceAuthStatus : SUCCESS

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : 
                  TenantId : e15c1e99-7be3-495c-978e-eca7b8ea9f31
                       Idp : login.windows.net
               AuthCodeUrl : https://login.microsoftonline.com/magical-bear-hidden/oauth2/authorize
            AccessTokenUrl : https://login.microsoftonline.com/magical-bear-hidden/oauth2/token
                    MdmUrl : 
                 MdmTouUrl : 
          MdmComplianceUrl : 
               SettingsUrl : 
            JoinSrvVersion : 2.0
                JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
                 JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
             KeySrvVersion : 1.0
                 KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
                  KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
        WebAuthNSrvVersion : 1.0
            WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/magical-bear-hidden/
             WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
    DeviceManagementSrvVer : 1.0
    DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/magical-bear-hidden/
     DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : YES
          WorkAccountCount : 1
             WamDefaultSet : YES
       WamDefaultAuthority : organizations
              WamDefaultId : https://login.microsoft.com
            WamDefaultGUID : {B16898C6-A148-4967-9171-64D755DA8520} (AzureAd)

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2023-07-21 11:18:15.000 UTC
      AzureAdPrtExpiryTime : 2023-08-04 11:19:16.000 UTC
       AzureAdPrtAuthority : https://login.microsoftonline.com/magical-bear-hidden
             EnterprisePrt : NO
    EnterprisePrtAuthority : 
                 OnPremTgt : YES
                  CloudTgt : YES
         KerbTopLevelNames : .windows.net,.windows.net:1433,.windows.net:3342,.azure.net,.azure.net:1433,.azure.net:3342

+----------------------------------------------------------------------+
| Work Account 1                                                       |
+----------------------------------------------------------------------+

         WorkplaceDeviceId : <workplace-id>
       WorkplaceThumbprint : A5A4BD00F7FE56F89F70DF2490F78C628B8E227E
 DeviceCertificateValidity : [ 2023-07-21 10:58:57.000 UTC -- 2033-07-21 11:28:57.000 UTC ]
            KeyContainerId : 956e12ff-be0b-45c9-9616-48158c7fbef9
               KeyProvider : Microsoft Software Key Storage Provider
              TpmProtected : NO
              WorkplaceIdp : login.windows.net
         WorkplaceTenantId : <tenant-id>
       WorkplaceTenantName : Magical World of Bears
           WorkplaceMdmUrl : 
      WorkplaceSettingsUrl : 
                    NgcSet : NO

+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+

        AadRecoveryEnabled : NO
    Executing Account Name : <hidden data>
               KeySignTest : PASSED

        DisplayNameUpdated : Managed by MDM
          OsVersionUpdated : Managed by MDM
           HostNameUpdated : YES

      Last HostName Update : NONE

+----------------------------------------------------------------------+
| IE Proxy Config for Current User                                     |
+----------------------------------------------------------------------+

      Auto Detect Settings : NO
    Auto-Configuration URL : 
         Proxy Server List : 
         Proxy Bypass List : 

+----------------------------------------------------------------------+
| WinHttp Default Proxy Config                                         |
+----------------------------------------------------------------------+

               Access Type : DIRECT

+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+

            IsDeviceJoined : YES
             IsUserAzureAD : YES
             PolicyEnabled : NO
          PostLogonEnabled : YES
            DeviceEligible : YES
        SessionIsNotRemote : NO
            CertEnrollment : none
              PreReqResult : WillNotProvision

That completes the registration and the dsregcmd join. However, are you still getting errors about compliance?

Compliance says, NO

Now we can move on to the compliance errors, which look like this:



Click "More details", then "Copy info to clipboard", and you will get this:

Error Code:  53000
Request Id:  17fbfb9f-d86a-4ed6-8fb0-3cbe22520900 
Correlation Id:  8bf80c42-dfd2-4b5a-a08c-ba01d25e1ee5 
Timestamp:  2023-07-21T11:22:46.105Z 
App name: Microsoft Office
Device platform: Windows 10
Device state: DomainJoined

The reason is the error code, 53000 (AADSTS53000, DeviceNotCompliant): a Conditional Access policy requires a compliant device and this device is not compliant. The normal fix is to have the user enrol the device with an approved MDM provider such as Intune.

The sign-in is being blocked by the policy that requires a compliant device. If you cannot get the computer compliant for one reason or another, the workaround in Conditional Access is to exclude the affected user from that policy. First find the policy causing the block; it will look like this:



Then exclude that user from the policy to get the connection working. Treat the exclusion as a temporary, documented exception scoped to that one account and remove it once the device is compliant: an excluded account is no longer protected by the compliant-device check at all.
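Rather than clicking through every policy, the Correlation Id in the copied error block can be used to find the exact sign-in in the Azure AD sign-in log, which records which Conditional Access policies were evaluated and which one failed. The following is an added example, not from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in admin holds AuditLog.Read.All, Directory.Read.All and Policy.Read.All.

```powershell
# Added example, not from the original post. Looks up the failed sign-in by
# correlation id, then lists every enabled policy that demands a compliant
# device together with its user scope, so the blast radius of an exclusion is
# visible before you make it.

Import-Module Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Identity.SignIns

function Get-CaBlockReason {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$CorrelationId)

    $signIn = Get-MgAuditLogSignIn -Filter "correlationId eq '$CorrelationId'" -Top 1
    if (-not $signIn) {
        throw "No sign-in with correlation id $CorrelationId yet; the log can lag by several minutes."
    }
    [pscustomobject]@{
        User            = $signIn.UserPrincipalName
        App             = $signIn.AppDisplayName
        ErrorCode       = $signIn.Status.ErrorCode          # 53000 = DeviceNotCompliant
        FailureReason   = $signIn.Status.FailureReason
        DeviceTrust     = $signIn.DeviceDetail.TrustType    # e.g. "Hybrid Azure AD joined"
        DeviceCompliant = $signIn.DeviceDetail.IsCompliant
        CaStatus        = $signIn.ConditionalAccessStatus   # success | failure | notApplied
        # Only the policies that actually blocked this request
        FailedPolicies  = @($signIn.AppliedConditionalAccessPolicies |
            Where-Object { $_.Result -eq 'failure' } |
            ForEach-Object { "$($_.DisplayName) [$($_.EnforcedGrantControls -join ', ')]" })
    }
}

function Get-CompliantDevicePolicy {
    # Every enabled policy whose grant control includes "compliantDevice" and who it targets.
    Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.State -eq 'enabled' -and
                       $_.GrantControls.BuiltInControls -contains 'compliantDevice' } |
        ForEach-Object {
            [pscustomobject]@{
                Policy        = $_.DisplayName
                Operator      = $_.GrantControls.Operator                     # AND / OR between controls
                Controls      = $_.GrantControls.BuiltInControls -join ', '
                IncludeUsers  = $_.Conditions.Users.IncludeUsers -join ', '    # "All" or object ids
                ExcludeUsers  = $_.Conditions.Users.ExcludeUsers -join ', '
                IncludeGroups = $_.Conditions.Users.IncludeGroups -join ', '
                ExcludeGroups = $_.Conditions.Users.ExcludeGroups -join ', '
            }
        }
}

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'Policy.Read.All' -NoWelcome
# Correlation Id taken from the copied error block above
Get-CaBlockReason -CorrelationId '8bf80c42-dfd2-4b5a-a08c-ba01d25e1ee5' | Format-List
Get-CompliantDevicePolicy | Format-Table -AutoSize
```

If you do go ahead with the exclusion, exclude a dedicated group containing only the affected account rather than editing the policy's user list directly; the ExcludeGroups column above then shows exactly which policies carry the exception when you come back to review it.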


MFA was unhappy

I also observed that MFA was required for these particular accounts as well. MFA is a fantastic leap forward for security in many cases; however, there are scenarios where MFA is not workable, for example an automation account used by software that cannot handle an MFA prompt, which makes it very hard to enforce MFA on that account.

In this particular scenario you would need to work with the vendor or the software development team to get MFA working; in the interim you would need to disable MFA for that account to keep the software functioning, but make sure the account has a long, randomly generated password.

What about fixing compliance?

Absolutely. So far we have only focused on getting the account working for its intended purpose. As you can see from above, there were a couple of problems with the device computer account and the management account: the device objects were not synced to AAD, and the management account (the enrolled user, which is specific to your environment) had been disabled in the local Active Directory, meaning its effective state in AAD was disabled as well.

This is exactly why compliance was failing on the default configuration: the built-in policy marks a device non-compliant if it has not checked in within 30 days ("Is active", the default compliance status validity period) or if its enrolled user no longer exists or is disabled ("Enrolled user exists"). Once the management accounts were enabled again, that particular problem was resolved.

Note the “Last Check-in” in Intune


I also noticed that in my lab the last check-in time was from a couple of months ago, which means the devices have not been able to talk to Intune; this in turn means Intune cannot assess whether the device is compliant or not.
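Both built-in checks can be verified for one device from PowerShell instead of clicking through the portal: when Intune last heard from it, its recorded compliance state, and whether the enrolled user still exists and is enabled in Azure AD and in the local AD. This is an added example, not from the original post; it assumes the Microsoft.Graph SDK and the RSAT ActiveDirectory module are installed, and the 30-day window (the default compliance status validity period) is a parameter.

```powershell
# Added example, not from the original post. Pulls the facts that the built-in
# "Default" compliance policy evaluates ("Is active", "Enrolled user exists")
# for a single device.

Import-Module Microsoft.Graph.DeviceManagement
Import-Module Microsoft.Graph.Users
Import-Module ActiveDirectory

function Get-IntuneComplianceHealth {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DeviceName,
        [int]$InactiveAfterDays = 30
    )
    $md = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$DeviceName'" |
          Select-Object -First 1
    if (-not $md) { throw "$DeviceName has no Intune managed-device record (not enrolled)." }

    # "Is active": days since the device last checked in with Intune.
    $daysSinceSync = if ($md.LastSyncDateTime) {
        [int]((Get-Date).ToUniversalTime() - $md.LastSyncDateTime).TotalDays
    } else { $null }

    # "Enrolled user exists": the primary user in Azure AD. A 404 means the
    # account is gone (or was never synced), so treat it as missing.
    $upn = $md.UserPrincipalName
    $aadUser = $null
    if ($upn) {
        try   { $aadUser = Get-MgUser -UserId $upn -Property 'id', 'userPrincipalName', 'accountEnabled' -ErrorAction Stop }
        catch { $aadUser = $null }
    }
    # Same account on-premises; a disabled AD account syncs to AAD as disabled.
    $adUser = if ($upn) { Get-ADUser -Filter "userPrincipalName -eq '$upn'" -Properties Enabled } else { $null }

    [pscustomobject]@{
        Device             = $md.DeviceName
        ComplianceState    = $md.ComplianceState     # compliant | noncompliant | unknown | ...
        LastSyncUtc        = $md.LastSyncDateTime
        DaysSinceSync      = $daysSinceSync
        IsActive           = ($null -ne $daysSinceSync -and $daysSinceSync -le $InactiveAfterDays)
        EnrolledUser       = $upn
        EnrolledUserExists = [bool]$aadUser
        EnabledInAzureAD   = if ($aadUser) { $aadUser.AccountEnabled } else { $null }
        EnabledInLocalAD   = if ($adUser)  { $adUser.Enabled }         else { $null }
        EnrollmentType     = $md.DeviceEnrollmentType
    }
}

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All', 'User.Read.All' -NoWelcome
Get-IntuneComplianceHealth -DeviceName 'SmallGrizzly' | Format-List
```

For the lab described here this would have shown IsActive = False (a last sync months old) and EnabledInLocalAD = False for the management account, which is the pair of conditions that produce the "Default" policy failure before any custom compliance policy is even evaluated.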

If you are using pinhole firewall rules, or any other way of dropping traffic that is not on your allow-list, you will need to make sure the relevant hostnames and IP addresses for Intune are allowed so that Intune can keep communicating with your devices.

I personally recommend these commands, which will give you a list of all the hostnames and IP addresses:

IP Addresses

(Invoke-RestMethod -Uri ("https://endpoints.office.com/endpoints/WorldWide?ServiceAreas=MEM&clientrequestid=" + [guid]::NewGuid())) | Where-Object { $_.serviceArea -eq "MEM" -and $_.ips } | Select-Object -Unique -ExpandProperty ips

Hostnames

(Invoke-RestMethod -Uri ("https://endpoints.office.com/endpoints/WorldWide?ServiceAreas=MEM&clientrequestid=" + [guid]::NewGuid())) | Where-Object { $_.serviceArea -eq "MEM" -and $_.urls } | Select-Object -Unique -ExpandProperty urls
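The two one-liners above flatten the service's answer to bare hostnames and IPs, which drops the ports and the "required" flag a firewall rule actually needs, and they say nothing about whether this device can reach any of it. The following is an added example, not from the original post, that keeps those fields and then probes TCP 443 from the device to every concrete (non-wildcard) hostname; the column names and the required-only default are my choices.

```powershell
# Added example, not from the original post. Same endpoints web service as the
# one-liners above, with ports and the required flag kept, plus a reachability
# check to run from a device whose Intune check-in has stopped.

function Get-IntuneEndpointAllowList {
    [CmdletBinding()]
    param([switch]$IncludeOptional)

    $uri = 'https://endpoints.office.com/endpoints/WorldWide?ServiceAreas=MEM&clientrequestid=' + [guid]::NewGuid()
    Invoke-RestMethod -Uri $uri |
        Where-Object { $_.serviceArea -eq 'MEM' -and ($IncludeOptional -or $_.required) } |
        ForEach-Object {
            [pscustomobject]@{
                Id       = $_.id
                Category = $_.category      # Optimize | Allow | Default
                Required = $_.required
                Urls     = @($_.urls)
                Ips      = @($_.ips)
                TcpPorts = $_.tcpPorts
                UdpPorts = $_.udpPorts
            }
        }
}

function Test-IntuneEndpointReachability {
    [CmdletBinding()]
    param([int]$Port = 443)

    # Wildcard entries such as *.manage.microsoft.com cannot be resolved directly,
    # so only the concrete hostnames are probed.
    Get-IntuneEndpointAllowList |
        ForEach-Object { $_.Urls } |
        Where-Object { $_ -and $_ -notmatch '\*' } |
        Sort-Object -Unique |
        ForEach-Object {
            $r = Test-NetConnection -ComputerName $_ -Port $Port -WarningAction SilentlyContinue
            [pscustomobject]@{
                Host     = $_
                Port     = $Port
                Resolved = [bool]$r.RemoteAddress
                TcpOk    = $r.TcpTestSucceeded
                RemoteIp = $r.RemoteAddress
            }
        }
}

# Firewall rule input: one row per endpoint set, with its ports
Get-IntuneEndpointAllowList |
    Format-Table Id, Category, Required, TcpPorts, @{ n = 'Urls'; e = { $_.Urls -join ' ' } } -AutoSize

# From an affected device: any row with TcpOk = False is what is stopping the check-in
Test-IntuneEndpointReachability | Where-Object { -not $_.TcpOk }
```

A host that resolves but fails the TCP test is the pinhole problem described above; one that does not resolve at all usually points at DNS filtering rather than the firewall.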
