MDM enrollment in Windows 10 Build - 14393.321.

  • Question

  • In the above build I notice a peculiar behavior in MDM enrollment. I want to use the "Enroll only into Device Management" option and when I try to add the account from the Settings app, I do not receive any request after the Discovery response is sent. I do not receive the Certificate Enrollment Policy web request.

    On the other hand when I try to enroll to the same MDM server using a provisioning package, the enrollment succeeds.

    I checked the event viewer when the error occurred and found the following details:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
     <System>
      <Provider Name="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider" Guid="{3DA494E4-0FE2-415C-B895-FB5265C5C83B}" /> 
      <EventID>55</EventID> 
      <Version>0</Version> 
      <Level>2</Level> 
      <Task>0</Task> 
      <Opcode>0</Opcode> 
      <Keywords>0x8000000000000000</Keywords> 
      <TimeCreated SystemTime="2016-10-13T09:14:21.937280500Z" /> 
      <EventRecordID>838</EventRecordID> 
      <Correlation /> 
      <Execution ProcessID="6320" ThreadID="15152" /> 
      <Channel>Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin</Channel> 
      <Computer>computer-name</Computer> 
      <Security UserID="S-1-5-18" /> 
      </System>
     <EventData>
      <Data Name="HRESULT">0x80070005</Data> 
      </EventData>
      </Event>

    The error message seen on the event viewer is "MDM Enroll: Enrollment via UX failed. Result: (Access is denied.).".

    Note: 

    1) I have not used the default administrator account.

    2) Created a new local user, added it to the administrator group and tried the enrollment via that user.

    3) Have doubly checked and confirmed that the user is an administrator and not a standard user.

    Is there any known issue of this sort in that particular build of Windows 10 Desktop?

    Thursday, October 13, 2016 9:27 AM

All replies

  • Hi Harishankar,

    When you try enrolling from "Work access" in the Settings app, by clicking on "Enrol into device management", it triggers the Federated enrollment flow (which is a bit different from the "OnPremise" flow that you may have used when enrolling via ppkg).

    Here are the details of Federated flow - https://msdn.microsoft.com/en-us/library/windows/hardware/dn925031(v=vs.85).aspx

    Here are the details of OnPremise flow - https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/on-premise-authentication-device-enrollment

    If you notice, the Federated flow has an authentication step and the Discovery Response expected by the MDM client is different for the two as well. Modifying your management solution using the above links will work.

    - Dhruvesh


    • Proposed as answer by DhruveshRathore Wednesday, November 23, 2016 6:01 AM
    • Unproposed as answer by Harishankar G Tuesday, March 14, 2017 10:17 AM
    • Edited by DhruveshRathore Friday, March 17, 2017 9:24 AM correcting typos
    Tuesday, November 22, 2016 6:33 PM
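
The reply above says the Discovery Response the MDM client expects differs between the Federated and OnPremise flows. The following is an added example, not code from the thread or from Microsoft, showing one way an MDM server developer could check which flow a response advertises. It assumes the `AuthPolicy`, `EnrollmentPolicyServiceUrl`, `EnrollmentServiceUrl` and `AuthenticationServiceUrl` elements of the MS-MDE `DiscoverResult`; the function names and the `mdm.example.test` URLs are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace of the MDM enrollment discovery service (MS-MDE).
ENROLL_NS = "http://schemas.microsoft.com/windows/management/2012/01/enrollment"
NS = {"e": ENROLL_NS}

# Elements this example expects per AuthPolicy value (assumption taken from
# the MS-MDE DiscoverResult schema; only Federated adds an authentication URL).
REQUIRED = {
    "Federated": ["EnrollmentPolicyServiceUrl", "EnrollmentServiceUrl",
                  "AuthenticationServiceUrl"],
    "OnPremise": ["EnrollmentPolicyServiceUrl", "EnrollmentServiceUrl"],
}

def check_discover_response(xml_text):
    """Return (auth_policy, problems) for a SOAP DiscoverResponse document."""
    root = ET.fromstring(xml_text)
    result = next(root.iter(f"{{{ENROLL_NS}}}DiscoverResult"), None)
    if result is None:
        return None, ["no DiscoverResult element found"]
    policy = result.findtext("e:AuthPolicy", default="", namespaces=NS).strip()
    if policy not in REQUIRED:
        return policy or None, [f"AuthPolicy {policy!r} not covered by this check"]
    problems = []
    for name in REQUIRED[policy]:
        url = result.findtext(f"e:{name}", default="", namespaces=NS).strip()
        if not url:
            problems.append(f"{name} missing for {policy} flow")
        elif not url.lower().startswith("https://"):
            # This example's own rule: enrollment endpoints should be HTTPS.
            problems.append(f"{name} is not an https URL")
    return policy, problems

def build_sample(policy, auth_url=None):
    """Constructed DiscoverResponse for testing; hosts are placeholders."""
    auth = f"<AuthenticationServiceUrl>{auth_url}</AuthenticationServiceUrl>" if auth_url else ""
    return (
        '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>'
        f'<DiscoverResponse xmlns="{ENROLL_NS}"><DiscoverResult>'
        f"<AuthPolicy>{policy}</AuthPolicy><EnrollmentVersion>3.0</EnrollmentVersion>"
        "<EnrollmentPolicyServiceUrl>https://mdm.example.test/policy</EnrollmentPolicyServiceUrl>"
        "<EnrollmentServiceUrl>https://mdm.example.test/enroll</EnrollmentServiceUrl>"
        f"{auth}</DiscoverResult></DiscoverResponse></s:Body></s:Envelope>"
    )

if __name__ == "__main__":
    for xml_text in (build_sample("OnPremise"), build_sample("Federated"),
                     build_sample("Federated", "https://mdm.example.test/login")):
        print(check_discover_response(xml_text))
```
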
  • Do you mean we cannot have OnPremise authentication for Windows 10 Desktops?
    Wednesday, November 23, 2016 5:31 AM
  • We can.

    For OnPremise enrollment using PPKG, it can be done on Desktop or Phone.

    For Federated enrollment using email-password, it can also be done on Desktop or Phone.

    You just need your management solution configured accordingly and developed using the above links I mentioned.

    - Dhruvesh

    Wednesday, November 23, 2016 6:01 AM
  • Were you ever able to resolve this issue? I'm getting the same issue; however, I'm using MaaS360 for my MDM.

    I'm not finding very much out there on the net.

    MDM Enroll: Enrollment via UX failed. Result: (Access is denied.).

    Friday, January 27, 2017 2:49 AM
  • No, I could not find a solution for this yet. Did you have any luck in getting past the error?
    Wednesday, March 8, 2017 10:05 AM
  • Did you find any solution?
    Monday, March 13, 2017 8:02 PM
  • No, Carlos. Still no luck. Tried a lot by fiddling with permissions to registry elements, DCOM permissions and the like, yet no luck. Will update the thread if I get a solution for the same.
    Tuesday, March 14, 2017 10:17 AM
  • I know this is an old thread... but did you ever find a resolution? I have the same problem; I've tried MaaS360 and get the same issue. AirWatch works but requires an agent but can't wipe the drive. What did you end up using?

    Thanks in advance.

    Thursday, August 31, 2017 12:01 AM