Devices continue to try to enroll in a cancelled Intune subscription

Symptoms
Consider the following scenario:
  • A user's Intune subscription was cancelled, and the Intune Admin Console can no longer be accessed. 
  • A different MDM provider was selected. The MDM authority for the tenant is still set to Intune, Office 365, or CM.

In this scenario, the user's devices still try to enroll in Intune.
Cause
This issue occurs if the CNAMEs that were set as prerequisites for device enrollment (as described at https://technet.microsoft.com/en-us/library/dn764959.aspx) are still present. As long as these CNAMEs are still present, automatic enrollment of devices without specification of an enrollment server is redirected to the Microsoft Intune servers. This behavior is by design. If the customer sets up CNAME forwarding with their domain name provider to point towards the Intune service, their devices will try to enroll in Intune. To fix this behavior, the customer should modify their CNAME records with their domain name provider.

Be aware that the MDM authority has no effect on another provider's MDM solution as long as devices are not redirected to Intune enrollment servers with old CNAMEs that may still be present. After the MDM authority is configured, it will remain that way unless a customer opts to change to another structure within the possible MDM configurations—for example, from Intune or Office 365 to ConfigMgr, or vice versa.
Resolution
If you switched your MDM provider from Microsoft Intune to another company, or if you don't want to switch to the Office 365 built-in MDM, make sure that the CNAMEs that were set as prerequisites for device enrollment (per https://technet.microsoft.com/en-us/library/dn764959.aspx) are no longer present.

If these CNAMEs remain present, your devices will still try to enroll in Intune MDM servers, because the old CNAME entries redirect the enrollment and registration requests to the Microsoft servers instead of to your new provider. To prevent this behavior while the CNAMEs still point to Microsoft-based enrollment servers, you must override the enrollment server information on the device itself, assuming that option is available in the enrollment interface on the unit.

Note: Make sure you verify that all of your domains have no CNAMEs pointing to either manage.microsoft.com or EnterpriseRegistration.windows.net.

Example
Assume that you have an Office 365 tenant for contoso.onmicrosoft.com and have verified the contoso-1.com, contoso-2.com, and contoso-3.net domains. In this situation, you must check all possible CNAMEs for these domains. To check CNAMEs, open a command prompt, and then enter the following:

nslookup -type=cname enterpriseenrollment.<domain>.<com>

If a CNAME is set, the reply will resemble the following:

Non-authoritative answer:
enterpriseenrollment.<domain>.<com> canonical name = manage.microsoft.com

Now, enter the following at a command prompt:

nslookup -type=cname enterpriseregistration.<domain>.<com>

If a CNAME is set, the reply will resemble the following:

Non-authoritative answer:
enterpriseregistration.<domain>.<com> canonical name = EnterpriseRegistration.windows.net

Additionally, you can use one of the many online DNS lookup tools for a simplified, web-guided lookup procedure. Using tools hosted in different regions also lets you query different branches of the DNS hierarchy, so you can confirm that all changes submitted at your domain registrar have propagated. Remember that DNS changes may take as long as several days in some cases.

Important note
In the preceding example, you must check whether you have CNAMEs set for any of the following entries and if so, what they point to:
  • enterpriseenrollment.contoso-1.com
  • enterpriseregistration.contoso-1.com
  • enterpriseenrollment.contoso-2.com
  • enterpriseregistration.contoso-2.com
  • enterpriseenrollment.contoso-3.net
  • enterpriseregistration.contoso-3.net
If you find any entries that point to either manage.microsoft.com or EnterpriseRegistration.windows.net, you must delete these from your domain registrar's site and then set the new CNAMEs that are specified by your new provider.
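As an added example (not part of this KB article), the following Python script automates the check described above: for every verified domain it builds both enrollment names, runs nslookup -type=cname (or any lookup function you pass in), and flags CNAMEs that still point to manage.microsoft.com or EnterpriseRegistration.windows.net. The domain names in the usage block are the constructed examples from this article, and the alternative-provider target in the comments is hypothetical.

```python
import re
import subprocess

# Enrollment names created by the Intune prerequisite CNAMEs, and the Microsoft
# targets those CNAMEs point to (both taken from the article above).
ENROLLMENT_HOSTS = ("enterpriseenrollment", "enterpriseregistration")
INTUNE_TARGETS = {"manage.microsoft.com", "enterpriseregistration.windows.net"}

# Matches the "<name> canonical name = <target>" line that nslookup prints
# for a CNAME answer (a tab or spaces may separate the fields).
CNAME_RE = re.compile(r"^\s*(\S+)\s+canonical name\s*=\s*(\S+)\s*$", re.MULTILINE)


def run_nslookup(name):
    """Default lookup: run `nslookup -type=cname <name>` and return its output."""
    proc = subprocess.run(["nslookup", "-type=cname", name],
                          capture_output=True, text=True)
    return proc.stdout


def parse_cname(output):
    """Return the CNAME target found in nslookup output, or None if no CNAME is set."""
    match = CNAME_RE.search(output)
    if not match:
        return None
    # DNS names are case-insensitive and may carry a trailing dot; normalise both.
    return match.group(2).rstrip(".").lower()


def check_domains(domains, lookup=run_nslookup):
    """Check both enrollment names for each verified domain.

    Returns (name, target, points_to_intune) for every name that still has a
    CNAME, so the admin knows exactly which records to delete at the registrar.
    A CNAME that points elsewhere (e.g. a new provider's server) is reported
    with points_to_intune=False and can be left in place.
    """
    findings = []
    for domain in domains:
        for host in ENROLLMENT_HOSTS:
            name = f"{host}.{domain}"
            target = parse_cname(lookup(name))
            if target is not None:
                findings.append((name, target, target in INTUNE_TARGETS))
    return findings


if __name__ == "__main__":
    for name, target, stale in check_domains(["contoso-1.com", "contoso-2.com", "contoso-3.net"]):
        print(f"{name} -> {target}: {'STALE Intune CNAME, delete it' if stale else 'points elsewhere'}")
```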
Properties

Article ID: 3182596 - Last Review: 08/03/2016 22:43:00 - Revision: 2.0

Microsoft Intune

  • KB3182596