In this post, you will learn how to fix the Invalid_Client error experienced while registering Windows devices to Intune. The error may appear when you provision a device using Windows Autopilot, or when you manually join or register the device with Azure AD.
I came across the invalid_client error when trying to initiate the Windows Autopilot user-driven process. After connecting to a network, the user is prompted for Azure AD credentials and signs in with corp credentials.
There are different methods to enroll Windows 11 PCs in Intune. You can use the MDM auto-enrollment option from Azure AD to automatically register Azure AD joined Windows 10/11 PCs. You can also use Intune Group Policy to enroll Hybrid Azure AD joined devices to Intune automatically.
Windows AutoPilot Invalid_Client Error
When you authenticate while setting up a device in OOBE, you might get the "Something went wrong" prompt with the following error:
- Error: invalid_client
- Error subcode:
- Description: failed%20to%20authenticate%20user.
The first step is to validate the license assignment for the users. You must select the available license for the user. If you don't assign the user a license, they'll be unable to connect the device in Intune.
Whether you manually add users or synchronize them from your on-premises Active Directory, you must assign each user an Intune license before they can enroll their devices in Intune. Here you can see "No license assignments found" for the users trying to sign in during the enrollment process.
FIX Intune Windows AutoPilot Enrollment Invalid_Client Error
You can use the Microsoft Intune admin center or Azure Active Directory portal to manually add cloud-based users and assign licenses to both cloud-based user accounts and accounts synchronized from your on-premises Active Directory to Azure AD.
Windows Autopilot depends on specific capabilities available in Windows client and Azure AD. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs. One of the following subscriptions is required:
- Microsoft 365 Business Premium subscription
- Microsoft 365 F1 or F3 subscription
- Microsoft 365 Academic A1, A3, or A5 subscription
- Microsoft 365 Enterprise E3 or E5 subscription includes all Windows client, Microsoft 365, and EMS features (Azure AD and Intune).
- Enterprise Mobility + Security E3 or E5 subscription includes all needed Azure AD and Intune features.
- Intune for Education subscription includes all needed Azure AD and Intune features.
- Azure Active Directory Premium P1 or P2 and Microsoft Intune subscription (or an alternative MDM service)
In the Azure AD node, navigate to All users and search for the user. In the left pane, select Licenses and click Assignments. Select the available license. I chose Enterprise Mobility + Security E5, kept all default license options selected, and clicked Save.
Once the license has been assigned, you should be able to perform Windows Autopilot deployment and join Windows 10 or Windows 11 to Azure AD using work or school accounts.
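The same license check can be scripted before retrying enrollment. The following is an added example, not part of the original post: it uses the Microsoft Graph PowerShell SDK to report whether each user has an Intune and an Azure AD Premium service plan that is actually provisioned, since a SKU can be assigned with individual plans switched off. The function name `Test-EnrollmentLicense` and the sample UPN are hypothetical, and the plan names checked (`INTUNE_A`, `AAD_PREMIUM`, `AAD_PREMIUM_P2`) assume the tenant licenses Intune and Azure AD Premium through those plans.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users

function Test-EnrollmentLicense {
    # Hypothetical helper: reports license readiness for Intune enrollment.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]] $UserPrincipalName
    )
    begin {
        # Assumed service plan names; adjust if your tenant uses other plans.
        $intunePlans = @('INTUNE_A')
        $aadPlans    = @('AAD_PREMIUM', 'AAD_PREMIUM_P2')
    }
    process {
        foreach ($upn in $UserPrincipalName) {
            try {
                $details = @(Get-MgUserLicenseDetail -UserId $upn -All -ErrorAction Stop)
            } catch {
                Write-Warning "Could not read licenses for ${upn}: $($_.Exception.Message)"
                continue
            }
            # Count only plans that finished provisioning. An assigned SKU
            # with the Intune plan disabled still blocks enrollment.
            $active = @($details.ServicePlans |
                Where-Object { $_.ProvisioningStatus -eq 'Success' } |
                ForEach-Object { $_.ServicePlanName })

            [pscustomobject]@{
                User         = $upn
                AssignedSkus = $details.SkuPartNumber -join ', '
                Intune       = [bool]($active | Where-Object { $_ -in $intunePlans })
                AadPremium   = [bool]($active | Where-Object { $_ -in $aadPlans })
            }
        }
    }
}

# Read-only delegated scope is enough to list license details.
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

# Constructed sample UPN; replace with the accounts that hit invalid_client.
'user@contoso.example' | Test-EnrollmentLicense | Format-Table -AutoSize
```

A user with an empty `AssignedSkus` column matches the "No license assignments found" state described above; `Intune` showing `False` with a SKU present means the plan was deselected during assignment.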
About Author – Jitesh, Microsoft MVP, has over five years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10/11 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.