Windows failed to apply the MDM Policy settings on hybrid Azure AD-joined devices
This article discusses the Windows failed to apply the MDM Policy settings error message that occurs when you run the gpupdate /force command on an enrolled Windows device in Microsoft Intune.
Symptoms
When you run the gpupdate /force command on a hybrid Azure Active Directory (Azure AD)-joined Windows device that's enrolled in Intune, you receive the following warning message:
Updating policy...
Computer Policy update has completed successfully.
The following warnings were encountered during computer policy processing:
Windows failed to apply the MDM Policy settings. MDM Policy settings might have its own log file. Please click on the "More information" link.
User Policy update has completed successfully.For more detailed information, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy.
Cause
This issue occurs if the Auto MDM Enrollment with AAD Token Group Policy Object (GPO) is applied to the Windows device. In this case, it tries to enroll the device in MDM when you run the gpupdate /force command. Because the device was already enrolled, you receive the warning message.
This behavior is expected. You can safely ignore the warning message.
More information
Below is an example of the %windir%\debug\usermode\Gpsvc.log file entry when you enable Group Policy Service debug logging by following the steps in A Treatise on Group Policy Troubleshooting–now with GPSVC Log Analysis!
ProcessGPOs(Machine): Processing extension MDM Policy
CheckGPOs: No GPO changes but called in force refresh flag or extension MDM Policy needs to run force refresh in foreground processing
ProcessGPOList:++ Entering for extension MDM Policy
ProcessGPOList: Passing in the force refresh flag to Extension MDM Policy
ProcessGPOList: Extension MDM Policy returned 0x8018000a.
ProcessGPOList: Extension MDM Policy doesn't support rsop logging
ProcessGPOs(Machine): Extension MDM Policy ProcessGroupPolicy failed, status 0x8018000a.
The 0x8018000a error means that the device is already enrolled.