MDM Autoenrol GPO

  • General discussion

  • Hi

    Getting a strange error when using the Auto-enroll MDM GPO. The GPO setting is as below:

    1. Create a Group Policy Object (GPO) and enable the Group Policy Computer Configuration > Policies > Administrative Templates > Windows Components > MDM > Enable automatic MDM enrollment using default Azure AD credentials

    Users are auto-enrolled successfully, however when I run a gpupdate /force on any client machine I get the below error:

    Windows failed to apply the MDM Policy settings. MDM Policy settings might have its own log file. Please click on the "More information" link.

    Have tried it on several test environments and get the same issue with the GPO. Clients are a mixture of Windows 10 1803 and Windows 10 1809.



    Wednesday, January 2, 2019 4:33 PM

All replies

  • Hello,

    I would recommend verifying the enrollment in the Intune portal. You can navigate to Devices - All devices; the device should show up if the enrollment is successful.

    In addition, you can review the steps for enrolling using GPO by referring to the following article.

    https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy

    Best regards,

    Andy Liu



    Thursday, January 3, 2019 7:15 AM
  • Hi

    The devices successfully enrol into Intune automatically as desired (they are Hybrid Azure AD joined devices); I can fully manage the devices, push out apps, set config policies, compliance policies etc. However, on every client it shows the GPO as not applying when running gpupdate /force. I am guessing it is because the client is already enrolled into Intune, so every time you run a gpupdate /force it fails. I have observed this behaviour on multiple deployments that MDM auto-enrol via GPO for Hybrid Azure AD joined devices.

    Rgds

    Matt

    Thursday, January 3, 2019 11:49 AM
  • Hi,

    Just seeing exactly the same behaviour on three different deployments. Once the devices have successfully registered with Intune, the GPO will cause a failure if reapplied using the force switch.

    Regards,
    Stefan

    Friday, January 4, 2019 9:21 AM
  • Hi

    Thanks for clarifying that you get the same. Have deployed a fresh test environment with the same result. It seems to be an issue with the GPO, as even gpupdate without the /force switch (so only policy settings that have changed are applied) errors. It doesn't cause any technical issues that I have noticed, but clients will question this when deployed.

    Rgds

    Matt

    Monday, January 7, 2019 4:41 PM
  • I have seen this on lots of deployments. I believe it's normal behaviour. Group Policy updates OK; you just need to check the MDM log for errors if you want.

    Microsoft\Windows\DeviceManagement-Enterprise-Diagnostics-Provider\Admin

    Monday, January 7, 2019 4:58 PM
  • Where is that log file?
    Tuesday, January 29, 2019 9:55 PM
  • Event Logs.
    Tuesday, January 29, 2019 9:58 PM
  • UPVOTE in Feedback so it is fixed: https://aka.ms/AA3y6bp

    Enabled debug level for GPSvc:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics

    GPSvcDebugLevel DWORD 0x00030002


    Got the logs and found this:

    GPSVC(730.147c) 14:29:04:586 ProcessGPOList:++ Entering for extension MDM Policy
    GPSVC(730.147c) 14:29:04:586 GetWbemServices: CoCreateInstance succeeded
    GPSVC(730.147c) 14:29:04:586 ConnectToNameSpace: ConnectServer returned 0x0
    GPSVC(730.147c) 14:29:04:601 LogExtSessionStatus: Successfully logged Extension Session data
    GPSVC(730.147c) 14:29:04:601 ProcessGPOList: Extension MDM Policy returned 0x8018000a.
    GPSVC(730.147c) 14:29:04:601 CGPAdminEventInitFailure::Initialize(): FormatMessage failed to look up error code (0x8018000a) due to error 317. Can not log error description.
    GPSVC(730.147c) 14:29:04:601 ProcessGPOList: Extension MDM Policy doesn't support rsop logging
    GPSVC(730.147c) 14:29:04:601 ProcessGPOList:--
    GPSVC(730.147c) 14:29:04:601 CPolicyCriticalSectionCollection: Deleting critical section for UserSid <(null)>
    GPSVC(730.147c) 14:29:04:601 Deleting machine
    GPSVC(730.147c) 14:29:04:601 ProcessGPOs(Machine): Extension MDM Policy ProcessGroupPolicy failed, status 0x8018000a.
    GPSVC(730.147c) 14:29:04:601 ProcessGPOs(Machine): -----------------------
    GPSVC(730.147c) 14:29:04:601 ProcessGPOs(Machine): -----------------------


    Which led to this:

    https://docs.microsoft.com/en-us/windows/desktop/mdmreg/mdm-registration-constants



    MENROLL_E_DEVICE_ALREADY_ENROLLED

    0x8018000A

    The device is already enrolled.

    Then I opened a case with Intune/MS support and here is their reply.

    Below is a summary of the support request for your records:

    Issue:

    When you run gpupdate on a co-managed Windows 10 machine (Hybrid Domain Joined, MDM enrolled), you see the error message 'Windows Failed to Apply the MDM Policy Settings'.


    Cause:

    This can occur if an "AutoMDMEnrollment" GPO is deployed to the computer. In this scenario, when you run gpupdate /force it will try to enroll the Windows device. Since the device is already enrolled, this will fail. This is expected behavior.



    Resolution:

    This message can be safely ignored. The error is expected considering that the device is already MDM enrolled.


    Friday, February 1, 2019 11:52 AM
  • Hello,

    I used the MDM policy to deploy Hybrid Azure AD joined devices to Intune.

    Now I have removed the Group Policy from the devices, but the gpupdate error message remains.

    How do I get rid of the error message?

    It is not normal behaviour to get an error message every time you run gpupdate (/force).

    Thanks

    Best regards
    Maik

    Monday, November 18, 2019 8:56 AM
  • The only way I managed to get it away was to set "Enable automatic MDM enrollment using default Azure AD credentials" to "Disabled" in local policy. Setting it to "Not Configured" will still throw the same error.

    Monday, November 25, 2019 1:19 PM
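The triage the thread arrives at by hand (turn on GPSvc debug logging, read the MDM Policy extension's return code out of gpsvc.log, decode it against the MDM registration constants, confirm the device really is enrolled, and check whether the auto-enrollment policy is Enabled, Disabled or Not Configured) can be scripted. The PowerShell below is an added example, not code from any post in the thread or from Microsoft. The registry switch for GPSvc debug logging, the event-log channel and the 0x8018000A meaning come from the posts above; the gpsvc.log path under %windir%\debug\usermode, the AutoEnrollMDM value under HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM, and the ProviderID "MS DM Server" under HKLM\SOFTWARE\Microsoft\Enrollments are assumptions from general Windows knowledge and are labelled as such in the code. Run it in an elevated session on the affected client.

```powershell
# Added example (not from the thread): triage the "Windows failed to apply the MDM Policy settings"
# gpupdate error on a Hybrid Azure AD joined, Intune-enrolled Windows 10 client.
# ASSUMPTIONS (not stated in the thread): gpsvc.log path, the AutoEnrollMDM policy value location,
# and ProviderID "MS DM Server" marking an Intune enrollment. Run elevated.

# HRESULTs from the MDM registration constants page. Only the code quoted in the thread is listed;
# extend from https://docs.microsoft.com/en-us/windows/desktop/mdmreg/mdm-registration-constants
$MdmRegistrationErrors = @{
    '0x8018000A' = 'MENROLL_E_DEVICE_ALREADY_ENROLLED: The device is already enrolled.'
}

function Enable-GpsvcDebugLog {
    # Same registry switch the thread used. The service then writes %windir%\debug\usermode\gpsvc.log (assumption).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'GPSvcDebugLevel' -Value 0x30002 -Type DWord
    $logDir = Join-Path $env:windir 'debug\usermode'
    if (-not (Test-Path $logDir)) { New-Item -Path $logDir -ItemType Directory -Force | Out-Null }
}

function Get-MdmExtensionResult {
    # Pulls every "Extension MDM Policy returned 0x........" line from gpsvc.log and decodes the HRESULT.
    param([string]$LogPath = (Join-Path $env:windir 'debug\usermode\gpsvc.log'))
    if (-not (Test-Path $LogPath)) { return @() }
    Select-String -Path $LogPath -Pattern 'Extension MDM Policy returned 0x([0-9A-Fa-f]{8})' |
        ForEach-Object {
            $code = '0x' + $_.Matches[0].Groups[1].Value.ToUpper()
            [pscustomobject]@{
                Line        = $_.LineNumber
                HResult     = $code
                Description = if ($MdmRegistrationErrors.ContainsKey($code)) { $MdmRegistrationErrors[$code] }
                              else { 'not in local table; look it up on the constants page' }
            }
        }
}

function Get-MdmDiagnosticEvents {
    # Most recent entries from the channel named in the thread
    # (Event Viewer path Microsoft\Windows\DeviceManagement-Enterprise-Diagnostics-Provider\Admin).
    param([int]$MaxEvents = 20)
    Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

function Get-AutoEnrollPolicyState {
    # Registry backing of "Enable automatic MDM enrollment using default Azure AD credentials"
    # (assumption: MDM.admx writes AutoEnrollMDM = 1 for Enabled, 0 for Disabled, and removes the value
    # for Not Configured). This is the setting the last post switched to "Disabled".
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $value = Get-ItemProperty -Path $key -Name 'AutoEnrollMDM' -ErrorAction SilentlyContinue
    if ($null -eq $value) { return 'Not Configured (value absent)' }
    switch ($value.AutoEnrollMDM) {
        1       { 'Enabled' }
        0       { 'Disabled' }
        default { "Unknown ($($value.AutoEnrollMDM))" }
    }
}

function Get-MdmEnrollmentState {
    # Enumerates HKLM\SOFTWARE\Microsoft\Enrollments; Intune enrollments carry ProviderID "MS DM Server" (assumption).
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object PSChildName, ProviderID, EnrollmentState, EnrollmentType
}

# Triage run: an enrolled device plus a last extension result of 0x8018000A is the "expected, ignore"
# case described in the support reply; anything else deserves a look at the diagnostics channel.
$enrollments = @(Get-MdmEnrollmentState)
$last        = Get-MdmExtensionResult | Select-Object -Last 1
[pscustomobject]@{
    PolicyState        = Get-AutoEnrollPolicyState
    IntuneEnrollments  = $enrollments.Count
    LastExtensionError = if ($last) { $last.Description } else { 'gpsvc.log not found or no MDM Policy result; run Enable-GpsvcDebugLog then gpupdate /force' }
    ExpectedBenign     = ($enrollments.Count -gt 0 -and $last -and $last.HResult -eq '0x8018000A')
}
if (-not $last -or $last.HResult -ne '0x8018000A') { Get-MdmDiagnosticEvents }
```

The HRESULT table is keyed by the upper-cased hex string rather than by number because PowerShell parses a hex literal such as 0x8018000A as a negative Int32, which would silently break a numeric lookup. ExpectedBenign is the one line to quote back to a customer: the device is enrolled and the extension's only failure is "already enrolled", so the gpupdate warning is noise from the enrollment attempt, not a policy that failed to apply.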