Don’t Mess Around with MDM User Scopes – A Different Take to “Something Went Wrong 8004005” and “OOBEAADV10” Errors

Something went horribly wrong. Not the policies, not the deployment profiles, not the ODJ profile, not the ESP. Let me explain.

Setup at a high level

  • Intune Connector setup
  • Intune Connector account is licensed and the Intune admin role assigned
  • OU delegation done
  • Hybrid Join GPO has been set up
  • MDM auto-enrollment GPO has been set
  • Autopilot deployment profiles have been created
    • Entra Joined profile
    • Hybrid Entra Joined profile
  • ESP has been set
  • An Intune license has been assigned to the user
  • Device has been registered in Intune
  • Autopilot profiles have been assigned to the devices

The above is pretty much a standard environment.

Error

The error was a typical one that I saw a lot of blog posts discuss. While some of them helped lead me to the issue I had, the error itself never pointed at the actual cause. Strange indeed!

An honorable mention that helped me shape my solution: Michael Niehaus – https://oofhours.com/2020/07/19/troubleshooting-windows-autopilot-hybrid-azure-ad-join/

No matter how much I tried, I ended up with the below errors.

Hybrid Entra Joined Error

Entra Joined Error

What did I do?

  • Checking the network connectivity
  • Running Autopilot Diagnostics – ODJ Applied was set to No.
  • ODJ Events in the Intune Connector Server – No events in the log for the service

Investigations

  • Noticed an outdated third-party MDM that was still listed under Entra ID's MDM authorities, with its MDM user scope set to All Users.
  • The ODJ Connector Service logs on the server hosting the Intune Connector were all empty.
  • As mentioned earlier, the Autopilot Diagnostics script didn't show much under the Observed Timeline.

MDM Authorities

This was a big red flag. A device can be enrolled with only one MDM at a time, and listing more than one MDM authority can lead to all sorts of issues. The user scopes matter just as much: MDM auto-enrollment uses the Entra Mobility configuration to find the enrollment endpoint for the user, so if the user groups of two MDMs overlap, as they did in my case, there will be issues. Case in point: the problem I had, where the errors didn't help much.

You can check the MDM Authorities by navigating to Entra ID > Identity > Settings > Mobility
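The portal view is enough for a small tenant, but the overlap is easy to miss when one MDM entry is scoped to All and another to a group. The PowerShell below is an added example, not code from the original post: it models the Mobility entries as objects, reports every user who falls into the user scope of more than one MDM, and then re-checks after the third-party entry is set to None, which is the fix applied later in the post. All data in it is constructed (the MDM names, group names and UPNs are made up), and the Microsoft Graph calls in the comments are what you would use to pull live data; the endpoint and `$expand` usage there are assumptions to verify against the Graph reference.

```powershell
# Added example (not the post's code): find users whose MDM user scope
# overlaps between the MDM entries under Entra ID > Identity > Settings > Mobility.
# Everything below is constructed sample data so it runs offline. In a tenant
# you would fetch the policies and group members instead, e.g. (assumption:
# beta endpoint, $expand supported):
#   Connect-MgGraph -Scopes 'Policy.Read.All','GroupMember.Read.All'
#   Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies?$expand=includedGroups'
#   Get-MgGroupMember -GroupId <id> -All

# Constructed sample: a stale third-party MDM still scoped to all users and
# Intune scoped to one pilot group. AppliesTo mirrors the Graph values none/all/selected.
$mdmPolicies = @(
    [pscustomobject]@{ DisplayName = 'Legacy MDM (3rd party)'; AppliesTo = 'all';      IncludedGroups = @() }
    [pscustomobject]@{ DisplayName = 'Microsoft Intune';        AppliesTo = 'selected'; IncludedGroups = @('Autopilot-Pilot-Users') }
)

# Constructed group membership and tenant user list (UPNs are made up).
$groupMembers = @{ 'Autopilot-Pilot-Users' = @('alice@contoso.example', 'bob@contoso.example') }
$allUsers     = @('alice@contoso.example', 'bob@contoso.example', 'carol@contoso.example')

function Get-MdmScopeOverlap {
    param(
        [Parameter(Mandatory)] [object[]]  $Policies,
        [Parameter(Mandatory)] [hashtable] $GroupMembers,
        [Parameter(Mandatory)] [string[]]  $AllUsers
    )
    # Map each user to every MDM entry whose user scope covers them.
    $coverage = @{}
    foreach ($p in $Policies) {
        $users = switch ($p.AppliesTo) {
            'all'      { $AllUsers }
            'selected' { $p.IncludedGroups | ForEach-Object { $GroupMembers[$_] } }
            default    { @() }   # 'none': listed, but enrolls nobody
        }
        foreach ($u in ($users | Where-Object { $_ })) {
            if (-not $coverage.ContainsKey($u)) {
                $coverage[$u] = [System.Collections.Generic.List[string]]::new()
            }
            $coverage[$u].Add($p.DisplayName)
        }
    }
    # A user covered by two MDM entries is exactly the condition the post ran into.
    foreach ($u in ($coverage.Keys | Sort-Object)) {
        if ($coverage[$u].Count -gt 1) {
            [pscustomobject]@{ User = $u; MdmAuthorities = ($coverage[$u] -join ', ') }
        }
    }
}

'Before the fix (alice and bob sit in both scopes):'
Get-MdmScopeOverlap -Policies $mdmPolicies -GroupMembers $groupMembers -AllUsers $allUsers | Format-Table -AutoSize

# The fix from the post: take the stale MDM out of the user scope, then re-check.
$mdmPolicies[0].AppliesTo = 'none'
$remaining = @(Get-MdmScopeOverlap -Policies $mdmPolicies -GroupMembers $groupMembers -AllUsers $allUsers)
"Overlapping users after setting the legacy MDM scope to None: $($remaining.Count)"
```

Run as-is it lists alice and bob under both MDM entries, then reports zero overlaps once the legacy entry is set to None; carol is never in the Intune scope, which is a separate licensing/targeting question the script deliberately does not hide. If you apply the change through Graph rather than the portal, the equivalent is a PATCH of `appliesTo` on the legacy policy object (assumption: `Invoke-MgGraphRequest -Method PATCH -Uri 'https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/<id>' -Body @{ appliesTo = 'none' }`); either way, give the backend time to propagate before re-registering devices, as the post notes.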

Microsoft Intune as the Default MDM Authority

For tenants using the 1911 service release and later, the MDM authority is automatically set to Intune.

🔗Setting MDM Authority to Intune for tenants using the 1911 service release

Solution

  • Removed the overlapping user scopes by setting the MDM user scope of the third-party MDM to None (or Some, with only the specific groups that still need it). Leave it for a while so the change propagates in the backend.
  • Removed all my test devices' registrations from Intune, re-imaged the devices with a fresh copy of Windows and registered them back into Intune.
  • Re-ran Autopilot.

This time it worked like a charm! No more errors for either deployment profile (Entra Joined or Hybrid Entra Joined).

Noticed that the ODJ Connector Service had now started recording events.

Wrapping Up

If you have multiple MDM authorities, make sure you understand how the MDM user scope has been set up and what changes are needed so that Intune is the MDM authority for your users. Do not let the user groups overlap, as that can end up in issues like this one. Always use the Autopilot Diagnostics script to learn more about the backend of the Autopilot process and its steps.
