KB – AAD join fails with error 8018000a

Today I received a question about what happens if a device is already Workspace ONE joined and then gets joined to Azure AD. In this use case the customer had AAD Premium licenses, and Intune was assigned as MDM provider to all users.

So I started by installing a workgroup client, installing the Intelligent HUB and enrolling the device into my UEM environment. Then I tried to join the device to AAD without an active MDM assignment in Azure Active Directory.

First result:
Works as expected.

The next test was again a workgroup client enrolled to Workspace ONE, but this time with Intune assigned to the user via the AAD MDM application.

Result:
Error. I expected this, since you can't enroll into two MDM solutions: if the MDM enrollment fails, the AAD join fails.

Last but not least, I tested this with a workgroup client, Workspace ONE enrolled, and the MDM application in AAD configured to use Workspace ONE.

Result:
The same error. Even when the same MDM provider is used on both sides, Windows is not able to detect that the device is already enrolled in that MDM.

Conclusion:
Do not try to join an MDM-managed device to AAD if you have an MDM application assigned to the user.
Either remove the MDM assignment in AAD, or unenroll the device from MDM before joining it to AAD.

Here are some errors, and where to find them:

Screenshot of the error 8018000a when trying to join the device to AAD

In the Eventlog -> Applications and Services Logs -> Microsoft -> Windows -> AAD -> Operational

AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512

In the Eventlog -> Applications and Services Logs -> Microsoft -> Windows -> User Device Registration -> Admin

The registration status has been successfully flushed to disk. 
Join type: 1 (DEVICE)

As you can see, the initial device registration in AAD worked. But then you see two errors:

The get join response operation callback failed with exit code: Unknown HResult Error code: 0x801c0058. 
Activity Id: 35d87d0f-1d85-49bf-a537-6b5a33446c66 
The server returned HTTP status: 400 
Server response was: {"code":"directory_error","subcode":"error_deviceprotected_fromdeletion_mdmmanaged","message":"The device object with id 'd896ab43-8d16-4991-b8f3-a2cbe40fbd3c' in tenant '6d9bffcc-c515-4a9e-b37c-367e2c84279c' could not be removed from the store because it is managed by MDM application '0000000a-0000-0000-c000-000000000000'.","operation":"DeviceDelete","requestid":"35d87d0f-1d85-49bf-a537-6b5a33446c66","time":"10-13-2021 14:18:38Z"}

and

Unable to delete NGC container. 
User SID: S-1-5-21-2019542070-1415088465-2199772-1001 
IDP domain: NULL 
Tenant domain: NULL 
Error: Access denied.

Now the device tries to delete its own entry in AAD as part of rolling back the failed join, and that delete is refused because the object is already managed by an MDM application.
Last but not least, you see that the device unjoins the AAD domain again:

The registration status has been successfully cleared from the device. 
Join type: 8 (DEVICE_UNJOIN) 
Tenant ID: 6d9bffcc-c515-4a9e-b37c-367e2c84279c 
UPN: 
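The following PowerShell script is an added example and not part of the original post. It automates the two things the post does by hand: it checks whether the device already carries an MDM enrollment before you attempt the AAD join, and it pulls the events the post points to out of the AAD/Operational and User Device Registration/Admin channels. It assumes a Windows 10/11 client with dsregcmd.exe, an elevated session, and that existing enrollments are recorded under HKLM:\SOFTWARE\Microsoft\Enrollments with a ProviderID value (the registry layout and the exact event text are assumptions, and the failure signatures are the strings quoted in the post).

```powershell
# Added example, not code from the original post.
# Pre-flight check for the scenario in the post: an already MDM-enrolled device
# being joined to AAD while an MDM application is assigned to the user.
param(
    [int]$LookbackHours = 24
)

# 1. Existing MDM enrollments. Windows records each enrollment under this key
#    (assumption: one subkey per enrollment carrying a ProviderID value).
$enrollmentRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$enrollments = Get-ChildItem -Path $enrollmentRoot -ErrorAction SilentlyContinue |
    ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props.ProviderID) {
            [pscustomobject]@{
                EnrollmentId = $_.PSChildName
                ProviderID   = $props.ProviderID
                UPN          = $props.UPN
            }
        }
    }

if ($enrollments) {
    Write-Warning "Device already has $(@($enrollments).Count) MDM enrollment(s). An AAD join while an MDM application is assigned to the user will fail; remove the AAD MDM assignment or unenroll first."
    $enrollments | Format-Table -AutoSize
} else {
    Write-Host 'No existing MDM enrollment found.'
}

# 2. Current join state as reported by dsregcmd (line "AzureAdJoined : YES/NO").
$joinState = (dsregcmd.exe /status | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*(\w+)').Matches |
    ForEach-Object { $_.Groups[1].Value }
Write-Host "AzureAdJoined: $joinState"

# 3. The two event channels the post names, filtered for the failure signatures
#    it shows: 0xC0048512 (Cloud AP plugin), 0x801c0058 and the
#    error_deviceprotected_fromdeletion_mdmmanaged subcode (device registration),
#    and the DEVICE_UNJOIN rollback.
$since = (Get-Date).AddHours(-$LookbackHours)
$channels = @(
    'Microsoft-Windows-AAD/Operational',
    'Microsoft-Windows-User Device Registration/Admin'
)
$signatures = '0xC0048512|0x801c0058|error_deviceprotected_fromdeletion_mdmmanaged|DEVICE_UNJOIN'

foreach ($channel in $channels) {
    $events = Get-WinEvent -FilterHashtable @{ LogName = $channel; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $signatures }
    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Channel = $channel
            EventId = $e.Id
            Summary = ($e.Message -split "`r?`n")[0]
        }
    }
}
```

Run it before the join to see whether an enrollment is already present, and again after a failed join to collect the matching events in one place instead of clicking through both channels in Event Viewer. The registry and dsregcmd checks only tell you the device side; whether an MDM application is assigned to the user still has to be verified in Azure AD.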