Forum Discussion
drivesafely
Jan 20, 2025 - Brass Contributor
Intune bulk enrollment issue with package
Hello,
We are encountering an issue while trying to enroll a device in Microsoft Intune within a Windows 10/11 workgroup environment.
Using Windows Configuration Designer, we created a provisioning package for device enrollment. However, after executing the package on the device, we observe the following error in the Event Viewer under:
Applications and Services Logs>Microsoft>Windows>DeviceManagement-Enterprise-Diagnostics-Provider>Admin:
MDM ConfigurationManager: Command failure status. Configuration Source ID: (fb5b5ed2-b681-475c-bb21-c31762a5953d), Enrollment Name: (Provisioning), Provider Name: (AADJ), Command Type: (SetValue: from Replace), CSP URI: (./Vendor/MSFT/AADJ/BPRT), Result: (Unknown Win32 Error code: 0xcaa2000c).
Additionally, when reviewing the Entra Audit logs, we notice that the device gets registered but is immediately unregistered.
Could someone help us identify the root cause of this issue or suggest steps to resolve it?
Thank you
- Ankido, Iron Contributor
Hi drivesafely,
Possible Solution
The error 0xCAA2000C (interaction_required) clearly indicates that Multi-Factor Authentication (MFA) is required, which is preventing the enrollment process.
Resolution Methods:
1- Change MFA Setting to Enabled (not Enforced): If MFA is set to "Enforced," it will always be required, which blocks the device from enrolling without user interaction.
By changing the MFA setting to "Enabled" but not "Enforced," the device can enroll without immediately requiring MFA.
Follow the documentation for configuration: Microsoft Entra Multi-Factor Authentication.
2- Temporarily Disable MFA During Enrollment: You can temporarily exclude MFA during enrollment by configuring Trusted IPs:
Add your network location (e.g., your organization's IP addresses) to the Trusted IPs list in Microsoft Entra.
Steps:
Go to Azure AD > Security > Conditional Access > Named Locations and add the trusted IP addresses.
Please feel free to reach out if this doesn’t work.
- drivesafely, Brass Contributor
Hello Ankido,
Thanks for your response.
I was able to resolve this by modifying the CA policy for MFA, which was applied to all users. I added a dynamic group to its exclusions, containing a query that matches user accounts that start with 'package_'.
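The fix drivesafely describes, as an added example that is not from the thread: a Microsoft Graph PowerShell SDK script that creates the dynamic group and appends it to the exclusions of the MFA Conditional Access policy. The policy display name, the group name and the choice of userPrincipalName as the matched attribute are assumptions (the post only says "user account").

```powershell
# Added example, not code from the thread. Assumes the Microsoft.Graph SDK is installed
# and the caller can create groups and edit Conditional Access policies.
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess'

# Dynamic membership rule: only accounts whose UPN starts with 'package_', i.e. the
# bulk-enrollment accounts created by Windows Configuration Designer.
# Attribute choice (userPrincipalName) is an assumption.
$rule = '(user.userPrincipalName -startsWith "package_")'

$group = New-MgGroup -DisplayName 'Intune Bulk Enrollment Accounts' `
    -Description 'Excluded from the MFA CA policy so provisioning packages can join devices' `
    -MailEnabled:$false -MailNickname 'intune-bulk-enroll' -SecurityEnabled `
    -GroupTypes @('DynamicMembership') -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Locate the CA policy that requires MFA for all users (display name is a placeholder).
$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'Require MFA for all users'"
if (-not $policy) { throw 'MFA policy not found; check the display name.' }

# Append the group to the existing exclusions instead of replacing them, and send back the
# whole conditions set so application/platform scoping on the policy is preserved.
$policy.Conditions.Users.ExcludeGroups = @($policy.Conditions.Users.ExcludeGroups) + $group.Id
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
    -Conditions $policy.Conditions

# Confirm the exclusion is in place before re-running the provisioning package.
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id).Conditions.Users.ExcludeGroups
```

Keeping the exclusion scoped to a dynamic group with a narrow prefix rule means only the bulk-enrollment accounts bypass MFA, rather than disabling the policy or excluding all users.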
- OllieDug, Copper Contributor
I have not found a resolution but I am getting the same error on my device too. It runs as part of a larger script for me but even running it manually it gives an error with the AAD join.
- Ankido, Iron Contributor
Did you check your enrollment restrictions in Intune?
If you’ve already configured OS version restrictions in Intune, here’s a critical tip to ensure devices aren’t unintentionally blocked:
Use only the major.minor.build format (e.g., 10.0.26100).
Avoid including the revision number (e.g., .2849), as it won’t be evaluated during enrollment.
Here’s why: If you specify a revision number (e.g., 10.0.26100.2894) and a device has a different revision (e.g., 10.0.26100.2780), the device will be blocked—even though it technically meets the requirements.
This small detail can save you hours of troubleshooting and ensure a smoother enrollment experience for your organization!