AUTOENROLLMENT FAILS WITH UNKNOWN ERROR 0x80180001 & 0x8018002a

Recently a customer called, that the Automatic Enrollment for MDM is not working as excepted and the clients are getting some errors during MDM Autoenrollment. Easy I thought, let’s have a look…

Within the Eventlog under Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider the error Unknown Win32 Error code: 0x80180001 was triggerd.

Usually you configure MDM Automatic enrollment using a GPO after your devices are Hybrid Joined (to do so, check that post here).

Since Windows 10 1903 this GPO policy got a change. You can now select Device or User Authentication. If you select Device Authentication, a device token will be used to enroll the device, but this is not supported for Intune, based on this Docs article.

Also, another error caused in the Eventlog which indicates, that the GPO setting must be misconfigured:

MDM Enroll: Server Returned Fault/Code/Subcode/Value=(MessageFormat) Fault/Reason/Text=(Device based token is not supported for enrollment type OnPremiseGroupPolicyCoManaged 

As soon this GPO policy is applied to a device, a scheduled task is created and triggers the enrollment process every 5 minutes.

You can find this task under \Microsoft\Windows\EnterpriseMgmt. If you check the arguments for this specific task, you probably realize that the argument uses the string:

/c /AutoEnrollMDMUsingAADDeviceCredential

So, still device authentication is used. This causes our error. Let’s change that to User authentication.

To test the enrollment with user auth, you can ether changing the GPO to user authentication (this did not change the scheduled task arguments in my case, even after reboots, gpupdate, etc.) or just manually changing the string to:

/c /AutoEnrollMDMUsingAADUserCredential

After that, the devices started to auto enroll into Intune. Be aware, that auto enrollment, enrollment restriction and Azure AD device registration needs to be enabled and configured for that.

Your users will receive a toast message that some account settings has been changed.

If you use Azure MFA maybe another error will popup in the event log but not displayed to the enduser:

Auto MDM Enroll: Failed (Unknown Win32 Error code: 0x8018002a)

This will also block the enrollment process. You can avoid that, by configuring an exclusion in Conditional Access for the “Microsoft Intune Enrollment” cloud app.

Hope this helps!

MY UPCOMING SPEAKING ENGAGEMENT

It is going to be a busy time until the end of November!
I’m very proud to be a part of some great conferences and user groups to present about Modern Workplace stuff like Modern Device Management and Microsoft 365 Governance.

AZURE USER GROUP ZURICH
Already next week you can join me at the Azure User Group in Zurich. There is a full track about Digital Cloud Workplace and how to move from a “legacy” management to a modern cloud (enabled) management or better I say, to a Modern Workplace! Of course, using tools from the Microsoft 365 products. If you like to join check out the agenda and register now for the MeetUp in Zurich:

Tuesday, October 29, 2019
Digital Cloud Workplace at Azure Zurich User Group

EXPERTS LIVE EUROPE
I am happy to let you know that I will be speaking at Experts Live Europe 2019 in Prague. The conference will be held in from November 20-22 2019. This is huge for me and I’m very happy to be a part of this conference, specially as a speaker in this year. If you’re interested to join, you can find more details about the conference here:

Wednesday – Friday, November 20-22, 2019
Experts Live Europe 2019, Prague
My session – 10:30, Club E!

GEEKMANIA
Also in November, at the 29th, we will be at a community event called Geekmania in Zurich, Switzerland. This event covers two tracks, one for Azure and another one for Microsoft 365. I’m happy to provide two sessions in the afternoon.
In the first session I will show, why and how you can use Microsoft 365 and in the second session we will talk about Modern Device Management. Would be cool to see you there and if you have, bring some questions!

Friday, November 29, 2019
geekmania 2019, Zurich, Switzerland

#COMMUNITYPOWER

SPEAKING ENGEMENT

INTEGRATE AZURE INFORMATION PROTECTION (AIP) INTO CLOUD APP SECURITY (MCAS)

If you use the Microsoft 365 Security platform and you have the licences to use Microsoft Cloud App Security (MCAS), I recommend to implement Azure Information Protection (AIP) into MCAS.

Azure Information Protection allows you to label and protect your documents also in an automated way. There are two ways to do that. First: You can use the AIP labels in Azure or second, you migrate your labels to the Office 365 Security & Compliance Center also called Unified Labels. Before you migrate your labels, be aware of some limitations of Unified Labels. Find a detailed overview in this article here.

First of all, assign a licence to your user to use MCAS (usually E5 or the Microsoft 365 Security Add-In) and then login to the MCAS portal. portal.cloudappsecurity.com
From there use the gear in the top right to configure or check your organization settings. They should already be filled out, as this information’s are tenant wide settings.

Navigate to Investigate and select Connected apps. On the plus sign add Office 365 as app and Connect the platform to MCAS.

Also make sure you have enabled Office 365 Auditing in the Security & Compliance portal. Browse to protection.office.com – Search – Audit Log search. If audit log is not yet enabled, enable it. It should be on by default. You can find more details regarding audit log here

Back in MCAS, under settings, select Azure Information Protection. Tick the box Automatically scan new files for AIP labels and content inspection warnings and save it.

MCAS can also inspect protected files using file policies. Grant these permissions to MCAS by activating the option in the settings.

To ignore classification labels set external to your organization, in the Cloud App Security portal, go under Settings and Azure Information Protection. Select Only scan files for Azure Information Protection classification labels and content inspection warnings from this tenant.

Now from Files page and under Investigate you can select the file you like to label. Click the three dots at the right side of the file and choose Apply classification label to apply a label.

Be aware: It takes some time to sync your labels into Cloud App Security and Cloud App Security can apply Azure Information Protection on files that are up to 50 MB.

In the next post I will show you how to apply labels in an automated way to a SharePoint library.

ENABLE MICROSOFT KAIZALA COMPLIANCE

Kaizala is a simple and secure mobile chat app for work. If you need more information about the product, navigate to the product description https://products.office.com/en/business/microsoft-kaizala.
During May 2019, Microsoft started to rollout the Kaizala admin management portal worldwide. To reach the portal, open your browser and browse to manage.kaiza.la.

If you would like to enable the complaint settings, you need to meet some pre-requisites. Those pre-requisites you can find on flowing page:

https://docs.microsoft.com/en-us/Office365/Kaizala/backup-export-org-data#prerequisites

If you check your current licences trough PowerShell, you will see that there is no Kaizala Licence assigned, even if you use Microsoft 365 licences (SPE_E3):

Connect-AzureAD
$userUPN="your admin account here"

$licensePlanList = Get-AzureADSubscribedSku

$userList = Get-AzureADUser -ObjectID $userUPN | Select -ExpandProperty AssignedLicenses | Select SkuID 

$userList | ForEach { $sku=$_.SkuId ; $licensePlanList | ForEach { If ( $sku -eq $_.ObjectId.substring($_.ObjectId.length - 36, 36) ) { Write-Host $_.SkuPartNumber } } }

Output from the script:

This results in the following error message if you try to enable the compliance for Kaizala:
Error : “Please make sure your organization has Kaizala Pro, Microsoft Exchange and Microsoft SharePoint licenses.”

To enable the compliance on the portal, you need a Kaizala Pro licence.
I started a trial on the page https://products.office.com/en/business/microsoft-kaizala and assigend a licence to my admin account:

Shows as Kaizala_Standrad licence
Assigend is a Kaizala Pro licence to the admin account

However, after correcting the licence for the admin account, I was able to configure the compliance settings within the Kaizala portal.

Let me know if you have similar experience or facing other issues.

SPEAKING AT EXPERTS LIVE SWITZERLAND 2019

I’m excited to be chosen as a speaker at Experts Live Switzerland 2019. Experts Live Switzerland 2019 will take place on June 20 in the Workspace Welle 7 in Bern Switzerland. Experts Live Switzerland is a one-day event with 17 sessions in three parallel tracks focusing on Microsoft Cloud, Datacenter and Modern Workplace opics, with Microsoft MVPs, speakers from Microsoft and other industry experts.

I am happy to speak about Modern Workplace and how you can move from a classic or legacy deployment to a new Modern Device deployment. This will cover some Microsoft 365 features like Windows 10, Autopilot & Intune.

Check out the Experts Live Switzerland for more detailed information’s. Would be cool to see you there!

Speaking at Microsoft Tech Summit & Experts Live in Switzerland

The Microsoft community year 2019 starts very soon, also in Switzerland. In the USA the Experts Live US in Austin and the Midwest Management Summit (MMS) are just around the corner.
In the most beautiful capital of the world, Bern, interesting Microsoft community events will take place this year. I am proud to be a part of it.

Microsoft Tech Summit 2019
The Microsoft Tech Summit will take place on April 3 & 4.
The first keynote will be held by Scott Hanselmann, Partner Program Manager & Web Developer at Microsoft: The Microsoft Open Source Cinematic Universe. Also on this day, further information about the Microsoft Datacenters in Switzerland will be presented. I’m looking forward to my session on April 4th where I’ll be happy to share some tips and tricks about Microsoft 365, Autopilot and Intune! Hope to see you there!
Microsoft Tech Summit 2019

Experts Live Switzerland
A bit later this year, in June, exactly at 20th, the Experts Live Switzerland will takes place. Organized by districtUP located in Bern. The event will again take place at Welle 7 directly at the train station. I will speaking about Modern Workplace Management. The one day event and the sessions are held in German. Details will follow soon on my blog or directly under on the Experts Live webpage: www.expertslive.ch

This will be a great start into the community year 2019! So, see YOU there!

Hyper-V error during RDS VDI collection creation

For a RDS VDI test environment we decided to use an internal switch on the Hyper-V server. This is not working.

As a consequence, in Hyper-V the external network was not up. This resulted in the following error during the creation of a VDI collection:

D90C3088

 

Server computer.domain.com either does not have a virtual switch configured or none of the configured virtual switches have an IP address assigned

This is unlikely to be a concern in any type of real life environment because those will have the external NIC connected at all times. However, it may occur when you are in a test environment and are trying to isolate from the production environment.

Conclusion: You have to configure an external switch which is connected to a physical LAN cable. DHCP is enough but of course you can also set a static IP on the NIC.