AUTOENROLLMENT FAILS WITH UNKNOWN ERROR 0x80180001 & 0x8018002a

Recently a customer called because Automatic Enrollment for MDM was not working as expected and the clients were getting errors during MDM autoenrollment. Easy, I thought, let’s have a look…

In the event log under Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider, the error “Unknown Win32 Error code: 0x80180001” was logged.

Usually you configure MDM automatic enrollment using a GPO after your devices are Hybrid Azure AD joined (to do so, check that post here).

Since Windows 10 1903 this GPO policy has changed: you can now select Device or User Authentication. If you select Device Authentication, a device token is used to enroll the device, but according to this Docs article this is not supported for Intune.

Another error in the event log indicates that the GPO setting is misconfigured:

MDM Enroll: Server Returned Fault/Code/Subcode/Value=(MessageFormat) Fault/Reason/Text=(Device based token is not supported for enrollment type OnPremiseGroupPolicyCoManaged 

As soon as this GPO policy is applied to a device, a scheduled task is created that triggers the enrollment process every 5 minutes.

You can find this task under \Microsoft\Windows\EnterpriseMgmt. If you check the arguments of this task, you will probably notice that they contain the string:

/c /AutoEnrollMDMUsingAADDeviceCredential

So device authentication is still being used, which causes our error. Let’s change that to user authentication.

To test enrollment with user authentication, you can either change the GPO to user authentication (in my case this did not change the scheduled task arguments, even after reboots, gpupdate, etc.) or manually change the string to:

/c /AutoEnrollMDMUsingAADUserCredential

After that, the devices started to auto-enroll into Intune. Be aware that auto enrollment, enrollment restrictions and Azure AD device registration need to be enabled and configured for this to work.

Your users will receive a toast message that some account settings have been changed.

If you use Azure MFA, another error may appear in the event log that is not displayed to the end user:

Auto MDM Enroll: Failed (Unknown Win32 Error code: 0x8018002a)

This also blocks the enrollment process. You can avoid it by configuring an exclusion in Conditional Access for the “Microsoft Intune Enrollment” cloud app.
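To check a client for the two symptoms described in this post, here is an added PowerShell example (not part of the original post). It assumes the task folder and event provider named above, uses the provider's Admin channel, and only rewrites the task action when $applyFix is set to $true; run it in an elevated prompt.

```powershell
# Added example: inspect the EnterpriseMgmt enrollment task and the
# DeviceManagement event log for the errors discussed in the post.
$taskFolder   = '\Microsoft\Windows\EnterpriseMgmt\'
$logName      = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'  # assumed Admin channel
$deviceSwitch = '/AutoEnrollMDMUsingAADDeviceCredential'
$userSwitch   = '/AutoEnrollMDMUsingAADUserCredential'
$applyFix     = $false   # set to $true to rewrite the task arguments to user credential

# 1. Which credential does the scheduled enrollment task use?
$tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -like "$taskFolder*" }
foreach ($task in $tasks) {
    foreach ($action in $task.Actions) {
        if ($action.Arguments -match [regex]::Escape($deviceSwitch)) {
            Write-Warning ("{0}{1} uses device credential: {2}" -f $task.TaskPath, $task.TaskName, $action.Arguments)
            if ($applyFix) {
                # Same executable, same arguments, only the credential switch replaced
                $newArgs   = $action.Arguments -replace [regex]::Escape($deviceSwitch), $userSwitch
                $newAction = New-ScheduledTaskAction -Execute $action.Execute -Argument $newArgs
                Set-ScheduledTask -TaskPath $task.TaskPath -TaskName $task.TaskName -Action $newAction | Out-Null
                Write-Host ("{0}{1} rewritten to user credential" -f $task.TaskPath, $task.TaskName)
            }
        } elseif ($action.Arguments -match [regex]::Escape($userSwitch)) {
            Write-Host ("{0}{1} uses user credential" -f $task.TaskPath, $task.TaskName)
        }
    }
}

# 2. Look for the error codes from the post in the most recent admin events
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Level = 2 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0x80180001|0x8018002a|Device based token is not supported' }

foreach ($e in $events) {
    $hint = switch -Regex ($e.Message) {
        '0x80180001|Device based token' { 'task/GPO uses device authentication; switch to user authentication' }
        '0x8018002a'                    { 'MFA/Conditional Access blocked enrollment; exclude the Microsoft Intune Enrollment app' }
    }
    '{0:u}  EventId {1}  {2}' -f $e.TimeCreated, $e.Id, $hint
}
```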

Hope this helps!

DISABLE EXTERNAL SHARING FOR A SPECIFIC TEAMS

If you use Microsoft Teams, external sharing is probably one of the options you love. You can share a whole Team with external co-workers such as customers or partners.

But in some cases you want to disallow external sharing for a specific Team, for example to prevent accidental sharing of sensitive information located in a specific channel: data under NDA, management, HR and so on. Of course you would also use AIP/sensitivity labels to protect your data, but here we will block the Team’s external sharing option.

The easiest way to achieve this is PowerShell. First you need to install the Microsoft Exchange Online PowerShell Module. To do so, log in to your Exchange Online portal at https://outlook.office365.com/ecp/, open Hybrid and click Configure to download the application.

Install the application and launch the Microsoft Exchange Online PowerShell Module from your Windows Start Menu. Follow the next few steps to block external sharing in your Team:

STEP 1: CONNECT EXCHANGE ONLINE

# Use the Exchange Online module to set a Group/Team's 'AllowToAddGuests' to $False
Connect-EXOPSSession -UserPrincipalName "<your admin UPN>"

STEP 2: GET TEAMS GUID

# List all Microsoft 365 Groups/Teams with their display name and GUID
Get-UnifiedGroup | Select-Object DisplayName, ExternalDirectoryObjectId
# If you have many Teams, select the Team by name
Get-UnifiedGroup -Identity "<name of your Teams>" | Select-Object DisplayName, ExternalDirectoryObjectId

STEP 3: WRITE TO VARIABLE
Write the ExternalDirectoryObjectId property to a variable.

# Store only the Azure AD object id (GUID) of the Team
$group = Get-UnifiedGroup -Identity "<GUID of your Teams>" | Select-Object -ExpandProperty ExternalDirectoryObjectId

STEP 4: ADD THE AZURE AD TEMPLATE TO VARIABLE
The Get-AzureADDirectorySettingTemplate cmdlet gets a directory setting template from Azure Active Directory (AD). We need the group.unified.guest template for our goal, and we also store the settings in variables.

# Requires the AzureAD module and an active session
Connect-AzureAD
$template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "group.unified.guest" }
# Create a settings object from the template and disable guest additions
$settingsCopy = $template.CreateDirectorySetting()
$settingsCopy["AllowToAddGuests"] = $False

STEP 5: FIRE THE COMMAND
Now we run the command against our Team.

New-AzureADObjectSetting -TargetType Groups -TargetObjectId $group -DirectorySetting $settingsCopy
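The five steps above as one script, added here as an example that is not part of the original post. It also covers a Team that already has a Group.Unified.Guest setting (New-AzureADObjectSetting fails in that case, so the existing setting is updated instead) and reads the effective value back; it assumes an active Exchange Online and AzureAD session and a placeholder Team name.

```powershell
# Added example: block guest additions for one Team and verify the result.
$teamName = "<name of your Teams>"   # placeholder

# Steps 2/3: resolve the Team to its Azure AD object id
$group = Get-UnifiedGroup -Identity $teamName
if (-not $group) { throw "Team '$teamName' not found" }
$groupId = $group.ExternalDirectoryObjectId

# Step 5 (create or update): does the group already carry a Group.Unified.Guest setting?
$existing = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId |
    Where-Object { $_.DisplayName -eq "Group.Unified.Guest" }

if ($existing) {
    # Update in place; New-AzureADObjectSetting would fail here
    $existing["AllowToAddGuests"] = $false
    Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId -Id $existing.Id -DirectorySetting $existing
} else {
    # Step 4: build the setting from the template, then create it
    $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified.Guest" }
    $desired  = $template.CreateDirectorySetting()
    $desired["AllowToAddGuests"] = $false
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId -DirectorySetting $desired | Out-Null
}

# Verify: read the group-level value back instead of trusting the write
$check = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupId |
    Where-Object { $_.DisplayName -eq "Group.Unified.Guest" }
$value = ($check.Values | Where-Object { $_.Name -eq "AllowToAddGuests" }).Value
"{0}: AllowToAddGuests = {1}" -f $group.DisplayName, $value
```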

RESULT: NO EXTERNAL SHARING POSSIBLE
In that specific Team, you will no longer be able to add guest accounts (even if they already exist as guests in your Azure AD) or share with people outside your organization. In the picture below, I tried to add an external account to the Team:

Maybe this helps. Let me know if you have any suggestions on this!

ENABLE MICROSOFT KAIZALA COMPLIANCE

Kaizala is a simple and secure mobile chat app for work. If you need more information about the product, see the product description at https://products.office.com/en/business/microsoft-kaizala.
In May 2019, Microsoft started rolling out the Kaizala admin management portal worldwide. To reach the portal, open your browser and go to manage.kaiza.la.

If you would like to enable the compliance settings, you need to meet some prerequisites, which you can find on the following page:

https://docs.microsoft.com/en-us/Office365/Kaizala/backup-export-org-data#prerequisites

If you check your current licences through PowerShell, you will see that there is no Kaizala licence assigned, even if you use Microsoft 365 licences (SPE_E3):

Connect-AzureAD
$userUPN = "your admin account here"

# All SKUs the tenant has subscribed to
$licensePlanList = Get-AzureADSubscribedSku

# SKU ids of the licences assigned to the user
$userList = Get-AzureADUser -ObjectId $userUPN | Select-Object -ExpandProperty AssignedLicenses | Select-Object SkuId

# Print the part number of every assigned SKU. The ObjectId of a subscribed SKU is "<tenantId>_<skuId>",
# so its last 36 characters are the SkuId.
$userList | ForEach-Object { $sku = $_.SkuId; $licensePlanList | ForEach-Object { if ($sku -eq $_.ObjectId.Substring($_.ObjectId.Length - 36, 36)) { Write-Host $_.SkuPartNumber } } }

Output from the script:

This results in the following error message if you try to enable compliance for Kaizala:
Error : “Please make sure your organization has Kaizala Pro, Microsoft Exchange and Microsoft SharePoint licenses.”
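The three licence prerequisites named in that error, checked for one user by walking the service plans of each assigned SKU. This is an added example, not part of the original post; it assumes Connect-AzureAD has already run, and the service-plan name patterns are assumptions that you should compare against what Get-AzureADSubscribedSku shows in your tenant.

```powershell
# Added example: check the Kaizala Pro / Exchange / SharePoint prerequisites for a user.
$userUPN = "your admin account here"   # placeholder

# Assumed service-plan name patterns; Kaizala Standard also starts with KAIZALA,
# so review the reported plan name to confirm it is the Pro plan.
$required = [ordered]@{
    'Kaizala Pro' = '^KAIZALA'
    'Exchange'    = '^EXCHANGE_S_'
    'SharePoint'  = '^SHAREPOINT'
}

# SkuId -> subscribed SKU object for every SKU in the tenant
$skuById = @{}
Get-AzureADSubscribedSku | ForEach-Object { $skuById[$_.SkuId] = $_ }

# Service plans of the user's assigned SKUs, skipping plans disabled in that assignment
$plans = Get-AzureADUser -ObjectId $userUPN |
    Select-Object -ExpandProperty AssignedLicenses |
    ForEach-Object {
        $sku      = $skuById[$_.SkuId]
        $disabled = $_.DisabledPlans
        if ($sku) {
            $sku.ServicePlans |
                Where-Object { $disabled -notcontains $_.ServicePlanId } |
                Select-Object @{ n = 'Sku'; e = { $sku.SkuPartNumber } }, ServicePlanName, ProvisioningStatus
        }
    }

foreach ($req in $required.GetEnumerator()) {
    $hits = $plans | Where-Object { $_.ServicePlanName -match $req.Value }
    if ($hits) {
        $via = ($hits | ForEach-Object { "$($_.Sku)/$($_.ServicePlanName) ($($_.ProvisioningStatus))" }) -join ', '
        "{0,-12} OK      via {1}" -f $req.Key, $via
    } else {
        "{0,-12} MISSING" -f $req.Key
    }
}
```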

To enable compliance in the portal, you need a Kaizala Pro licence.
I started a trial on the page https://products.office.com/en/business/microsoft-kaizala and assigned a licence to my admin account:

Shows as Kaizala_Standard licence
A Kaizala Pro licence is assigned to the admin account

After assigning the correct licence to the admin account, I was able to configure the compliance settings within the Kaizala portal.

Let me know if you have had a similar experience or are facing other issues.

SPEAKING AT EXPERTS LIVE SWITZERLAND 2019

I’m excited to be chosen as a speaker at Experts Live Switzerland 2019. Experts Live Switzerland 2019 will take place on June 20 in the Workspace Welle 7 in Bern, Switzerland. Experts Live Switzerland is a one-day event with 17 sessions in three parallel tracks focusing on Microsoft Cloud, Datacenter and Modern Workplace topics, with Microsoft MVPs, speakers from Microsoft and other industry experts.

I am happy to speak about Modern Workplace and how you can move from a classic or legacy deployment to a new modern device deployment. This will cover some Microsoft 365 features like Windows 10, Autopilot and Intune.

Check out Experts Live Switzerland for more detailed information. It would be cool to see you there!