The Trials and Tribulations of InTune Auto-Enrollment – Tips and Tricks

Navigating the complexities of InTune auto-enrollment errors might feel like trying to find your way through a maze without guidance. However, there’s no need to fret. We’re equipped to offer you the navigational aids and the tools required to master this challenge. By breaking down these prevalent errors and outlining clear solutions, we aim to simplify your InTune enrollment process, transforming a potentially overwhelming experience into a manageable task.

(Yeah, I know, show me your script.)

Identifying Common Enrollment Errors:

  • Error with Auto MDM Enroll: Device Credential (0x0), Failed: This error, indicated by an Unknown Win32 Error code: 0x8018002a, often puzzles users.
  • Toast Notification Failure during Auto MDM Enrollment: Encountered as “DmRaiseToastNotificationAndWait Failure” with the same Unknown Win32 Error code: 0x8018002a.
  • OMA-DM Message Delivery Failures: OMA-DM messages are rejected as unauthorized (401), or the client fails to obtain AAD tokens. Typically the user token fails with Unknown Win32 Error code: 0xcaa2000c while the device token reports a successful operation.
  • ConfigurationManager Caller Issues: The ConfigurationManager caller runs without user impersonation and with a NULL targeted user SID, resulting in Unknown Win32 Error code: 0x86000022.
  • Spurious Background Task Activation: This Event ID 76 Error signifies a failed Auto MDM Enroll with Device Credential (0x0).

Diagnostic Toolkit for Error Analysis:

To uncover the root of these issues, engaging in a bit of detective work is essential:

  • Investigate Scheduled Tasks: Utilize schtasks /query /fo LIST /v | findstr /i "InTune MDM Enroll" to identify potential enrollment tasks.
  • Registry Exploration: Delve into HKLM:\SOFTWARE\Microsoft\Enrollments with Get-ChildItem to locate outdated registrations.
  • Event Log Examination: Use Get-WinEvent -LogName "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin" -MaxEvents 100 | sort TimeCreated | ft -AutoSize -Wrap for a detailed analysis of event logs.
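The three checks above, combined into one PowerShell report (this is an added example, not the post's own script). It assumes an elevated PowerShell 5.1 or later session on the affected device, that Intune enrollment tasks live under the EnterpriseMgmt scheduled-task folder, and that each GUID subkey under Enrollments carries the UPN, ProviderID and EnrollmentType values; the error codes it flags are the ones listed earlier in the post.

```powershell
# Added example (not the original post's script): gather the scheduled tasks,
# registry enrollments and diagnostics events described above into one report.
# Assumes an elevated PowerShell 5.1+ session on the affected Windows device.

# 1. Scheduled tasks related to MDM enrollment. The post uses schtasks + findstr;
#    Get-ScheduledTask returns the same information as objects.
$enrollTasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskPath -like '*EnterpriseMgmt*' -or $_.TaskName -match 'MDM|Enroll' } |
    Select-Object TaskPath, TaskName, State

# 2. Enrollment registry keys. Each GUID-named subkey is one (possibly stale)
#    enrollment; UPN and ProviderID show which user/tenant it belongs to
#    (value names assumed from typical enrollment keys).
$enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^[0-9A-Fa-f-]{36}$' } |
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Key            = $_.PSChildName
            UPN            = $p.UPN
            ProviderID     = $p.ProviderID
            EnrollmentType = $p.EnrollmentType
        }
    }

# 3. Recent DeviceManagement diagnostics events, flagged when they contain one
#    of the error codes the post lists.
$knownCodes = @('0x8018002a', '0xcaa2000c', '0x86000022')
$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$events = Get-WinEvent -LogName $logName -MaxEvents 100 -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    ForEach-Object {
        $msg = $_.Message
        $hits = $knownCodes | Where-Object { $msg -match [regex]::Escape($_) }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Id          = $_.Id
            Level       = $_.LevelDisplayName
            KnownCode   = ($hits -join ',')
            Message     = ($msg -split "`n")[0]   # first line only, keeps the table readable
        }
    }

'== Enrollment-related scheduled tasks =='
$enrollTasks | Format-Table -AutoSize
'== Enrollment registry keys (stale UPNs show up here) =='
$enrollments | Format-Table -AutoSize
'== Recent DeviceManagement events =='
$events | Format-Table -AutoSize -Wrap
'== Events carrying a known enrollment error code =='
$events | Where-Object { $_.KnownCode } | Format-Table TimeCreated, Id, KnownCode -AutoSize
```

Run the script before making any changes so you have a baseline: the enrollment keys section is what tells you whether an old UPN is still registered, and the flagged-events section is the quickest way to see which of the errors listed above the device is actually hitting.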

Strategic Solutions for Error Resolution:

  • Eliminate Old Registrations: Start by purging obsolete device registrations in Azure AD under Identity -> Devices to prevent conflicts.
  • Implement the Cleanup Script: Execute a specialized script to remove residual UPNs from the system. Typically, this doesn’t require a system restart.
  • Force Direct Enrollment: Run the direct enrollment commands as a user licensed for InTune (Business Premium or an InTune plan). Run gpupdate /force, then %windir%\system32\deviceenroller.exe /c /AutoEnrollMDMUsingAADDeviceCredential, followed by %windir%\system32\deviceenroller.exe /c /AutoEnrollMDM. Afterwards, monitor the device activity logs, restart, and attempt the enrollment again.

Post-Intervention Evaluation:

After implementing the suggested fixes, it’s crucial to review the event logs again to verify that the errors have been resolved and no new issues have emerged.
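The forced-enrollment sequence and the follow-up log review, as one PowerShell script (an added example, not the post's own). It runs the gpupdate and deviceenroller commands exactly as given above, then pulls only the diagnostics events written since the attempt started and reports whether any of the known error codes reappeared. It assumes an elevated session on the device while the InTune-licensed user is signed in; the 15-second pause between commands is an arbitrary, assumed value.

```powershell
# Added example (not from the post): run the direct-enrollment commands, then
# check the diagnostics log for events written since the attempt began.
# Run elevated, as (or on behalf of) the InTune-licensed user.
$logName  = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$enroller = Join-Path $env:windir 'system32\deviceenroller.exe'
$knownCodes = '0x8018002a|0xcaa2000c|0x86000022'   # codes listed in the post
$start = Get-Date

& gpupdate.exe /force | Out-Null
Write-Host "gpupdate /force exit code: $LASTEXITCODE"

# Device-credential enrollment first, then the user/device auto-enrollment.
foreach ($switch in '/AutoEnrollMDMUsingAADDeviceCredential', '/AutoEnrollMDM') {
    & $enroller /c $switch
    Write-Host "deviceenroller /c $switch exit code: $LASTEXITCODE"
    Start-Sleep -Seconds 15   # assumed delay; gives the enroller time to log its result
}

# Only events logged after $start are relevant to this attempt.
$newEvents = Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $start } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

$newEvents | Format-Table TimeCreated, Id, LevelDisplayName,
    @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } } -AutoSize -Wrap

$stillFailing = $newEvents | Where-Object { $_.Message -match $knownCodes }
if ($stillFailing) {
    Write-Warning ("{0} event(s) still carry a known enrollment error code; " +
                   "clear stale registrations, restart, and retry.") -f $stillFailing.Count
} else {
    Write-Host 'No known enrollment error codes logged since the attempt.'
}
```

Because the post-intervention check filters on StartTime, it answers the question this section asks, whether the errors are gone after the fix, without old entries muddying the result; rerun the same script after the restart to confirm the second attempt is clean.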
