Autoenrollment



2024.04.24 20:24 ProfessionalEntire33 Are you autoenrolled in limited programs when you get accepted?

Ik acorn has a 3 program limit for how many u can be enrolled in simultaneously, so how does that work if, say, I applied to 4 limited programs and got into all of them, would acorn block enrollment into the 4th one I got accepted into?
submitted by ProfessionalEntire33 to UofT [link] [comments]


2024.04.19 05:32 Frequent-Way790 Unable to join to Entra ID OOBE

I have business premium, Azure Hybrid with AD connect. However testing joining machines to solely entra ID out of box, both W10 and W11. I fail at joining to Entra ID. Error I get is Server Error Code: 80192ee2. I look at Audit Logs in Entra ID and devices register and then 2 secs later delete themselves. All users are set to be allowed to join devices to entra ID. I am also allowing the use of Intune Autoenrollment. It should not be an issue because I have business premium licensed accounts. I am completely lost and Google hasn’t helped me either. Any help would be greatly appreciated.
UPDATE: I was testing join to Entra ID on a VirtualBox machine. I had it set to NAT Adapter. I switched to Bridged Network Adapter and that resolved the issue. For anyone out there with same issues testing hope this finds you.
submitted by Frequent-Way790 to sysadmin [link] [comments]


2024.04.09 22:28 KingAragorn47 PPV Buy auto subscription

Bought the Joshua fight 20 quid. Been auto charged another 20, autoenrolled on a subscription, and then charged a further month.
Absolute fucking disgrace. Will never buy a PPV again with them. Might have screwed me in the short term but they'll lose a lot more future revenue.
submitted by KingAragorn47 to DAZN [link] [comments]


2024.04.02 17:55 Material-Cell-4715 PRSAs and AutoEnrollment

Can someone please explain the implications of autoenrollment on existing standard PRSAs for PAYE employee?
The employer is going to have to pay into a pension one way or the other when autoenrollment is finally rolled out; can they pay into an employee's existing PRSA (does that then make it an occupational pension?)
Also, is there any additional burden to the employer by setting up an occupational pension over just going along with autoenrollment?
Trying to get in ahead of autoenrollment here as on the higher marginal rate of tax and my understanding is that an occupational pension would be more tax efficient than what autoenrollment is offering (i.e. 40% vs 33%)
submitted by Material-Cell-4715 to irishpersonalfinance [link] [comments]


2024.03.26 18:24 Pale-Assistant-6510 URL script error

Can anyone help identify how to resolve these errors?
Using this script to create MDM URLs:
# Create Registry Path for MDM AutoEnrollment
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM"
New-Item -Path $registryPath -Force
# Add Registry Keys for AutoEnrollment
$Name1 = "AutoEnrollMDM"
$Name2 = "UseAADCredentialType"
$value = "1"
New-ItemProperty -Path $registryPath -Name $Name1 -Value $value -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path $registryPath -Name $Name2 -Value $value -PropertyType DWORD -Force | Out-Null
# Force Group Policy Update
gpupdate /force
# Speed up the process by configuring MdmEnrollmentUrl and other URLs, and then forcing device enrollment
# The wildcard is expected to match the tenant subkey under TenantInfo
$key = 'SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\*'
$keyinfo = Get-Item "HKLM:\$key"
$url = $keyinfo.name
# Keep only the last path segment (the tenant subkey name)
$url = $url.Split("\")[-1]
$path = "HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\$url"
New-ItemProperty -LiteralPath $path -Name 'MdmEnrollmentUrl' -Value 'https://enrollment.manage.microsoft.com/enrollmentservediscovery.svc' -PropertyType String -Force -ea SilentlyContinue
New-ItemProperty -LiteralPath $path -Name 'MdmTermsOfUseUrl' -Value 'https://portal.manage.microsoft.com/TermsofUse.aspx' -PropertyType String -Force -ea SilentlyContinue

Error I get below:
Get-Item : Cannot find path
'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo' because
it does not exist.
At line:1 char:12
+ $keyinfo = Get-Item “HKLM:\$key”
+ ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (HKLM:\SYSTEM\Cu...Join\TenantI
nfo:String) [Get-Item], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetI
temCommand
PS C:\Windows\TEMP> $url = $keyinfo.name
PS C:\Windows\TEMP> $url = $url.Split("\")[-1]
You cannot call a method on a null-valued expression.
At line:1 char:1
+ $url = $url.Split(“\”)[-1]
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
submitted by Pale-Assistant-6510 to Intune [link] [comments]
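
The Get-Item failure quoted in the post above can be detected before any registry write is attempted. The following is an added example, not part of the original post: a read-only PowerShell preflight in which the function name Get-MdmTenantInfo is hypothetical, and reading a missing TenantInfo key as "the device has no Entra join state yet" is an assumption.

```powershell
# Added example: read-only preflight for the TenantInfo lookup used in the script above.
# Assumption: a missing TenantInfo key means the device has no Entra join state yet,
# so there is no tenant subkey to write MdmEnrollmentUrl / MdmTermsOfUseUrl into.
function Get-MdmTenantInfo {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [string]$TenantInfoPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo'
    )

    # The posted script fails here: Get-Item with a wildcard throws when the parent key is absent.
    if (-not (Test-Path -LiteralPath $TenantInfoPath)) {
        Write-Warning "TenantInfo key not found: $TenantInfoPath. Check the join state with 'dsregcmd /status' first."
        return @()
    }

    # One subkey per tenant. Get-ChildItem returns nothing (not an error) when there are none.
    $tenantKeys = @(Get-ChildItem -LiteralPath $TenantInfoPath -ErrorAction Stop)
    if ($tenantKeys.Count -eq 0) {
        Write-Warning 'TenantInfo exists but contains no tenant subkey.'
        return @()
    }

    foreach ($key in $tenantKeys) {
        # Read the current values without changing anything; absent values come back as $null.
        $props = Get-ItemProperty -LiteralPath $key.PSPath
        [pscustomobject]@{
            TenantKey        = $key.PSChildName
            RegistryPath     = $key.PSPath
            MdmEnrollmentUrl = $props.MdmEnrollmentUrl
            MdmTermsOfUseUrl = $props.MdmTermsOfUseUrl
        }
    }
}

$tenants = @(Get-MdmTenantInfo)
if ($tenants.Count -eq 0) {
    # Nothing to write to: stop here instead of calling .Split() on a null value.
    Write-Output 'No tenant subkey found; skipping the MDM URL registry values.'
} else {
    # Show what is already configured per tenant before deciding to overwrite it.
    $tenants | Format-List
}
```

Run it from an elevated session on the affected machine; an empty result reproduces the condition behind both errors in the post without touching the registry.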


2024.03.06 21:21 Arcuss88 Intune & MS Authenticator Conflicting

Hi all, I'm hoping someone can at least explain why this is happening. I have users who are enrolling their mobile devices with Intune, but are contractors and connect to client environments. Some of those clients use MS Authenticator for 2FA. What we are finding is that in these cases, after enrolling their device with Intune they can no longer use the MS Authenticator app for the client's MFA. Right now users are enrolling their devices and BYOD, but I will be enabling autoenrollment using Modern Auth next month. Can someone explain why they can no longer use MS Authenticator, even if we are not using the app for deploying Intune?
submitted by Arcuss88 to Intune [link] [comments]


2024.03.06 13:00 rolladyce Am I eligible for carry forward of pension allowance?

A bit about my situation:
- In 2017/18 I was PAYE and was autoenrolled into making contributions into a L&G pension
- Since 2018/19 I have been self-employed
- Until this current tax year, I haven't made any contributions into any pension at all
- This tax year, I have transferred my old L&G pension into a vanguard SIPP, and have also made contributions into the SIPP
- It's looking like I may be in a position to use the full 60000 allowance for the current year
Given that I did not use any of my allowances over the past 3 years, would I be able to exceed the 60000 limit by carry forward if I wanted? I've read that to be eligible to do this, I have to have been enrolled into a pension scheme during that time. Does the existence of my old L&G DC pension (that lay forgotten about during that time) give me that eligibility?
And if I do so, do things get substantially more complicated on next year's self-assessment, or is it all pretty straightforward still...
submitted by rolladyce to UKPersonalFinance [link] [comments]


2024.02.24 15:08 VexedTruly ADCS - Autoenroll Workstation Authentication Certificates Failure (incorrect rewuestor)

Got a weird one where a bunch of laptops that have been re-imaged in the last 12 months are failing to autoenrol the computer certificate BUT it’s not affecting every device.
The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377 CERTSRV_E_SUBJECT_DNS_REQUIRED)
I’ve checked the failed requests on ADCS and for some reason the requester is listed as the domain\admin rather than the computer name so the error is logical because the requester should be the computer name.
Just wondered if anyone had seen similar in the past? I’d like to avoid re-imaging all of these devices again if I can help it ><
Edit - typo in the subject is going to haunt me. Knew I should have posted from laptop rather than phone!!
submitted by VexedTruly to sysadmin [link] [comments]


2024.02.22 19:42 LegoGeezer57 AD User and Computer Cert Auto-enroll question

So in every AD shop I’ve been in the domain and Windows PKI has been configured to install computer and user certificates via autoenrollment.
I’ve come across a domain that is not doing either and my question is why wouldn’t you want to at least do auto-enrollment for computers? What are the security implications of not issuing certs to computers and users? In hybrid AD/Entra there is option to override the rule that if userCertificate attribute on a machine is null then do not sync, but why would you want to?
Just trying to understand the implications of not having certs for domain users and computers, and what are the implications of implementing (what’s possibly going to break)?
Thanks
submitted by LegoGeezer57 to sysadmin [link] [comments]


2024.02.20 16:14 Frequent-Way790 Issues Enrolling AD Hybrid Machine into Intune

I have a workstation, Windows 10 Enterprise LTSC 21H2. It is failing to join Intune MDM. I am testing autoenrollment of Intune into my domain. I created the GPO for MDM enrollment. It looks to be failing to apply. When I run gpupdate /force, it says MDM policy fails to apply. I enabled GPO logging; the error I see is that Extension MDM Policy returned 0x8018000a. From research I performed, it means that the device is already registered and enabled; however, this is not the case. The workstation does not appear in Intune Manager. It appears in Entra ID as being Entra Hybrid Joined but MDM set to none. Any tips or suggestions would be greatly appreciated.
Thanks,
submitted by Frequent-Way790 to sysadmin [link] [comments]


2024.02.11 11:09 penelope_best On prem AD + SCCM

If we have on Prem AD and SCCM and we want to move to AD + Intune, then do we need Autopilot? We can just use AutoEnroll and manage deployment/Policies via Intune.
So am I confusing the purpose of AutoPilot? OOBE is not relevant to us.
submitted by penelope_best to Intune [link] [comments]


2024.02.02 11:33 Fast-Cardiologist705 Microsoft Intune Enrollment for BYOD and conditional access rules

hi,
totally new to Intune, however doing some conditional access review for my organization, and would have some questions.
According to https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enroll?tabs=work-profile%2Ccorporate-owned-apple%2Cbyod-enrollment#windows-enrollment-methods when someone registers a BYOD device in Entra as Entra registered device by using the Company Portal or through Connect a work or school account "In all of these BYOD scenarios, the devices are Microsoft Entra registered and managed by Intune", but isn't autoenrollment required to be configured for this in the first place (I mean without https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-enroll#enable-windows-automatic-enrollment wouldn't the BYOD device be Entra registered but not enrolled in Intune?).
I'm asking because I see in the sign-in logs after two events to the Device Registration Service one request to Microsoft Intune Enrollment that is denied by a conditional access policy rule (because as of now, the rule requires to be either on the VPN network or in a range from the Trusted Site).

Anyone ?

submitted by Fast-Cardiologist705 to Intune [link] [comments]


2024.01.19 20:42 One_Cookie_4215 Windows AutoEnrollment Fails with error "Auto MDM Enroll: Device Credential (0x1), Failed (Unknown Win32 Error code: 0x8018002b)"

Hello, I'm configuring Intune Auto Enrollment for Hybrid Joined Devices and the devices are failing to enroll with the given error "Auto MDM Enroll: Device Credential (0x1), Failed (Unknown Win32 Error code: 0x8018002b)", I have verified all the pre-reqs like the correct UPN, Azure tenant url and ID.
Note: Azure domain is federated to Okta.
Anyone has encountered this issue?

submitted by One_Cookie_4215 to Intune [link] [comments]


2024.01.17 01:21 r3ptarr Certificate Authority Nightmare

Came back from vacation and it seems none of my certificate autoenrollment is working on my domain controllers. I look at logs and I see a lot of Event ID 47 saying that "A valid certification authority cannot be found to issue this template". No permissions have changed on the templates and I validated that the domain controllers group has auto-enroll permissions.
What else should I be checking? Every device I try and request a certificate from shows no available templates.
submitted by r3ptarr to sysadmin [link] [comments]


2024.01.05 17:19 ccbrownkc Infamous Waiting For Install Status / Pending Install - iOS ADE ABM

Hello. Thank you for reading this. We have a recent setup with apple business manager to Intune. Token status is green and active. During testing we had a pilot USER group and the entire process tested out fine. The oobe went smooth with logging into portal and the required apps that were assigned to the USER group came down. The Only vpp(Books and Apps) app I am using is Company Portal and that is provisioned with the Autoenrollment Profile. When going to production the only change that was made is, I created a Dynamic Device Group based off of the Enrollment Profile. I have assigned it to the device configuration policies and apps. The device configurations apply successfully. The apps are stuck in the Waiting for Install Status. These apps are iOS store apps. The phone also pops a message stating "This Apple ID can't be used to make purchases". They are managed Apple IDs through ABM. However, they were managed Apple IDs we initially tested with as well. I do not believe I have left anything out. Thank you in advance.
submitted by ccbrownkc to Intune [link] [comments]


2023.12.21 20:40 orion3311 Certificate from internal CA appears to be self-signed

Here's a strange one; I'm trying to get a certificate for a copier web portal. I'm using my computer's certificate management MMC to do this. I have a cert template for web server with the right settings.
On my computer, I go into the computer cert store (personal), do a new request (not custom request but just request using autoenrollment), but pick the proper template, fill in the common name/san name, verify settings, and click finish. CA gets the request, looks good, I hit "issue" then go back to my pc.
Now on my PC, the cert appears under "certificate enrollment requests > Certificates", but the weird thing is it appears to be self-signed, as the "issued by" is the common name?! WTF.
In looking at the CA console under issued certs, I can find the cert, and appears perfect with the proper ca chain behind it. I tried exporting/re-importing and no bueno. I also tried just exporting and importing into the copier, but the same problem persists in that it appears as self-signed.
Anyone run into this?
EDIT/UPDATE - Well I kinda feel like an idiot, in that the requests are just the requests. Even without issuing the cert it appears under requests. Question is, once the cert is issued, shouldn't it flow back into the computer personal store?
I tried exporting from the CA Console but I can't, at least not with the private key.
--------
FOUND IT! I had to right-click on the root of the tree (certificates - local computer), then go to All Tasks, then select "Automatically Enroll and Retrieve Certificates". That prompted to enroll the outstanding requests. I swear I didn't have to do this before, but so be it. And just to test, I denied a subsequent request, then ran that again. It reported the request as denied and removed it from the requests bucket.
submitted by orion3311 to sysadmin [link] [comments]


2023.12.19 16:41 Several-Aioli8275 MacOS PIV with AD attribute mapping renewal

Hello, I have set up YK with AD auto-enrollment/renewal. On a Windows host, I can auto-enroll and renew with no issues; however, on MacOS I have not found a way to auto enroll, and in all likelihood, renewal will not work either. Is there a way to have MacOS clients autoenroll/renew? In order to get this working on MacOS for login, I had to enroll the YK on a Windows 11 VM. Since most users are on MacOS, this becomes a challenge for enrollment/renewal. Super easy on Windows, looking to reproduce on MacOS.
submitted by Several-Aioli8275 to yubikey [link] [comments]


2023.11.14 21:07 ksrc101 Autoenrollment On-Prem AD computers

How can I auto enroll my on prem AD computers into Intune? Will this only happen when a end user signs into their work account via accounts on the PC or (preferred) can I force enroll the PC when joining the domain or logging in the first time?
Thanks,
submitted by ksrc101 to Intune [link] [comments]


2023.11.07 09:20 Few-Worry-3043 co-management device autoenrollment issue - event ID 78

we have a few devices, they keep not to enroll to intune, from the co-management handler log :
Could not check enrollment url, 0x00000001: CoManagementHandler 2023/11/6 14:18:58 8964 (0x2304)

from the event log there is eventID 78 as below screenshot : MDM autoenrollment DMgetaadDeviceToken failed ( The operation attempted to access data outside the valid range )

https://preview.redd.it/6mjc4udexvyb1.png?width=906&format=png&auto=webp&s=6b12792659a69a7da58806dc9a9e709e9b36e4ec
hope someone have seen this issue and can help us ?
submitted by Few-Worry-3043 to Intune [link] [comments]


2023.11.05 03:23 Pleasant-Ad7313 Whats a 403b and Child savings account?

Hi! I am a 23F with a 1 year old son. I have recently landed a job that pays me $19 (base pay) for working 23.25 hours a week. I do a weekend warrior program so after all my added incentive it comes out to be $22 an hour. I am also starting nursing school in the spring. It wouldn’t affect my work hours but just for reference. My job offers a 403b and they match the 3% that is autoenrolled when you first start. I have no clue what this is. I do want to plan for retirement and I have low monthly expenses. Just need a little more information and advice if possible. I also want to start a college savings for my son, what's better than a regular savings account? I want to put my money to use. I am new to finances so feel free to add any information you think will be useful! Thank you guys!!
submitted by Pleasant-Ad7313 to personalfinance [link] [comments]


2023.11.04 14:33 Choops128 SAVE - and are we still submitting yearly employment certification forms?

I'm just catching up on my PSLF and really trying to understand a few things.
- I was under IDR previously and was autoenrolled into the SAVE plan - I'll be paying $0 for the next 10 months? Last time I was given an estimate for how much I'll pay was back around the time of the end of the initial payment pause and it was $307 based on a percent of my discretionary income (salary was around 70K then). Now, I'm closer to 100-120K. Seems too good to be true that I'd be paying nil now. Is there a catch?
On another note, I'd like to recertify my employment to update my counts. I cannot for the life of me find the employment certification form. I was able to submit a PSLF form (studentaid.gov/pslf/) and have it sent to my employer for e-signature. Is that the new method of recertifying?
Lastly, I'm learning about the Mandatory Forbearance Request for Medical or Dental Internship/Residency, National Guard or DOD Student Loan Repayment Program Forbearance which I can save some money with. Would this forbearance still count toward my qualifying payments?

Thank you all for your answers.
submitted by Choops128 to PSLF [link] [comments]


2023.11.02 22:32 k8dh 802.1X wired machine auth is failing while wireless auth works

Hi everyone, a bit stumped here with some Meraki/NPS authentication failures.
I am working on configuring 802.1X authentication using machine certificates. I setup the NPS policies, configured the autoenrollment machine certs, and configured network policies in GPO to push the client settings. The Wireless is configured the exact same as far as policies and client settings. The only difference is the port type (Wired vs Wireless) that is being used for the NPS connection request/network policy. I have also imported the CRL directly into the NPS server.
The odd thing is that the Wireless authentication works as expected, but the wired gives "authentication failed errors" and the NPS server logs show errors that "revocation server offline". I run a wireshark capture, and I can see the access-request/access denied.
If I switch the policy for the wired auth to accept PEAP and switch the client NIC settings for user based auth, then it works.
Has anyone run into this issue before? I'm not sure why NPS would give errors on the CRL only on the wired when all of the certificate settings are the exact same and the CRL is imported.


submitted by k8dh to meraki [link] [comments]

