Are you managing Intune? Maybe you just started, or maybe you have been working with the product for a long time. Either way, we all run into errors where we need to find out what to do about them. In this blog post I will help you out with your error codes, what they mean and how to resolve them.
Throughout the post there are links to many external contributors, so please give them huge kudos for their extensive work.
Welcome!
Updated February 2nd 2024
MEM Sync related errors
The sync could not be initiated (0x80190190)
Operating system: Windows 10 and later
Symptoms:
When attempting to sync policies with Intune from settings it says:
Eventlog says: MDM Session: OMA-DM message failed to be sent. Result: (Bad request (400).).
What happened?
Trust to the Intune backend has been lost and cannot be remediated automatically. Re-enroll your device to solve this issue.
Solve it:
You can run this script to clean up and re-enroll (be aware that this is not supported and is at your own risk).
It could also be that your device has 2 certificates and you need to clean out the wrong one. See more at Rudy’s blog post here
Failed to get AAD Token for sync session User Token: (Unknown Win32 Error code: 0xcaa2000c)
Operating system: Windows 10 and later
Symptoms:
We’ve (I guess) all seen this?
When attempting to sync policies with Intune from settings it says:
Sync wasn’t fully successful because we weren’t able to verify your credentials. Select Sync to sign in and try again.
Event log says:
If we look into the Azure sign-in logs we would see this message:
What happened?
The user you logged on to the device with has MFA enabled (you should always have that). The security controls in Entra ID were not satisfied, and the account needed to authenticate to prove it is you. Only the device portion was synced with Intune.
Solve it:
Click the Sync button and authenticate when prompted, and this message will disappear.
Microsoft has a good reference on the issue here, and also a solution model for getting around it without messing with security.
As a side note, this could also mean that you have tightened Conditional Access too much. Go through your sign-in logs in Entra.
OMA-DM message failed to be sent. Result: (Unknown Win32 Error code: 0x801901ad).
Operating system: Windows 10 and later
Symptoms:
While trying to sync the device it says: The sync could not be initiated (0x801901ad)
What happened?
The device was unable to sync because of network connection issues. This can happen if you have no internet connection, if proxy software is blocking access to the internet, or if there is a driver issue.
Solve it:
Resolve it by authenticating to your proxy software or updating the network driver.
This solution was provided by Robert Rice.
Windows Autopilot related errors
Device-Targeted Apps Installation (0x00000000)
Operating system: Windows 10 and later
Symptoms:
During Autopilot, the 2nd of 3 phases, Device setup, fails to finish:
Device-targeted apps installation encountered an error and could not be completed. Error 0x00000000
What happened?
The device went through Autopilot v1. It almost seems to be fully baked, but then this error occurs and the device seems to fail.
Solve it:
This is not an error. Even though the process failed, 0x00000000 is not an error. Is there something you can do about it? No, not really. Reset the device and enroll it again.
Preparing your device for mobile management (0x00000004)
Operating system: Windows 10 and later
Symptoms:
During Autopilot, the 1st of 3 phases, Device preparation, fails to finish:
Preparing your device for mobile management failed with (0x00000004)
What happened?
The device went through Autopilot v1. But it can’t continue to Device setup because a faulty component did not work properly. In this case the co-management authority policy is applied.
Solve it:
This error means that the device tried to download and install the CM agent.
Preparing your device for mobile management (0x800705b4)
Operating system: Windows 10 and later
Symptoms:
During Autopilot, the 1st of 3 phases, Device preparation, fails to finish:
Press SHIFT+F10 to look up the error.
Navigate to the event log; in this case it says (Unknown Win32 Error code: 0x82aa0002), which indicates that it is related to co-management. Someone set up a configuration for the device to install the Configuration Manager agent during Autopilot.
What happened?
This error means “Time-out” and it was not able to get further in the process. Something stopped the device from proceeding to the next phase.
Solve it:
We also see an error (Unknown Win32 Error code: 0x86000022), which is related to Configuration Manager: “The specified node doesn’t exist.”
Check that your CMG works and try again, or remove the co-management profile assignment and try again. You will then see it go through its stages as it should.
There could be many other problems when you see this issue.
See more here
And also here
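Two of the codes above can be read straight from their bits: 0x80190190 carries the HTTP 400 seen in the event log, and 0x800705b4 carries the Win32 time-out. The PowerShell below is an added example, not from the original post or from Microsoft; the function names are hypothetical and the sample lines are constructed.

```powershell
# Added example (not from the original post).
# HRESULT layout: bit 31 = failure flag, bits 16-26 = facility, bits 0-15 = code.
function ConvertFrom-HResult {
    param([Parameter(Mandatory)][string]$Code)      # '0x800705b4' or '800705b4'
    $value    = [Convert]::ToInt64(($Code -replace '^0x', ''), 16)
    $facility = ($value -shr 16) -band 0x7FF
    $low      = $value -band 0xFFFF
    # Only the two facilities this example interprets; others stay numeric.
    $meaning = switch ($facility) {
        25      { "HTTP status $low" }                                        # FACILITY_HTTP
        7       { [ComponentModel.Win32Exception]::new([int]$low).Message }  # FACILITY_WIN32
        default { 'not interpreted here; look up the full code' }
    }
    [pscustomobject]@{
        Code     = '0x{0:x8}' -f $value
        Failure  = [bool](($value -shr 31) -band 1)
        Facility = $facility
        LowWord  = $low
        Meaning  = $meaning
    }
}

# Pulls every 0x######## value out of a line of log or UI text.
function Get-HResultFromText {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Text)
    process {
        [regex]::Matches($Text, '0x[0-9a-fA-F]{8}') |
            ForEach-Object { $_.Value.ToLower() }
    }
}

# Constructed sample lines, modelled on the messages quoted in this post.
$sample = @(
    'The sync could not be initiated (0x80190190)',
    'Preparing your device for mobile management failed with (0x800705b4)',
    'Result: (Unknown Win32 Error code: 0x86000022).'
)
$sample | Get-HResultFromText | Sort-Object -Unique |
    ForEach-Object { ConvertFrom-HResult -Code $_ }

# On a device, feed it the MDM diagnostics log instead of $sample:
# Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' |
#     Where-Object { $_.Level -le 3 -and $_.Message } |
#     ForEach-Object Message | Get-HResultFromText
```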
This device is already enrolled. You can contact your system administrator with the error code 8018000a.
Operating system: Windows 10 and later
Symptoms:
During Autopilot, the device fails right after you provide credentials:
What happened?
This error means the device is already enrolled in Intune. This could be due to an error while provisioning the device, where it actually went through some of the process.
In such a scenario a device would typically be stuck.
Solve it:
1. Go to intune.microsoft.com and delete the serial number of the device
2. Go to portal.azure.com and remove the EntraID object corresponding to the Autopilot registration.
3. Re-register the device to the Autopilot service.
Your user can start over and enter their credentials into the device and Autopilot will proceed as expected.
This feature is not supported. Contact your system administrator with the error code 80180014.
Operating system: Windows 10 and later
Symptoms:
You are at the OOBE page and want to log on to your device. You think it should go through Autopilot, but it fails.
If we take a closer look at the Autopilot object, we see that it appears to be a personal device.
1. To find out what happens in Intune go to Endpoint -> Devices -> Monitor -> Autopilot deployments (preview)
2. Go to the event log on the failing device. Shift + F10 -> eventvwr.msc -> Applications and Services Logs -> Microsoft -> Windows -> DeviceManagement-Enterprise-Diagnostics-Provider -> Admin
What happened?
This error means the device cannot enroll because the platform or version is not supported. This is typically because enrollment restrictions are configured in your tenant.
Solve it:
To solve it, register your device to Autopilot. In this case the device is considered a “Personal” device, and the device restrictions in this environment do not allow “Personal” devices to be enrolled.
Apps (0x81036502).
Operating system: Windows 10 and later
Symptoms:
You are running through Autopilot and your installation fails during Device Setup.
If you navigate to the IME log you will be able to find the installation and why it failed.
What happened?
This error means the IME waited for a process to finish, but the process did not return the expected error code. 1603 is a fatal error and can be many things.
Solve it:
Test your application thoroughly before you use it with Autopilot and make sure it is robust.
Account setup failed
Operating system: Windows 10 and later
Symptoms:
While Autopilot is running, you will see the account setup fail.
Tip to quickly see if your users are licensed:
What happened?
This error could be many things, but normally it comes down to the user who is enrolling through Autopilot not having an Intune-eligible license assigned.
Solve it:
Assign a license to the user account and rerun the Autopilot provisioning.
This solution was provided by Matias Magnus
Configuration Profiles related errors
(./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Receiver/Properties/Policy/FakePolicy/Version), Result: (The system cannot find the file specified.).
Operating system: Windows 10 and later
Symptoms:
When looking at the eventlog DeviceManagement-Enterprise-Diagnostics-Provider it says:
What happened?
The “FakePolicy” is created to detect if a certain patch is present on Windows, and will be removed automatically once machines are ready to consume the new ADMX versioning feature.
Reddit has an article on it here
Solve it:
Nothing to do. It is normal behavior for any Intune-managed device.
Application related errors
LogonUser failed with error code : 1008
Operating system: Windows 10 and later
Symptoms:
You look into the IntuneManagementExtension.log and see: AAD User check using device check in app is failed, now fallback to the Graph audience. ex = System.ComponentModel.Win32Exception (0x80004005): An attempt was made to reference a token that does not exist.
What happened?
This error occurs on perfectly fine enrolled devices, and you should not put any effort into fixing it, as there is no fix at your disposal. If I find a reason or get more information from Microsoft, I will propose a solution here.
Windows Update related errors
Expedite client missing
Operating system: Windows 10 and later
Symptoms:
You expedited a patch using Microsoft Intune but nothing ever happens to the device(s) you assigned it to. You have waited the hours that should be sufficient for this patch to be expedited but still no results.
When you go to the report “Windows 10 and later Expedited updates” you see an error in:
Update State = Needs attention
Update Substate = Needs attention
Alert Type = Expedite client missing
If we grab the AAD Device ID and look it up in Azure AD we will be able to find the device.
What happened and how to solve it?
This error occurs when a device has not been online for a long time. You see that the “Device” column is empty, which means you will not be able to find it under the “Device” tab in Microsoft Intune. This can happen if a device has not been used for many months and the device cleanup rule removed it from Intune.
As the device still exists in EntraID with the Device ID, Intune simply syncs that ID to the Windows Update for Business Deployment Service (WUfB DS) in the backend and adds it to a WUfB DS audience that makes sure the device is eligible for the specified patch. Once the device comes online, it either receives the patch via push (WNS channel) or asks for it via the standard 22-hour sync schedule to Windows Update, depending on your configuration.
The device does not need to be online for this sync between Intune and WUfB DS to be initiated.
Solve it:
Since your device never asked for updates, you get this alert. The simple solution is to turn on your device and make sure it syncs to Windows Update; it will then start doing its magic and your device will be patched (given that all prerequisites for expedite have been fulfilled).
You can also re-enroll the device. You probably should.
See more in this troubleshooting guide and the deep-dive debug with Rudy.
Mattias Melkersen is a community driven and passionate modern workplace consultant with 20 years’ experience in automating software, driving adoption and technology change within the Enterprise. He lives in Denmark and works at Mindcore.
He is an Enterprise Mobility Intune MVP, Official Contributor in a LinkedIn group with 41.000 members and Microsoft 365 Enterprise Administrator Expert.
Mattias blogs, gives interviews and creates YouTube content on the channel "MSEndpointMgr", where he creates helpful content in the MEM area and interviews MVPs who showcase a certain technology or topic.
Official Contributor here "Modern Endpoint Management":
https://www.linkedin.com/groups/8761296/