Devices appear to unexpectedly attempt Intune Enrollment when adding Work Account
On attempting to Add a Work account on a device that is included in Entra, the user will see our SSO screen and enter their credentials:
After clicking "Sign In" it then unexpectedly pops up a secondary sign-in screen, containing their username:
On picking the account it shows a message "Hold on while we register the device and apply policy" but errors out with:
CAA301F4 doesn't appear on the provided WAMERRORS page. So I cannot understand what is going on.
For reference, we are using Entra Hybrid Sync as we are looking at deploying Intune. Users are still only on Microsoft 365 Business Standard, but would be upgraded before we aim to migrate to Intune. We have turned off all the Enrollment functions both in Intune and GPO we could find to see if this was part of the problem, as we felt that this would be the cause, but we are still getting this issue.
The device is listed in Entra with a status of Pending. Trying to approach the issue using dsregcmd /join, the operation completes, but looking at the dsregcmd /status output it shows a couple of errors:
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
NgcSet : NO
WorkplaceJoined : NO
WamDefaultSet : ERROR (0x80070520)
+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+
AzureAdPrt : NO
AzureAdPrtAuthority :
AcquirePrtDiagnostics : PRESENT
Previous Prt Attempt : 2024-07-27 20:04:58.650 UTC
Attempt Status : 0xc000023c
User Identity : username@domain.com
Credential Type : Password
Correlation ID :
Endpoint URI : https://login.microsoftonline.com/common/UserRealm/?user=domain.com&api-version=1.0&checkForMicrosoftAccount=false&fallback_domain=domain.onmicrosoft.com
HTTP Method :
HTTP Error : 0x80072ee7
HTTP status : 0
Server Error Code :
Server Error Description :
EnterprisePrt : NO
EnterprisePrtAuthority :
The endpoint URI, identity and correlation ID have been sanitised; however, the Endpoint URI is accessible, which means the HTTP Error 80072ee7 doesn't make a whole lot of sense, but as it's an SSO error this seems to allude to there being an issue with how this is configured. This obviously blocks any additional attempt to sign in to a work account; however, if the user signs into Office or Teams they get the same CAA301F4 error message.
Is there anything that I should be looking at to resolve this, as this is affecting newly configured hardware, or users who haven't completed the Work sign-in, or have had to sign out and back in to accounts?
2 answers
Xenia-MSFT 2,260 Reputation points Microsoft Vendor
2024-07-29T02:33:28.81+00:00
@Adrian Forrester Thanks for posting in our Q&A.
For this issue, we appreciate your help to collect some information:
1. Which method did you use to enroll this device? GPO enrollment?
2. Please run "dsregcmd /status" to check the join status.
DomainJoined YES
WorkplaceJoined NO
AzureAdJoined YES
3. Please show the screenshot of the "Previous Registration" subsection in the "Diagnostic Data" section of the join status output.
If there is any update, feel free to let us know.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
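The question's dsregcmd /status output and the answer's request to check the join status both come down to reading a handful of fields from that output. The script below is an added example, not code from the thread or from Microsoft: it parses the output (live, or a constructed sample built from the values quoted above), flags the join/PRT/WAM fields this thread turns on, and decodes the three error codes the question quotes using their standard Windows definitions. The Resolve-DnsName and Test-NetConnection checks at the end are assumptions about what to verify next, not something the thread states.

```powershell
# Added example, not from the thread. Run as the affected user on the affected
# device (User State / SSO State are per-user); -UseSample parses the
# constructed sample below instead, so the script can be read offline.
param([switch]$UseSample)

# Constructed sample: the question's User State / SSO State values plus the
# AzureAdJoined/DomainJoined lines the answer asks to check.
$sample = @'
             AzureAdJoined : YES
              DomainJoined : YES
                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : ERROR (0x80070520)
                AzureAdPrt : NO
      Previous Prt Attempt : 2024-07-27 20:04:58.650 UTC
            Attempt Status : 0xc000023c
              Endpoint URI : https://login.microsoftonline.com/common/UserRealm/?user=domain.com&api-version=1.0
                HTTP Error : 0x80072ee7
'@

# Standard Windows definitions of the codes quoted in the question.
$codes = @{
    '0x80070520' = 'ERROR_NO_SUCH_LOGON_SESSION (1312): no usable logon session behind the WAM default account'
    '0xc000023c' = 'STATUS_NETWORK_UNREACHABLE: the PRT request could not reach the network from this session'
    '0x80072ee7' = 'ERROR_INTERNET_NAME_NOT_RESOLVED (12007): WinINet could not resolve the endpoint host name'
}

$lines  = if ($UseSample) { $sample -split "`r?`n" } else { & dsregcmd.exe /status }
$fields = @{}
foreach ($l in $lines) {
    # "Key : Value"; the key is letters/spaces up to the first colon, so URL values stay intact.
    if ($l -match '^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$') { $fields[$Matches[1]] = $Matches[2].Trim() }
}
function Get-Field([string]$n) { if ($fields.ContainsKey($n)) { $fields[$n] } else { '' } }

$findings = @()
if ((Get-Field 'AzureAdJoined') -ne 'YES') { $findings += 'AzureAdJoined is not YES: device registration itself is incomplete.' }
if ((Get-Field 'AzureAdPrt')    -ne 'YES') { $findings += 'AzureAdPrt is NO: no Primary Refresh Token, so WAM sign-in (Office, Teams, Add work account) fails.' }
foreach ($k in 'WamDefaultSet', 'Attempt Status', 'HTTP Error') {
    $v = Get-Field $k
    if ($v -match '0x[0-9a-fA-F]{8}') {
        $code    = $Matches[0].ToLower()
        $meaning = if ($codes.ContainsKey($code)) { $codes[$code] } else { 'not decoded here' }
        $findings += "$k = $v -> $meaning"
    }
}
if ($findings.Count -eq 0) { 'No join/PRT/WAM problems found in dsregcmd output.' } else { $findings }

# Live run only: name resolution and TLS reachability from this same user session,
# since name-not-resolved plus network-unreachable suggests DNS/proxy rather than the tenant.
if (-not $UseSample) {
    Resolve-DnsName login.microsoftonline.com -ErrorAction SilentlyContinue | Select-Object Name, IPAddress
    Test-NetConnection login.microsoftonline.com -Port 443 | Select-Object ComputerName, TcpTestSucceeded
}
```

Run it once as the affected user and once as a known-good user on the same device; if only the affected session shows the name-resolution failure, the difference is in that session's DNS or proxy path rather than in Intune or Entra configuration.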