MDM enrollment fails with error 0xcaa9001f for co-managed Windows devices

This article fixes an issue in which MDM enrollment fails and generates error 0xcaa9001f for co-managed Windows devices that are hybrid Azure AD-joined and managed by using Configuration Manager.

Original product version:   Microsoft Intune
Original KB number:   4471480

Symptoms

MDM enrollment fails for co-managed Windows devices that are hybrid Azure AD-joined and managed by using Microsoft System Center Configuration Manager. The following error messages are logged:

  • In %WinDir%\CCM\logs\CoManagementHandler.log:

    MDM enrollment failed with error code 0xcaa9001f 'Integrated Windows authentication supported only in federation flow.'. Will retry in 15 minutes...

  • In the Event Viewer, under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin:

    System Migration Task Started.
    Impersonation result. Result: (An attempt was made to reference a token that does not exist.).
    Auto MDM Enroll: Failed (Unknown Win32 Error code: 0xcaa9001f)

  • In the Event Viewer, under Applications and Services Logs > Microsoft > Windows > AAD > Operational:

    Http request status: 400. Method: POST Endpoint Uri: https://login.microsoftonline.com/\/oauth2/token Correlation ID: <ID>
    OAuth response error: invalid_grant
    Error description: AADSTS70002: Error validating credentials. AADSTS50155: Device is not authenticated.

Note

Bring your own device (BYOD) enrollment or auto-enrollment by using Group Policy works successfully.

Cause

This issue occurs when the Configuration Manager client tries integrated Windows authentication (IWA) against Azure AD although the user's verified domain is managed rather than federated. Azure AD accepts IWA only in the federation flow, so the token request is rejected (invalid_grant, AADSTS50155 "Device is not authenticated"), and the MDM enrollment that depends on that token fails.

This issue occurs in one of the following situations:

  • The Cloud Management Azure service isn't configured in Configuration Manager.
  • Either AD User Discovery or Azure AD User Discovery isn't enabled for the affected users. Both discovery methods must be enabled.
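The following PowerShell script is an added diagnostic that is not part of this article. It checks, on the affected device, the three facts the Symptoms and Cause sections rely on: whether CoManagementHandler.log contains the 0xcaa9001f failure, whether the AAD Operational log contains the matching AADSTS50155 rejection, and whether the user's UPN suffix is a managed or a federated domain. The log path, the Get-WinEvent log name Microsoft-Windows-AAD/Operational, the unauthenticated realm-discovery endpoint getuserrealm.srf (whose NameSpaceType element reports Managed or Federated) and the -Upn parameter are assumptions of the example, not values taken from the article.

```powershell
<#
  Added diagnostic for the 0xcaa9001f co-management enrollment failure.
  Not part of KB 4471480. Assumed (not from the article):
    - log path %WinDir%\CCM\Logs\CoManagementHandler.log
    - Get-WinEvent log name 'Microsoft-Windows-AAD/Operational'
    - getuserrealm.srf returns <NameSpaceType> Managed or Federated for a UPN suffix
    - $Upn is a placeholder for an affected user's UPN
  Run in an elevated PowerShell session on the affected device.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$Upn   # e.g. user@contoso.com (placeholder domain)
)

$result = [ordered]@{}

# 1. Did the Configuration Manager client log the enrollment failure?
$ccmLog = Join-Path $env:WinDir 'CCM\Logs\CoManagementHandler.log'
$result.CoMgmtLogHits = if (Test-Path $ccmLog) {
    @(Select-String -Path $ccmLog -Pattern '0xcaa9001f' -SimpleMatch).Count
} else { 0 }

# 2. Did Azure AD reject the token request with AADSTS50155 / invalid_grant?
$aad = Get-WinEvent -LogName 'Microsoft-Windows-AAD/Operational' -MaxEvents 1000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'AADSTS50155|invalid_grant' }
$result.AadRejections = @($aad).Count
if ($aad) { $result.LastAadRejection = ($aad | Select-Object -First 1).TimeCreated }

# 3. Is the device hybrid Azure AD joined? (dsregcmd /status must show both as YES)
$dsreg = dsregcmd /status
$result.AzureAdJoined = [bool]($dsreg | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')
$result.DomainJoined  = [bool]($dsreg | Select-String -Pattern 'DomainJoined\s*:\s*YES')

# 4. Is the user's verified domain managed or federated? (assumed endpoint, no auth needed)
$realmUri = "https://login.microsoftonline.com/getuserrealm.srf?login=$([uri]::EscapeDataString($Upn))&xml=1"
[xml]$realm = (Invoke-WebRequest -Uri $realmUri -UseBasicParsing).Content
$result.NameSpaceType = $realm.RealmInfo.NameSpaceType   # 'Managed' or 'Federated'

# Verdict: the article's cause is IWA attempted against a managed (non-federated) domain
# by a hybrid-joined, co-managed client.
$result.MatchesKbCause =
    $result.CoMgmtLogHits -gt 0 -and
    $result.NameSpaceType -eq 'Managed' -and
    $result.AzureAdJoined -and $result.DomainJoined

[pscustomobject]$result | Format-List

if ($result.MatchesKbCause) {
    Write-Warning ('Symptoms match: the Configuration Manager client attempted integrated Windows ' +
                   'authentication against a managed domain. Configure the Cloud Management Azure ' +
                   'service and enable both AD User Discovery and Azure AD User Discovery, then ' +
                   'watch CoManagementHandler.log for the 15-minute retry.')
}
```

If NameSpaceType comes back as Federated, the cause in this article does not apply and the AADSTS50155 rejection should be investigated as a device-registration problem instead.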

Resolution

To fix the issue, configure the Cloud Management Azure service in the Configuration Manager console (Administration > Cloud Services > Azure Services), and make sure that both AD User Discovery and Azure AD User Discovery are enabled for the affected users. The client retries enrollment every 15 minutes, as CoManagementHandler.log indicates; the next retry after the change should succeed, and the 0xcaa9001f entries and the AADSTS50155 events should stop.