Tier II:
Okta:
Search for the computer in Okta Admin Console under Directory -> Devices. If it's not there, enroll the user in Okta Verify using the directions at https://afge.helpjuice.com/employee-technology-use-guides/signing-into-okta-verify?from_search=184870913
If it is listed but unmanaged, skip to the Intune section of this document. If it shows both managed and unmanaged users, have the user log out of Okta and then log back in using the Fastpass option. Please note, you will probably need to click “Back to sign in” on the Okta sign-in page, as it will usually default to other sign-in methods.
If the user still shows unmanaged, open Okta Verify, select the User, and select Remove account. Follow the above steps to re-enroll and then do another Fastpass login. If the problem persists, escalate to tier III.
If Okta Verify doesn't open, end it in Task Manager and try again. If Okta Verify still won't open, uninstall it with the Microsoft Uninstall tool: https://support.microsoft.com/en-us/topic/fix-problems-that-block-programs-from-being-installed-or-removed-cca7d1b6-65a9-3d98-426b-e9f927e1eb4d
Reboot, and reinstall with a fresh copy from the Okta Admin portal's Download section.
Once the computer is enrolled in Okta, if it still shows unmanaged, continue to the Intune section.
Intune:
In the Office 365 Admin Portal, search for the user. Make sure they have an E3 license assigned and that the Microsoft Intune Plan 1 app is selected.
In Ninja, run the InTune Enrollment task, let it complete, and then run the Manually Add to Intune task.
Open Task Scheduler as admin, go to the Task Scheduler Library, and run the MDMAutoEnroll task.
To verify a successful enrollment, open Event Viewer as admin and expand Applications and Services Logs → Microsoft → Windows → DeviceManagement-Enterprise-Diagnostics-Provider, then select the Enrollment logs. You should see several event logs ending in “successful” or “succeeded”; event ID 58 shows the final enrollment. If you do not see these, escalate to tier III.
If enrollment succeeded, it can take up to 1 hour for the device to be fully joined to Intune. Once you have verified in Intune, log into Okta with Fastpass and the issue should be resolved. If device trust continues to fail, engage tier III.
Tier III:
Okta:
If a specific user is unmanaged but other users are working, evaluate the user's Okta and Office 365 accounts. If they both look good, open an Okta ticket.
Entra:
If the computer itself is the failure, check first in Entra; if the device is not enrolled, nothing else will work. If the device isn't there, open an elevated command prompt and run “dsregcmd /leave”. Reboot the workstation, log back in, wait a couple of minutes, open an elevated command prompt, and run “dsregcmd /join”. Once this completes, run “dsregcmd /status”.
The output contains a lot of information, but the most important part is the Tenant Details section, and specifically the Mdm info. If that is empty, Intune can't enroll, and the machine is not enrolling properly. If the results don't look like the screenshot below, review the System logs for errors and/or engage Microsoft support.
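The check described above can be scripted. This is an added example, not part of the original procedure or any existing tooling: the function names and the sample text are hypothetical, and it assumes the AzureAdJoined and MdmUrl fields of the “dsregcmd /status” output are the ones to read.

```powershell
# Added example, not the organization's own tooling.
# Parse "dsregcmd /status" text into key/value pairs.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # Data lines look like "   AzureAdJoined : YES". Banner rows ("| Tenant Details |")
        # and blank lines do not match and are skipped.
        if ($line -match '^\s*([A-Za-z][\w-]*)\s*:\s*(.*)$') {
            $fields[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $fields
}

# Map the parsed fields to the next step in the Entra procedure above.
function Get-DeviceJoinVerdict {
    param([hashtable]$Fields)
    $joined = $Fields['AzureAdJoined'] -eq 'YES'   # assumption: this field is the join signal
    $mdmSet = -not [string]::IsNullOrWhiteSpace($Fields['MdmUrl'])
    $verdict = if (-not $joined) {
        'Not joined: dsregcmd /leave, reboot, dsregcmd /join'
    } elseif (-not $mdmSet) {
        'Joined, but Mdm info is empty: Intune cannot enroll'
    } else {
        'Joined and Mdm info present: continue to the Intune section'
    }
    [pscustomobject]@{
        AzureAdJoined = $joined
        TenantName    = $Fields['TenantName']
        MdmUrl        = $Fields['MdmUrl']
        Verdict       = $verdict
    }
}

# Constructed sample output (not captured from a real device): joined, MdmUrl empty.
$sample = @'
| Device State                                                         |
             AzureAdJoined : YES
              DomainJoined : NO
| Tenant Details                                                       |
                TenantName : Example Org
                    MdmUrl :
'@ -split "`r?`n"

Get-DeviceJoinVerdict (ConvertFrom-DsregStatus $sample)
# On a live workstation: Get-DeviceJoinVerdict (ConvertFrom-DsregStatus (dsregcmd /status))
```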
Intune:
If everything else looks good, Intune will typically just enroll. If the computer still doesn't appear, re-run Intune Enrollment in Ninja, then open Task Scheduler as admin and run the MDMAutoEnroll task again. Once that completes, review the logs in Applications and Services Logs → Microsoft → Windows → DeviceManagement-Enterprise-Diagnostics-Provider → Enrollment for further information and troubleshooting.