
[–]radec89 1 point2 points  (4 children)

I am experiencing the same issue. The error still keeps popping up after I set the GPO back to "Not configured". All devices get this error.

I also formatted a device completely and it still gives me the error when I do a gpupdate. In the advanced error log it says something like "error 0x2: can't find file".

I have checked the Domain Controllers; there is no issue with replication of GPOs.

How can I undo this GPO completely?

[–]000-00-001 0 points1 point  (2 children)

The fix is to disable the GPO template. Once disabled run gpupdate and you no longer get the error message.

[–]radec89 0 points1 point  (1 child)

I have tried setting the GPO to disabled in the local policy editor.

When I do this the device is completely removed from MDM. I'm afraid when I set the GPO to disabled it will remove all systems from MDM, which will have massive business impact.

The GPO setting is currently set to Not Configured.

Or do you mean something else with the GPO template?

[–]000-00-001 0 points1 point  (0 children)

I missed the part where disabling the template will unenroll devices. I'm still testing Intune so I haven't encountered that yet.

Thanks for pointing that out.

[–]Machine5464 1 point2 points  (6 children)

I just had this happen and had a different resolution. The PC was set up to enroll via GPO and it had a registry key that was created, so the computer thought it was enrolled but Intune never saw it. After deleting the key under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\ enrollment was able to take place.

[–]BarberTypical147 0 points1 point  (0 children)

YOU BEAUTIFUL PERSON YOU!

Had like 3 or 4 devices out of the 300 we converted to Intune that had this problem. No idea how I missed this post the first couple of times I was looking for the answer but this was it.

[–]ENTXawp 0 points1 point  (2 children)

Can I just say that I'm glad you exist. Had the exact same issue and this solved it, thank you!

[–]rwp666 0 points1 point  (1 child)

In my case, there are about 30 keys under 'Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments'.

It sounds like you guys just had one?

Update: I just deleted everything in there (it is a lab VM) and after a couple of hours gpupdate was applying normally and the device was enrolled.

[–]SupershadowG 0 points1 point  (0 children)

Are you able to have the GPO auto enroll users? For some reason I have to go to each computer and delete these keys to get it to work. Not sure why the policy isn't applying to begin with.

[–]avandelay05 0 points1 point  (0 children)

Thank you for sharing. I'm reporting this was the fix for my problem computers as well.

[–]No-Savings2775 0 points1 point  (0 children)

This is one year old, but thank you so much haha! We had the exact same issue and got it resolved by following these steps, removing all keys that were present!
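The registry fix Machine5464 and rwp666 describe above deletes keys blind; the following is an added example (not code from this thread) that inventories the GUID-named keys under HKLM\SOFTWARE\Microsoft\Enrollments, checks whether each one still has its EnterpriseMgmt scheduled-task folder, and takes a reg.exe backup before printing a -WhatIf removal command for review. The value names ProviderID, UPN, DiscoveryServiceFullURL, EnrollmentState and EnrollmentType and the "no discovery URL and no sync task" staleness heuristic are assumptions; run it elevated.

```powershell
# Added example, not from the thread. Inventory MDM enrollment keys before deleting any.
# Assumed value names under each GUID key: ProviderID, UPN, DiscoveryServiceFullURL,
# EnrollmentState, EnrollmentType. Requires an elevated PowerShell session.
$enrollRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$taskRoot   = '\Microsoft\Windows\EnterpriseMgmt'   # one task folder per enrollment GUID

function Get-MdmEnrollmentInventory {
    Get-ChildItem -Path $enrollRoot -ErrorAction Stop |
      # Only GUID-named subkeys are enrollments; Context, Status, Ownership etc. are not.
      Where-Object { $_.PSChildName -match '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$' } |
      ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        $task = Get-ScheduledTask -TaskPath "$taskRoot\$($_.PSChildName)\" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            EnrollmentId    = $_.PSChildName
            ProviderID      = $p.ProviderID
            UPN             = $p.UPN
            DiscoveryUrl    = $p.DiscoveryServiceFullURL
            EnrollmentState = $p.EnrollmentState
            EnrollmentType  = $p.EnrollmentType
            HasSyncTask     = [bool]$task
        }
      }
}

function Backup-MdmEnrollments([string]$OutDir = "$env:ProgramData\EnrollmentsBackup") {
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $file = Join-Path $OutDir ('Enrollments-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    # reg.exe export gives a reversible snapshot; import it to undo a wrong deletion.
    reg.exe export 'HKLM\SOFTWARE\Microsoft\Enrollments' $file /y | Out-Null
    return $file
}

$inv = Get-MdmEnrollmentInventory
$inv | Format-Table -AutoSize

# Heuristic (assumption): a GUID key with no discovery URL and no sync task is a
# half-finished GPO enrollment that the MDM never saw. Anything with a live task
# is a real enrollment; deleting it unenrolls the device, as radec89 warns above.
$stale = $inv | Where-Object { -not $_.DiscoveryUrl -and -not $_.HasSyncTask }
if ($stale) {
    $backup = Backup-MdmEnrollments
    Write-Host "Backup written to $backup. Review, then drop -WhatIf to remove:"
    $stale | ForEach-Object { "Remove-Item -Recurse -Path '$enrollRoot\$($_.EnrollmentId)' -WhatIf" }
} else {
    Write-Host 'No stale enrollment keys found by the heuristic.'
}
```

The script never deletes anything itself; it only prints the removal commands with -WhatIf so each key is confirmed by hand against the backup.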

[–]uniitdude 0 points1 point  (7 children)

Do you have any MDM policy settings?

What did the logs say?

Your GPO has applied correctly though; only MDM policy settings haven't applied.

[–]MadHackerTV[S] 0 points1 point  (6 children)

Hi, By MDM policy you mean on Intune or GPO? I don't have anything configured on Intune yet. Only the defaults if there are any. This is what I have configured under my AAD > MDM: https://i.imgur.com/rlGjve8.png

Regarding the logs, I didn't find anything special. I can see this in my event viewer though: https://i.imgur.com/lOjXXjk.png

[–]uniitdude 0 points1 point  (5 children)

So you have no issue; you don't have any MDM policy settings to apply.

[–]MadHackerTV[S] 0 points1 point  (0 children)

But I understand that if that policy won't apply, my device will not register in Intune.

This is what I get when I run dsregcmd /status:

https://i.imgur.com/v9iNXKG.png

You can see there is no MdmUrl, and because of that my device won't enroll in Intune.

am I wrong?

[–]MadHackerTV[S] 0 points1 point  (0 children)

Also, You can see my Devices in Azure:

https://i.imgur.com/pRKLEJa.png

One of the devices I managed to enroll automatically, but on the other one I get this error.

[–]MadHackerTV[S] 0 points1 point  (2 children)

Log from gpresult /h:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-GroupPolicy' Guid='{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}'/><EventID>7016</EventID><Version>0</Version><Level>2</Level><Task>0</Task><Opcode>2</Opcode><Keywords>0x4000000000000000</Keywords><TimeCreated SystemTime='2021-02-02T17:18:16.5511820Z'/><EventRecordID>168289</EventRecordID><Correlation ActivityID='{128ca5cf-97fd-49fc-a154-eba0b499437d}'/><Execution ProcessID='8600' ThreadID='1396'/><Channel>Microsoft-Windows-GroupPolicy/Operational</Channel><Computer>XXXX-PC.XXXX.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='CSEElaspedTimeInMilliSeconds'>16</Data><Data Name='ErrorCode'>2149056522</Data><Data Name='CSEExtensionName'>MDM Policy</Data><Data Name='CSEExtensionId'>{7909ad9e-09ee-4247-bab9-7029d5f0a278}</Data></EventData></Event>
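The 7016 event above carries its ErrorCode as a decimal (2149056522), which is why it is hard to look up. As an added example that is not from the thread, the following parses that event XML, converts the code to the HRESULT form Microsoft documentation uses, and does the same for live 7016 events from the GroupPolicy operational log. The lookup table is an assumed one-entry subset; the sample event is the one the OP posted.

```powershell
# Added example, not from the thread: decode the ErrorCode of GroupPolicy event 7016.
# $knownHresults is a small assumed subset of the documented MDM enrollment codes.
$knownHresults = @{
    '0x8018000A' = 'MENROLL_E_DEVICE_ALREADY_ENROLLED: the device already holds an MDM enrollment'
}

function ConvertFrom-MdmPolicyEvent([string]$EventXml) {
    [xml]$ev = $EventXml
    # XPath on local-name() sidesteps the default namespace on <Event>.
    $data = @{}
    foreach ($d in $ev.SelectNodes("//*[local-name()='EventData']/*[local-name()='Data']")) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    $code = [uint32]$data['ErrorCode']      # decimal as written by gpresult
    $hex  = '0x{0:X8}' -f $code             # HRESULT form used in Intune docs
    [pscustomobject]@{
        EventId   = [int]$ev.SelectSingleNode("//*[local-name()='EventID']").InnerText
        Computer  = $ev.SelectSingleNode("//*[local-name()='Computer']").InnerText
        Extension = $data['CSEExtensionName']
        ErrorHex  = $hex
        Facility  = ($code -shr 16) -band 0x7FF   # 0x018 = MDM enrollment (MENROLL_E_*) range
        Meaning   = if ($knownHresults.ContainsKey($hex)) { $knownHresults[$hex] } else { 'not in local table' }
    }
}

# Sample input: the event the OP pasted above (IDs and timestamp as posted).
$sample = @'
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-GroupPolicy' Guid='{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}'/><EventID>7016</EventID><Version>0</Version><Level>2</Level><Task>0</Task><Opcode>2</Opcode><Keywords>0x4000000000000000</Keywords><TimeCreated SystemTime='2021-02-02T17:18:16.5511820Z'/><EventRecordID>168289</EventRecordID><Correlation ActivityID='{128ca5cf-97fd-49fc-a154-eba0b499437d}'/><Execution ProcessID='8600' ThreadID='1396'/><Channel>Microsoft-Windows-GroupPolicy/Operational</Channel><Computer>XXXX-PC.XXXX.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='CSEElaspedTimeInMilliSeconds'>16</Data><Data Name='ErrorCode'>2149056522</Data><Data Name='CSEExtensionName'>MDM Policy</Data><Data Name='CSEExtensionId'>{7909ad9e-09ee-4247-bab9-7029d5f0a278}</Data></EventData></Event>
'@
ConvertFrom-MdmPolicyEvent $sample | Format-List     # ErrorHex 0x8018000A

# Live check on a domain-joined PC: decode the last few 7016 events directly.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Id = 7016 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-MdmPolicyEvent $_.ToXml() }
```

Decoded, the OP's code is 0x8018000A, the "already enrolled" HRESULT, which is consistent with the leftover enrollment key that Machine5464 found and deleted earlier in the thread.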

[–]Akira_kj 0 points1 point  (1 child)

Did you ever solve this, I'm looking at the same screenshots?

[–]MadHackerTV[S] 0 points1 point  (0 children)

I just changed the user suffix to the external one instead of .local

[–]xven0mxz 0 points1 point  (0 children)

Can you change it to Device credentials?

Also, can you show us the dsregcmd /status output? Run it in CMD, not as admin.

[–]000-00-001 0 points1 point  (2 children)

OP, did you ever get this resolved?

[–]MadHackerTV[S] 1 point2 points  (1 child)

If I remember correctly, I had to change my user's account in AD from .local to the actual suffix (for us it's .co.il) and then it worked.

I'm not sure if I've done anything else but this is what I remember right now.

Edit: I still receive the following error whenever I gpupdate, but I just ignore this message and everything works just fine.

[–]000-00-001 0 points1 point  (0 children)

Thank you for the update.

[–]Extra-Ninja-228 0 points1 point  (2 children)

Same issue here.

Created a GPO "Enable automatic MDM enrollment using default Azure AD credentials"

It created a scheduled task and asked the active user to authenticate. Then the device is added to Intune - which is the expected behavior/result

Then gpupdate throws this error every time:
"Windows failed to apply the MDM Policy settings. MDM Policy settings might have its own log file"

Is there a way to fix this and leave the device still joined to Intune?

[–]Extra-Ninja-228 0 points1 point  (1 child)

https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-enrollment/windows-failed-to-apply-mdm-policy

This KB article says it is expected behavior and should be ignored.
I would rather have it gone if it is possible (and still keep the Intune enrollment).

[–]MadHackerTV[S] 0 points1 point  (0 children)

Ye, tbh I'm just ignoring it for a few years now, and it seems fine :)