Do not use the built-in Administrator account when performing MDM enrollment

Recently I worked with a customer who was implementing an MDM solution and ran into a problem performing MDM enrollment on a Windows 8.1 system. The enrollment was failing with the following error message:

“Confirm you are using the correct sign-in info, and that your workplace uses this feature. Also, the connection to your workplace might not be working right now. Please wait and try again.”

Note: To enroll a Windows 8.1 system into an MDM server, open PC Settings –> Network –> Workplace and click Join.

[Screenshot omitted: PC Settings –> Network –> Workplace]

A network trace collected while reproducing the issue showed no errors in the network communication, and the MDM traces reported no errors at all, so the problem was not in the MDM Agent (C:\Windows\System32\mdmagent.exe) or the network.

To find the root cause, we had to collect traces for the Web Authentication broker. When you click the “Turn on” button on the enrollment screen, the MDM Agent sends an HTTP request to the server; once it has discovered the authentication URL (the <AuthenticationServiceUrl> element in the server’s XML response), the Web Authentication broker should contact that URL and complete the authentication.

The issue was that the enrollment was being performed from the built-in Administrator account. The Web Authentication broker runs in AuthHost.exe (C:\Windows\System32\authhost.exe), which is an AppContainer, similar to modern apps, and its security model is designed NOT to work in the built-in Administrator account: AppContainers are not allowed to talk to processes running in the built-in Administrator context. If you try, you receive an Access is Denied error, which results in the message above being displayed to the user. The message itself says nothing about access being denied, so the cause is not easy to identify without deeper debugging/troubleshooting.

To resolve this issue, do not use the built-in Administrator account. Instead, create a new account with Administrator rights, log on to the system as that user, and then perform the enrollment. The Web Authentication broker should then run without errors.

Note: The built-in Administrator account is disabled by default, so unless you enable it manually and log in with it, you won’t run into this issue. To check whether you are using the built-in Administrator account, and whether that account is disabled, see the following screenshot:

[Screenshot omitted: account status showing whether the built-in Administrator account is in use or disabled]
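The check described above, as an added PowerShell example that is not part of the original post: it identifies the built-in Administrator by its well-known relative identifier (RID 500), which survives renaming, and reads the account’s disabled flag through the ADSI WinNT provider so it also works on Windows 8.1. The function names are my own.

```powershell
# Added example: detect whether the current session is the built-in
# Administrator (the account under which the AppContainer-hosted
# Web Authentication broker, authhost.exe, cannot run) and report
# whether that account is enabled at all.

function Test-BuiltInAdministratorSession {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # The built-in Administrator always carries RID 500 in the local SID,
    # regardless of whether the account has been renamed.
    return ($identity.User.Value -match '-500$')
}

function Get-BuiltInAdministratorState {
    $ADS_UF_ACCOUNTDISABLE = 0x2        # userAccountControl "disabled" bit
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    foreach ($child in $computer.Children) {
        if ($child.SchemaClassName -ne 'User') { continue }
        $sidBytes = $child.InvokeGet('objectSid')
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        if ($sid.Value -match '-500$') {
            $flags = [int]$child.InvokeGet('UserFlags')
            return [pscustomobject]@{
                Name    = $child.InvokeGet('Name')
                Sid     = $sid.Value
                Enabled = (($flags -band $ADS_UF_ACCOUNTDISABLE) -eq 0)
            }
        }
    }
}

# Usage: run before attempting Workplace Join.
if (Test-BuiltInAdministratorSession) {
    Write-Warning ('Signed in as the built-in Administrator; MDM enrollment will fail. ' +
                   'Sign in with a separate account that is a member of Administrators.')
} else {
    Write-Host 'Not the built-in Administrator; enrollment can proceed from this account.'
}
Get-BuiltInAdministratorState | Format-List
```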

Hopefully this blog throws some light on one of the issues you may encounter during MDM enrollment.

- Prashant H Phadke