This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 91%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
I'm having an issue auto enrolling all devices to EndPoint Manager/Intune, the devices are successfully joining as Azure AD joined devices.
I have recently configured EndPoint Manager with Hybrid autoenrollment, i have configured the following:
dsregcmd /status clearly shows the devices joined as Azure AD Joined
Joining the device manually (Enrol only in device management) via Access and work or school joins the device successfully.
Checking the logs DeviceManagement Logs i get event ID 81 (warning) and 76 (error)
Auto MDM Enroll Impersonation Failure (Unknown Win32 Error code: 0x82aa0008)
Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x82aa0008)
Edited: now seeing error Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x80192ee2)
I have rebooted a device several times
disjoined and removed the AAD
removed the sync scope of AAD
then repeated to join process (moving it back into the Sync OU)
Will appreciate any help
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 66%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENH%3C/text%3E%3C/svg%3E)
If the device shows as Azure AD Joined when you run dsregcmd /status then it should be Hybrid Azure AD Joined (you can verify the device in the Azure portal). How long have you waited for the device to enrol? From my experience the event log fills up with enrolment errors, and then the device enrols hours later. Is the user that is logged on assigned an Azure AD Premium and an Intune license?
I have waited several hours and yes the user has the Enterprise Mobility+E3 license applied which also includes Azure AD P1.
There is a schedule task in Windows\EnterpriseMgmgt named 'Schedule to created by enrollment client for automatic enrolling' i have ran this manually with no success.
@psshutdown Thanks for posting in our Q&A.
The "Schedule created by enrollment client for automatically enrolling in MDM from AAD" task may not start in the following situations:
For more detailed information, we can read the following article as a reference:
https://learn.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-windows-auto-enrollment#troubleshooting
Hope it will help.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thank you for the info.
I have ran gpupdate /force and get the error, however the following link states it can be ignored?
https://learn.microsoft.com/en-us/troubleshoot/mem/intune/windows-failed-to-apply-mdm-policy
The following warnings were encountered during computer policy processing:
Windows failed to apply the MDM Policy settings. MDM Policy settings might have its own log file. Please click on the "More information" link.
User Policy update has completed successfully.
For more detailed information, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
@psshutdown Thanks for your response.
Given this situation, it is needed to check more background information. So we suggest to open a case to check on this. It is free. The following link describes how to open a case, we can refer to it:
https://learn.microsoft.com/en-us/mem/intune/fundamentals/get-support
Hope this issue will be solved as soon as possible.
I have done some further digging and found the MDM Url's are not the same when running dsregcmd /status
MdmUrl : https://mydomain.com.xm.cloud.com:8443/zdm/wpe
MdmTouUrl : https://mydomain.com.xm.cloud.com:8443/zdm/wpe/tou
MdmComplianceUrl : https://complianceUrl
This is Citrix MDM and autoDiscovery is configured, next step find out where this is configured so i can change it.
Is it possible to change these URLs manualy on a single device to test?
It is configured here, but that will affect all users enrolling depending on the group you used, so be careful. I am not aware how to change it individually on a device (I don't think its possible) https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-enroll#configure-automatic-mdm-enrollment
I have managed to fix the URLs, simply removed the Citrix Azure AD Enrolment (MAM /MEM) pane
Event ID 201 - MDM Session: OMA-DM message failed to be sent. Result: (Unknown Win32 Error code: 0x80072f78).
Event ID 208 - MDM Session: OMA-DM session started for EnrollmentID (977F4BA8-B3BE-4EBF-9734-015B0FBFBD77) with server: (MS DM Server), Server version: (NULL), Client Version: (1.2), Origin: (0x26), Initiator: (0x0), Mode: (0x2), SessionID: (0x1D), Authentication Type: (0x3).
Event ID 209 - MDM Session: OMA-DM session ended with status: (Unknown Win32 Error code: 0x80072f78).
The device Sync status is: The sync could not be initiated ()x80072f78)
@psshutdown Please understand that for such kind of issue, the error logs is not enough to analyze and find the root cause, we may need more logs to analyze the whole process. It is better to create an online support ticket to handle this issue more effectively. It is free. Here is the online support link and hope it helpful.
https://learn.microsoft.com/en-us/mem/intune/fundamentals/get-support