Not going to do a great introduction on this one, but I think it deserves a mention anyway (I couldn’t find the situation or error explained elsewhere). More specifically, this is about an error I encountered myself in a Co-management scenario, where the computer fails the auto enrollment into Intune MDM. Let’s dig in 🙂
First off, some relevant background on the enrollment process. Some of this is based on my own findings, the rest on the official documentation.
- Users need permission to enroll devices into MDM: https://docs.microsoft.com/en-us/intune/windows-enroll#enable-windows-10-automatic-enrollment
- The enrollment process is initiated by the SCCM client as the logged on user
- The timing of the actual enrollment is randomized based on the total number of clients in the environment (SCCM 1806)
- A schedule for the enrollment is created when a user logs on
- Or when the ccmexec service is restarted once a user is logged on
- If the enrollment fails, the SCCM client retries 2 times at 15-minute intervals
- After that, a new enrollment schedule is only created when the user logs on again or when the ccmexec service is restarted
The illustration below is from the SCCM console, showing the setting that instructs the SCCM client to automatically enroll the device into Intune:
This translates into the Configuration Baselines below (one baseline for production, another for pilot), as seen on the device:
So, jumping straight to the failed enrollment. The first place to look is CoManagementHandler.log:
“MDM enrollment failed with error code 0x8018002a ‘The user canceled the operation’. Will retry in 15 minutes…”
The next place to dig into is the event log: DeviceManagement-Enterprise-Diagnostic-Provider:
“Auto MDM Enroll: Failed (Unknown Win32 Error code: 0x8018002a)”
An unknown error and a “user canceled the operation” message are not much to work with initially, but they did hint that this is related to the user.
Also, I knew for a fact that the auto MDM enrollment worked previously, so I spun up a new device (for good measure) and logged on with a user that I have enrolled several devices into Intune with. All of that worked flawlessly, so I turned my attention to the user.
Turns out that the above error is related to the user being affected by a Conditional Access rule enforcing MFA (Multi-Factor Authentication) for all cloud apps, with no other conditions configured.
So what supposedly happens behind the scenes during enrollment is an authentication, and thus an MFA prompt, which is never presented to the user since the enrollment runs silently. The authentication then fails, surfacing as the unknown error and the “user canceled the operation” message.
Solution: disable MFA for the affected user, or add an exception to the MFA policy for the Microsoft Intune Enrollment app (or a similar exclusion).
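As an added example (not from the original post), the following Python reads CoManagementHandler.log entries in CMTrace format, extracts the “MDM enrollment failed” error code, maps 0x8018002a to the Conditional Access/MFA cause described above, and groups the failures into schedules using the retry behaviour listed at the top (2 retries, 15 minutes apart), so you can tell whether the client has given up until the next logon or ccmexec restart. The sample log lines are constructed, and the 5-minute slack and the cause text are my own assumptions based on this post.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Causes grounded in this post; any other code is reported as unknown.
KNOWN_CAUSES = {0x8018002A: "silent enrollment auth failed: likely a Conditional Access "
                            "policy requiring MFA for all cloud apps (the prompt is never shown)"}
# CMTrace entry: <![LOG[msg]LOG]!><time="HH:MM:SS.mmm+off" date="MM-DD-YYYY" component="...">
CMTRACE = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><time="(?P<time>[^"]+)" '
                     r'date="(?P<date>[^"]+)" component="(?P<comp>[^"]*)"', re.DOTALL)
FAILURE = re.compile(r"MDM enrollment failed with error code (0x[0-9A-Fa-f]+)")
Failure = namedtuple("Failure", "when code cause")

def parse_failures(log_text):
    """Return CoManagementHandler enrollment failures found in the log text, oldest first."""
    failures = []
    for m in CMTRACE.finditer(log_text):
        hit = FAILURE.search(m.group("msg"))
        if m.group("comp") != "CoManagementHandler" or not hit:
            continue
        clock = re.split(r"[+-]", m.group("time"))[0]  # drop the UTC offset
        when = datetime.strptime(f"{m.group('date')} {clock}", "%m-%d-%Y %H:%M:%S.%f")
        code = int(hit.group(1), 16)
        failures.append(Failure(when, code, KNOWN_CAUSES.get(code,
            "unknown; check the DeviceManagement-Enterprise-Diagnostics-Provider event log")))
    return sorted(failures, key=lambda f: f.when)

def retry_cycles(failures, interval=timedelta(minutes=15), slack=timedelta(minutes=5)):
    """Group failures into schedules: a gap beyond the 15-minute retry interval (plus
    slack, an assumption) means a new schedule came from a re-logon or a ccmexec restart."""
    cycles = []
    for f in failures:
        if cycles and f.when - cycles[-1][-1].when <= interval + slack:
            cycles[-1].append(f)
        else:
            cycles.append([f])
    return cycles

def schedule_exhausted(cycle, max_retries=2):
    """True once the first attempt and both retries failed: no new attempt until re-logon."""
    return len(cycle) >= 1 + max_retries

# Constructed sample lines in CMTrace format (not a real log): one exhausted schedule.
SAMPLE_LOG = """\
<![LOG[MDM enrollment failed with error code 0x8018002a 'The user canceled the operation'. Will retry in 15 minutes...]LOG]!><time="08:00:05.233+60" date="02-14-2019" component="CoManagementHandler" context="" type="3" thread="4212" file="handler.cpp:120">
<![LOG[MDM enrollment failed with error code 0x8018002a 'The user canceled the operation'. Will retry in 15 minutes...]LOG]!><time="08:15:06.410+60" date="02-14-2019" component="CoManagementHandler" context="" type="3" thread="4212" file="handler.cpp:120">
<![LOG[MDM enrollment failed with error code 0x8018002a 'The user canceled the operation'. Will retry in 15 minutes...]LOG]!><time="08:30:07.002+60" date="02-14-2019" component="CoManagementHandler" context="" type="3" thread="4212" file="handler.cpp:120">
"""
```

Feed the contents of CoManagementHandler.log to parse_failures() and the result to retry_cycles(): a cycle for which schedule_exhausted() is true will not be retried until the user logs on again or ccmexec is restarted, and its cause field says where to look first.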