Edit

MDM enrollment fails with error 0xcaa9001f for co-managed Windows devices

  • Article

This article fixes an issue in which MDM enrollment fails and generates error 0xcaa9001f for co-managed Windows devices that are Microsoft Entra hybrid joined and managed by using Configuration Manager.

Symptoms

MDM enrollment fails for co-managed Windows devices that are Microsoft Entra hybrid joined and managed by using Microsoft System Center Configuration Manager. The following error messages are logged:

  • In %WinDir%\CCM\logs\CoManagementHandler.log:

    MDM enrollment failed with error code 0xcaa9001f 'Integrated Windows authentication supported only in federation flow.'. Will retry in 15 minutes...

  • In logs under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin in the Event Viewer:

    System Migration Task Started.
    Impersonation result. Result: (An attempt was made to reference a token that does not exist.).
    Auto MDM Enroll: Failed (Unknown Win32 Error code: 0xcaa9001f)

  • In logs under Applications and Services Logs > Microsoft > Windows > Microsoft Entra ID > Operational in the Event Viewer:

    Http request status: 400. Method: POST Endpoint Uri: https://login.microsoftonline.com/\<AADTenantID>/oauth2/token Correlation ID: <ID>
    OAuth response error: invalid_grant
    Error description: AADSTS70002: Error validating credentials. AADSTS50155: Device is not authenticated.

Note

Bring your own device (BYOD) enrollment or auto-enrollment by using Group Policy works successfully.

Cause

This issue occurs when integrated Windows authentication is tried by the Configuration Manager client against Microsoft Entra ID while the verified domain isn't federated.

This issue occurs in one of the following situations:

Solution

To fix the issue, configure Azure Services for Cloud Management, and make sure that both AD User Discovery and Microsoft Entra user Discovery are enabled for the users.