In a hybrid Azure AD setup, you may encounter situations where a workstation fails to enroll in Intune after completing the Hybrid Join process. When you check the Event Viewer under Applications and Services → Microsoft → Windows → DeviceManagement → Enterprise-Diagnostics-Provider → Operational, you might see the error:
Unknown Win32 Error code: 0xcaa9001f
Microsoft’s official documentation provides a potential fix, but the solution only applies if your environment and issue match the scenarios described there. In many cases, this error can also stem from unique factors within your own infrastructure setup, requiring deeper troubleshooting.


Symptoms:
When attempting to enroll devices in a hybrid Azure AD environment, you may observe the following conditions:
- Enrollment failure after Hybrid Join
Devices successfully complete the Hybrid Azure AD Join process but fail to enroll in Intune MDM. The enrollment attempt does not progress, leaving the workstation unmanaged.
- AAD Connect synchronization in place
Your environment uses Azure AD Connect to synchronize on-premises Active Directory objects with Azure AD. The affected devices belong to organizational units (OUs) that are included in the synchronization scope.
- Group Policy configured for MDM enrollment
A GPO (Group Policy Object) has been deployed to automatically trigger MDM enrollment using user credentials. Despite this configuration, devices fail to register with Intune.
- OU targeting in AAD Connect
Synchronization is scoped to specific OUs in Active Directory. The devices experiencing issues are part of these targeted OUs, yet they still fail to enroll.
- Event Viewer error
In the Event Viewer under Applications and Services → Microsoft → Windows → DeviceManagement → Enterprise-Diagnostics-Provider → Operational, you may see the error:
Unknown Win32 Error code: 0xcaa9001f
Cause:
The issue occurs in the following situation:
- The device was originally part of the Organizational Unit (OU) configured for synchronization with Azure AD Connect. However, it was moved out of this OU multiple times, which disrupted the synchronization process and left the device registration in a pending state within Azure AD. When a device remains stuck in this pending status, enrollment attempts typically fail and result in the Unknown Win32 Error code: 0xcaa9001f.
Solution:
Move the device back into the Organizational Unit (OU) that is included in Azure AD Connect synchronization. On the affected machine, disconnect it from Azure AD by removing its registration. Next, run the following command with administrative privileges:
dsregcmd /leave
After executing the command, restart the device. Once it reboots, Azure AD Connect will resynchronize the object and re-establish the device’s join with Azure AD.
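A read-only pre-check for the steps above, as an added example that is not from the original article: it confirms the computer object is back under a synchronized OU and reports the current join state before `dsregcmd /leave` is run. `$SyncedOu` is a placeholder, the helper function names are hypothetical, and the event channel name is assumed from the Event Viewer path given above.

```powershell
# Added example (not from the article): read-only pre-check before dsregcmd /leave.
# Assumption: replace this placeholder with an OU inside your Azure AD Connect sync scope.
$SyncedOu = 'OU=Workstations,DC=example,DC=com'

function Get-DsregStatus {
    # Parse the "Key : Value" lines printed by dsregcmd /status into a hashtable.
    param([string[]]$Lines = (dsregcmd.exe /status))
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') { $status[$Matches[1]] = $Matches[2] }
    }
    $status
}

function Get-ComputerDn {
    # Look up this computer's distinguished name in on-premises AD (no RSAT module needed).
    $filter = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
    $result = ([adsisearcher]$filter).FindOne()
    if ($result) { [string]$result.Properties['distinguishedname'][0] }
}

$dn    = Get-ComputerDn
$dsreg = Get-DsregStatus
$inOu  = [bool]($dn -and $dn.EndsWith(",$SyncedOu", [StringComparison]::OrdinalIgnoreCase))

# Summary of on-premises placement and the join state reported by dsregcmd /status.
[pscustomobject]@{
    DistinguishedName = $dn
    InSyncedOu        = $inOu
    DomainJoined      = $dsreg['DomainJoined']
    AzureAdJoined     = $dsreg['AzureAdJoined']
    DeviceId          = $dsreg['DeviceId']
} | Format-List

# Channel name assumed from the Event Viewer path in the article.
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational'
Get-WinEvent -LogName $log -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0xcaa9001f' } |
    Select-Object -First 5 TimeCreated, Id, Message

if (-not $inOu) {
    Write-Warning "Computer object is not under $SyncedOu; move it back before running dsregcmd /leave."
}
```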