This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 13%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDR%3C/text%3E%3C/svg%3E)
Hi, I have Microsoft Entra hybrid joined windows device that have stopped getting a MDM. I was able to determine that Zoho EPC had assigned a MDM to my devices. I contacted EPC support and they gave me a script to remove the Zoho EPC MDM and that worked for a bit. As I started adding windows machines by enabling secure boot, verifying reagentc was enabled, and the local disk was not encrypted. I also ran the command dsregcmd.exe /debug /leave on these machines. I checked the reg on a couple of these machines for left over MDM information but there was non. I have looked over a couple of the windows machines event logs but nothing stuck out except for one had the message (CanEnroll Error: MDM enrollment is not allowed due to failed access check(administrator or allowed user, capability check) with HRESULT: (Access is denied.). I wasn't able to find anything online regarding this issue. When look at the windows device in azure the settings are: Enable = Yes, OS = Windows, Version = 10.0.19405.4046, Join Type = Microsoft Entra hybrid joined, Owner = n/a, user principal name = none, MDM = none, Compliant = n/a, registered = 2/28/24, activity = 2/28/24, group = none. I ran the command dsregcmd /status AzureADjoined = yes, Enterprised joined = no, domain joined = yes. The MDM and MAM are setup according to the documents. I just can't figure out why these machines are not getting a MDM enrolled. Any help would be greatly appreciated.
Update - I did find the Event ID 98 on one of the windows devices, anyone know how to resolve it?
CanEnroll Error: MDM enrollment is not allowed due to failed access check(administrator or allowed user, capability check) with HRESULT: (Access is denied.).
Thank you glebgreenspan, this is what has/is happening. I setup everything according to the instructions for Intune and 20 of my windows devices got assigned MDM after changing the BIOS settings for secure boot and enabling reagentc. After the first 20 any additional windows devices stopped getting MDM. After a bit of time, I discovered that Zoho EPC had assigned an MDM to all the remain windows devices. I removed the Zoho EPC MDM and went from 20 windows devices having MDM to 61. As I continued to enable secure boot reagentc none of these window's machines will get a MDM. I have removed these windows devices from Azure and ran the command dsregcmd.exe /debug /leave but yet none will get a MDM. I am stumped at why the any additional machines are not getting the MDM. Any help would be greatly appreciated.
Thanks, this is what has/is happening. I setup Intune according to the MS documentation. After enable secure boot and reagentc 21 of the Windows devices enrolled into Intune MDM. But after the first 21 the windows devices stop enrolloing into Intune MDM. After a bit of time I determined that Zoho EPC had assigned a MDM to the remaining Windows devices. I removed the Zoho EPC MDM and the count for Windows Intune MDM devices enrollment went to 72. As I enable secure boot and reagentc on the rest of the Window devices, but these Windows devices will not get the Intune MDM devices enrollment. I remove these additional Windows devices from our Azure portal and ran the command dsregcmd.exe /debug /leave. These Window device show back up in Azure after a bit of time with the following settings. Enable = Yes, OS = Windows, Version = 10.0.19405.4046, Join Type = Microsoft Entra hybrid joined, Owner = n/a, user principal name = none, MDM = none, Compliant = n/a, registered = 2/28/24, activity = 2/28/24, group = none. I ran the command dsregcmd /status AzureADjoined = yes, Enterprised joined = no, domain joined = yes. I don't know why these Windows devices are now not getting Intune MDM devices enrollment. Any help would be greatly appreciated.
Hello Daniel
It seems like you are facing some challenges in getting your Microsoft Entra hybrid joined Windows devices to enroll in the MDM (Mobile Device Management) system. Here are some troubleshooting steps you can take to resolve this issue:
1. Check MDM Configuration:
o Ensure that the MDM and MAM (Mobile Application Management) settings in Azure AD are correctly configured according to the documentation. Verify that the settings align with the requirements for your devices to enroll in the MDM system.
2. Verify Device Registration:
o Confirm that the Windows devices are properly registered with Azure AD and have the necessary permissions to enroll in the MDM system. Check the device registration status using the dsregcmd.exe /status command to ensure that AzureADjoined is set to "yes".
3. Check Device Compliance:
o Verify the compliance status of the devices in Azure AD. Ensure that the devices meet the compliance policies set in the MDM system. Check the compliance status in the Azure portal to see if there are any issues preventing enrollment.
4. Review Device Event Logs:
o Continue to review the event logs on the Windows devices for any error messages or warnings related to MDM enrollment. Look for any specific error codes or messages that may provide insight into why the devices are not enrolling in the MDM system.
5. Check Group Policies:
o Review any Group Policies that may be affecting MDM enrollment on the Windows devices. Ensure that there are no policies restricting MDM enrollment or conflicting with the MDM settings configured in Azure AD.
Hi Crystal and thank you for your response. I am not using GPO just Intune Windows Compliance Policy. 71 of the Windows devices have MDM using the current configuration.
As for other MDM enrollment those have been removed and I checked the reg key and there was no MDM assigned to the windows device.
The MDM user scope under Automatic enrollment is set as all.
All the users logging into domain joined windows machines have MS 365 office Premium licenses.
If I log into the user Windows 10 Pro machine with my admin AD account, the "AzureAdPrt" is yes with the following info.
AzureAdPrt : YES
AzureAdPrtUpdateTime : 2024-03-06 15:00:01.000 UTC
AzureAdPrtExpiryTime : 2024-03-20 15:00:00.000 UTC
AzureAdPrtAuthority : https://login.microsoftonline.com/46177761-ea6b-4444-b939-0760b03698fd
EnterprisePrt : NO
EnterprisePrtAuthority :
OnPremTgt : NO
CloudTgt : YES
KerbTopLevelNames : .windows.net,.windows.net:1433,.windows.net:3342,.azure.net,.azure.net:1433,.azure.net:3342
If I log into the user Windows 10 Pro machine with my non admin AD account the "AzureAdPrt" is no with the following info.
AzureAdPrt : NO
AzureAdPrtAuthority :
EnterprisePrt : NO
EnterprisePrtAuthority :
I don't know why there is two differnet results?
I did find the Event ID 98 on one of the windows devices, anyone know how to resolve it?
CanEnroll Error: MDM enrollment is not allowed due to failed access check(administrator or allowed user, capability check) with HRESULT: (Access is denied.).
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Daniel Ronald, Thanks for posting in Q&A. From your description, it seems you are enrolling Microsoft Entra hybrid joined windows devices into Intune. But some are failed. Please confirm if we enroll these devices via GPO enrollment.
In your description, it seems there are other MDM enrollment information may exist on the affected devices. For these affected devices, please remove the registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments to see if the enroll can be successful.
Meanwhile, for Microsoft Entra hybrid joined, I notice AzureADjoined and domainjoined are yes. Please also confirm the "AzureAdPrt" is also yes. If not, please follow the link below to troubleshoot.
https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-hybrid-join-windows-current
Meanwhile, please ensure MDM user scope under Automatic enrollment is set as all. And the device is login with the domain user which has both Microsoft Intune and Microsoft Entra ID license assigned.
Please try the above suggestion and if there's any update, feel free to let us know.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Hi Crystal and thank for your response.
If I understand this correctly, there are two options for enrollment the device into Intune, "Access school or work" or the way we are using "Using the enrollment options configure in the Intune admin center".
Yes, the 71 Windows devices are enrolled in the Intune portal.
For the Licenses Intune Plan 1 and Microsoft Entra ID P1 are required. The user has both.
The only event ID that I could find was “CanEnroll Error: MDM enrollment is not allowed due to failed access check(administrator or allowed user, capability check) with HRESULT: (Access is denied.).”
I am unable to find anything online to resolving this event ID.
Any help would be greatly appreciated
Thanks,
@Daniel Ronald
@Daniel Ronald, Thanks for the reply. For these enrolled devices, please check if they are Microsoft Entra joined. Based as I know, when you choose to configure automatic enrollment and join Microsoft Entra via Access work or school, the device will be Microsoft Entra Joined. For this type, it only allows Azure AD user account not domain user account to login the device. And when you join the device, the login user needs to be local administrator of the device. So you get the error in MDM with permission issue.
But for these affected devices, I notice they are already domain joined. For such scenario, the device needs to do Microsoft Entra Hybrid Join instead of Microsoft Entra Joined. Then the domain user can login the device. And we need to use GPO enrollment or Autopilot Microsoft Entra Joined enrolment method to enroll into Intune.
@Daniel Ronald, Hope the above information can help. If there's anything else we can help, feel free to let us know.
@Daniel Ronald, Thanks for the reply. Based as I know, to apply Compliance policy, we need to enroll the devices into Intune. I notice you don't use GPO enrollment. Could you let us know what steps you are doing to enroll these devices into Intune?
https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment-windows
I notice you mentioned 71 of the Windows devices have MDM. Could you let us know if the MDM is Microsoft Intune? Are these devices appearing in Intune portal ?https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/DevicesMenu/~/allDevices
For the license, I notice it is not one which include Microsoft Intune Plan 1 license. Please go to double confirm on this.
For the AzureADprt no, it means there was an error acquiring the PRT status from Microsoft Entra ID. And the Microsoft Entra hybrid joined not completed. Please follow the steps to troubleshoot to see if there's any finding.
or you can open case to contact Microsoft Entra support to firstly fix the Microsoft Entra hybrid joined issue.
https://learn.microsoft.com/en-us/entra/fundamentals/how-to-get-support