MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

WamDefaultSet : ERROR #51830

Closed GitHubbrr closed 4 years ago

GitHubbrr commented 4 years ago

I am seeing WamDefaultSet : ERROR under User State. Any insight? Also seeing IsUserAzureAD : NO, which is not the case, user has an AAD account.



neeleshray-msft commented 4 years ago

@PaulEstevesAtPEX Thanks for the question. We are currently investigating and will update you shortly.

souravmishra-msft commented 4 years ago

@PaulEstevesAtPEX, The WamDefaultSet is usually set to YES if the WebAccountManager has a default single-sign-in account available for the current user who is logging in. If the current user is signed-in to the device with an Azure AD user account, the default single-sign-in account will be their Azure AD user account.

Now, since WamDefaultSet is showing as ERROR, it looks like somewhere it fails to fetch the details about the user account and because of that it's also showing IsUserAzureAD set to NO.

It would be hard to share the details as to what might be causing this issue. To fix this or understand the cause, getting a support case opened would be good so that a support technician can take a look at your environment and help you fix it.

Do let us know if you have any more queries around this.

soldevi commented 4 years ago

I am seeing the same error. Strangely enough this is only happening on a couple of devices... These devices are having trouble showing up in Intune. We're currently piloting all of our devices to Intune via co-mgmt. Any idea as to where to log a ticket? SCCM support? Intune support? Azure support?

soldevi commented 4 years ago

Additional comment as I'm unable to edit above comment apparently. Currently trying out "dsregcmd.exe /leave" as per this article https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-troubleshooting#verify-the-device-registration-status

GitHubbrr commented 4 years ago

I have a ticket open with Intune support, he's saying that because this is a hybrid setup Intune support isn't covering this.

Also looking for the best place to log a ticket for this

GitHubbrr commented 4 years ago

Another note, AzureADPRT = NO. This particular user does not have TPM. On other machines that also do not have TPM the PRT seems fine and the device is automatically registered.

GitHubbrr commented 4 years ago

Aha! I was trying to be fancy and using winRM to run the commands remotely.

When I log into the machine locally I do see the PRT and Wam being OK.
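
The four `dsregcmd /status` fields this thread keeps returning to can be checked in one pass, with a warning when the command runs over WinRM, where the comment above reports different User State results than a local logon. This is an added example, not code from any participant in the thread; the function names are hypothetical and the sample output is constructed.

```powershell
# Added example: parse `dsregcmd /status` and report the fields discussed in this thread.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $fields = @{}   # PowerShell hashtable keys are case-insensitive
    foreach ($line in $Lines) {
        # Status lines look like "        WamDefaultSet : YES"; banner lines do not match.
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    $fields
}

function Test-DsregUserState {
    param([hashtable]$Status)
    # Field names as quoted in the thread.
    $watched = 'IsDeviceJoined', 'IsUserAzureAD', 'WamDefaultSet', 'AzureAdPrt'
    foreach ($name in $watched) {
        $value = if ($Status.ContainsKey($name)) { $Status[$name] } else { '<missing>' }
        [pscustomobject]@{ Field = $name; Value = $value; Ok = ($value -eq 'YES') }
    }
}

# $PSSenderInfo is only populated inside a PowerShell remoting (WinRM) session.
if ($PSSenderInfo) {
    Write-Warning 'Remote session: User State fields may differ from what the user sees when signed in locally.'
}

# Constructed sample resembling the values reported in this thread.
$sample = @(
    '             IsDeviceJoined : YES'
    '              IsUserAzureAD : NO'
    '              WamDefaultSet : ERROR'
    '                 AzureAdPrt : NO'
)

# On a real machine, in the user's own logon session, replace $sample with: (dsregcmd.exe /status)
Test-DsregUserState (ConvertFrom-DsregStatus $sample) | Format-Table -AutoSize
```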

soldevi commented 4 years ago

Hmm so everything's okay then over there? I've also noticed I get different results depending on remote prompt...

Devices still aren't joining though. The "dsregcmd /leave" did trigger a duplicate entry in my AAD on one of those devices. Weird stuff. Either way. WAM isn't it. Going to contact support for this one.

GitHubbrr commented 4 years ago

Update, seems like I had to change the GPO from using the 'device credentials' to use 'user' instead. I think I originally had 'user' and it wasn't working. Not sure what changed.

souravmishra-msft commented 4 years ago

@PaulEstevesAtPEX and @arcum, It looks like this issue would need proper investigation to understand where things are failing. Hence I would request you to create a support ticket with Azure AD support, so that they can get on call and help you further.

Closing this thread for now.

csando commented 4 years ago

Had the same issue here on some hybrid joined machines. I tried both with the MDM policy set to Device or User, it was the same result. I've typically used the user mode so I set it back to that.

I resolved it on some problematic laptops with the following lengthy procedure:

Open regedit as admin on the affected laptop. HKLM\SOFTWARE\MICROSOFT\enrollments

Make sure it's enrollmentS and not enrollment, as both of those exist.

Delete as many GUID looking keys in there as possible. Some you can't delete so you can leave them. Backup the keys first if you are so inclined.

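Then:

  • remove the user's workplace account from the laptop, sign out of Office
  • admin CMD prompt: dsregcmd /leave
  • resync AD, while you're doing that, reboot the laptop
  • ensure device is back in Azure AD, then log in as the user
  • wait for it to register (if you have the policy set to do so) or admin CMD prompt: dsregcmd /join
  • ensure it is listed as registered in Azure AD now
  • sign the user back into the workplace account either through the account menu or through an Office app like Excel
  • complete the enrollment workflow
  • reboot the laptop again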

If you're lucky, when you sign back in as the user, dsregcmd /status (run as the user) will now show: WAMdefaultSet YES, AzureADPrt YES, IsDeviceJoined YES, IsUserAzureAD YES

On one laptop, it STILL hadn't appeared in Intune or as MDM managed in Azure AD Devices. So I left it to open a case with MS and let the user get on with their work.

In the meantime, sometime between 12 and 24h later, it magically enrolled itself and is now happily managed by Intune without any duplicates in the Azure AD.

The next laptop I tried this on appeared almost immediately in Intune. So if it doesn't appear right away, have some patience before doing more troubleshooting.

Maybe that can help you
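
The backup step mentioned in the procedure above can be done before anything under the Enrollments key is touched: export the whole key, then list the GUID-named subkeys so it is clear what each one holds. This is an added example, not part of the original comment; the backup folder is a hypothetical location, and the script only reads the registry.

```powershell
# Added example: back up and inventory HKLM\SOFTWARE\Microsoft\Enrollments. Run elevated.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$backupDir = Join-Path $env:TEMP 'EnrollmentsBackup'   # hypothetical location, change as needed
$guidLike  = '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$'

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$backupFile = Join-Path $backupDir ("Enrollments-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))

# Full export of the key, so it can be restored later with: reg import <file>
& reg.exe export 'HKLM\SOFTWARE\Microsoft\Enrollments' $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# Inventory of the GUID-looking subkeys: which values and child keys each one contains.
Get-ChildItem -Path $keyPath |
    Where-Object { $_.PSChildName -match $guidLike } |
    ForEach-Object {
        [pscustomobject]@{
            Subkey     = $_.PSChildName
            ValueNames = ($_.GetValueNames() -join ', ')
            ChildKeys  = $_.SubKeyCount
        }
    } | Format-List

Write-Host "Backup written to $backupFile"
```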

soldevi commented 4 years ago

Hey @csando - yesterday I did only this "Delete as many GUID looking keys in there as possible. Some you can't delete so you can leave them. Backup the keys first if you are so inclined." -part

And today the device is co-managed. Woohoo! Superb. Thanks.

EDIT - btw before anyone asks, I contacted various support teams (SCCM - Intune) no one could help.

Multiconecta commented 4 years ago

> Delete as many GUID looking keys in there as possible. Some you can't delete so you can leave them. Backup the keys first if you are so inclined.

What? Deleting stuff without knowing what it does? Only if I've tried every other alternative before. Well, that was my case and it worked wonderfully. Thank you.

I didn't leave and/or join via dsregcmd. If I remember well, I was not logged in Office apps and in Settings - Accounts there was only local AD joined. After boot and user logon, I've got WAMdefaultSet YES, AzureADPrt YES, IsDeviceJoined YES and IsUserAzureAD YES. My scenario was a little different, as my WamDefaultSet was NO, instead of ERROR. All other behaviors identical.

I'm not on company's site (Covid) and discovered the lack of connection with on premises AD Controller was part of the problem. I think I solved it connecting via VPN before logon.

Now I'm just hoping your post's last part is as correct as the rest of it:

> In the meantime, sometime between 12 and 24h later, it magically enrolled itself and is now happily managed by Intune without any duplicates in the Azure AD.

cosminmocan commented 4 years ago

> Had the same issue here on some hybrid joined machines. I tried both with the MDM policy set to Device or User, it was the same result. I've typically used the user mode so I set it back to that.
>
> I resolved it on some problematic laptops with the following lengthy procedure:
>
> Open regedit as admin on the affected laptop. HKLM\SOFTWARE\MICROSOFT\enrollments
>
> Make sure it's enrollmentS and not enrollment, as both of those exist.
>
> Delete as many GUID looking keys in there as possible. Some you can't delete so you can leave them. Backup the keys first if you are so inclined.
>
> Then:
>
>   • remove the user's workplace account from the laptop, sign out of Office
>   • admin CMD prompt: dsregcmd /leave
>   • resync AD, while you're doing that, reboot the laptop
>   • ensure device is back in Azure AD, then log in as the user
>   • wait for it to register (if you have the policy set to do so) or admin CMD prompt: dsregcmd /join
>   • ensure it is listed as registered in Azure AD now
>   • sign the user back into the workplace account either through the account menu or through an Office app like Excel
>   • complete the enrollment workflow
>   • reboot the laptop again
>
> If you're lucky, when you sign back in as the user, dsregcmd /status (run as the user) will now show: WAMdefaultSet YES, AzureADPrt YES, IsDeviceJoined YES, IsUserAzureAD YES
>
> On one laptop, it STILL hadn't appeared in Intune or as MDM managed in Azure AD Devices. So I left it to open a case with MS and let the user get on with their work.
>
> In the meantime, sometime between 12 and 24h later, it magically enrolled itself and is now happily managed by Intune without any duplicates in the Azure AD.
>
> The next laptop I tried this on appeared almost immediately in Intune. So if it doesn't appear right away, have some patience before doing more troubleshooting.
>
> Maybe that can help you

This worked for us as well, however it will be extremely uncomfortable to do in our Azure VDI environment... Did your ticket advance by any chance?

Thank you for posting a workaround!

csando commented 4 years ago

> This worked for us as well, however it will be extremely uncomfortable to do in our Azure VDI environment... Did your ticket advance by any chance?
>
> Thank you for posting a workaround!

Hey, no sorry that was the end of the ticket. Support didn't really have anything to tell me that I hadn't already tried. Their ultimate solution was this which works but I didn't really like it much:

However this left us with 1 azure AD device registered to the user, and a duplicate device which was enrolled in Intune. While it worked I suppose I wasn't satisfied with having duplicates!

Cheers!

kbjohny commented 2 years ago

Hi all :)

Try this:

  1. Log in as the problematic user and, as the user, run this command in PowerShell: dsregcmd /status. If the User State section shows an error, log out from the user and do the next step.
  2. Log in as administrator, go to the c:\Users folder and change the profile name of the problematic user, for example kbjohny.b -> kbjohny.b_old. Log out from the administrator account.
  3. Log in as the problematic user; you will be logged in with a temporary profile. After a few seconds, log out from the temporary profile.
  4. Log in as administrator and change the name of the problematic user back, for example kbjohny.b_old -> kbjohny.b. Log out from the administrator account.
  5. Log in to the user account and WAMDefaultSet should now work fine.

Give feedback if it works for you.

bzfred commented 2 years ago

> Hi all :)
>
> Try this:
>
>   1. Log in as the problematic user and, as the user, run this command in PowerShell: dsregcmd /status. If the User State section shows an error, log out from the user and do the next step.
>   2. Log in as administrator, go to the c:\Users folder and change the profile name of the problematic user, for example kbjohny.b -> kbjohny.b_old. Log out from the administrator account.
>   3. Log in as the problematic user; you will be logged in with a temporary profile. After a few seconds, log out from the temporary profile.
>   4. Log in as administrator and change the name of the problematic user back, for example kbjohny.b_old -> kbjohny.b. Log out from the administrator account.
>   5. Log in to the user account and WAMDefaultSet should now work fine.
>
> Give feedback if it works for you.

Hello,

We've had issues with work or school accounts in a hybrid environment for a long time.

The symptoms are:

  • Outlook needs a password, with no popup
  • the work or school account has disappeared, with no popup to recreate it
  • WamDefaultSet: Error in dsregcmd /status

The solution was to delete the user profile and recreate it, losing all user and program customizations.

Your solution works perfectly; it allows us to quickly recover the user session and to recreate a work or school profile without losing any user and program settings.

Thank you very much for sharing this solution.

Best regards