Forum Discussion

drivesafely
Brass Contributor
Jan 20, 2025

Intune bulk enrollment issue with package

Hello,  

We are encountering an issue while trying to enroll a device in Microsoft Intune within a Windows 10/11 workgroup environment.  

Using Windows Configuration Designer, we created a provisioning package for device enrollment. However, after executing the package on the device, we observe the following error in the Event Viewer under:  
Applications and Services Logs>Microsoft>Windows>DeviceManagement-Enterprise-Diagnostics-Provider>Admin:  
MDM ConfigurationManager: Command failure status. Configuration Source ID: (fb5b5ed2-b681-475c-bb21-c31762a5953d), Enrollment Name: (Provisioning), Provider Name: (AADJ), Command Type: (SetValue: from Replace), CSP URI: (./Vendor/MSFT/AADJ/BPRT), Result: (Unknown Win32 Error code: 0xcaa2000c).  
 
Additionally, when reviewing the Entra Audit logs, we notice that the device gets registered but is immediately unregistered.  

Could someone help us identify the root cause of this issue or suggest steps to resolve it?  

Thank you
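Added example, not from the thread: a short triage script that reads the diagnostic channel the post names and extracts the provider, CSP URI and result code from each "Command failure status" event, so the BPRT failure quoted above can be pulled out in one table. It assumes an elevated PowerShell session on the affected Windows 10/11 device; the regular expressions follow the message layout shown in the post.

```powershell
# Added example, not from the thread: collect the MDM command failures quoted in the post
# from the diagnostic channel it names, so the failing CSP URI and result code can be read
# in one table instead of clicking through Event Viewer.
# Assumes an elevated PowerShell session on the affected Windows 10/11 device.

$LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function Get-MdmCommandFailure {
    param([int]$MaxEvents = 200)

    # Level 2 = Error. The provider writes "Command failure status" lines in the format the post quotes.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Level = 2 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Command failure status' } |
        ForEach-Object {
            # Field layout from the post:
            # "... Provider Name: (AADJ), ... CSP URI: (./Vendor/MSFT/AADJ/BPRT), Result: (Unknown Win32 Error code: 0xcaa2000c)."
            $m = $_.Message
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Provider = [regex]::Match($m, 'Provider Name: \(([^)]*)\)').Groups[1].Value
                CspUri   = [regex]::Match($m, 'CSP URI: \(([^)]*)\)').Groups[1].Value
                Result   = [regex]::Match($m, 'Result: \(([^)]*)\)').Groups[1].Value
            }
        }
}

# Only the Entra join / bulk token (BPRT) failures from the post are of interest here.
Get-MdmCommandFailure | Where-Object { $_.CspUri -like '*/AADJ/*' } | Format-Table -AutoSize
```

Drop the final `Where-Object` to see every CSP failure on the device, which helps when the BPRT error is a symptom of an earlier failed command rather than the first failure.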

  • Ankido
    Iron Contributor

    Hi drivesafely,

    Possible Solution
    The error 0xCAA2000C (interaction_required) clearly indicates that Multi-Factor Authentication (MFA) is required, which is preventing the enrollment process.

    Resolution Methods:

    1- Change MFA Setting to Enabled (not Enforced):
    If MFA is set to "Enforced," it will always be required, which blocks the device from enrolling without user interaction.
    By changing the MFA setting to "Enabled" but not "Enforced," the device can enroll without immediately requiring MFA.
    Follow the documentation for configuration: Microsoft Entra Multi-Factor Authentication.

    2- Temporarily Disable MFA During Enrollment:

    You can temporarily exclude MFA during enrollment by configuring Trusted IPs:
    Add your network location (e.g., your organization's IP addresses) to the Trusted IPs list in Microsoft Entra.
    Steps:
    Go to Azure AD > Security > Conditional Access > Named Locations and add the trusted IP addresses.

    Please feel free to reach out if this doesn’t work.

    • drivesafely
      Brass Contributor

      Hello Ankido,

      Thanks for your response.

      I was able to resolve it by modifying the CA policy for MFA, which was applied to all users. I added a dynamic group to its exclusions, containing a query that matches user accounts that start with 'package_'.
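Added example, not drivesafely's own steps or Microsoft's code: the same fix scripted with the Microsoft Graph PowerShell SDK. The dynamic membership rule targets the bulk-enrollment accounts that Windows Configuration Designer creates with a `package_` UPN prefix, and the last step lists what the rule actually resolves to, so the MFA exclusion is confirmed to cover only those accounts. Assumptions: the Microsoft.Graph module is installed, the caller holds the scopes requested below, and the policy display name "Require MFA for all users" is a placeholder for your own.

```powershell
# Added example, not from the thread: drivesafely's fix done with the Microsoft Graph PowerShell SDK.
# Assumptions: the Microsoft.Graph module is installed, the caller holds Group.ReadWrite.All and
# Policy.ReadWrite.ConditionalAccess, and the MFA policy is named "Require MFA for all users"
# (placeholder; substitute your own policy name).

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# 1. Dynamic security group for the bulk-enrollment accounts that Windows Configuration Designer
#    creates when the package token is issued (UPN prefix "package_").
$rule  = '(user.userPrincipalName -startsWith "package_")'
$group = New-MgGroup -DisplayName 'WCD bulk enrollment accounts' -MailNickname 'wcd-bulk-enrollment' `
    -MailEnabled:$false -SecurityEnabled -GroupTypes @('DynamicMembership') `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

# 2. Locate the CA policy that requires MFA for all users; refuse to guess if the name is ambiguous.
$policy = @(Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'Require MFA for all users'")
if ($policy.Count -ne 1) { throw "Expected exactly one matching policy, found $($policy.Count)" }
$policy = $policy[0]

# 3. Treat the 'users' condition as replaced in full by the update: carry the existing
#    include/exclude lists over and append only the new group to excludeGroups.
$u = $policy.Conditions.Users
$body = @{
    conditions = @{
        users = @{
            includeUsers  = @($u.IncludeUsers  | Where-Object { $_ })
            excludeUsers  = @($u.ExcludeUsers  | Where-Object { $_ })
            includeGroups = @($u.IncludeGroups | Where-Object { $_ })
            excludeGroups = @($u.ExcludeGroups | Where-Object { $_ }) + $group.Id
            includeRoles  = @($u.IncludeRoles  | Where-Object { $_ })
            excludeRoles  = @($u.ExcludeRoles  | Where-Object { $_ })
        }
    }
}
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $body

# 4. Check what the exclusion actually covers: list the members the rule resolves to (membership
#    processing takes a few minutes after creation), so nothing beyond the package_ accounts
#    ends up outside the MFA requirement.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
```

Step 4 is the part worth keeping as a recurring check: a `-startsWith` rule matches any account with that prefix, so re-running the member listing after new accounts are created shows whether the exclusion is still as narrow as intended.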

  • OllieDug
    Copper Contributor

    I have not found a resolution but I am getting the same error on my device too. It runs as part of a larger script for me but even running it manually it gives an error with the AAD join.

    • Ankido
      Iron Contributor

      Did you check your enrollment restrictions in Intune?

      If you’ve already configured OS version restrictions in Intune, here’s a critical tip to ensure devices aren’t unintentionally blocked:

      Use only the major.minor.build format (e.g., 10.0.26100).
      Avoid including the revision number (e.g., .2849), as it won’t be evaluated during enrollment.
      Here’s why:

      If you specify a revision number (e.g., 10.0.26100.2894) and a device has a different revision (e.g., 10.0.26100.2780), the device will be blocked—even though it technically meets the requirements.

      This small detail can save you hours of troubleshooting and ensure a smoother enrollment experience for your organization!
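Added example, not Ankido's or Intune's code: a model of the comparison described above using PowerShell's built-in `[version]` type, which compares component by component and treats a missing revision as -1. It shows why a minimum version typed with a revision blocks a device on a different revision of the same build, and adds a small audit over a constructed list of configured minimums to flag rules that carry a revision. The checker is a simplification assumed here, not Intune's own evaluation logic.

```powershell
# Added example, not from the thread: a model of the comparison described above using PowerShell's
# built-in [version] type. The checker is a simplification assumed here, not Intune's own code.

function Test-OsVersionAllowed {
    param(
        [Parameter(Mandatory)][string]$DeviceVersion,
        [Parameter(Mandatory)][string]$MinimumVersion
    )
    # [version] compares component by component; a missing revision counts as -1,
    # so 10.0.26100.2780 sorts above 10.0.26100 but below 10.0.26100.2894.
    return ([version]$DeviceVersion -ge [version]$MinimumVersion)
}

function ConvertTo-MajorMinorBuild {
    # Reduce a version string to the major.minor.build form the post recommends.
    param([Parameter(Mandatory)][string]$Version)
    $v = [version]$Version
    return ('{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build)
}

# Constructed sample values matching the post: restriction typed with a revision, device on an older one.
$restriction = '10.0.26100.2894'
$device      = '10.0.26100.2780'

# Full-tuple comparison: the device's revision is below the configured one.
Test-OsVersionAllowed -DeviceVersion $device -MinimumVersion $restriction

# Same device against the rule reduced to major.minor.build.
Test-OsVersionAllowed -DeviceVersion $device -MinimumVersion (ConvertTo-MajorMinorBuild $restriction)

# Audit a constructed list of configured minimum versions for ones that carry a revision component.
$configuredMinimums = @('10.0.19045', '10.0.22631.3000', '10.0.26100.2894')
$configuredMinimums |
    Where-Object { ([version]$_).Revision -ge 0 } |
    ForEach-Object { "Rule '$_' includes a revision; use '$(ConvertTo-MajorMinorBuild $_)' instead" }
```

The first check returns `$false` (build 26100 is blocked because 2780 is below 2894) and the second returns `$true`; the audit flags the two entries that include a revision and prints the three-component form to use instead.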
