Fixing Azure AD Join for Windows 10 Provisioning Package Error 0xCAA2000C

We are working with Declaration Software on their Windows 10 Workstation Migration Agent. The Workstation Migration Agent is capable of migrating Computer Accounts from On-Premises AD to Azure AD, AD to AD, and Azure AD to Azure AD. This includes migrating a Workstation where it has been Azure AD Hybrid Joined and instead making it Azure AD Joined directly to the same tenant it was already in.

In addition, it will execute runbooks to ensure that any Office 365 Workloads configured on the device will either be gracefully disconnected or, when possible, migrated for immediate use. This includes Outlook, OneDrive for Business, Teams and Microsoft Edge Profiles. Those runbooks can also be run as a set of stand-alone utilities to support tenant to tenant migrations.

Nero Blanco are Premium Delivery Partners and can help you with any sort of Workstation Migration in addition to our already burgeoning range of migration capabilities.

During testing we hit this error: LastResult:Error -895352820 (0xCAA2000C)

 Install-ProvisioningPackage -PackagePath C:\MigrationAgent\JoinNewDirectory.ppkg
 IsInstalled     : False
 PackageID       : 23d3425d-bcfc-4c75-a631-d87687e61002
 PackageName     : Migrate to IT Murray
 PackagePath     : C:\MigrationAgent\JoinNewDirectory.ppkg
 Description     :
 Rank            : 0
 Altitude        : 2000
 Version         : 1.0
 OwnerType       : OEM
 Notes           :
 LastInstallTime : 03/06/2021 05:13:42
 Result          : 0__Accounts_Azure.provxml
                         Category:DeviceAADJoin
                         LastResult:Error -895352820 (0xCAA2000C)
                         Message:Provisioning failed
                         NumberOfFailures:1 (0x1)

                    1__OOBE_Desktop_HideOobe.provxml
                         Category:InitialCustomization
                         LastResult:Success
                         Message:OOBE successfully configured.
                         NumberOfFailures:0 (0x0)

When this was attempted at the GUI for “Add or remove a provisioning package” we saw this error:

Error during package installation
A provisioning failure has occurred

Looking in the Azure AD Audit Logs we could see failures for the bulk enrollment package (Microsoft.Online.Workflows.ObjectAlreadyExistsException), but those errors didn't quite seem accurate, especially as they were preceded by a success. (Ultimately they are a bit of a red herring.)

Microsoft.Online.Workflows.ObjectAlreadyExistsException

What we did know was that we had been doing more advanced testing by making the target tenant more secure. We had activated Conditional Access policies whereby All Users require MFA to consume Microsoft 365 services. This is what caused the issue. To resolve this we created a Dynamic Security Group with the following Dynamic Membership Rules:

(user.displayName -startsWith "package_") and (user.userPrincipalName -startsWith "package_")

We then added that group as an exclusion to the Conditional Access policy, after which our Provisioning Package went through fine.

There was not a lot of information around about LastResult:Error -895352820 (0xCAA2000C), so hopefully this will help other people out there experiencing the same issue.
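As an added example (not code from the original post or from the Workstation Migration Agent), the script below parses the Result text shown above into one object per .provxml step, converts the signed decimal code to its HRESULT hex form, and flags the DeviceAADJoin failure described here. The function name ConvertFrom-ProvisioningResult is hypothetical, and the input is assumed to be the Result text exactly as it is displayed on this page.

```powershell
# Constructed sample: the Result text from the failed run shown on this page.
$sample = @'
0__Accounts_Azure.provxml
     Category:DeviceAADJoin
     LastResult:Error -895352820 (0xCAA2000C)
     Message:Provisioning failed
     NumberOfFailures:1 (0x1)

1__OOBE_Desktop_HideOobe.provxml
     Category:InitialCustomization
     LastResult:Success
     Message:OOBE successfully configured.
     NumberOfFailures:0 (0x0)
'@

# Hypothetical helper (not a built-in cmdlet): emits one object per .provxml step.
function ConvertFrom-ProvisioningResult {
    param([Parameter(Mandatory)][string]$Text)
    $step = $null
    foreach ($raw in ($Text -split '\r?\n')) {
        $line = $raw.Trim()
        if ($line -match '\.provxml$') {
            if ($step) { [pscustomobject]$step }      # emit the previous step
            $step = [ordered]@{ File = $line; Category = ''; LastResult = ''; Message = ''; HResult = $null }
        }
        elseif ($step -and $line -match '^(Category|LastResult|Message):(.*)$') {
            $key, $value = $Matches[1], $Matches[2].Trim()
            $step[$key] = $value
            if ($key -eq 'LastResult' -and $value -match '^Error\s+(-?\d+)') {
                # The decimal is a signed 32-bit HRESULT; X8 renders its two's-complement hex.
                $step.HResult = '0x{0:X8}' -f [int32]$Matches[1]
            }
        }
    }
    if ($step) { [pscustomobject]$step }              # emit the last step
}

$failed = ConvertFrom-ProvisioningResult -Text $sample | Where-Object { $_.LastResult -ne 'Success' }
foreach ($f in $failed) {
    Write-Warning ("{0} [{1}] failed with {2}: {3}" -f $f.File, $f.Category, $f.HResult, $f.Message)
    if ($f.Category -eq 'DeviceAADJoin' -and $f.HResult -eq '0xCAA2000C') {
        Write-Warning 'On this page the cause was a Conditional Access MFA policy applying to the package_ bulk enrollment account.'
    }
}
```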