question

0 Votes
ThomasBaumannzbitsGmbH-7305 asked Amandayou-MSFT edited

MECM Co-Management, Error MDM-Enroll 0x80192f7d

Hi @ all,
We are using MECM 2103 current branch and have an error with the MDM rollout and Windows 10 20H2 for our deployment.
All prerequisites are in place.
- MECM client settings
- Intune auto enrollment to only one specific group (not ALL!!) which is synced from on-prem to cloud via AD Sync, and the client is a member of this group
- In MECM the test computers are in a specific collection, and this collection is configured as the pilot collection in the MECM CoMgmtSettingsProd
- In these settings, the same Intune pilot collection is also configured as the Intune Auto enrollment Collection setting

The OS Deployment will be done via MECM, and some workloads will be handled via Intune.

When I check the state via dsregcmd /status, the client is: AzureADJoined: YES and DomainJoined: YES, and I cannot identify any errors.

In the Event Log there are two errors:

Auto MDM Enroll: Device Credential (0x1), Failed (Unknown Win32 Error code: 0x80192f7d
MDM Enroll: Failed (Unknown Win32 Error code: 0x80192f7d)

Any ideas? Thanks for your help.

Regards,
Tom



mem-cm-co-management

1 Answer

0 Votes
Amandayou-MSFT answered Amandayou-MSFT edited

Hi @ThomasBaumannzbitsGmbH-7305

In addition to checking AzureADJoined: YES and DomainJoined: YES, please verify if the SSO State section displays AzureAdPrt as YES.


Could we know which path to co-management you are using? Is it "Auto-enroll existing Configuration Manager-managed devices into Intune" or "Bootstrap the Configuration Manager client with modern provisioning"?

Here is the article about paths to co-management:
https://docs.microsoft.com/en-us/mem/configmgr/comanage/quickstart-paths




Hi @Amandayou-MSFT, sorry for my late response!

First, I saw that you gave an answer, but I cannot find it. Maybe you can write to me again.

Thanks,
Tom

First: The setting AzureAdPrt is set to YES on my clients.

First we deploy the clients via SCCM OSD. In SCCM, Co-Management is configured only for a specific pilot collection. Several test clients are members of this collection. In the SCCM Client Settings under Cloud Services, all three options (cloud DP, auto register in AAD, CMG usage) are set to YES.

Thanks for your help.

Regards,
Tom

0 Votes 0 ·

According to our description, the problem is more related to Intune. It needs log analysis to find the root cause. Given the limitations of Q&A, it is not the best channel for such a log analysis case, so it is better to create an online support ticket to handle this issue more effectively. It is free. Here is the online support link:
https://docs.microsoft.com/en-us/mem/intune/fundamentals/get-support

0 Votes 0 ·

Hi @Amandayou-MSFT, thanks for your reply.

I think the problem is located in the device type restrictions. In the DEFAULT restriction the setting of Windows (MDM) is set to Block. Now we created a new group and a new restriction where the setting is Windows (MDM) = Allow and assigned it to the newly created group.

But the new restriction, which is the only custom restriction, with priority 1, does not work.

It seems that if a setting is blocked in the default restriction, it cannot be activated in a custom restriction with a higher priority. Like once blocked, always blocked :-)

Can you confirm this? Or should a device restriction with a higher priority always overwrite a setting in the default restriction?

Thank you!

Regards,
Tom

0 Votes 0 ·

Hey @Amandayou-MSFT @Jason-MSFT

The problem is solved; the device restriction with the higher priority allows the MDM join. It takes about 12 hours until the settings work on a client :-(

Thanks for your help!

Tom

0 Votes 0 ·
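
The dsregcmd /status check discussed in this thread (AzureAdJoined, DomainJoined, and AzureAdPrt in the SSO State section) can be scripted for repeated use on pilot clients. This is an added example, not part of any post; the function names ConvertFrom-DsregStatus and Test-EnrollmentPrerequisite and the sample output are constructed for illustration.

```powershell
# Added example, not from the thread. Parses `dsregcmd /status` text into a
# hashtable and reports the three fields the thread checks before MDM enrollment.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}   # PowerShell hashtable keys are case-insensitive
    foreach ($line in $Lines) {
        # Field lines look like "   AzureAdJoined : YES"; box/header lines do not match
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9]*)\s*:\s*(.*\S)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-EnrollmentPrerequisite {
    param([hashtable]$State)
    foreach ($name in 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt') {
        $value = if ($State.ContainsKey($name)) { $State[$name] } else { '<missing>' }
        [pscustomobject]@{
            Field = $name
            Value = $value
            Ok    = ($value -eq 'YES')
        }
    }
}

# Constructed sample output (trimmed), so the parser can be tried offline.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
'@ -split "`r?`n"

# On a real client, use the live output instead: $statusText = dsregcmd /status
$statusText = $sample
Test-EnrollmentPrerequisite -State (ConvertFrom-DsregStatus -Lines $statusText) | Format-Table -AutoSize
```

AzureAdPrt is only populated in a user context, so run the live check as the signed-in user rather than as SYSTEM.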