Intune Automatic Enrollment Failing

We are encountering the following error when running the Join AzureAD deployment on computers for clients with Intune automatic enrollment enabled.

Write-Error: 
Line |
  64 |          Write-Error "Error occurred: $_"
     |          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Error occurred: Forbidden:Make sure you have the ImmyBot Azure integration setup to use a Custom App Registration with API Permissions for /deviceManagement/managedDevices
PROGRESS: Starting Intune enrollment process after Azure AD Join... - Intune Enrollment
WARNING: Initial MDM enrollment failed. Checking event logs for Impersonation or Device Credential Failure
WARNING: No Impersonation or Device Credential Failure detected in event logs. Returning the last 15 events...
TimeCreated : 11/7/2024 3:22:16 PM
Id          : 81
Message     : Auto MDM Enroll Impersonation Failure (Unknown Win32 Error code: 0x82aa0008)

TimeCreated : 11/7/2024 3:22:16 PM
Id          : 76
Message     : Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x82aa0008)
WARNING: Intune enrollment process failed (ExitCode:     -2102788088).

According to the error, we may need to use a custom app registration. We are currently using default Azure permissions. Is ImmyBot not able to enroll devices in Intune using default permissions, or is there something else I am missing?

It was confirmed in the v-immybot channel of the MSP Geek Discord that custom permissions are required.

We are still encountering failures after changing to custom permissions and setting up a custom app registration. After updating, we did make sure to re-do partner consent, customer consent, and consent in the AAD deployment. Provisioning packages and Intune enrollment are already excluded from MFA.

Logs from the enforcement stage are below. I tried looking into some of the errors like “Device based token is not supported for enrollment type UserCorporateWithAADNotInOobe”, but this seems to be a red herring as there is nothing configured to force user-driven or exclude device-driven enrollment after OOBE.

PROGRESS: Processing - Retrieving destination TenantId from OAuthInfo
PROGRESS: Processing - Found 2 Jwt Section(s)
PROGRESS: Processing - Getting AzureAD Join Status...
PROGRESS: Processing - CurrentTenantID:     <redacted>
PROGRESS: Processing - DestinationTenantID: <redacted>
PROGRESS: Processing - Machine is joined to <redacted>
PROGRESS: Processing - RequireIntuneEnrollment is set. Checking Intune enrollment and DEM account permissions.
VERBOSE: Requested HTTP/1.1 GET with 0-byte payload
VERBOSE: Received HTTP/1.1 response of content type application/json of unknown size
VERBOSE: Content encoding: utf-8
VERBOSE: User '<redacted>' has a license suitable for Intune enrollment.
VERBOSE: Not sending count to the deviceManagement API
VERBOSE: Requested HTTP/1.1 GET with 0-byte payload
VERBOSE: Received HTTP/1.1 response of content type application/json of unknown size
VERBOSE: Content encoding: utf-8
Write-Error: 
Line |
  64 |          Write-Error "Error occurred: $_"
     |          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Error occurred: Forbidden:Make sure you have the ImmyBot Azure integration setup to use a Custom App Registration with API Permissions for /deviceManagement/managedDevices
VERBOSE: The DEM account has permissions to enroll the device.
VERBOSE: Checking OS from Machine
PROGRESS: Processing - Proceeding to unjoin the device from Azure.
DsrCLI: logging initialized.
DsrCmdJoinHelper::Leave: ClientRequestId: <redacted>Unjoin request ID: <redacted>
Unjoin response time: Wed, 13 Nov 2024 22:26:12 GMT
Unjoin HTTP status: 200
DSREGCMD_END_STATUS
             AzureAdJoined : NO
          EnterpriseJoined : NO
2024-11-13T22:26:14: Restarting Computer
VERBOSE: Verifying post restart connectivity
PROGRESS: Processing - Not setting Wireless Profile to automatic as machine is not connected via wireless
VERBOSE: Getting last boot time
VERBOSE: EventViewer           NetworkAdapter        LastBootTime          Average              
-----------           --------------        ------------          -------              
11/13/2024 1:39:38 PM 11/13/2024 1:39:37 PM 11/13/2024 1:39:37 PM 11/13/2024 1:39:37 PM
VERBOSE: LastBootTime: 11/13/2024 21:39:37
VERBOSE: Importing Bitlocker Module
VERBOSE: Successfully suspended Bitlocker
VERBOSE: Executing Reboot
PROGRESS: Processing - Stopping the ImmyAgent Service
PROGRESS: Processing - ImmyAgent Service Stopped
PROGRESS: Processing - Running shutdown /t 0 /g /f
PROGRESS: Processing - Shutdown Initiated successfully
PROGRESS: Processing - 2024-11-13T22:26:25 Total time allowed to wait for a reboot is 30 minutes
PROGRESS: Processing - 2024-11-13T22:26:25 Waiting for agent to come online for 120 seconds. Will begin internal polling after 60 seconds
PROGRESS: {2024-11-13T22:26:56.9393592Z} Agent Event: [ImmyBot Agent] => Connected - Wait-ImmyComputer
PROGRESS: Processing - 2024-11-13T22:26:56 Waited 31.6193988 seconds for an agent connection event...
PROGRESS: Processing - 2024-11-13T22:26:56 Attempting to get boot time
WARNING: Key 'EphemeralAcquisition-2111' is waiting to be acquired by [AcquireEphemeralAgentAsync] (<redacted>).
WARNING: Key 'EphemeralAcquisition-2111' is now held by [AcquireEphemeralAgentAsync] (<redacted>).
VERBOSE: Acquired global lock for Ephemeral session.
VERBOSE: The existing ephemeral session is no longer connected.  Will generate a new ephemeral agent.
VERBOSE: Determining online agents to run the ephemeral agent...
VERBOSE: Found 1 online agent.
VERBOSE: Generating & linking ephemeral agent session to computer...
VERBOSE: Starting ephemeral agent over available providers: [ImmyBot Agent]
VERBOSE: Waiting for ephemeral agent RPC connection to establish.
VERBOSE: ImmyBot Agent: Global\ImmyBot-<redacted> got in 3.1298 ms
Running C:\ProgramData\ImmyBot\Scripts\<redacted>\ImmyBot.Agent.Ephemeral.exe ephemeral run --ImmyScriptPath C:\ProgramData\ImmyBot\Scripts\<redacted> --BackendAddress wss://<redacted>.immy.bot/ --SessionID <redacted>

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName                                                  
-------  ------    -----      -----     ------     --  -- -----------                                                  
    164      14     3268       9056       0.00   6608   0 ImmyBot.Agent.Ephemeral                                      
Released
VERBOSE: Ephemeral agent RPC connection established.
VERBOSE: Releasing global lock for Ephemeral session.
VERBOSE: Checking for any preflight scripts to run...
VERBOSE: Executing preflight script - Is Machine Fully Booted
VERBOSE: EventViewer           NetworkAdapter        LastBootTime          Average              
-----------           --------------        ------------          -------              
11/13/2024 2:26:43 PM 11/13/2024 2:26:42 PM 11/13/2024 2:26:42 PM 11/13/2024 2:26:42 PM
VERBOSE: 2024-11-13T22:27:01 Comparing : 2024-11-13T22:26:42 -gt 2024-11-13T21:39:37 = True
PROGRESS: Processing - An agent reconnected after waiting 36 seconds.
PROGRESS: Processing - <redacted> is Online. Reboot complete
PROGRESS: Processing - Refreshing Azure join status...
PROGRESS: Processing - Joining <redacted>.com AzureAD
VERBOSE: DsRegCmd: 

DeviceState                 : @{AzureAdJoined=False; EnterpriseJoined=False; DomainJoined=False; Virtual Desktop=NOT SET; Device Name=<redacted>}
UserState                   : @{NgcSet=False; WorkplaceJoined=False; WamDefaultSet=ERROR (0x80070520)}
SSOState                    : @{AzureAdPrt=False; AzureAdPrtAuthority=False; EnterprisePrt=False; EnterprisePrtAuthority=False}
IEProxyConfigforCurrentUser : @{Auto Detect Settings=True; Auto-Configuration URL=; Proxy Server List=; Proxy Bypass List=}
WinHttpDefaultProxyConfig   : @{Access Type=DIRECT}
NgcPrerequisiteCheck        : @{IsDeviceJoined=False; IsUserAzureAD=False; PolicyEnabled=False; PostLogonEnabled=True; DeviceEligible=True; SessionIsNotRemote=True; CertEnrollment=none; PreReqResult=WillNotProvision; For more information, please visit https=//www.microsoft.com/aadjerrors}
@{WindowsProductName=Windows 10 Pro; WindowsVersion=2009; OsHardwareAbstractionLayerVersion=}
VERBOSE: DsRegCmdAADStatus: False
VERBOSE: Getting Enrollments
VERBOSE: AADJoinEnrollmentRegistryKey:
VERBOSE: No existing enrollments found
VERBOSE: Initiating removal of any existing device enrollments
PROGRESS: Starting - Registry Test
VERBOSE: AADJoinEnrollmentRegistryKey:
VERBOSE: Verifying device Azure AD join status
VERBOSE: Both the registry and DSRegCmd indicate that the device is NOT joined to Azure AD.
PROGRESS: Completed - Registry Test - 100%
PROGRESS: Initializing BPRT retrieval - BPRT
PROGRESS: Using cached BPRT - BPRT - 10%
PROGRESS: Processing - Found 2 Jwt Section(s)
VERBOSE: CacheKey: BPRT-<redacted>.com
PROGRESS: Generating BPRT - BPRT - 30%
VERBOSE: Requested HTTP/1.1 GET with 0-byte payload
VERBOSE: Received HTTP/1.1 1045-byte response of content type application/x-www-form-urlencoded
VERBOSE: Content encoding: utf-8
VERBOSE: Found existing entry for CacheKey BPRT-<redacted>.com [F14F686C234A5678EBA5F152E2D95100]
VERBOSE: UpdatedUtc : 09/17/2024 16:51:12
Data       : <redacted>
VERBOSE: Not expired, return the data
PROGRESS: BPRT retrieved successfully - BPRT - 100%
PROGRESS: Starting - .NET Registry Settings Check
PROGRESS: Checking .NET Framework v2.0.50727 SystemDefaultTlsVersions - .NET Registry Settings Check - 25%
VERBOSE: Testing HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 SystemDefaultTlsVersions
VERBOSE: HKLM Detected
VERBOSE: Get-WindowsRegistryValue:
VERBOSE: Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 SystemDefaultTlsVersions skipping type check since desired type was not specified
VERBOSE: Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 SystemDefaultTlsVersions 1 matches 1
True
PROGRESS: Checking .NET Framework v2.0.50727 SchUseStrongCrypto - .NET Registry Settings Check - 50%
VERBOSE: Testing HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 SchUseStrongCrypto
VERBOSE: HKLM Detected
VERBOSE: Get-WindowsRegistryValue:
VERBOSE: Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 SchUseStrongCrypto skipping type check since desired type was not specified
VERBOSE: Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 SchUseStrongCrypto 1 matches 1
True
PROGRESS: Checking .NET Framework v4.0.30319 SystemDefaultTlsVersions - .NET Registry Settings Check - 75%
VERBOSE: Testing HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 SystemDefaultTlsVersions
VERBOSE: HKLM Detected
VERBOSE: Get-WindowsRegistryValue:
VERBOSE: Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 SystemDefaultTlsVersions skipping type check since desired type was not specified
VERBOSE: Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 SystemDefaultTlsVersions 1 matches 1
True
PROGRESS: Checking .NET Framework v4.0.30319 SchUseStrongCrypto - .NET Registry Settings Check - 100%
VERBOSE: Testing HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 SchUseStrongCrypto
VERBOSE: HKLM Detected
VERBOSE: Get-WindowsRegistryValue:
VERBOSE: Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 SchUseStrongCrypto skipping type check since desired type was not specified
VERBOSE: Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 SchUseStrongCrypto 1 matches 1
True
PROGRESS: Completed - .NET Registry Settings Check
PROGRESS: Attempt 1 of 3 - Applying Provisioning Package - 33%
VERBOSE: Checking Device-Sync Task
WARNING: Device-Sync Task was disabled. Enabling to prevent error code: 0xCAA50021
VERBOSE: {
    "Modules":  [
                    {
                        "BPRT":  "<redacted>",
                        "Type":  7
                    }
                ],
    "PackageName":  "<redacted> AzureAD Join Provisioning Package"
}
PROGRESS: Sending request for PPKG - Generating PPKG - 50%
VERBOSE: POST with -1-byte payload
VERBOSE: received 21278-byte response of content type application/octet-stream
PROGRESS: Successfully generated PPKG - Generating PPKG - 100%
PROGRESS: Writing PPKG to disk - Preparing PPKG - 50%
PROGRESS: PPKG written to disk - Preparing PPKG - 100%
PROGRESS: Running provtool.exe - Installing PPKG - 70%
VERBOSE: Provtool.exe process is hanging and will be forcibly stopped to continue.
PROGRESS: Installation completed - Installing PPKG - 100%
VERBOSE: Provisioning exit code: MSFT_ScheduledTask (TaskName = "Device-Sync", TaskPath = "\Microsoft\Windows\Workplace Join\") TimedOut
PROGRESS: Collecting WinEvent Logs - PPKG Error Check
VERBOSE: Constructed structured query:
<QueryList><Query Id="0" Path="microsoft-windows-devicemanagement-enterprise-diagnostics-provider/admin"><Select Path="microsoft-windows-devicemanagement-enterprise-diagnostics-provider/admin">*[(System/TimeCreated[@SystemTime&gt;='2024-11-13T22:27:12.000Z'])]</Select></Query><Query Id="1" Path="microsoft-windows-aad/operational"><Select Path="microsoft-windows-aad/operational">*[(System/TimeCreated[@SystemTime&gt;='2024-11-13T22:27:12.000Z'])]</Select></Query></QueryList>.
PROGRESS: Processing event 1 of 11 - Analyzing Events - 9%
VERBOSE: 11/13/2024 22:27:17 - Error - AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048451
WARNING: ErrorCode: 0xC0048451
WARNING: ErrorCode: 0xC0048451
PROGRESS: Processing event 2 of 11 - Analyzing Events - 18%
VERBOSE: 11/13/2024 22:27:17 - Error - AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048459
WARNING: ErrorCode: 0xC0048459
WARNING: ErrorCode: 0xC0048459
PROGRESS: Processing event 3 of 11 - Analyzing Events - 27%
VERBOSE: 11/13/2024 22:27:22 - Error - AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512
WARNING: ErrorCode: 0xC0048512
WARNING: ErrorCode: 0xC0048512
PROGRESS: Processing event 4 of 11 - Analyzing Events - 36%
VERBOSE: 11/13/2024 22:27:25 - Error - AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512
WARNING: ErrorCode: 0xC0048512
WARNING: ErrorCode: 0xC0048512
PROGRESS: Processing event 5 of 11 - Analyzing Events - 45%
VERBOSE: 11/13/2024 22:27:37 - Error - MDM Enroll: Server context (d3369d54-a739-4933-a992-72ffa979c867).
PROGRESS: Processing event 6 of 11 - Analyzing Events - 55%
VERBOSE: 11/13/2024 22:27:37 - Error - MDM Enroll: Server Returned Fault/Code/Subcode/Value=(Authorization) Fault/Reason/Text=(Authorization).
PROGRESS: Processing event 7 of 11 - Analyzing Events - 64%
VERBOSE: 11/13/2024 22:27:37 - Error - MDM Enroll: Failed to receive or parse certificate enroll response. Result: (The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.).
PROGRESS: Processing event 8 of 11 - Analyzing Events - 73%
VERBOSE: 11/13/2024 22:27:37 - Error - MDM Enroll: Failed (The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.)
PROGRESS: Processing event 9 of 11 - Analyzing Events - 82%
VERBOSE: 11/13/2024 22:27:38 - Error - MDM ConfigurationManager: Command failure status. Configuration Source ID: (<redacted>), Enrollment Name: (Provisioning), Provider Name: (AADJ), Command Type: (SetValue: from Replace), CSP URI: (./Vendor/MSFT/AADJ/BPRT), Result: (The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.).
PROGRESS: Processing event 10 of 11 - Analyzing Events - 91%
VERBOSE: 11/13/2024 22:27:38 - Error - AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048451
WARNING: ErrorCode: 0xC0048451
WARNING: ErrorCode: 0xC0048451
PROGRESS: Processing event 11 of 11 - Analyzing Events - 100%
VERBOSE: 11/13/2024 22:27:38 - Error - AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048459
WARNING: ErrorCode: 0xC0048459
WARNING: ErrorCode: 0xC0048459
PROGRESS: Errors detected - Processing Provisioning Package - 100%
WARNING: AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048451
AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048459
AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512
AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512
AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048451
AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048459
PROGRESS: Attempt 2 of 3 - Applying Provisioning Package - 67%
VERBOSE: Checking Device-Sync Task
WARNING: Device-Sync Task was disabled. Enabling to prevent error code: 0xCAA50021
VERBOSE: {
    "Modules":  [
                    {
                        "BPRT":  "<redacted>",
                        "Type":  7
                    }
                ],
    "PackageName":  "<redacted> AzureAD Join Provisioning Package"
}
PROGRESS: Sending request for PPKG - Generating PPKG - 50%
VERBOSE: POST with -1-byte payload
VERBOSE: received 21281-byte response of content type application/octet-stream
PROGRESS: Successfully generated PPKG - Generating PPKG - 100%
PROGRESS: Writing PPKG to disk - Preparing PPKG - 50%
PROGRESS: PPKG written to disk - Preparing PPKG - 100%
PROGRESS: Running provtool.exe - Installing PPKG - 70%
VERBOSE: Provtool.exe process is hanging and will be forcibly stopped to continue.
PROGRESS: Installation completed - Installing PPKG - 100%
VERBOSE: Provisioning exit code: MSFT_ScheduledTask (TaskName = "Device-Sync", TaskPath = "\Microsoft\Windows\Workplace Join\") TimedOut
PROGRESS: Collecting WinEvent Logs - PPKG Error Check
VERBOSE: Constructed structured query:
<QueryList><Query Id="0" Path="microsoft-windows-devicemanagement-enterprise-diagnostics-provider/admin"><Select Path="microsoft-windows-devicemanagement-enterprise-diagnostics-provider/admin">*[(System/TimeCreated[@SystemTime&gt;='2024-11-13T22:27:49.000Z'])]</Select></Query><Query Id="1" Path="microsoft-windows-aad/operational"><Select Path="microsoft-windows-aad/operational">*[(System/TimeCreated[@SystemTime&gt;='2024-11-13T22:27:49.000Z'])]</Select></Query></QueryList>.
PROGRESS: Processing event 1 of 11 - Analyzing Events - 9%
VERBOSE: 11/13/2024 22:27:53 - Error - AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048451
WARNING: ErrorCode: 0xC0048451
WARNING: ErrorCode: 0xC0048451
PROGRESS: Processing event 2 of 11 - Analyzing Events - 18%
VERBOSE: 11/13/2024 22:27:53 - Error - AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048459
WARNING: ErrorCode: 0xC0048459
WARNING: ErrorCode: 0xC0048459
PROGRESS: Processing event 3 of 11 - Analyzing Events - 27%
VERBOSE: 11/13/2024 22:28:03 - Error - AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512
WARNING: ErrorCode: 0xC0048512
WARNING: ErrorCode: 0xC0048512
PROGRESS: Processing event 4 of 11 - Analyzing Events - 36%
VERBOSE: 11/13/2024 22:28:05 - Error - AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512
WARNING: ErrorCode: 0xC0048512
WARNING: ErrorCode: 0xC0048512
PROGRESS: Processing event 5 of 11 - Analyzing Events - 45%
VERBOSE: 11/13/2024 22:28:18 - Error - MDM Enroll: Server context (37914dcc-4904-4d45-8af7-33816401cad8).
PROGRESS: Processing event 6 of 11 - Analyzing Events - 55%
VERBOSE: 11/13/2024 22:28:18 - Error - MDM Enroll: Server Returned Fault/Code/Subcode/Value=(Authorization) Fault/Reason/Text=(Authorization).
PROGRESS: Processing event 7 of 11 - Analyzing Events - 64%
VERBOSE: 11/13/2024 22:28:18 - Error - MDM Enroll: Failed to receive or parse certificate enroll response. Result: (The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.).
PROGRESS: Processing event 8 of 11 - Analyzing Events - 73%
VERBOSE: 11/13/2024 22:28:18 - Error - MDM Enroll: Failed (The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.)
PROGRESS: Processing event 9 of 11 - Analyzing Events - 82%
VERBOSE: 11/13/2024 22:28:19 - Error - MDM ConfigurationManager: Command failure status. Configuration Source ID: (<redacted>), Enrollment Name: (Provisioning), Provider Name: (AADJ), Command Type: (SetValue: from Replace), CSP URI: (./Vendor/MSFT/AADJ/BPRT), Result: (The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.).
PROGRESS: Processing event 10 of 11 - Analyzing Events - 91%
VERBOSE: 11/13/2024 22:28:19 - Error - AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048451
WARNING: ErrorCode: 0xC0048451
WARNING: ErrorCode: 0xC0048451
PROGRESS: Processing event 11 of 11 - Analyzing Events - 100%
VERBOSE: 11/13/2024 22:28:19 - Error - AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048459
WARNING: ErrorCode: 0xC0048459
WARNING: ErrorCode: 0xC0048459
PROGRESS: Errors detected - Processing Provisioning Package - 100%
WARNING: AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048451
AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048459
AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512
AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512
AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048451
AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048459
PROGRESS: Attempt 3 of 3 - Applying Provisioning Package - 100%
VERBOSE: Checking Device-Sync Task
WARNING: Device-Sync Task was disabled. Enabling to prevent error code: 0xCAA50021
VERBOSE: {
    "Modules":  [
                    {
                        "BPRT":  "<redacted>",
                        "Type":  7
                    }
                ],
    "PackageName":  "<redacted> AzureAD Join Provisioning Package"
}
PROGRESS: Sending request for PPKG - Generating PPKG - 50%
VERBOSE: POST with -1-byte payload
VERBOSE: received 21281-byte response of content type application/octet-stream
PROGRESS: Successfully generated PPKG - Generating PPKG - 100%
PROGRESS: Writing PPKG to disk - Preparing PPKG - 50%
PROGRESS: PPKG written to disk - Preparing PPKG - 100%
PROGRESS: Running provtool.exe - Installing PPKG - 70%
VERBOSE: Provtool.exe process is hanging and will be forcibly stopped to continue.
PROGRESS: Installation completed - Installing PPKG - 100%
VERBOSE: Provisioning exit code: MSFT_ScheduledTask (TaskName = "Device-Sync", TaskPath = "\Microsoft\Windows\Workplace Join\") TimedOut
PROGRESS: Collecting WinEvent Logs - PPKG Error Check
VERBOSE: Constructed structured query:
<QueryList><Query Id="0" Path="microsoft-windows-devicemanagement-enterprise-diagnostics-provider/admin"><Select Path="microsoft-windows-devicemanagement-enterprise-diagnostics-provider/admin">*[(System/TimeCreated[@SystemTime&gt;='2024-11-13T22:28:24.000Z'])]</Select></Query><Query Id="1" Path="microsoft-windows-aad/operational"><Select Path="microsoft-windows-aad/operational">*[(System/TimeCreated[@SystemTime&gt;='2024-11-13T22:28:24.000Z'])]</Select></Query></QueryList>.
PROGRESS: Processing event 1 of 4 - Analyzing Events - 25%
VERBOSE: 11/13/2024 22:28:29 - Error - AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048451
WARNING: ErrorCode: 0xC0048451
WARNING: ErrorCode: 0xC0048451
PROGRESS: Processing event 2 of 4 - Analyzing Events - 50%
VERBOSE: 11/13/2024 22:28:29 - Error - AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048459
WARNING: ErrorCode: 0xC0048459
WARNING: ErrorCode: 0xC0048459
PROGRESS: Processing event 3 of 4 - Analyzing Events - 75%
VERBOSE: 11/13/2024 22:28:42 - Error - AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512
WARNING: ErrorCode: 0xC0048512
WARNING: ErrorCode: 0xC0048512
PROGRESS: Processing event 4 of 4 - Analyzing Events - 100%
VERBOSE: 11/13/2024 22:28:49 - Error - AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512
WARNING: ErrorCode: 0xC0048512
WARNING: ErrorCode: 0xC0048512
PROGRESS: Errors detected - Processing Provisioning Package - 100%
WARNING: AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048451
AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048459
AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512
AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512
PROGRESS: Completed - Applying Provisioning Package - 100%
VERBOSE: Not sending count to the deviceManagement API
VERBOSE: Requested HTTP/1.1 GET with 0-byte payload
VERBOSE: Received HTTP/1.1 response of content type application/json of unknown size
VERBOSE: Content encoding: utf-8
Write-Error: 
Line |
  64 |          Write-Error "Error occurred: $_"
     |          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Error occurred: Forbidden:Make sure you have the ImmyBot Azure integration setup to use a Custom App Registration with API Permissions for /deviceManagement/managedDevices
PROGRESS: Starting Intune enrollment process after Azure AD Join... - Intune Enrollment
WARNING: Initial MDM enrollment failed. Checking event logs for Impersonation or Device Credential Failure
WARNING: Detected Impersonation or Device Credential Failure in event logs. Retrying with '/AutoEnrollMDMUsingAADDeviceCredential'
WARNING: Retry failed. Returning the last 15 events...
TimeCreated : 11/13/2024 2:29:13 PM
Id          : 81
Message     : Auto MDM Enroll Impersonation Failure (Unknown Win32 Error code: 0x82aa0008)

TimeCreated : 11/13/2024 2:29:13 PM
Id          : 76
Message     : Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x82aa0008)

TimeCreated : 11/13/2024 2:29:14 PM
Id          : 89
Message     : Auto MDM Enroll DmGetAadDeviceTokenWithDiscovery with Application ID (NULL): Status (The operation 
              completed successfully.)

TimeCreated : 11/13/2024 2:29:14 PM
Id          : 90
Message     : Auto MDM Enroll Get AAD Token: Device Credential (0x1), Resource Url 
              (https://enrollment.manage.microsoft.com/), Resource Url 2 (https://enrollment.manage.microsoft.com/), 
              Status (The operation completed successfully.)

TimeCreated : 11/13/2024 2:29:14 PM
Id          : 91
Message     : Auto MDM Enroll Enrollment Information: AadResourceUrl 
              (https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc), DiscoveryServiceFullUrl 
              (https://enrollment.manage.microsoft.com/), TenantID (<redacted>), Upn 
              (package_<redacted>.com)

TimeCreated : 11/13/2024 2:29:15 PM
Id          : 4
Message     : MDM Enroll: Certificate policy request sent successfully.

TimeCreated : 11/13/2024 2:29:15 PM
Id          : 6
Message     : MDM Enroll: Certificate policy response processed successfully.

TimeCreated : 11/13/2024 2:29:15 PM
Id          : 3012
Message     : TPM State: Version:(2) ReadyForStorage:(true) NotReadyReason:(None), ReadyForAttestation:(true), 
              NotReadyReason:(None), isUnsatifactory:(false), hasVulnerability:(false), isLockedout:(false), 
              AlgOidInUse:(1.2.840.113549.1.1.1), IsAlgOidInUseSupported:(true).

TimeCreated : 11/13/2024 2:29:26 PM
Id          : 3011
Message     : Creating key with crypto provider: (Microsoft Platform Crypto Provider) HRESULT: (The operation 
              completed successfully.), failFunction: (), CryptoProvider index (0) of total (2).

TimeCreated : 11/13/2024 2:29:26 PM
Id          : 8
Message     : MDM Enroll: Certificate enrollment request sent successfully.

TimeCreated : 11/13/2024 2:29:26 PM
Id          : 59
Message     : MDM Enroll: Server context (<redacted>).

TimeCreated : 11/13/2024 2:29:26 PM
Id          : 52
Message     : MDM Enroll: Server Returned Fault/Code/Subcode/Value=(MessageFormat) Fault/Reason/Text=(Device based 
              token is not supported for enrollment type UserCorporateWithAADNotInOobe).

TimeCreated : 11/13/2024 2:29:26 PM
Id          : 11
Message     : MDM Enroll: Failed to receive or parse certificate enroll response. Result: (Invalid message from the 
              Mobile Device Management (MDM) server.).

TimeCreated : 11/13/2024 2:29:26 PM
Id          : 71
Message     : MDM Enroll: Failed (Invalid message from the Mobile Device Management (MDM) server.)

TimeCreated : 11/13/2024 2:29:26 PM
Id          : 76
Message     : Auto MDM Enroll: Device Credential (0x1), Failed (Invalid message from the Mobile Device Management 
              (MDM) server.)
WARNING: Intune enrollment process failed (ExitCode:     -2102788088).

Hi Aaron, did you figure this out? This issue is happening for one of our tenants. Note that Entra ID Join + Intune automatic enrollment via Immy.bot works for other tenants.

Hi Adam, yes we were able to resolve this. Our issue was that the tenant was still using a cached provisioning package, so we had to delete the _package account from 365 and force it to be recreated. This was because the previous provisioning package was made with default permissions. For some reason it would not update to custom permissions automatically.

This is the part of the log that led me to finding this as the cause. I had just set custom permissions in November, but it was still using a cached provisioning account from 9/17/24.

VERBOSE: Found existing entry for CacheKey BPRT-<redacted>.com [F14F686C234A5678EBA5F152E2D95100]
VERBOSE: UpdatedUtc : 09/17/2024 16:51:12

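The same events recur in both log dumps above (0x82aa0008 impersonation/device-credential failures, the Authorization fault with "not authorized to enroll", the rejected device-token retry) and the resolution post pins the cause on a BPRT cache entry that predates the switch to custom permissions. Below is an added triage helper that puts those checks together; it is not code from the thread or from ImmyBot. It classifies enrollment events from the DeviceManagement-Enterprise-Diagnostics-Provider/Admin log by message text and flags a cached BPRT whose UpdatedUtc is older than the date the custom permissions were applied. The function names, the $PermissionsChangedUtc value, the contoso.com cache key and the sample event list are all assumptions or constructed from the events quoted above.

```powershell
# Added example (not from the thread or ImmyBot). Classifies MDM auto-enrollment
# failures from event messages and checks for a stale cached BPRT.

function Get-BprtCacheUpdatedUtc {
    # Extract "UpdatedUtc : 09/17/2024 16:51:12" from an ImmyBot session log and return it as UTC.
    param([Parameter(Mandatory)][string] $ImmyLogText)
    $m = [regex]::Match($ImmyLogText, 'UpdatedUtc\s*:\s*(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})')
    if (-not $m.Success) { return $null }
    $styles = [System.Globalization.DateTimeStyles]::AssumeUniversal -bor
              [System.Globalization.DateTimeStyles]::AdjustToUniversal
    return [datetime]::ParseExact($m.Groups[1].Value, 'MM/dd/yyyy HH:mm:ss',
        [cultureinfo]::InvariantCulture, $styles)
}

function Get-MdmEnrollmentDiagnosis {
    param(
        # Objects with Id and Message, e.g. the output of Get-WinEvent.
        [Parameter(Mandatory)][object[]] $Events,
        [nullable[datetime]] $BprtCacheUpdatedUtc,
        # Assumed: the date the ImmyBot integration was switched to custom permissions.
        [nullable[datetime]] $PermissionsChangedUtc
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $seen = @{}   # report each class of failure once, even if it repeats across retries

    foreach ($e in $Events) {
        $msg = [string]$e.Message
        $key = $null; $text = $null
        if ($msg -match '0x82aa0008') {
            $key  = 'devcred'
            $text = "Event $($e.Id): the Device Credential (0x0) auto-enrollment attempt failed with 0x82aa0008 (Impersonation Failure)."
        }
        elseif ($msg -match 'not authorized to enroll to Mobile Device Management') {
            $key  = 'authz'
            $text = "Event $($e.Id): Intune returned an Authorization fault for the enrolling identity. Check the package_ provisioning account; in the thread this was a BPRT minted under the old default permissions."
        }
        elseif ($msg -match 'Device based token is not supported for enrollment type') {
            $key  = 'devtoken'
            $text = "Event $($e.Id): the /AutoEnrollMDMUsingAADDeviceCredential retry was rejected by the server. This is the retry path failing, not the root cause."
        }
        elseif ($msg -match 'GenericCallPkg returned error: (0x[0-9A-Fa-f]+)') {
            $key  = "cloudap-$($Matches[1])"
            $text = "AAD Cloud AP error $($Matches[1]) during provisioning; collect Microsoft-Windows-AAD/Operational around this time."
        }
        if ($key -and -not $seen.ContainsKey($key)) { $seen[$key] = $true; $findings.Add($text) }
    }

    if ($BprtCacheUpdatedUtc -and $PermissionsChangedUtc -and
        $BprtCacheUpdatedUtc.Value -lt $PermissionsChangedUtc.Value) {
        $findings.Add(('Cached BPRT dated {0:u} predates the permissions change on {1:u}: delete the package_ account in the tenant so a new BPRT is generated.' -f
            $BprtCacheUpdatedUtc.Value, $PermissionsChangedUtc.Value))
    }
    return $findings
}

# Constructed sample, copied from the events quoted in the thread (not a live query).
$sample = @(
    [pscustomobject]@{ Id = 81; Message = 'Auto MDM Enroll Impersonation Failure (Unknown Win32 Error code: 0x82aa0008)' }
    [pscustomobject]@{ Id = 76; Message = 'Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x82aa0008)' }
    [pscustomobject]@{ Id = 52; Message = 'MDM Enroll: Server Returned Fault/Code/Subcode/Value=(Authorization) Fault/Reason/Text=(Authorization).' }
    [pscustomobject]@{ Id = 71; Message = 'MDM Enroll: Failed (The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.)' }
    [pscustomobject]@{ Id = 52; Message = 'MDM Enroll: Server Returned Fault/Code/Subcode/Value=(MessageFormat) Fault/Reason/Text=(Device based token is not supported for enrollment type UserCorporateWithAADNotInOobe).' }
)
# Constructed fragment of an ImmyBot session log; contoso.com stands in for the redacted tenant.
$immyLog = @"
VERBOSE: Found existing entry for CacheKey BPRT-contoso.com [F14F686C234A5678EBA5F152E2D95100]
VERBOSE: UpdatedUtc : 09/17/2024 16:51:12
"@

# On a failing device, replace $sample with the real events:
# $sample = Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' -MaxEvents 15
Get-MdmEnrollmentDiagnosis -Events $sample `
    -BprtCacheUpdatedUtc (Get-BprtCacheUpdatedUtc $immyLog) `
    -PermissionsChangedUtc ([datetime]::new(2024, 11, 1, 0, 0, 0, [DateTimeKind]::Utc))
```

Run against the constructed sample it reports four lines: the 0x82aa0008 failure, the Authorization fault, the rejected device-token retry, and the stale BPRT (17 Sep 2024 is earlier than the assumed 1 Nov 2024 permissions change). The stale-BPRT line is the one that matters here; the first three are symptoms that will keep appearing until the package_ account is recreated and the integration re-consented.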

Thanks for the quick detailed response. I’ll go track this down in our environment.

Much appreciated,
Adam

This resolved my issue. Thanks again!


I had the same issue with a multitude of client tenants until I realized I had to re-authorize the Integration to invoke the new permissions I had set in our MSP Tenant. Once that was done it works great.

One item to note is that when using JoinAzureAD, if you have automatic enrollment already enabled in Intune there is no need to tick RequireIntuneEnrollment, as the device will automatically enroll into Intune.

EDIT: Re-authorize the integration in the client’s tenant with ImmyBot