Co-Management Some Devices Fail enrollment

    Question

  • For the life of me I cannot figure out why this is happening.  I have my SCCM and Intune set up for Co-management. I have Group Policy set to "Enable automatic MDM enrollment using default Azure AD credentials" and in my limited testing I have found some devices sign right in after the "Setting up your device for work" screen and others fail on Security Policies.

    I exported the error logs, which are in an MDMDiagReport.cab file. I extracted it to find the MDMDiagReport.xml file, but that is unreadable, so I cannot find out where the error is happening.

    I don't understand how enrollment can be so inconsistent when there is really not much that needs to be set to make this happen. If it didn't work at all that would be one thing, but it does work on some devices and not others.

    Any advice on how to determine the cause would be much appreciated.

    Tuesday, May 14, 2019 6:48 PM

All replies

  • What are you actually doing? When you refer to "Setting up your device for work" are you referring to the enrollment status page in Autopilot? And you are also using co-management in SCCM?

    Can you see any more info in the Event Logs in Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics > Admin?


    Tuesday, May 14, 2019 10:36 PM
  • Yes, the enrollment status page. Basically we deploy an OS using SCCM and then sign in using an admin account without an Intune license so that we can just run a round or two of Windows updates before handing it off to a user. Once handed to the user, we have been having them sign in using their Azure AD name/email address, which matches their on-prem AD UPN since we are federated with Office 365. Sometimes the enrollment status page goes by real quick and the user gets in and policies are set. Other times it sits at the enrollment status page for the full 30 minutes set as the timeout in Intune and fails on applying security policies.

    I do see some errors in the event log.  Stuff like:
    Event ID 76 - Auto MDM Enroll: Failed (0x80180018)
    Event ID 11 - MDM Enroll: Failed to receive or parse certificate enroll response. Result: (Unknown Win32 Error code: 0x80180018).
    Event ID 52 - MDM Enroll: Server Returned Fault/Code/Subcode/Value=(UserLicense) Fault/Reason/Text=(Failed to issue token: UserValidation. 

    Tuesday, May 14, 2019 11:03 PM
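The event IDs and the 0x80180018 result quoted above can be pulled out of the DeviceManagement-Enterprise-Diagnostics-Provider Admin log in one pass instead of being read one event at a time. The script below is an added example, not code from the thread or from Microsoft: it lists the enrollment events by ID, extracts the HRESULT from each message, maps the one code this thread shows (0x80180018, which corresponds to the "UserLicense" fault returned in Event ID 52) and reads the join state from `dsregcmd /status`. The log name, the event IDs and the field names from `dsregcmd` are as they appear on Windows 10 clients; the code-to-meaning table is the only part that is an assumption drawn from the Event ID 52 text in the thread.

```powershell
# Added example (not from the thread): triage automatic MDM enrollment failures
# on a Windows 10 client. Run in an elevated PowerShell session on the device
# that stalled at the enrollment status page.

# Event IDs quoted in the thread: 76 (Auto MDM Enroll result), 11 (certificate
# enroll response), 52 (server fault returned by the enrollment service).
$enrollEventIds = 11, 52, 76
$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

# Assumed mapping for the one code seen in the thread. 0x80180018 is the result
# that accompanies the "UserLicense" / "UserValidation" fault in Event ID 52:
# the signing-in user was not accepted by the token service as a licensed user.
$knownCodes = @{
    '0x80180018' = 'UserLicense fault: the user was not validated as licensed for Intune at the token service'
}

function Get-MdmEnrollFailure {
    param([int]$MaxEvents = 50)

    # Newest events first; SilentlyContinue keeps an empty log from throwing.
    Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = $enrollEventIds } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Pull the HRESULT (0x........) out of the message text, if present.
        $code = $null
        if ($_.Message -match '0x[0-9A-Fa-f]{8}') { $code = $Matches[0].ToLower() }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Code    = $code
            Meaning = if ($code -and $knownCodes.ContainsKey($code)) { $knownCodes[$code] } else { 'unmapped; look up the HRESULT' }
            Message = ($_.Message -split "`n")[0]   # first line is the summary
        }
      }
}

function Get-JoinState {
    # dsregcmd /status prints "Key : Value" lines; keep the ones that decide
    # whether automatic enrollment can start at all.
    $wanted = 'AzureAdJoined', 'DomainJoined', 'TenantName', 'MdmUrl'
    $state = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s*:\s*(.+?)\s*$' -and $wanted -contains $Matches[1]) {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

# Usage: enrollment failures in the Admin log, then the device's join state.
Get-MdmEnrollFailure | Format-Table -AutoSize
Get-JoinState
```

If `AzureAdJoined` and `MdmUrl` are populated but every failure carries 0x80180018 with the UserLicense/UserValidation fault, the device side of enrollment is working and the problem sits with the user account that signed in, whether the Intune license or the federated token, which is the direction the rest of this thread takes.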
  • Looking into those errors I am thinking it may have something to do with our ADFS configuration. Still not sure how to fix it or what area to look in for the conflict.
    Tuesday, May 14, 2019 11:45 PM
  • Hello,

    Based on my experience, if I configure co-management in SCCM and deploy the policy to the client device, I don't need to deploy the GPO for automatic enrollment on the client devices any more.

    Once the co-management setting takes effect, the device can be enrolled automatically after the user signs in.

    On the client device, please open Configuration Manager Properties and make sure co-management has already been enabled.

    In addition, please check that the devices and AD user accounts have been synced to Azure AD successfully and that you have assigned the Intune license to these accounts.

    Please refer here for more details about how to configure co-management.

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, May 15, 2019 3:29 AM
  • Andy,

    I am not sure it matters how the enrollment happens. I have begun with devices slowly being added to my pilot device collection to get Intune Managed workloads. I suppose that would enroll them too, but I have been enrolling devices using the Group Policy as I was only going to set the laptops used by teachers and students to have Intune Managed workloads while keeping my labs and office desktops managed by ConfigManager. I am phasing devices in and testing right now.

    I spoke with a Microsoft training rep on how to set up Intune and Co-Management and she said to set the Group Policy, which is why I did it that way. I don't think that is causing any conflict as the error logs all seem to point to some possible DNS issue with ADFS. Investigating that now.

    Wednesday, May 15, 2019 1:40 PM
  • Andy,

    Just an FYI. I confirmed that adding a device to my pilot collection for Intune co-management also enrolls the device even without the group policy. I may go this route in the future, so thank you for the info. Lots of different information on how to use Intune out there.

    I still would like to get a handle on why devices show errors when signing in, though. I will change my enrollment method to not use the Group Policy for future devices I am phasing in and see what happens.

    Wednesday, May 15, 2019 2:22 PM
  • Hello,

    For the devices with errors, could you please also verify the enrollment in the Intune portal?

    You can check the devices at the following two locations:

    Devices - Azure AD devices

    Devices - All devices

    If the devices were enrolled in Intune successfully, they should show up in the two places above.

    Best regards,

    Andy Liu



    Friday, May 17, 2019 2:45 AM