Intune Enrollment Issues? Troubleshoot Existing Configuration Manager Devices Auto-Enrollment
This article provides guidance and troubleshooting steps for issues encountered when configuring co-management by automatically enrolling existing Configuration Manager-managed devices into Microsoft Intune. This scenario allows organizations to continue managing Windows 10 devices with Configuration Manager while selectively transitioning workloads to Intune as needed. Understanding and resolving enrollment problems is a critical step in successfully adopting a co-managed environment.
When setting up co-management, the goal is to register the Configuration Manager-managed devices with Microsoft Entra ID and then automatically enroll them into Intune. This process involves configuration steps in both Configuration Manager and the Microsoft Entra ID/Intune portal. Issues can arise at various points in this flow, from device registration to the final Intune enrollment.
Before You Start: Checking Prerequisites
Before diving into specific troubleshooting steps, it is essential to confirm that all the necessary configuration steps have been completed correctly. Many enrollment issues stem from overlooked prerequisites or misconfigurations in the initial setup phase. Gathering basic information about your environment and verifying settings can significantly speed up the resolution process.
Consider the following checklist to ensure your environment is prepared for co-management auto-enrollment:
- Do you have the required permissions and roles in both Configuration Manager and Microsoft Entra ID/Intune to configure co-management settings? Proper administrative rights are fundamental.
- Which Microsoft Entra hybrid identity option have you selected and implemented (e.g., password hash synchronization, pass-through authentication, or federation)? This affects how devices register.
- What is your current Mobile Device Management (MDM) authority set to in Intune? For co-management with Configuration Manager, it should be Intune.
- Have you successfully installed and configured Microsoft Entra Connect (formerly Azure AD Connect) to synchronize identities and device objects from your on-premises Active Directory to Microsoft Entra ID? Synchronization is key for hybrid join.
- Have you assigned Microsoft Entra ID P1 or P2 licenses to the User Principal Name (UPN) used for the co-management configuration? Licensing is required for certain features like conditional access and hybrid join.
- Have you assigned Intune licenses to the users who will be utilizing co-managed devices? User licensing is often required for successful enrollment and policy assignment.
- Have you configured Microsoft Entra hybrid join correctly for your domain type (managed or federated)? This process registers devices in Microsoft Entra ID and links them to their on-premises Active Directory identity.
- Have you configured the necessary Configuration Manager client agent settings to direct clients to register with Microsoft Entra ID and initiate the co-management process? These settings push the initial configuration to the clients.
- Have you configured automatic MDM enrollment (specifically for Microsoft Intune) within your Microsoft Entra ID tenant under the Mobility (MDM and MAM) settings? This setting dictates which users/groups are automatically enrolled into Intune.
- Have you enabled co-management within the Configuration Manager console, targeting the appropriate collection of devices for auto-enrollment?
Completing these steps is crucial. If any step was missed or configured incorrectly, revisit the official documentation for enabling co-management for existing Configuration Manager clients. The majority of auto-enrollment problems originate from issues in one or more of these prerequisite areas.
To aid in troubleshooting client-side co-management issues on Windows 10 devices, the primary log file to examine is %WinDir%\CCM\logs\CoManagementHandler.log. This log file records the actions and outcomes related to the co-management handler component of the Configuration Manager client.
Troubleshooting Hybrid Microsoft Entra Configuration
Successful co-management auto-enrollment heavily relies on a correctly configured hybrid identity environment and successful Microsoft Entra hybrid join for the devices. Issues with Microsoft Entra Connect synchronization or the hybrid join process itself can prevent devices from reaching the stage where they can enroll in Intune.
Here are some common areas and associated troubleshooting points related to Microsoft Entra identity and hybrid join that are relevant to co-management enrollment:
- Microsoft Entra Connect Installation and Synchronization Errors: Problems during the installation of Microsoft Entra Connect or errors occurring during synchronization cycles can prevent user and device objects from being correctly replicated to Microsoft Entra ID. Without the correct device object in Microsoft Entra ID, hybrid join and subsequent Intune enrollment will fail.
- Microsoft Entra Seamless Single Sign-On (SSO) or Pass-Through Authentication Issues: While not directly causing enrollment failure in all cases, issues with authentication methods can sometimes indirectly impact device registration depending on the configuration.
- Active Directory Federation Services (AD FS) Issues: If you are using a federated domain, problems with your AD FS infrastructure can prevent devices from authenticating correctly to Microsoft Entra ID during the hybrid join process.
For issues specifically affecting Microsoft Entra hybrid join on managed or federated domains, common problems include devices not showing as ‘Hybrid Azure AD joined’ when running dsregcmd /status. Troubleshooting steps for hybrid join often involve checking device registration status using dsregcmd, reviewing relevant event logs on the client (Applications and Services Logs > Microsoft > Windows > User Device Registration and the Microsoft Entra ID operational logs), and verifying the Microsoft Entra Connect configuration for device writeback or device synchronization.
Common Issues and Solutions
This section covers specific issues frequently encountered during the auto-enrollment of Configuration Manager devices into Intune and provides steps to resolve them.
Clients Did Not Receive the Policy from Configuration Manager Management Point
Symptom: Devices intended for co-management are not attempting to register with Microsoft Entra ID or initiate the enrollment process. The Configuration Manager client log files do not show any indication that the co-management policy has been received or processed.
Cause: This issue is typically related to the Configuration Manager infrastructure and client policy delivery, rather than Intune itself. The Configuration Manager client settings enabling hybrid join and co-management are not reaching the targeted devices.
Solution: Troubleshoot Configuration Manager client policy issues. Verify that the client settings policy is correctly configured to enable hybrid join/co-management and that it is deployed to the correct collection containing the target devices. Check Configuration Manager client logs (like PolicyAgent.log, PolicyEvaluator.log, ClientIDManagerStartup.log, Locationservices.log, ccmexec.log) on the affected clients to understand why policy isn’t being received or applied. Ensure the client can communicate with its assigned management point and retrieve policy.
Configuration Manager Client Installed, Device Not Registering with Microsoft Entra ID, No Errors Seen
Symptom: The Configuration Manager client is functioning correctly, but the device doesn’t appear to be attempting or completing registration with Microsoft Entra ID for hybrid join. There are no specific errors immediately apparent in client logs related to this process.
Cause: This often indicates that the Configuration Manager client agent settings that direct clients to register with Microsoft Entra ID were not configured or deployed correctly. The client simply doesn’t know it’s supposed to start the registration process.
Solution: Review and verify the Configuration Manager client settings configuration for co-management or cloud services. Ensure that the option to “Automatically register new Windows 10 domain joined devices with Azure Active Directory” (or a similar setting depending on your Configuration Manager version) is enabled and part of a client settings policy applied to the devices. Confirm the policy is deployed to the correct collection and has been received and applied by the clients (check client logs like ClientIDManagerStartup.log and CoManagementHandler.log).
Configuration Manager Client Installed, Device Registered with Microsoft Entra ID, Not Auto-Enrolling in Intune, No Errors Seen
Symptom: Devices successfully complete the Microsoft Entra hybrid join process and appear correctly registered in Microsoft Entra ID. However, they do not automatically enroll into Microsoft Intune, and there are no explicit errors indicating an enrollment failure on the client side related to Intune.
Cause: This usually happens when the automatic MDM enrollment configuration in the Microsoft Entra ID/Intune portal is misconfigured. The settings that tell devices registered in Microsoft Entra ID to enroll into Intune based on user or group membership are incorrect or missing.
Solution: Navigate to Microsoft Entra ID > Mobility (MDM and MAM) in the Azure portal. Select Microsoft Intune. Verify that the MDM user scope is configured correctly. Ensure that the “MDM user scope” is set to “Some” or “All” and that the relevant user group (containing users of the co-managed devices) is included if set to “Some”. Confirm that the “MDM Terms of use URL,” “MDM Discovery URL,” and “MDM Compliance URL” are correctly set to the default Intune URLs.
Co-management Node Missing in Configuration Manager Console
Symptom: You are unable to find the “Co-management” node under “Administration” > “Cloud Services” in the Configuration Manager console.
Cause: The co-management feature was introduced in Configuration Manager version 1710, but significant enhancements and the dedicated “Co-management” node became prominent in later versions, especially 1906 and newer, which introduced the device-based auto-enrollment via device tokens. If your Configuration Manager version is older than 1906, the console experience and features for co-management auto-enrollment might be different or the node might not exist as expected.
Solution: Update your Configuration Manager environment to version 1906 or a later, supported version. This will enable access to the latest co-management features and the dedicated console node for easier configuration and monitoring.
Microsoft Entra Hybrid Joined Devices Fail to Enroll (0x8018002a) with MFA Errors
Symptom: Microsoft Entra hybrid joined devices fail to automatically enroll in Intune, and client logs (DeviceManagement-Enterprise-Diagnostic-Provider Admin log) show error 0x8018002a (Unknown Win32 Error code). Concurrent errors in the Microsoft Entra ID Operational log (0xCAA2000C, interaction_required, AADSTS50076) indicate an issue related to Multi-Factor Authentication (MFA).
Cause: Error 0x8018002a often translates to CSP_AUTHMGR_DEVICE_AUTH_ERROR, indicating a failure during the device authentication part of enrollment. The related AADSTS50076 error explicitly states that MFA is required due to configuration changes. When MFA is set to Enforced for all users or for the user account attempting enrollment, the silent, device-centric enrollment process initiated by the Configuration Manager client using logged-in user credentials fails because it cannot interactively prompt for MFA.
Solution: The automatic enrollment process initiated by Configuration Manager requires a non-interactive authentication flow. If MFA is enforced, it blocks this flow. To resolve this:
1. Adjust MFA State: If possible, change the user’s MFA state from Enforced to Enabled. When MFA is Enabled but not Enforced, it is only required for new sign-ins or when the user is prompted, not necessarily for device enrollment attempts initiated by the system.
2. Use Trusted IPs (Temporary): Configure Azure AD Trusted IPs to exclude MFA requirements when authenticating from trusted network locations. This can allow enrollment to succeed when the device is on the trusted network. Caution: Carefully consider the security implications of bypassing MFA.
3. Exclude Intune App from Conditional Access (if applicable): If MFA is required by a Microsoft Entra Conditional Access policy targeting “All cloud apps,” consider creating an exclusion for the “Microsoft Intune” application from this policy for the target users/groups during the enrollment phase.
Devices Fail to Sync After Auto-Enrollment
Symptom: Devices appear successfully auto-enrolled in Intune (they show up in the Intune portal), but they fail to sync policy or configurations. In Windows Settings > Accounts > Access work or school, there’s a sync error message like “Sync wasn’t fully successful because we weren’t able to verify your credentials.” Client logs (DeviceManagement-Enterprise-Diagnostic-Provider Admin log) may show 0xcaa2000c errors during sync attempts.
Cause: This issue typically occurs after successful enrollment when the Intune service attempts to establish a user association or perform user-context syncs. If MFA is Enabled or Enforced, or if a Conditional Access policy requires MFA for accessing cloud apps (including Intune), the user-centric sync fails because it requires interactive authentication or bypass.
Solution: Similar to the enrollment failure scenario with MFA, post-enrollment sync issues often point back to MFA requirements interfering with the user’s ability to authenticate silently for sync purposes.
1. Review MFA State: If legacy per-user MFA is used and set to Enabled or Enforced, consider disabling it and migrating to Conditional Access-based MFA policies for more granular control. Disabling legacy per-user MFA might resolve this specific sync issue.
2. Use Trusted IPs: As before, configuring Trusted IPs in Azure AD can bypass MFA requirements when the device is on a trusted network, potentially allowing syncs to complete.
3. Exclude Intune from Conditional Access: If Conditional Access policies require MFA for “All cloud apps,” exclude the “Microsoft Intune” cloud app from this policy for the affected users/groups. This allows devices to sync policies from Intune using the user’s credentials without triggering an MFA prompt.
Hybrid Joined Windows 10 Device Fails to Enroll (0x800706D9 or 0x80180023)
Symptom: A Microsoft Entra hybrid joined device fails the Intune auto-enrollment process, reporting errors like 0x800706D9 (The firewall has blocked some features) or 0x80180023 (Unknown Win32 Error code, often related to provisioning failure). Event Viewer logs (DeviceManagement-Enterprise-Diagnostic-Provider Admin log) may show provisioning failed errors (0x80180023) and unenrollment errors mentioning dmwappushservice.
Cause: Error 0x800706D9 is a generic firewall error, but in the context of MDM enrollment alongside 0x80180023, it often points to an issue with the dmwappushservice. This service (Microsoft DM Session Manager) is crucial for the Windows MDM client to communicate with the Intune service. If this service is missing, corrupted, or disabled, enrollment will fail. Error 0x80180023 specifically relates to the MDM provisioning step failing, which depends on this service.
Solution: Verify the presence and state of the dmwappushservice service on the affected device (services.msc). If the service is missing, it indicates system file corruption or an issue with the Windows installation or update process that failed to install/register the service correctly.
1. Find a working Windows 10 device running the same version as the affected device.
2. Export the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmwappushservice from the working device.
3. Copy the exported .reg file to the affected device.
4. Log on as a local administrator and import the .reg file into the affected device’s registry.
5. Restart the affected device.
6. After restarting, ensure the dmwappushservice service is present and its startup type is set correctly (usually Automatic).
7. Delete the old, failed Microsoft Entra registration on the device if it exists (dsregcmd /leave in an elevated command prompt).
8. Update Group Policy (gpupdate /force).
9. Restart the device again. This should trigger a new attempt at Microsoft Entra registration and Intune auto-enrollment.
Microsoft Entra Hybrid Join Fails in a Managed Domain (0x801c03f2)
Symptom: Devices in a managed domain fail the Microsoft Entra hybrid join process. Running dsregcmd /status shows the device is domain joined but not Azure AD joined. The User Device Registration Admin log in Event Viewer shows error 0x801c03f2 and a message like “The public key user certificate is not found on the device object.”
Cause: Error 0x801c03f2 (DSREG_E_DEVICE_ADFS_RT_TOKEN_INVALID) indicates a problem with device authentication during registration. In managed domains using Microsoft Entra Connect device registration, this specific error, combined with the “public key user certificate is not found” message, means that the device object in Microsoft Entra ID does not have the public key of the device certificate. This certificate is written to the userCertificate attribute of the device object in on-premises Active Directory and then synced to Microsoft Entra ID by Microsoft Entra Connect. If the attribute is missing, empty, or the sync hasn’t occurred, Microsoft Entra ID cannot verify the device’s identity during registration.
Solution: This requires verifying and potentially re-initiating the device certificate process and synchronization.
1. Verify On-Premises AD Attribute: On a domain controller, check the properties of the computer object for the affected device in Active Directory Users and Computers. Ensure the userCertificate attribute is populated and contains the device’s public key certificate.
2. Verify Microsoft Entra ID Object: Check the corresponding device object in Microsoft Entra ID (via PowerShell or the Azure portal if possible, though the userCertificate attribute isn’t directly visible in the portal). Ensure the device object exists and is marked as ‘Hybrid Azure AD joined’ (eventually).
3. Re-initiate Registration and Sync: If the userCertificate attribute is missing or incorrect in AD, or if you suspect sync issues:
* On the client device, open an elevated Command Prompt and run dsregcmd /leave. This removes the existing Microsoft Entra registration.
* Open the local computer certificate store (certlm.msc) and verify that the certificate issued by “MS-Organization-Access” is deleted.
* Restart the client device. This triggers a new device registration attempt.
* After restarting, check the computer object in on-premises AD again to confirm the userCertificate attribute is now populated with a new certificate. If you have multiple domain controllers, allow time for replication.
* Manually trigger a delta synchronization cycle on your Microsoft Entra Connect server using the Synchronization Service Manager or PowerShell (Start-ADSyncSyncCycle -PolicyType Delta).
* Once the delta sync is complete and the device object with the userCertificate is synced to Microsoft Entra ID, the device should be able to complete the hybrid join. You can trigger this by restarting the client again, running dsregcmd /join, or waiting for the scheduled task “Automatic-Device-Join” under “Task Scheduler Library” > “Microsoft” > “Windows” > “Workplace Join” to run (it runs every hour).
Automatic Device Registration Fails (0x80280036)
Symptom: Automatic device registration or hybrid join fails with error code 0x80280036. Event Viewer logs (User Device Registration Admin log) show “The TPM is attempting to execute a command only available when in FIPS mode.”
Cause: Error 0x80280036 (DSREG_E_TPM_FIPS_ERROR) specifically indicates an issue with the device’s Trusted Platform Module (TPM). The error message points to FIPS (Federal Information Processing Standards) mode being enabled on the TPM chip. Microsoft Entra device registration and modern authentication processes are not compatible with TPMs operating in FIPS mode.
Solution: Disable FIPS mode on the device’s TPM. Microsoft generally recommends against enabling FIPS mode for Windows clients due to compatibility and performance issues with modern cryptographic standards. Consult your organization’s security policies before disabling FIPS mode. The method to disable FIPS mode depends on how it was enabled (e.g., Group Policy, local security policy, BIOS/UEFI settings). The recommended approach is to manage cryptographic settings via modern policies that don’t rely on the legacy FIPS compliance mode.
Microsoft Entra Hybrid Join Fails (0x80090016)
Symptom: Microsoft Entra hybrid join fails with error 0x80090016. The error message displayed to the user might be “Something went wrong… error code 0x80090016.”
Cause: Error 0x80090016 (NTE_BAD_KEYSET) signifies that the cryptographic keys required for the device registration process could not be accessed or generated, typically because the device’s TPM keys were inaccessible. This often happens when Windows does not have proper ownership or initialization of the TPM chip on the device. Windows 10 is designed to automatically initialize and take ownership of the TPM, but sometimes this process fails.
Solution: Clearing the TPM and allowing Windows to re-initialize it is often the fix for this issue.
1. Backup Critical Data: Important: Clearing the TPM is a security-sensitive operation. It will erase all keys stored on the TPM, including those used for BitLocker, virtual smart cards, and logon PINs. Ensure you have backups and recovery keys (especially for BitLocker) before proceeding.
2. Disable BitLocker: If BitLocker is enabled on the device, suspend or decrypt the drive before clearing the TPM.
3. Clear TPM:
* Open the Windows Security app.
* Go to Device security.
* Click Security processor details.
* Click Security processor troubleshooting.
* Click Clear TPM.
4. Restart Device: Restart the computer when prompted. You might need to follow on-screen prompts during the boot process (often in the UEFI/BIOS) to confirm the TPM clear action.
5. TPM Re-initialization: After the restart, Windows should detect the cleared TPM and automatically re-initialize and take ownership.
6. Verify Hybrid Join: Once the device has booted back into Windows, allow some time for the hybrid join process to re-attempt. You can check the status by opening an elevated Command Prompt and running dsregcmd /status. A successful hybrid join will show AzureAdJoined : YES and the correct DomainName.
For a deeper understanding of TPM issues and troubleshooting, refer to documentation on initializing and configuring TPM ownership.
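The client-side checks spread across the sections above (dsregcmd /status, the dmwappushservice state, the Automatic-Device-Join task, the TPM, the three event logs, and CoManagementHandler.log) can be collected in one pass. The script below is an added example, not code from the original article; the error-code table is built from the codes and causes cited above, and the channel names are the full Event Viewer log names behind the friendly names used in the text.

```powershell
# Added example (not part of the original article): read-only health check.
# Run in an elevated PowerShell session on the affected Windows 10 device.
$LogPath = Join-Path $env:WinDir 'CCM\Logs\CoManagementHandler.log'

# Error codes from this article, mapped to the cause it gives for each one.
$KnownErrors = @{
    '0x8018002a' = 'CSP_AUTHMGR_DEVICE_AUTH_ERROR: MFA blocking silent device enrollment'
    '0xcaa2000c' = 'interaction_required: MFA needed for user-context enrollment or sync'
    '0x800706d9' = 'Firewall-class error; check dmwappushservice'
    '0x80180023' = 'MDM provisioning failed; dmwappushservice missing or disabled'
    '0x801c03f2' = 'DSREG_E_DEVICE_ADFS_RT_TOKEN_INVALID: userCertificate not synced to Entra ID'
    '0x80280036' = 'DSREG_E_TPM_FIPS_ERROR: TPM in FIPS mode'
    '0x80090016' = 'NTE_BAD_KEYSET: TPM keys inaccessible; clear and re-initialize the TPM'
}

function Get-DsregStatus {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd /status)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.+?)\s*$') { $status[$matches[1]] = $matches[2] }
    }
    return $status
}

$ds = Get-DsregStatus
'--- Device registration state (dsregcmd /status) ---'
foreach ($k in 'AzureAdJoined', 'DomainJoined', 'DomainName', 'TenantName', 'DeviceId') {
    '{0,-14}: {1}' -f $k, $ds[$k]
}
if ($ds['AzureAdJoined'] -ne 'YES') {
    'Not Microsoft Entra joined yet: fix hybrid join before expecting Intune enrollment.'
}

'--- dmwappushservice (Microsoft DM Session Manager) ---'
$svc = Get-Service -Name dmwappushservice -ErrorAction SilentlyContinue
if ($null -eq $svc) { 'MISSING: see the 0x800706D9 / 0x80180023 section.' }
else { 'Status: {0}, StartType: {1} (expected Automatic)' -f $svc.Status, $svc.StartType }

'--- Automatic-Device-Join scheduled task ---'
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' `
    -TaskName 'Automatic-Device-Join' -ErrorAction SilentlyContinue
if ($task) { 'State: {0}' -f $task.State } else { 'Task not found.' }

'--- TPM ---'
$tpm = Get-Tpm -ErrorAction SilentlyContinue
if ($tpm) { 'TpmPresent: {0}, TpmReady: {1}' -f $tpm.TpmPresent, $tpm.TpmReady } else { 'Get-Tpm unavailable.' }

'--- Errors and warnings in the last 24h from the logs the article references ---'
$channels = @(
    'Microsoft-Windows-User Device Registration/Admin',
    'Microsoft-Windows-AAD/Operational',
    'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
)
foreach ($ch in $channels) {
    $events = Get-WinEvent -FilterHashtable @{ LogName = $ch; Level = 2, 3; StartTime = (Get-Date).AddDays(-1) } `
        -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $hint = ''
        foreach ($code in $KnownErrors.Keys) {
            # -match is case-insensitive, so 0x8018002A in a message also hits.
            if ($e.Message -match $code) { $hint = ' => ' + $KnownErrors[$code]; break }
        }
        '{0} [{1}] {2}: {3}{4}' -f $e.TimeCreated, $ch, $e.Id, ($e.Message -split "`n")[0], $hint
    }
}

'--- Tail of CoManagementHandler.log ---'
if (Test-Path $LogPath) { Get-Content -Path $LogPath -Tail 10 }
else { "Not found: $LogPath (is the Configuration Manager client installed?)" }
```

Each section maps to one troubleshooting heading above, so a device that reports AzureAdJoined : NO with a 0x801c03f2 or 0x80280036 hint is still in the hybrid join stage, while a joined device with 0x8018002a or 0x80180023 hints has moved on to the Intune enrollment stage.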
Visualizing the Auto-Enrollment Flow
Understanding the steps involved in co-management auto-enrollment can help pinpoint where issues might be occurring. The process generally flows from the on-premises environment towards the cloud services.
```mermaid
graph TD
    A[On-Premises AD Device] --> B(Microsoft Entra Connect Sync);
    B --> C(Microsoft Entra ID Device Object);
    A --> D(ConfigMgr Client Installed);
    D --> E(ConfigMgr Client Settings for Co-management);
    E --> F{Direct Client to Register?};
    F -- Yes --> G(Device Initiates Azure AD Registration);
    G --> H(Azure AD Hybrid Join Process);
    H -- Success --> I(Device is Hybrid Azure AD Joined);
    I --> J{Intune Auto-Enrollment Configured?};
    J -- Yes --> K(Device Initiates Intune Enrollment);
    K -- Success --> L(Device is Intune Enrolled);
    L --> M(Device is Co-managed);
    F -- No --> N[Troubleshoot ConfigMgr Settings];
    J -- No --> O[Configure Intune Auto-Enrollment];
    H -- Failure --> P[Troubleshoot Hybrid Join];
    K -- Failure --> Q[Troubleshoot Intune Enrollment];
    N --> E;
    O --> J;
    P --> H;
    Q --> K;
    subgraph Cloud Services
        C
        I
        J
        K
        L
        M
    end
    subgraph On-Premises Infrastructure
        A
        D
        E
    end
```
This diagram illustrates that the device must successfully navigate the path from being an on-premises device managed by ConfigMgr, through registration and joining in Microsoft Entra ID, before it can proceed to the final step of auto-enrolling into Intune. Failure at any stage will prevent subsequent steps from succeeding.
More Information
Troubleshooting co-management can involve various layers of the Microsoft 365 and Configuration Manager stack. While this article focuses on the auto-enrollment phase for existing devices, other co-management scenarios and aspects also have dedicated troubleshooting guides. These include bootstrapping new devices with modern provisioning and managing workload transitions between Configuration Manager and Intune. Familiarizing yourself with these areas can provide a broader understanding of potential issues in a co-managed environment.
Understanding how workloads like Compliance Policies, Windows Update for Business, Endpoint Protection, Resource Access policies (Wi-Fi, VPN, certificate profiles), Device configuration policies, and Client apps are managed in a co-managed setup is key once devices are enrolled.
Engage and Share
We hope this guide helps you resolve common issues encountered during the auto-enrollment of existing Configuration Manager-managed devices into Intune for co-management. Troubleshooting these types of issues often involves examining client logs, server configurations, and identity synchronization status.
Did these steps help resolve your enrollment problems? Do you have other specific error codes or scenarios you’ve encountered? Share your experiences and questions in the comments below! Your insights can help others in the community navigating their co-management journey.