AUTOENROLLMENT FAILS WITH UNKNOWN ERROR 0x80180001 & 0x8018002a

Recently a customer called to report that Automatic Enrollment for MDM was not working as expected and the clients were getting errors during MDM Autoenrollment. Easy, I thought, let’s have a look…

In the Event Log under Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider, the error Unknown Win32 Error code: 0x80180001 was logged.

Usually you configure MDM Automatic enrollment using a GPO after your devices are Hybrid Joined (to do so, check that post here).

Since Windows 10 1903 this GPO setting has changed: you can now select Device or User Authentication. If you select Device Authentication, a device token is used to enroll the device, but this is not supported for Intune, according to this Docs article.

Another error in the Event Log also indicates that the GPO setting is misconfigured:

MDM Enroll: Server Returned Fault/Code/Subcode/Value=(MessageFormat) Fault/Reason/Text=(Device based token is not supported for enrollment type OnPremiseGroupPolicyCoManaged 

As soon as this GPO policy is applied to a device, a scheduled task is created that triggers the enrollment process every 5 minutes.

You can find this task under \Microsoft\Windows\EnterpriseMgmt. If you check the arguments of this task, you will see that they contain the string:

/c /AutoEnrollMDMUsingAADDeviceCredential

So device authentication is still being used, and this causes our error. Let’s change that to user authentication.

To test the enrollment with user authentication, you can either change the GPO to user authentication (this did not change the scheduled task arguments in my case, even after reboots, gpupdate, etc.) or just manually change the string to:

/c /AutoEnrollMDMUsingAADUserCredential

After that, the devices started to auto enroll into Intune. Be aware that auto enrollment, enrollment restrictions and Azure AD device registration need to be enabled and configured for this to work.

Your users will receive a toast message that some account settings have been changed.

If you use Azure MFA, another error may appear in the event log that is not displayed to the end user:

Auto MDM Enroll: Failed (Unknown Win32 Error code: 0x8018002a)

This will also block the enrollment process. You can avoid it by configuring an exclusion in Conditional Access for the “Microsoft Intune Enrollment” cloud app.
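Before editing the task by hand, it helps to see on a client which credential switch the task actually carries and which of the errors above have been logged. The following script is an added example and not code from the original post: it lists the auto-enrollment task(s) under the EnterpriseMgmt folder, pulls the matching events, and offers a dry-run repair of the argument. The task folder, the two /AutoEnrollMDMUsing* switches and the error strings are those given in the post; the Admin channel name, the function names and the report layout are this script's own assumptions.

```powershell
# Added example, not code from the original post: audit the MDM auto-enrollment scheduled
# task(s) and the enrollment event log on a client, then optionally repair the task argument.
# Assumption: the events land in the provider's /Admin channel.
$TaskFolder   = '\Microsoft\Windows\EnterpriseMgmt\'
$EventChannel = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function Get-MdmAutoEnrollTask {
    # Every task below the EnterpriseMgmt folder whose action carries an AutoEnrollMDM switch.
    Get-ScheduledTask | Where-Object { $_.TaskPath -like "$TaskFolder*" } | ForEach-Object {
        $argString = ($_.Actions | ForEach-Object { $_.Arguments }) -join ' '
        if ($argString -notmatch 'AutoEnrollMDMUsing') { return }
        $cred = 'Unknown'
        if ($argString -match 'AADDeviceCredential')   { $cred = 'Device' }
        elseif ($argString -match 'AADUserCredential') { $cred = 'User' }
        [pscustomobject]@{
            TaskName   = $_.TaskName
            TaskPath   = $_.TaskPath
            Execute    = $_.Actions[0].Execute
            Arguments  = $argString
            Credential = $cred
        }
    }
}

function Get-MdmEnrollError {
    param([int]$MaxEvents = 100)
    # Recent events carrying one of the two error codes or the fault text from the post.
    Get-WinEvent -LogName $EventChannel -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '0x80180001|0x8018002a|Device based token is not supported' } |
        Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

function Repair-MdmAutoEnrollTask {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Task)
    process {
        # Swap the device-credential switch for the user-credential one, as the post does by hand.
        if ($Task.Credential -ne 'Device') { return }
        $newArgs = $Task.Arguments -replace 'AutoEnrollMDMUsingAADDeviceCredential', 'AutoEnrollMDMUsingAADUserCredential'
        if ($PSCmdlet.ShouldProcess("$($Task.TaskPath)$($Task.TaskName)", "set arguments to '$newArgs'")) {
            $action = New-ScheduledTaskAction -Execute $Task.Execute -Argument $newArgs
            Set-ScheduledTask -TaskName $Task.TaskName -TaskPath $Task.TaskPath -Action $action | Out-Null
        }
    }
}

# Report first; nothing is changed unless Repair-MdmAutoEnrollTask runs without -WhatIf.
$tasks = @(Get-MdmAutoEnrollTask)
if ($tasks.Count -eq 0) {
    Write-Warning "No auto-enrollment task found under $TaskFolder - has the GPO been applied yet?"
} else {
    $tasks | Format-Table TaskName, Credential, Arguments -AutoSize
    $tasks | Where-Object Credential -eq 'Device' | ForEach-Object {
        Write-Warning "Task '$($_.TaskName)' still enrolls with the device credential, which Intune does not support."
    }
}
Get-MdmEnrollError | Format-Table -AutoSize

# Dry run of the fix; drop -WhatIf to apply it (needs an elevated session).
$tasks | Repair-MdmAutoEnrollTask -WhatIf
```

Run it elevated on an affected client: the first table tells you immediately whether the task is still on the device credential, and the event list shows whether you are hitting the GPO problem (0x80180001) or the MFA/Conditional Access problem (0x8018002a), which need different fixes.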

Hope this helps!

DISABLE EXTERNAL SHARING FOR A SPECIFIC TEAMS

If you use Microsoft Teams, then external sharing is probably one of the options you love. You can share a whole Team with external co-workers such as customers or partners.

But in some cases you would like to disallow external sharing for a specific Team, for example to protect against accidental sharing of sensitive information located in a specific channel – data under NDA, Management, HR and so on. Of course you would use AIP/Sensitivity labels to protect your data, but here we will block the external sharing option of the Team itself.

The easiest way to achieve this is using PowerShell. First of all you need to install the Microsoft Exchange Online PowerShell Module. To do so, log in to your Exchange Online portal by browsing to https://outlook.office365.com/ecp/, open Hybrid, and click Configure to download the application.

Install the application and launch Microsoft Exchange Online PowerShell Module from your Windows Start Menu. Follow the next few steps to block external sharing in your Team:

STEP 1: CONNECT EXCHANGE ONLINE

# Use the Exchange Online module to set a Group/Team to AllowToAddGuests = $False
Connect-EXOPSSession -UserPrincipalName "<your admin UPN>"

STEP 2: GET TEAMS GUID

Get-UnifiedGroup
# If you have many Teams, filter by the display name of the Team
Get-UnifiedGroup | Where-Object { $_.DisplayName -eq "<name of your Team>" } | Select-Object DisplayName, ExternalDirectoryObjectId

STEP 3: WRITE TO VARIABLE
Write the ExternalDirectoryObjectId property to a variable.

$group = Get-UnifiedGroup -Identity "<GUID of your Team>" | Select-Object -ExpandProperty ExternalDirectoryObjectId

STEP 4: ADD THE AZURE AD TEMPLATE TO VARIABLE
The Get-AzureADDirectorySettingTemplate cmdlet gets a directory setting template from Azure Active Directory (AD). We need the group.unified.guest template for our goal and store the settings in variables as well.

# The *-AzureADDirectorySetting* cmdlets come from the AzureADPreview module; run Connect-AzureAD first
$template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "group.unified.guest" }
$settingsCopy = $template.CreateDirectorySetting()
$settingsCopy["AllowToAddGuests"] = $False

STEP 5: FIRE THE COMMAND
Now we need to fire the command against our Teams.

New-AzureADObjectSetting -TargetType Groups -TargetObjectId $group -DirectorySetting $settingsCopy
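Putting the five steps together, here is an added example (not code from the original post) that disables guest access for one Team end to end. Beyond the New-AzureADObjectSetting call used above, it handles the case where the group already carries a group.unified.guest setting (New-AzureADObjectSetting fails then and Set-AzureADObjectSetting must update it instead) and reads the effective value back. It assumes the Exchange Online module and AzureADPreview are installed and that Connect-EXOPSSession and Connect-AzureAD have already run; the function name, its parameter and the confirmation logic are this example's own.

```powershell
# Added example, not code from the original post: disable guest access for one Team,
# handling a pre-existing group.unified.guest setting and verifying the result.
function Disable-TeamGuestAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string]$TeamDisplayName)

    # Steps 2/3: resolve the Team to its Azure AD group object id via Exchange Online.
    $groups = @(Get-UnifiedGroup | Where-Object { $_.DisplayName -eq $TeamDisplayName })
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group named '$TeamDisplayName', found $($groups.Count)."
    }
    $groupId = $groups[0].ExternalDirectoryObjectId

    # Step 4: look for an existing group.unified.guest setting on this group.
    $existing = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId |
        Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }

    if ($PSCmdlet.ShouldProcess($TeamDisplayName, 'Set AllowToAddGuests = false')) {
        if ($existing) {
            # A setting object already exists: update it in place.
            $existing['AllowToAddGuests'] = $false
            Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId -Id $existing.Id -DirectorySetting $existing
        } else {
            # Step 5: create the setting from the template, as in the post.
            $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }
            $setting = $template.CreateDirectorySetting()
            $setting['AllowToAddGuests'] = $false
            New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId -DirectorySetting $setting | Out-Null
        }
    }

    # Verify: read the effective value back from Azure AD.
    $check = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId |
        Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }
    [pscustomobject]@{
        Team             = $TeamDisplayName
        GroupId          = $groupId
        AllowToAddGuests = if ($check) { $check['AllowToAddGuests'] } else { '<not set>' }
    }
}

# Usage: dry run first, then apply.
Disable-TeamGuestAccess -TeamDisplayName '<name of your Team>' -WhatIf
Disable-TeamGuestAccess -TeamDisplayName '<name of your Team>'
```

The verification step matters because a tenant-wide Group.Unified setting can also govern guest access; reading the per-group value back confirms that the group-level override was written where you expect it.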

RESULT: NO EXTERNAL SHARING POSSIBLE
Within that Team, you won’t be able to add guest accounts anymore (even if they are already registered in your Azure AD) or share with people outside of your organization. In the picture below, I tried to add an external account to the Team:

Maybe this helps. Let me know if you have any suggestions on this!

EDIT GROUP TAG AND COMPUTER NAME IN WINDOWS AUTOPILOT

We have been waiting a while for this change in Windows Autopilot. We can now edit and change the Group Tag and Computer Name fields within the UI or through PowerShell. This is part of the Intune release 1911 (November 2019).

Open the Device management portal: devicemanagement.microsoft.com
Navigate to Devices – Device enrollment – Windows enrollment – Devices and select the device you like to rename. The option blade now allows you to change both entries, Device Name and Group Tag.

This is very useful for making changes on the device or assigning a different Autopilot profile. If you use dynamic groups, the device will automatically be reassigned to the new profile as long as you have a dynamic group that queries the new Group Tag.

Also, a new PowerShell module was published by Michael Niehaus to edit and change those values. Make sure you upgrade to the latest version (at least version 3.9).

Update-Module -Name WindowsAutoPilotIntune -RequiredVersion 3.9

Use Set-AutoPilotDevice to rename the device or change the Group Tag after you have connected to MS Graph using Connect-MSGraph. Here is an example of the command:

Set-AutoPilotDevice -id 8afc147f-8893-441b-a47d-3c0f3652c1a4 -groupTag "PartnerCtrRegistered-AP" -ComputerName MasterWayne

Force a sync of the Autopilot service to see the changes or wait until the service has synced. You’re all set now. Enjoy!
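As an added example (not code from the post or from the WindowsAutoPilotIntune module), the following wraps the steps above into one function that looks the device up by serial number instead of by id, shows the current Group Tag, applies the change and optionally requests a sync. It assumes module 3.9 or later and a prior Connect-MSGraph; the Get-AutopilotDevice -serial / -id lookups, the lowercase property names of the returned objects and Invoke-AutopilotSync are taken from the module as this example understands it, and the function name and its parameters are this example's own.

```powershell
# Added example, not code from the post or the WindowsAutoPilotIntune module: change the
# Group Tag (and optionally the computer name) of an Autopilot device by serial number.
# Assumes WindowsAutoPilotIntune 3.9+ and that Connect-MSGraph has already run.
function Set-AutopilotGroupTagBySerial {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$SerialNumber,
        [Parameter(Mandatory)] [string]$GroupTag,
        [string]$ComputerName,
        [switch]$Sync
    )

    # Resolve the serial to exactly one Autopilot identity.
    $devices = @(Get-AutopilotDevice -serial $SerialNumber)
    if ($devices.Count -ne 1) {
        throw "Expected one Autopilot device with serial '$SerialNumber', found $($devices.Count)."
    }
    $device = $devices[0]
    Write-Verbose "Device $($device.id): current groupTag='$($device.groupTag)' displayName='$($device.displayName)'"

    if ($PSCmdlet.ShouldProcess($SerialNumber, "set groupTag '$GroupTag'")) {
        # Same cmdlet and parameters the post uses, passed via splatting.
        $params = @{ id = $device.id; groupTag = $GroupTag }
        if ($ComputerName) { $params['ComputerName'] = $ComputerName }
        Set-AutoPilotDevice @params

        if ($Sync) {
            # The service rate-limits sync requests; treat a refusal as non-fatal.
            try { Invoke-AutopilotSync } catch { Write-Warning "Sync request rejected: $_" }
        }
    }

    # Read the object back; the new values may only show once the sync has completed.
    Get-AutopilotDevice -id $device.id | Select-Object id, serialNumber, groupTag, displayName
}

# Usage: dry run first, then apply with -Sync.
Set-AutopilotGroupTagBySerial -SerialNumber '<serial>' -GroupTag 'PartnerCtrRegistered-AP' -WhatIf
Set-AutopilotGroupTagBySerial -SerialNumber '<serial>' -GroupTag 'PartnerCtrRegistered-AP' -ComputerName 'MasterWayne' -Sync
```

Run with -Verbose to see the old values before they are overwritten; that record is useful when a dynamic group query stops matching and you need to know which tag the device carried before.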

MY UPCOMING SPEAKING ENGAGEMENT

It is going to be a busy time until the end of November!
I’m very proud to be a part of some great conferences and user groups to present about Modern Workplace stuff like Modern Device Management and Microsoft 365 Governance.

AZURE USER GROUP ZURICH
Already next week you can join me at the Azure User Group in Zurich. There is a full track about Digital Cloud Workplace and how to move from “legacy” management to modern cloud (enabled) management, or better said, to a Modern Workplace, of course using tools from the Microsoft 365 products. If you would like to join, check out the agenda and register now for the MeetUp in Zurich:

Tuesday, October 29, 2019
Digital Cloud Workplace at Azure Zurich User Group

EXPERTS LIVE EUROPE
I am happy to let you know that I will be speaking at Experts Live Europe 2019 in Prague. The conference will be held from November 20-22, 2019. This is huge for me and I’m very happy to be a part of this conference, especially as a speaker this year. If you’re interested in joining, you can find more details about the conference here:

Wednesday – Friday, November 20-22, 2019
Experts Live Europe 2019, Prague
My session – 10:30, Club E!

GEEKMANIA
Also in November, on the 29th, we will be at a community event called Geekmania in Zurich, Switzerland. This event covers two tracks, one for Azure and another one for Microsoft 365. I’m happy to deliver two sessions in the afternoon.
In the first session I will show why and how you can use Microsoft 365, and in the second session we will talk about Modern Device Management. It would be cool to see you there, and if you have any, bring some questions!

Friday, November 29, 2019
geekmania 2019, Zurich, Switzerland

#COMMUNITYPOWER

SPEAKING ENGAGEMENT

INTEGRATE AZURE INFORMATION PROTECTION (AIP) INTO CLOUD APP SECURITY (MCAS)

If you use the Microsoft 365 Security platform and you have the licences to use Microsoft Cloud App Security (MCAS), I recommend integrating Azure Information Protection (AIP) into MCAS.

Azure Information Protection allows you to label and protect your documents, including in an automated way. There are two ways to do that: either you use the AIP labels in Azure, or you migrate your labels to the Office 365 Security & Compliance Center, also called Unified Labels. Before you migrate your labels, be aware of some limitations of Unified Labels. Find a detailed overview in this article here.

First of all, assign a licence to your user to use MCAS (usually E5 or the Microsoft 365 Security Add-In) and then log in to the MCAS portal: portal.cloudappsecurity.com
From there use the gear in the top right to configure or check your organization settings. They should already be filled out, as this information is a tenant-wide setting.

Navigate to Investigate and select Connected apps. On the plus sign add Office 365 as app and Connect the platform to MCAS.

Also make sure you have enabled Office 365 auditing in the Security & Compliance portal. Browse to protection.office.com – Search – Audit log search. If the audit log is not yet enabled, enable it; it should be on by default. You can find more details regarding the audit log here.

Back in MCAS, under settings, select Azure Information Protection. Tick the box Automatically scan new files for AIP labels and content inspection warnings and save it.

MCAS can also inspect protected files using file policies. Grant these permissions to MCAS by activating the option in the settings.

To ignore classification labels set external to your organization, in the Cloud App Security portal, go under Settings and Azure Information Protection. Select Only scan files for Azure Information Protection classification labels and content inspection warnings from this tenant.

Now, from the Files page under Investigate, you can select the file you would like to label. Click the three dots at the right side of the file and choose Apply classification label to apply a label.

Be aware: it takes some time to sync your labels into Cloud App Security, and Cloud App Security can only apply Azure Information Protection to files of up to 50 MB.

In the next post I will show you how to apply labels in an automated way to a SharePoint library.

ENABLE MICROSOFT KAIZALA COMPLIANCE

Kaizala is a simple and secure mobile chat app for work. If you need more information about the product, navigate to the product description https://products.office.com/en/business/microsoft-kaizala.
During May 2019, Microsoft started to rollout the Kaizala admin management portal worldwide. To reach the portal, open your browser and browse to manage.kaiza.la.

If you would like to enable the compliance settings, you need to meet some prerequisites. You can find those prerequisites on the following page:

https://docs.microsoft.com/en-us/Office365/Kaizala/backup-export-org-data#prerequisites

If you check your current licences through PowerShell, you will see that there is no Kaizala licence assigned, even if you use Microsoft 365 licences (SPE_E3):

Connect-AzureAD
$userUPN = "your admin account here"

# All SKUs the tenant has subscribed to (ObjectId has the form "<tenantId>_<SkuId>")
$licensePlanList = Get-AzureADSubscribedSku

# SkuIds of the licences assigned to the user
$userList = Get-AzureADUser -ObjectId $userUPN | Select-Object -ExpandProperty AssignedLicenses | Select-Object SkuId

# Print the SKU part number of every licence assigned to the user
$userList | ForEach-Object {
    $sku = $_.SkuId
    $licensePlanList | ForEach-Object {
        # The last 36 characters of ObjectId are the SkuId GUID
        if ($sku -eq $_.ObjectId.Substring($_.ObjectId.Length - 36, 36)) { Write-Host $_.SkuPartNumber }
    }
}

Output from the script:

This results in the following error message if you try to enable the compliance for Kaizala:
Error : “Please make sure your organization has Kaizala Pro, Microsoft Exchange and Microsoft SharePoint licenses.”

To enable the compliance on the portal, you need a Kaizala Pro licence.
I started a trial on the page https://products.office.com/en/business/microsoft-kaizala and assigned a licence to my admin account:

Shows as Kaizala_Standard licence
Assigned is a Kaizala Pro licence to the admin account

After correcting the licence for the admin account, I was able to configure the compliance settings within the Kaizala portal.
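The script above only lists SKU part numbers, while the error message names three service plans (Kaizala Pro, Exchange, SharePoint). As an added example that is not code from the original post, the following resolves the signed-in admin's assigned SKUs to their enabled service plans and reports which of the three prerequisites is missing. It assumes Connect-AzureAD has already run; the function name, the sample UPN and the plan-name patterns are this example's own assumptions, so verify the patterns against Get-AzureADSubscribedSku in your tenant.

```powershell
# Added example, not code from the original post: check whether a user's assigned licences
# contain the service plans the Kaizala compliance portal requires.
# Assumes Connect-AzureAD has already run.
function Test-KaizalaCompliancePrereq {
    param([Parameter(Mandatory)] [string]$UserPrincipalName)

    # Map each user-assigned SKU to its service plans, skipping plans disabled on the assignment.
    $skus     = Get-AzureADSubscribedSku
    $assigned = Get-AzureADUser -ObjectId $UserPrincipalName | Select-Object -ExpandProperty AssignedLicenses
    $plans = foreach ($lic in $assigned) {
        $sku = $skus | Where-Object { $_.SkuId -eq $lic.SkuId }
        foreach ($plan in $sku.ServicePlans) {
            if ($lic.DisabledPlans -contains $plan.ServicePlanId) { continue }
            [pscustomobject]@{ Sku = $sku.SkuPartNumber; Plan = $plan.ServicePlanName; Status = $plan.ProvisioningStatus }
        }
    }

    # Plan-name patterns are assumptions; adjust them after inspecting $plans in your tenant.
    $required = [ordered]@{
        'Kaizala Pro' = '^KAIZALA'
        'Exchange'    = '^EXCHANGE'
        'SharePoint'  = '^SHAREPOINT'
    }
    foreach ($name in $required.Keys) {
        $match = @($plans | Where-Object { $_.Plan -match $required[$name] })
        [pscustomobject]@{
            Requirement = $name
            Present     = ($match.Count -gt 0)
            Plans       = (($match | ForEach-Object { $_.Plan } | Sort-Object -Unique) -join ', ')
        }
    }
}

# Sample UPN is constructed for the example.
Test-KaizalaCompliancePrereq -UserPrincipalName 'admin@contoso.onmicrosoft.com' | Format-Table -AutoSize
```

A row with Present = False points directly at the licence you still need to assign before the portal's error message goes away.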

Let me know if you have similar experience or facing other issues.

SPEAKING AT EXPERTS LIVE SWITZERLAND 2019

I’m excited to have been chosen as a speaker at Experts Live Switzerland 2019. Experts Live Switzerland 2019 will take place on June 20 in the Workspace Welle 7 in Bern, Switzerland. Experts Live Switzerland is a one-day event with 17 sessions in three parallel tracks focusing on Microsoft Cloud, Datacenter and Modern Workplace topics, with Microsoft MVPs, speakers from Microsoft and other industry experts.

I am happy to speak about Modern Workplace and how you can move from a classic or legacy deployment to a new Modern Device deployment. This will cover some Microsoft 365 features like Windows 10, Autopilot & Intune.

Check out the Experts Live Switzerland website for more detailed information. It would be cool to see you there!