Intune Autoenrollment not working

psshutdown 1 Reputation point
2021-04-28T03:35:23.133+00:00

I'm having an issue auto enrolling all devices to EndPoint Manager/Intune, the devices are successfully joining as Azure AD joined devices.

I have recently configured EndPoint Manager with Hybrid autoenrollment, i have configured the following:

  1. AAD Connect - Hybrid Azure AD devices
  2. created a GPO to autoenrol the device to Intune - I have configured this to use 'User Credentials'
  3. MFA is not enabled on the account

dsregcmd /status clearly shows the devices joined as Azure AD Joined

Joining the device manually (Enrol only in device management) via Access and work or school joins the device successfully.

Checking the logs DeviceManagement Logs i get event ID 81 (warning) and 76 (error)

Auto MDM Enroll Impersonation Failure (Unknown Win32 Error code: 0x82aa0008)
Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x82aa0008)

Edited: now seeing error Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x80192ee2)

I have rebooted a device several times
disjoined and removed the AAD
removed the sync scope of AAD
then repeated to join process (moving it back into the Sync OU)

Will appreciate any help

Microsoft Intune Enrollment
Microsoft Intune Enrollment
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Enrollment: The process of requesting, receiving, and installing a certificate.
841 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
2,071 questions
No comments
{count} votes

5 answers

Sort by: Most helpful
  1. Nick Hogarth 3,411 Reputation points Microsoft MVP
    2021-04-28T03:46:44.507+00:00

    If the device shows as Azure AD Joined when you run dsregcmd /status then it should be Hybrid Azure AD Joined (you can verify the device in the Azure portal). How long have you waited for the device to enrol? From my experience the event log fills up with enrolment errors, and then the device enrols hours later. Is the user that is logged on assigned an Azure AD Premium and an Intune license?


  2. Lu Dai-MSFT 20,911 Reputation points Microsoft Employee
    2021-04-28T06:31:35.903+00:00

    @psshutdown Thanks for posting in our Q&A.

    The "Schedule created by enrollment client for automatically enrolling in MDM from AAD" task may not start in the following situations:

    1. The device is already enrolled in another MDM solution. In this case, Event ID 7016 together with error code 2149056522 is logged in the Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational event log.
    2. A Group Policy issue exists.

    For more detailed information, we can read the following article as a reference:
    https://learn.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-windows-auto-enrollment#troubleshooting

    Hope it will help.


    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    No comments

  3. psshutdown 1 Reputation point
    2021-04-28T10:48:57.093+00:00

    Thank you for the info.

    I have ran gpupdate /force and get the error, however the following link states it can be ignored?

    https://learn.microsoft.com/en-us/troubleshoot/mem/intune/windows-failed-to-apply-mdm-policy

    The following warnings were encountered during computer policy processing:

    Windows failed to apply the MDM Policy settings. MDM Policy settings might have its own log file. Please click on the "More information" link.
    User Policy update has completed successfully.

    For more detailed information, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.


  4. psshutdown 1 Reputation point
    2021-04-29T03:25:41.92+00:00

    I have done some further digging and found the MDM Url's are not the same when running dsregcmd /status

     MdmUrl : https://mydomain.com.xm.cloud.com:8443/zdm/wpe
     MdmTouUrl : https://mydomain.com.xm.cloud.com:8443/zdm/wpe/tou
     MdmComplianceUrl : https://complianceUrl
    

    This is Citrix MDM and autoDiscovery is configured, next step find out where this is configured so i can change it.

    Is it possible to change these URLs manualy on a single device to test?


  5. psshutdown 1 Reputation point
    2021-04-29T22:20:04.433+00:00

    I have managed to fix the URLs, simply removed the Citrix Azure AD Enrolment (MAM /MEM) pane

    Event ID 201 - MDM Session: OMA-DM message failed to be sent. Result: (Unknown Win32 Error code: 0x80072f78).

    Event ID 208 - MDM Session: OMA-DM session started for EnrollmentID (977F4BA8-B3BE-4EBF-9734-015B0FBFBD77) with server: (MS DM Server), Server version: (NULL), Client Version: (1.2), Origin: (0x26), Initiator: (0x0), Mode: (0x2), SessionID: (0x1D), Authentication Type: (0x3).

    Event ID 209 - MDM Session: OMA-DM session ended with status: (Unknown Win32 Error code: 0x80072f78).

    The device Sync status is: The sync could not be initiated ()x80072f78)