Active Directory
A set of directory-based technologies included in Windows Server.
6,801 questions
Unknown generic error 0x82AA0001 when enrolling Windows MDM device
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 42%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIS%3C/text%3E%3C/svg%3E)
Ionut Soare
0
Reputation points
When enrolling a Windows11 device in our custom MDM, we implemented a backend that supports the following endpoints:
- /EnrollmentServer/Discovery.svc
- /api/Windows/Authenticate
- /EnrollmentServer/Policies.svc
- /EnrollmentServer/Enrollment.svc
Our purpose is to develop an MDM that connects to an on-premise AD. As described in Microsoft documentation, the above services implement:
- Discovery ( https://zcusa.951200.xyz/en-us/openspecs/windows_protocols/ms-mde2/98547779-b770-4730-9261-8ecaa1604c10 )
- Authentication in our system (custom implementation that results in an opaque token)
- Policies ( https://zcusa.951200.xyz/en-us/openspecs/windows_protocols/ms-mde2/8a5efdf8-64a9-44fd-ab63-071a26c9f2dc )
- Enrollment ( https://zcusa.951200.xyz/en-us/openspecs/windows_protocols/ms-wstep/ac55b8cc-9ade-4982-b135-991d574ade74 , certificates generated with a self signed openssl certificate)
Entire flow is described here: https://zcusa.951200.xyz/en-us/windows/client-management/on-premise-authentication-device-enrollment
In the enrollment process, first 3 steps succeeded, but even if 4th step (enrollment) is "parsed successfully", it crashes with unknown error.
Logs from Event Viewer:
Information > MDM Enroll: Authentication successful: Got token from STS.
Information > MDM Enroll: Certificate policy request sent successfully.
Information > MDM Enroll: Certificate policy response processed successfully.
Information > MDM Enroll: Certificate enrollment request sent successfully.
Information > MDM Enroll: Certificate enrollment response parsed successfully.
Error > MDM Enroll: Provisioning failed. Result: (Unknown Win32 Error code: 0x82aa0001).
Error > MDM Enroll: Failed (Unknown Win32 Error code: 0x82aa0001)
Information > MDM Unenroll: Finished user independant unenroll
Information > MDM Unenroll: Unenroll origin is: (Failed to process server enrollment provisioning, rolling back).
Information > OmaDmLogOmaDmApiInitiateSession: Result: (The system cannot find the file specified.), Account Id: (3DD9D1E2-C4E6-44FE-B76C-9AA79B2083C1), Initiation Id: ({BBD1793E-2F3C-4BA0-8547-690BBD6ADEAE}), Mode: (2), Origin: (9), AutoDelete: (false), Alert Count: (1), First Alert Name: (com.microsoft:mdm.unenrollment.userrequest), User Sid: (NULL), User Only: (false), All Active Users: (false), Process Name: (C:\Windows\system32\svchost.exe), System Or Admin: (true).
Error > MDM Unenroll: Error sending unenroll alert to server. Result: (Incorrect function.).
Information > MDM Unenroll: Changing dmwappushservice startup type to demand-start. Result: (Incorrect function.).
Information > MDM Unenroll: Succeeded
Error > MDM Enroll: Enrollment via UX failed. Result: (Unknown Win32 Error code: 0x82aa0001).
Any help / ideas how to continue / fix this error?
{count} votes
-
Ionut Soare 0 Reputation points
2025-01-14T19:39:07.3066667+00:00 UPDATE:
As I said above, the error
0x82AA0001is vague, but the request with the issue could/should be something in the/EnrollmentServer/Enrollment.svcendpoint, because it contains the Provisioning XML (the errors from event viewer mention "Provisioning failed", after "Certificate enrollment response parsed successfully").So while I think this response XML is valid (since "Certificate enrollment response parsed successfully"):
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <s:Header> <Action s:mustUnderstand="1" xmlns="http://www.w3.org/2005/08/addressing">http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep</Action> <RelatesTo xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</RelatesTo> <To s:mustUnderstand="1" xmlns="http://www.w3.org/2005/08/addressing">http://schemas.microsoft.com/2005/12/ServiceModel/Addressing/Anonymous</To> <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:35be3899-fd09-44d2-9e8e-5cf874f273e8</MessageID> <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> <u:Timestamp Id="_0"> <u:Created>2025-01-14T17:16:05.8302234Z</u:Created> <u:Expires>2025-01-14T17:26:05.8302528Z</u:Expires> </u:Timestamp> </Security> </s:Header> <s:Body> <RequestSecurityTokenResponseCollection xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"> <RequestSecurityTokenResponse> <TokenType>http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken</TokenType> <DispositionMessage xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment" /> <RequestID xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">0</RequestID> <RequestedSecurityToken> <BinarySecurityToken ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">...base64ProvisioningXML...</BinarySecurityToken> </RequestedSecurityToken> </RequestSecurityTokenResponse> </RequestSecurityTokenResponseCollection> </s:Body> </s:Envelope>The error
0x82AA0001is obscure (I found it referenced only here at line 31, and it might not even be related/true, since it's not an oficial Microsoft repository), so I have no idea why this provisioning thing fails.I have tried to place both
RootandMycharacteristics in separateCertificateStoreXML tags (as described by Microsoft documentation), and together (as in example above, since that's the solution I found in some open source code, line 615 that connects to a public AD instead of local AD server), but provisioning still fails.Fiddler doesn't show any other traffic after receiving the response from
/EnrollmentServer/Enrollment.svc(displayed above).Any ideas or any insight what could be wrong?
Sign in to comment
Sign in to answer