
SCCM Current Branch Intune Hybrid Sync Issue with MDM Client on Windows 10 Error 0x80072f0c

This is a greenfield environment built from new trial versions of SCCM CB 1511, AD, Intune, AAD Premium and EMS. SCCM current branch 1511 is connected to a trial Intune subscription, and on-premises AD is synced with Azure AD Premium using AD Connect. I could see the on-premises AD users in Azure AD as well as in the Intune console. We have also enabled the Azure AD + MDM auto-enrolment feature in the Azure AD tenant. This setting helps users get the Out Of Box Experience, as I explained in the post here. In this scenario the Windows 10 1511 device was able to auto-enrol to Azure AD and MDM; however, the Intune MDM agent (not the full Intune agent) was not able to sync with Intune. When we tried to sync, it gave the following error: “The sync could not be initiated (0x80072f0c)”. The error translates to “A certificate is required to complete client authentication” (Source: WinHTTP).

SCCM_Intune_MDM_Sync_Issue_1

Basic troubleshooting didn’t help us much. We checked the Azure AD Premium licenses, and they had been assigned to users correctly. In SCCM 2012 there is an Intune connector role for the hybrid scenario; however, in SCCM CB 1511 that site system role is deprecated and there is a default role called “Service Connection Point”. According to the log files, everything looked OK between Intune and SCCM. The sync between on-premises AD and Azure AD was also working fine. When we checked the User Discovery table in the SCCM SQL DB, we found that some values, such as the UPN suffix (User_Principal_Name0) and the cloud user ID (CloudUserID), were not being populated correctly. The following SQL query can be used to retrieve user discovery data from the SCCM SQL DB: “select * from User_DISC”.

For example, in the screen capture below you can see some users with a UPN suffix like “@dwpoc01outlook.onmicrosoft.com” and some with “dwpoc.local”. Also, cloud IDs are not allocated to some of the users; for example, the user “NAA” has CloudUserID = NULL:

SCCM_Intune_MDM_Sync_Issue_10
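The same check can be scripted so that every mismatched account is listed at once. This is an added example, not part of the original post: it assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed and read access to the site database, and it uses the server and database names that appear in this page's log excerpt. The status labels are made up for this example.

```powershell
# Added example: classify User_DISC rows by UPN suffix and CloudUserID.
# Assumptions: SqlServer module available; names below come from this page's
# log excerpt and screen captures. Adjust them for your own site.
Import-Module SqlServer

$SqlServer    = 'CMCBTP.acn.local'                 # site database server
$Database     = 'CM_Z00'                           # site database
$TenantSuffix = 'dwpoc01outlook.onmicrosoft.com'   # suffix known to Azure AD

$query = 'SELECT User_Principal_Name0, CloudUserID FROM User_DISC'
$rows  = Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -Query $query

$report = foreach ($row in $rows) {
    # SQL NULL arrives as [DBNull]; normalise it before string handling.
    $upn = if ($row.User_Principal_Name0 -is [DBNull]) { '' }
           else { [string]$row.User_Principal_Name0 }
    $suffix     = ($upn -split '@')[-1]
    $hasCloudId = -not ($row.CloudUserID -is [DBNull])

    # Status labels are illustrative, not SCCM terminology.
    $status = if (-not $upn)                      { 'NoUPN' }
              elseif ($suffix -ne $TenantSuffix)  { 'WrongUpnSuffix' }
              elseif (-not $hasCloudId)           { 'NoCloudUserID' }
              else                                { 'OK' }

    [pscustomobject]@{
        UPN         = $upn
        CloudUserID = if ($hasCloudId) { $row.CloudUserID } else { $null }
        Status      = $status
    }
}

# Show only the accounts that need attention, grouped by problem type.
$report | Where-Object Status -ne 'OK' | Sort-Object Status, UPN | Format-Table -AutoSize
```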

We have now identified that the UPN suffixes of some of the on-premises AD users are not correct, and that could create a problem in MDM enrolment and SCCM + MDM sync on Windows 10 devices. So we need to think about a fix for this issue. How do we change the UPN values of the users? There are two ways. You can edit the User_Disc table and update it with the correct UPNs, but that is NOT recommended. The other option is to go to the on-premises AD and create a new alternate UPN suffix, as you can see in the following screen capture. How to add a UPN suffix to a forest:

  1. Open Active Directory Domains and Trusts.
  2. Right-click Active Directory Domains and Trusts in the Tree window pane, and then click Properties.
  3. On the UPN Suffixes tab, type the new UPN suffix that you would like to add to the forest.
  4. Click Add, and then click OK.

SCCM_Intune_MDM_Sync_Issue_4

Once the alternate UPN suffix is added to the forest, we can go back to Active Directory Users and Computers (DSA.MSC) and change the UPN suffix of the user (NAA) from the UPN drop-down menu. In this case it was set to @DWPOC.local; I changed it to @dwpoc01outlook.onmicrosoft.com.

SCCM_Intune_MDM_Sync_Issue_5
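The two GUI steps above (add the suffix to the forest, then switch the user's UPN) can also be done with the ActiveDirectory PowerShell module. This is an added example, not part of the original post: it goes beyond the single user NAA by handling every user that still carries the old suffix, it assumes the RSAT ActiveDirectory module and sufficient rights in the forest, and it leaves `-WhatIf` on the rename so nothing changes until you remove it.

```powershell
# Added example: scripted equivalent of the UPN suffix steps described above.
# Assumptions: ActiveDirectory (RSAT) module; suffix values taken from this page.
Import-Module ActiveDirectory

$OldSuffix = 'dwpoc.local'
$NewSuffix = 'dwpoc01outlook.onmicrosoft.com'

# Step 1: add the alternate UPN suffix to the forest if it is not there yet.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $NewSuffix }
}

# Step 2: find users whose UPN still ends with the old suffix.
$users = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'"

foreach ($user in $users) {
    $prefix = ($user.UserPrincipalName -split '@')[0]
    $newUpn = '{0}@{1}' -f $prefix, $NewSuffix

    # A UPN must be unique in the forest; skip the rename on a collision.
    if (Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'") {
        Write-Warning "Skipping $($user.SamAccountName): $newUpn is already in use"
        continue
    }

    # -WhatIf only prints the intended change; remove it to apply.
    Set-ADUser -Identity $user -UserPrincipalName $newUpn -WhatIf
}
```

A changed UPN alters the name the user signs in with for Azure AD, so review the `-WhatIf` output before applying it to accounts other than the ones you intend to fix.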

The SCCM CB user discovery component detected the change to the AD user and ran the SCCM delta user discovery. Now you can see that User_Principal_Name0 is populated correctly in the SCCM CB database. However, the cloud ID value is not populated for the user NAA; it’s still set to NULL. So how do we get the CloudUserID into the SCCM CB DB? Read on 🙂

SCCM_Intune_MDM_Sync_Issue_9

We need to restart (bounce) the SMS Executive thread called “SMS_CLOUD_USERSYNC”. How do you restart the SCCM Executive thread SMS_CLOUD_USERSYNC? This process has been explained in the post here. Once I restarted SMS_CLOUD_USERSYNC using the registry key, the following entries appeared in the cloudusersync.log file.

SCCM_Intune_MDM_Sync_Issue_7

When you check the SCCM CB SQL DB, you can see that the cloud ID for the user NAA has been generated. See the screen capture below. After the cloud ID and User Principal Name were populated correctly in the SCCM DB, the AAD and MDM enrolment worked very well.

SCCM_Intune_MDM_Sync_Issue_8

Some more sample log entries from a successful sync, taken from the cloudusersync.log file:

Length of all Added/Newly licensed Users thus far is 2~~ $$<SMS_CLOUD_USERSYNC><07-07-2016 10:55:38.068-330><thread=2476 (0x9AC)>
In batch [0], Generating Udx for total [2] newly licensed records. [2] UPNs sent to intune for licensing.~~ $$<SMS_CLOUD_USERSYNC><07-07-2016 10:55:38.068-330><thread=2476 (0x9AC)>
Write message to file C:\Program Files\Microsoft Configuration Manager\inboxes\hman.box\ForwardingMsg\___UDXugfk4buq.MCM~~ $$<SMS_CLOUD_USERSYNC><07-07-2016 10:55:38.068-330><thread=2476 (0x9AC)>
Write message to file C:\Program Files\Microsoft Configuration Manager\inboxes\hman.box\ForwardingMsg\___UDX1phsq0ud.MCM~~ $$<SMS_CLOUD_USERSYNC><07-07-2016 10:55:38.069-330><thread=2476 (0x9AC)>
UserDeltaSync:- Users Added = 2~~ $$<SMS_CLOUD_USERSYNC><07-07-2016 10:55:38.069-330><thread=2476 (0x9AC)>
Last ItemKey retrieved : 2063597572~~ $$<SMS_CLOUD_USERSYNC><07-07-2016 10:55:38.069-330><thread=2476 (0x9AC)>
UserDeltaSync - Fetching batches of Users to be licensed : batch [1] starting from ItemKey [2063597572]~~ $$<SMS_CLOUD_USERSYNC><07-07-2016 10:55:38.069-330><thread=2476 (0x9AC)>
In this batch, total received users to add from SCCM = 0, total Successfully added users to Cloud = 0~~ $$<SMS_CLOUD_USERSYNC><07-07-2016 10:55:38.071-330><thread=2476 (0x9AC)>
Length of all Added/Newly licensed Users thus far is 2~~ $$<SMS_CLOUD_USERSYNC><07-07-2016 10:55:38.071-330><thread=2476 (0x9AC)>
In batch [1], no Udx messages generated for newly licensed users, however [0] UPNs sent to intune for licensing.~~ $$<SMS_CLOUD_USERSYNC><07-07-2016 10:55:38.072-330><thread=2476 (0x9AC)>
A total of [2] users have been licensed.~~ $$<SMS_CLOUD_USERSYNC><07-07-2016 10:55:38.072-330><thread=2476 (0x9AC)>
STATMSG: ID=10007 SEV=W LEV=M SOURCE="SMS Server" COMP="SMS_CLOUD_USERSYNC" SYS=CMCBTP.acn.local SITE=Z00 PID=1544 TID=2476 GMTDATE=Thu Jul 07 05:25:38.073 2016 ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 $$<SMS_CLOUD_USERSYNC><07-07-2016 10:55:38.073-330><thread=2476 (0x9AC)>
Reading SOFTWARE\Microsoft\SMS\Components\SMS_CLOUD_USERSYNC\:SQL Server Name from provider Registry~~ $$<SMS_CLOUD_USERSYNC><07-07-2016 11:00:38.090-330><thread=2476 (0x9AC)>
Returning value CMCBTP.acn.local from provider Registry~~ $$<SMS_CLOUD_USERSYNC><07-07-2016 11:00:38.090-330><thread=2476 (0x9AC)>
Reading SOFTWARE\Microsoft\SMS\Components\SMS_CLOUD_USERSYNC\:Database Name from provider Registry~~ $$<SMS_CLOUD_USERSYNC><07-07-2016 11:00:38.090-330><thread=2476 (0x9AC)>
Returning value CM_Z00 from provider Registry~~ $$<SMS_CLOUD_USERSYNC><07-07-2016 11:00:38.091-330><thread=2476 (0x9AC)>
Reading SOFTWARE\Microsoft\SMS\Identification:Server from provider Registry~~ $$<SMS_CLOUD_USERSYNC><07-07-2016 11:00:38.091-330><thread=2476 (0x9AC)>
Returning value CMCBTP.acn.local from provider Registry~~ $$<SMS_CLOUD_USERSYNC><07-07-2016 11:00:38.091-330><thread=2476 (0x9AC)>
HasIntuneSubscription: Site has valid Intune subscription.~~ $$<SMS_CLOUD_USERSYNC><07-07-2016 11:00:38.091-330><thread=2476 (0x9AC)>
Reading SOFTWARE\Microsoft\SMS\Components\SMS_CLOUD_USERSYNC\:SQL Server Name from provider Registry~~ $$<SMS_CLOUD_USERSYNC><07-07-2016 11:00:38.092-330><thread=2476 (0x9AC)>
Returning value CMCBTP.acn.local from provider Registry~~ $$<SMS_CLOUD_USERSYNC><07-07-2016 11:00:38.092-330><thread=2476 (0x9AC)>
Reading SOFTWARE\Microsoft\SMS\Components\SMS_CLOUD_USERSYNC\:Database Name from provider Registry~~ $$<SMS_CLOUD_USERSYNC><07-07-2016 11:00:38.092-330><thread=2476 (0x9AC)>

About Author 

Anoop is a Microsoft MVP and Veeam Vanguard. He is a Solution Architect on enterprise client management with more than 13 years of experience (calculation done in the year 2014) in IT. He is a blogger, speaker and local user group community leader. His main focus is on device management technologies like SCCM 2012, Current Branch and Intune. He writes about technologies like SCCM, SCOM, Windows 10, Azure AD, Microsoft Intune, RMS, Hyper-V, etc.
