Intune error codes and solutions


2023-04-04 00:45 | Source: compiled from the web

Are you managing Intune? Maybe you just started, or maybe you have been working with the product for a long time. Either way, we all run into errors where we need to find out what to do about them. In this blog post I will help you with your error codes: what they mean and how to resolve them.

Throughout the post there will be links to many external contributors, so please give them huge kudos for their extensive work.

Welcome!

Updated October 13th 2022

—————————————————————————————————————————————————————–

MEM Sync related errors

The sync could not be initiated (0x80190190)

Operating system: Windows 10 and later

Symptoms: When attempting to sync policies with Intune from Settings, it says:

Event log says: MDM Session: OMA-DM message failed to be sent. Result: (Bad request (400).).

What happened and how to solve it?

Trust with the Intune backend has been lost and cannot be remediated automatically. Re-enroll your device to solve this issue.

You can run this script to clean up and re-enroll (be aware that this is not supported and is at your own risk).

It could also be that your device has two certificates and you need to clean out the wrong one. See more here

—————————————————————————————————————————————————————–

Failed to get AAD Token for sync session User Token: (Unknown Win32 Error code: 0xcaa2000c)

Operating system: Windows 10 and later

Symptoms: We’ve (I guess) all seen this?

When attempting to sync policies with Intune from Settings, it says: Sync wasn’t fully successful because we weren’t able to verify your credentials. Select Sync to sign in and try again.

Event log says:

You could also leverage the Intune Debug Toolkit – see MDM eventlog monitor

If we look into the Azure sign-in logs we would see this message:

What happened and how to solve it?

The user you logged on to the device with has MFA enabled (you should always have that). The security controls in AAD were not satisfied and required the account to authenticate and prove it is you. Only the device portion was synced with Intune.

Click the Sync button and authenticate when prompted to do so, and this message will disappear.

Microsoft has a good reference on the issue here, and also a solution model to work around it without weakening security.

—————————————————————————————————————————————————————–

OMA-DM message failed to be sent. Result: (Unknown Win32 Error code: 0x801901ad).

Operating system: Windows 10 and later

Symptoms: While trying to sync the device it says: The sync could not be initiated (0x801901ad)

What happened and how to solve it?

The device was unable to sync because of network connection issues. This can happen if you have no internet connection, if proxy software is blocking access to the internet, or if there is a driver issue.

Resolve it by authenticating to your proxy software or updating the network driver.

This solution was provided by Robert Rice.

—————————————————————————————————————————————————————–

Windows Autopilot related errors

Preparing your device for mobile management (0x800705b4)

Operating system: Windows 10 and later

Symptoms: During Autopilot, the first of the three phases, Device preparation, fails to finish:

What happened and how to solve it?

This error means “Time-out”: the device was not able to get further in the process. Something stopped it from proceeding to the next phase.

Press SHIFT+F10 to look up the error. Navigate to the event log; in this case it says (Unknown Win32 Error code: 0x82aa0002), which indicates that it is related to co-management. Someone set up a configuration for the device to install the Configuration Manager agent during Autopilot.

We also see an error (Unknown Win32 Error code: 0x86000022), which is related to Configuration Manager: “The specified node doesn’t exist.”

Check that your CMG works and try again, or remove the co-management profile assignment and try again; you will see it go through its stages as it should.

There could be many other problems when you see this issue. See more here, and also here

—————————————————————————————————————————————————————–

This device is already enrolled. You can contact your system administrator with the error code 8018000a.

Operating system: Windows 10 and later

Symptoms: During Autopilot the device fails right after credentials are provided:

What happened and how to solve it?

This error means the device is already enrolled in Intune. This could be due to an error while provisioning the device, where it actually went through part of the process.

In such a scenario a device would typically be stuck.

1. Go to endpoint.microsoft.com and delete the serial number of the device.
2. Go to portal.azure.com and remove the AAD object corresponding to the Autopilot registration.
3. Re-register the device to the Autopilot service.

Your user can start over and enter their credentials into the device, and Autopilot will proceed as expected.

—————————————————————————————————————————————————————–

This feature is not supported. Contact your system administrator with the error code 80180014.

Operating system: Windows 10 and later

Symptoms: You are at the OOBE page and want to log on to your device. You think it should go through Autopilot, but it fails.

What happened and how to solve it?

This error means the device cannot enroll because the platform or version is not supported. Here are two ways to find out what happens:

1. To find out what happens in Intune, go to Endpoint -> Devices -> Monitor -> Autopilot deployments (preview)
2. Go to the event log on the failing device. Shift + F10 -> eventvwr.msc -> Applications and Services Logs -> Microsoft -> Windows -> DeviceManagement-Enterprise-Diagnostics-Provider -> Admin

To solve it, register your device to Autopilot. In this case the device is considered a “Personal” device, and the device restrictions in this environment do not allow “Personal” devices to be enrolled.
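An added example, not part of the original post: the hex values quoted in this post are HRESULTs, and splitting them into facility and code shows why 0x80190190 is logged as Bad request (400) and why 0x800705b4 means time-out (Win32 error 1460). The function names are hypothetical; the log name is the Admin channel reached by the Event Viewer path in step 2 above.

```powershell
# Added example (not from the original post). Splits an HRESULT into its
# severity, facility and code fields so hex values in MDM events can be read.
function ConvertFrom-HResult {
    param([Parameter(Mandatory)][string]$Value)

    # Convert.ToUInt32 accepts an optional "0x" prefix when the base is 16.
    $n        = [long][Convert]::ToUInt32($Value, 16)
    $facility = ($n -shr 16) -band 0x7FF   # bits 16-26
    $code     = $n -band 0xFFFF            # bits 0-15

    # Only the two facilities the post's own examples rely on are named.
    $meaning = switch ($facility) {
        7       { "Win32 error $code" }    # FACILITY_WIN32
        25      { "HTTP status $code" }    # FACILITY_HTTP
        default { "facility $facility, code $code" }
    }
    [pscustomobject]@{
        HResult  = '0x{0:x8}' -f $n
        Failure  = [bool](($n -shr 31) -band 1)   # severity bit
        Facility = $facility
        Code     = $code
        Meaning  = $meaning
    }
}

# Hypothetical helper: pull every 8-digit hex code out of message text.
function Get-HResultFromText {
    param([string[]]$Message)
    foreach ($m in $Message) {
        if (-not $m) { continue }          # some events carry no message
        foreach ($hit in [regex]::Matches($m, '0x[0-9a-fA-F]{8}')) {
            ConvertFrom-HResult $hit.Value
        }
    }
}

# Constructed sample messages using codes quoted in the post.
$sample = @(
    'The sync could not be initiated (0x80190190)'
    'Preparing your device for mobile management (0x800705b4)'
)
Get-HResultFromText $sample | Format-Table -AutoSize

# On a managed device, feed it the Admin log instead (Level 2 = Error).
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
Get-WinEvent -LogName $log -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object Level -eq 2 |
    ForEach-Object { Get-HResultFromText $_.Message } |
    Sort-Object HResult -Unique | Format-Table -AutoSize
```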

—————————————————————————————————————————————————————–

Configuration Profiles related errors

(./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Receiver/Properties/Policy/FakePolicy/Version), Result: (The system cannot find the file specified.).

Operating system: Windows 10 and later

Symptoms: When looking at the event log DeviceManagement-Enterprise-Diagnostics-Provider it says:

What happened and how to solve it?

Nothing to do. It is normal behavior on any Intune-managed device.

The “FakePolicy” is created to detect whether a certain patch is present on Windows, and will be removed automatically once machines are ready to consume the new ADMX versioning feature.

Reddit has an article on it here

—————————————————————————————————————————————————————–

Application related errors

LogonUser failed with error code : 1008

Operating system: Windows 10 and later

Symptoms: You look into the IntuneManagementExtension.log and see: AAD User check using device check in app is failed, now fallback to the Graph audience. ex = System.ComponentModel.Win32Exception (0x80004005): An attempt was made to reference a token that does not exist.

What happened and how to solve it?

This error occurs on perfectly fine enrolled devices, and you should not put any effort into fixing it, as there is no fix available. If I find a reason or get more information from Microsoft, I will propose a solution here.

—————————————————————————————————————————————————————–

Windows Update related errors

Expedite client missing

Operating system: Windows 10 and later

Symptoms: You expedited a patch using Microsoft Intune, but nothing ever happens on the device(s) you assigned it to. You have waited the hours that should be sufficient for this patch to be expedited, but still no results. When you go to the report “Windows 10 and later Expedited updates” you see an error in:

Update State = Needs attention
Update Substate = Needs attention
Alert Type = Expedite client missing

If we grab the AAD Device ID and look it up in Azure AD, we will be able to find the device.

What happened and how to solve it?

This error occurs when a device has not been online for a long time. The “Device” column is empty, which means you will not be able to find the device under the “Device” tab in Microsoft Intune. This can happen if a device has not been used for many months and the device cleanup rule removed it from Intune.

As the device still exists in Azure AD with the AAD Device ID, Intune simply syncs that AAD ID to the Windows Update for Business Deployment Service (WUfB DS) in the backend and adds it to a WUfB DS audience that makes sure the device is eligible for the specified patch. Once the device comes online, it either receives the patch via push (WNS channel) or asks for it via the standard 22 hours sync schedule to Windows Update, depending on your configuration.

The device does not need to be online for this sync between Intune and WUfB DS to be initiated.

Since your device never asked for updates, you get this alert. The simple solution is to turn on your device and make sure it syncs to Windows Update; it will then start doing its magic and your device will be patched (given that all prerequisites for expedite have been fulfilled).

See more on this troubleshooting guide and deep dive debug with Rudy


