Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
5,057 questions
-- Removed --
Devices appear to unexpectedly attempt Intune Enrollment when adding Work Account
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 77%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAF%3C/text%3E%3C/svg%3E)
Adrian Forrester
20
Reputation points
On attempting to Add a Work account on a device that is included in Entra, the user will see our SSO screen and enter their credentials:
After clicking "Sign In" it then unexpectedly pops up a secondary sign-in screen, containing their username:
On picking the account it show a message "Hold on while we register the device and apply policy" but errors out with:
CAA301F4 doesn't appear on the provided WAMERRORS page. So I cannot understand what is going on.
For reference, we are using Entra Hybrid Sync as we are looking at deploying Intune. Users are still only on Microsoft 365 Business Standard, but would be upgraded before we aim to migrate to Intune. We have turned off all the Enrollment functions both in Intune and GPO we could find to see if this was part of the problem, as felt that this would be the cause, but we are still getting this issue.
The device is listed in Entra with a status of Pending. Trying to approach the issue using dsregcmd /join the operation completes, but looking at the dsregcmd /status output it shows a couple of errors:
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
NgcSet : NO
WorkplaceJoined : NO
WamDefaultSet : ERROR (0x80070520)
+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+
AzureAdPrt : NO
AzureAdPrtAuthority :
AcquirePrtDiagnostics : PRESENT
Previous Prt Attempt : 2024-07-27 20:04:58.650 UTC
Attempt Status : 0xc000023c
User Identity : username@domain.com
Credential Type : Password
Correlation ID :
Endpoint URI : https://login.microsoftonline.com/common/UserRealm/?user=domain.com&api-version=1.0&checkForMicrosoftAccount=false&fallback_domain=domain.onmicrosoft.com
HTTP Method :
HTTP Error : 0x80072ee7
HTTP status : 0
Server Error Code :
Server Error Description :
EnterprisePrt : NO
EnterprisePrtAuthority :
The endpoint URI, identity and correlation ID have been sanitised, however the Endpoint URI is accessible, which means the HTTP Error 80072ee7 doesn't make a whole lot of sense, but as it's an SSO error this seems to allude to there being an issue with how this is configured. This obviously blocks any additional attempt to sign-in to a work account, however if the user signs into Office or Teams they get the same CAA301F4 error message.
Is there anything that I should be looking at to resolve this, as this is affecting newly configured hardware, or users who haven't completed the Work sign-in, or have had to sign-out and back in to accounts.
{count} votes
-
Rahul Jindal [MVP] 10,116 Reputation points MVP2024-07-28T11:28:17.6633333+00:00 Let’s look at Hybrid join issue first. What does it say it say under user device registration event logs? Also, is your Azure connector running v.2.x or later version? Have you included user certificate attribute in the synchronisation settings? Is password hash enabled?
-
Adrian Forrester 20 Reputation points
2024-07-28T13:23:39.8533333+00:00 Hi. The connector is version 2.3.8, and I have Password Hash and Password Writeback enabled. I'm not sure which logs would be "User Device Registration", but I have the following:
The below are from the device:
AAD shows Error Event 1098
0xCAA90014But it is not in a federated environment, so I am not sure what it means. and Warning 1097
Error 0x007054BException of Type 'class DSReqException' at AcquireTokenContext.cpp line: 236, method: AcquireTokenContext::GetFallbackDomainLog: 0xcaac03f1 Failed to get the DC registration data, Cannot get the domain name.DeviceManagement-Enterprise-Diagnostics-Providor shows Error Event 76,
Auto MDM Enroll: Device Credential (0x0) Failed (The system tried to delete the JOIN of a drive that is not joined).Workplace Join logs are empty.
This is occurring even if the dsregcmd /leave has been run, I've tried removing the device in Entra and resyncing using Entra Connect, but the issue persists.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 27%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Raja Pothuraju 6,430 Reputation points Microsoft Vendor2024-08-01T20:53:23.8333333+00:00 Hello @Adrian Forrester,
Thank you for posting your query on Microsoft Q&A.
From your description, it seems you are trying to add a work or school account to a device by navigating to System settings >> Accounts >> Access work or school account >> Connect. This method will register the device with Microsoft Entra if it is unmanaged.
Since you mentioned that the device appears with a "Pending" status in Entra, it seems that the device is already synced with Entra as a Microsoft Entra Hybrid join. Can you check if the MDM column in Entra shows "None" or "Microsoft Intune" for that device?
Based on the error screenshot, this issue occurs when a user tries to join or register a Windows device, and the device falls under the scope of the MDM Enrollment policy. During device registration, the token may contain information about automatically enrolling in Intune. This can result in failure either due to navigation issues (as indicated by the error CAA301F4) or because the user does not have an Intune license assigned.
If the user does not have an Intune license, they should not be included in the MDM Enrollment policy scope. To resolve this issue, you can either assign an Intune license to the user or adjust the MDM Enrollment policy scope to include only those users who have Intune licenses.
As you confirmed, you have deactivated any enrollment policies and it was still going through Intune enrollment, I would like to check this up offline with you to understand the scenario to see why this kind of behavior is occurring and please send us an email on azcommunity@microsoft.com referencing this issue with a subject line "ATTN:pothurajur" include a link to the current thread.
Thanks,
Raja Pothuraju. -
Raja Pothuraju 6,430 Reputation points Microsoft Vendor
2024-08-05T06:45:38.38+00:00 Hello @Adrian Forrester,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
-
Raja Pothuraju 6,430 Reputation points Microsoft Vendor
2024-08-06T08:39:06.9533333+00:00 Hello @Adrian Forrester,
Following up to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Sign in to comment
2 answers
Sort by: Most helpful
-
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 61%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EXM%3C/text%3E%3C/svg%3E)
Xenia-MSFT 2,260 Reputation points Microsoft Vendor2024-07-29T02:33:28.81+00:00 @Adrian Forrester Thanks for posting in our Q&A.
For this issue, we appreciate your help to collect some information:
1.Which method did you use to enroll this device? GPO enrollment?
2.Please run "dsregcmd /status" to check the join status.
DomainJoined YES
WorkplaceJoined NO
AzureAdJoined YES
3.Please show the screen shot of the "Previous Registration" subsection in the "Diagnostic Data" section of the join status output.
If there is anything update, feel free to let us know.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
-
Xenia-MSFT 2,260 Reputation points Microsoft Vendor
2024-07-31T02:25:11.2333333+00:00 @Adrian Forrester Is there anything update? If yes, please let us know and we will continue to discuss this issue
-
Adrian Forrester 20 Reputation points
2024-07-31T08:03:12.46+00:00 Hi @Xenia-MSFT it does appear that the issues were related to a misconfiguration of Intune Auto-Enrollment, we have users that are on Business Standard and Business Premium licenses, and it appears that even though we had tried to set it so that only appropriate people were registered there must have been a parameter set incorrectly as it was showing up for Business Standard users.
Subsequently, we have deactivated any enrollment policies while we work to update both licenses and complete further configuration testing.
Sign in to comment -