WamDefaultSet : ERROR

[GitHubbrr]

I am seeing WamDefaultSet : ERROR under User State. Any insight? Also seeing IsUserAzureAD : NO, which is not the case, user has an AAD account.

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: b9f81d74-8dcb-e644-9647-0d1d0817f975
• Version Independent ID: e249cc9d-2120-8868-dbca-bc3b85f38b4b
• Content: Troubleshooting hybrid Azure Active Directory joined devices
• Content Source: articles/active-directory/devices/troubleshoot-hybrid-join-windows-current.md
• Service: active-directory
• Sub-service: devices
• GitHub Login: @MicrosoftGuyJFlo
• Microsoft Alias: joflore

[neeleshray-msft]

@PaulEstevesAtPEX Thanks for the question. We are currently investigating and will update you shortly.

[souravmishra-msft]

@PaulEstevesAtPEX, The WamDefaultSet is usually set to YES if the WebAccountManager has a default single-sign-in account available for the current user who is logging in. If the current user is signed-in to the device with an Azure AD user account, the default single-sign-in account will be their Azure AD user account.

Now, since WamDefaultSet is showing as ERROR, it looks like somewhere it fails to fetch the details about the user account and because of that it's also showing IsUserAzureAD set to NO.

It would be hard to share the details as what might be causing this issue. To fix this or understand the cause, getting a support case opened would be good so that a support technician can take a look at your environment and help you fix it.

Do let us know if any more quereis around this.

[soldevi]

I am seeing the same error. Strangely enough this is only happening on a couple of devices... These devices are having trouble showing up in Intune. We're currently piloting all of our devices to Intune via co-mgmt. Any idea as to where to log a ticket? SCCM support? Intune support? Azure support?

[soldevi]

Additional comment as I'm unable to edit above comment apparently. Currently trying out "dsregcmd.exe /leave" as per this article https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-troubleshooting#verify-the-device-registration-status

[GitHubbrr]

I have a ticket open with Intune support, he's saying that because this is a hybrid setup Intune support isn't covering this.

Also looking for the best place to log a ticket for this

[GitHubbrr]

Another note, AzureADPRT = NO This particular user does not have TPM. On other machines that also do not have TPM the PRT seems fine and the device is automatically registered.

[GitHubbrr]

Aha! I was trying to be fancy and using winRM to run the commands remotely.

When I log into the machine locally I do see the PRT and Wam being OK.

[soldevi]

Hmm so everything's okay then over there? I've also noticed I get different results depending on remote prompt...

Devices still aren't joining though. The "dsregcmd /leave" did trigger a duplicate entry in my AAD on one of those devices. Weird stuff. Either way. WAM isn't it. Going to contact support for this one.

[GitHubbrr]

Update, seems like I had to change the gpo from using the 'device credentials' to use 'user' instead. I think I originally had 'user' and it wasn't' working. Not sure what changed.

[souravmishra-msft]

@PaulEstevesAtPEX and @arcum, It looks like this issue would need proper investigation to understand where things are failing. Hence I would request you to create a support ticket with Azure AD support, so that they can get on call and help you further.

Closing this thread for now.

[csando]

Had the same issue here on some hybrid joined machines. I tried both with the MDM policy set to Device or User, it was the same result. I've typically used the user mod so I set it back to that.

I resolved it some problematic laptops with the following lengthy procedure:

Open regedit as admin on the affected laptop. HKLM\SOFTWARE\MICROSOFT\enrollments

Make sure its enrollmentS and not enrollment, as both of those exist.

Delete as many GUID looking keys in there as possible. Some you can't delete so you can leave them. Backup the keys first if you are so inclined.

Then:

• remove the user's workplace account from the laptop, sign out of Office
• admin CMD prompt: dsregcmd /leave
• resync AD, while you're doing that, reboot the laptop
• ensure device is back in azure ad, the log in as the user
• wait for it to register (if you have the policy set to do so) or admin CMD promt: dsregcmd /join
• ensure it is listed as registered in Azure AD now
• sign the user back into the workplace account either through the account menu or through an office app like Excel
• complete the enrollment workflow
• reboot the laptop again

If you're lucky, when you sign back in as the user, dsregcmd /status (run as the user) will now show: WAMdefaultSet YES AzureADPrt YES IsDeviceJoined YES IsUserAzureAD YES

One one laptop, it STILL hadn't appeared in Intune or as MDM managed in Azure AD Devices. So I left it to open a case with MS and let the user get on with their work.

In the meantime, sometime between 12 and 24h later, it magically enrolled itself and is now happily managed by Intune without any duplicates in the Azure AD.

The next laptop I tried this on appeared almost immediately in Intune. So if it doesn't appear right away, have some patience before doing more troubleshooting.

Maybe that can help you

[soldevi]

Hey @csando - yesterday I did only this "Delete as many GUID looking keys in there as possible. Some you can't delete so you can leave them. Backup the keys first if you are so inclined." -part

And today the device is co-managed. Woohoo! Superb. Thanks.

EDIT - btw before anyone asks, I contacted various support teams (SCCM - Intune) no one could help.

[Multiconecta]

Delete as many GUID looking keys in there as possible. Some you can't delete so you can leave them. Backup the keys first if you are so inclined.

What? Deleting stuff without knowing what it does? Only if I've tried every other alternative before. Well, that was my case and it worked wonderfully. Thank you.

I didn't left and/or joined via dsregcmd. If I remember well, I was not logged in Office apps and in Settings - Accounts there was only local AD joined. After boot and user logon, I've got WAMdefaultSet YES, AzureADPrt YES, IsDeviceJoined YES and IsUserAzureAD YES. My scenario was a little different, as my WamDefaultSet was NO, instead of ERROR. All other behaviors identical.

I'm not on company's site (Covid) and discovered the lack of connection with on premises AD Controller was part of the problem. I think I solved it connecting via VPN before logon.

Now I'm just hoping for your Post's last part is as correct as the rest of it:

In the meantime, sometime between 12 and 24h later, it magically enrolled itself and is now happily managed by Intune without any duplicates in the Azure AD.

[cosminmocan]

Had the same issue here on some hybrid joined machines. I tried both with the MDM policy set to Device or User, it was the same result. I've typically used the user mod so I set it back to that.

I resolved it some problematic laptops with the following lengthy procedure:

Open regedit as admin on the affected laptop. HKLM\SOFTWARE\MICROSOFT\enrollments

Make sure its enrollmentS and not enrollment, as both of those exist.

Delete as many GUID looking keys in there as possible. Some you can't delete so you can leave them. Backup the keys first if you are so inclined.

Then:

• remove the user's workplace account from the laptop, sign out of Office
• admin CMD prompt: dsregcmd /leave
• resync AD, while you're doing that, reboot the laptop
• ensure device is back in azure ad, the log in as the user
• wait for it to register (if you have the policy set to do so) or admin CMD promt: dsregcmd /join
• ensure it is listed as registered in Azure AD now
• sign the user back into the workplace account either through the account menu or through an office app like Excel
• complete the enrollment workflow
• reboot the laptop again

If you're lucky, when you sign back in as the user, dsregcmd /status (run as the user) will now show: WAMdefaultSet YES AzureADPrt YES IsDeviceJoined YES IsUserAzureAD YES

One one laptop, it STILL hadn't appeared in Intune or as MDM managed in Azure AD Devices. So I left it to open a case with MS and let the user get on with their work.

In the meantime, sometime between 12 and 24h later, it magically enrolled itself and is now happily managed by Intune without any duplicates in the Azure AD.

The next laptop I tried this on appeared almost immediately in Intune. So if it doesn't appear right away, have some patience before doing more troubleshooting.

Maybe that can help you

This worked for us aswell , however it will be extremely uncomfortable to do in our azure vdi environment... Did your ticket advance by any chance ?

Thank you for posting a workaround!

[csando]

This worked for us aswell , however it will be extremely uncomfortable to do in our azure vdi environment... Did your ticket advance by any chance ?

Thank you for posting a workaround!

Hey, no sorry that was the end of the ticket. Support didn't really have anything to tell em that I hadn't already tried. Their ultimate solution was this which works but I didn't really like it much:

• remove work/school account connection from user's profile.
• dsregcmd /leave
• reboot
• dsregcmd /join (as admin)
• log in as admin user, use settings menu or download company portal app to enroll machine in intune
• go back to regular user's account and sign them into office or work/school account as usual

However this left us with 1 azure AD device registered to the user, and a duplicate device which was enrolled in Intune. While it worked I suppose I wasn't satisfied with having duplicates!

Cheers!

[kbjohny]

Hi all :)

Try this: 1.Log in as problematic user and run as user command in powershell : dsregcmd /status if in User State section is error , logout from user and do next step. 2.Log as administrator , gop to c:\Users folder and change name profile of problematic user example kbjohny.b -> kbjohny.b_old . Logout from administrator account.

3. Login as problematic user and you loged as temporary profile. After few seconds logout from temporary profile.
4. Log in administrator and change name of problematic user back example kbjohny.b_old -> kbjohny.b. Logout from administrator account.
5. Login user account and WAMDefaultSet should work now fine.

Give feedback if works for You.

[bzfred]

Hi all :)

Try this: 1.Log in as problematic user and run as user command in powershell : dsregcmd /status if in User State section is error , logout from user and do next step. 2.Log as administrator , gop to c:\Users folder and change name profile of problematic user example kbjohny.b -> kbjohny.b_old . Logout from administrator account. 3. Login as problematic user and you loged as temporary profile. After few seconds logout from temporary profile. 4. Log in administrator and change name of problematic user back example kbjohny.b_old -> kbjohny.b. Logout from administrator account. 5. Login user account and WAMDefaultSet should work now fine.

Give feedback if works for You.

Hello,

We've had issues with work or school accounts in a hybrid environment for a long time

The symptoms are: outllok need password no popup the work or school account has disappeared and no popup to recreate it WamDefaultSet: Error in Dsregcmd /status

The solution was to delete the user profile and recreate it losing all user and programs customizations

Your solution works perfectly, it allows to recover quickly the user session and the possibility of recreating a professional or school profile without losing any user and programs settings

Thank you very much for sharing this solution.

Best regards