This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 66%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
Hello,
I know this has been asked repeatedly, but none of the answers so far have been useful for my situation, so I am hoping for some new insight.
I am trying to test the automated enrollment of Hybrid Joined devices to Intune. I have been doing extensive research and so far I haven't been able to find a solution to my problem. The goal is to eventually enroll the over 3000 devices which are hybrid joined to Intune, without having to do too much manual work.
The devices I am trying to enroll is Hybrid Joines as mentioned above. The MDM scope is set to a test group of which I am part of. My user account has EMS licensing. I have activated the local GPO to auto enroll using user credentials and this has created a task and a registry key.
The Task keeps failing with the following error: Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x8018002b) - not sure why it says device credentials as the GPO is set to user credentials"
Also, when looking at dsregcmd /status, these fields are empty "MdmUrl; MdmComplianceUrl; MdmTouUrl" even though these have been configured in the Windows Automatic Enrollment policy in Intune.
Any thoughts or feedback is appreciated...
What version of Windows is running on the devices? Also, are the device AAD registered by any chance?
Most of the machines, including this test machine is running version 1809.
No under the Device list in Azure, this device has the value "Hybrid Azure AD joined" under "Join Type"
User also has to log in to the device to trigger the enrolment process (scheduled task which runs on sign-in), and it'll enroll using the user's context. The devices won't just do it by themselves if that is what you are testing.
Also, have you checked the logs located under Task Scheduler Library, Microsoft > Windows>EnterpriseMgmt.
Yes, I am logged into the machine with my account, which is licensed and all.
Under the Task Scheduler there are no errors, just info that the tasks was initiated correctly.
In the event log under Applications and Services - Microsoft - Windows - DeviceManagement-Enterprise-Diagnostics-Provider - Admin I get Event ID 76 Error "Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x8018002b)" every 5 minutes as the task repeats.
Do you have MFA enabled for the account?
The account is part of a group with conditional access policy, however it only applies if logging on from an unknown device. As this is a Hybrid Joined, it should not require MFA.
Check for your sign-ins in Azure just to be sure. Maybe exclude the user from MFA and then test.
The CA change had no effect. We are still getting the same error.
Can you confirm if the sign-in data in Azure reflects the same?
Looking at the sign-in logs, there don't appear to be any attempts under my account.
This leads me to believe, as others have said the MDM settings are not setup correctly, or not syncing with the machine. I'm out of idea where to look for this though.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@GIAN202B , From your description, we get error "Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x8018002b)" during Auto enrollment with GPO. If there's any misunderstanding, please let us know.
For the error code, it indicates MDM auto-enrollment is not configured,
0x8018002b -2145910741 MENROLL_E_MDM_NOT_CONFIGURED N/A mdmregistration.h
I notice we already configured MDM scope for a test group which includes your account. Here, please also confirm what is the MAM scope set. Did we also set the test group there? If yes, we suggest to set it as none and see if the result will be different.
Meanwhile, for the Conditional access policy, we can also try to disable it to see if it can be enrolled successfully.
Hope it can help.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hello and thanks for your answer,
What I am having an issue understanding is why it thinks the auto-enrollment is not configured? Does that error indicate an issue on the client side or the intune side?
I will disable the conditional access policy to see if that makes any difference.
Thanks again
After removing my user from CA testing group, there was no change. The device is still not enrolling.
In the documentation at https://learn.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-device-dsregcmd it says
"If the MDM URLs in this section are empty, it indicates that the MDM was either not configured or current user is not in scope of MDM enrollment. Check the Mobility settings in Azure AD to review your MDM configuration."
In fact, when running dsregcmd -status I do see the MDMurl field is empty... But we have configured the MDM url and scope per the guide.
@GIAN202B , Based on the testing, I know the isue still persits after removing Conditional access policy. from your description, I know we are not in corporate network.
To clarify our issue, here is my thought:
Hope it can help.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thanks for your suggestions.
I did check the UPN and everything is correct with a routable domain.
I will have another use try on their machine while being on the corporate network to see if the issue is solved by that.
@GIAN202B , Thanks for the information. We will stand here and wait for the update. If there's anything we can help during this time, feel free to let us know.
For the GPO auto enrollment, it seems the “Device credential” is chosen under “Enable Automatic MDM enrollment using default Azure AD credentials.”. Could you change it to “User Credential” to see if the result will be different?
The GPO is set to use User Credentials... Even though the logs seem to be misleading.
Also, from the following article, since we are using version 1809, that option should be disregarded and the policy should only use "User Credentials"
"... For ADMX files in Windows 10, version 1903 and later, select User Credential (support for Device Credential is coming) as the Selected Credential Type to use. User Credential enrolls Windows 10, version 1709 and later once an Intune licensed user logs into the device. Device Credential will enroll the device and then assign a user later, once support for this is available."
Thanks for confirming. Are you enrolling the device from corporate network by any chance? Since you are not seeing any sign-in data then is it possible that traffic is being filtered by your corporate FW, proxy, vpn web filter? Have you tried testing directly over the internet outside your corporate network?
I am not on the corporate network directly as I am working from home. I disconnected from the VPN connection but there was no difference. I also checked to make sure there was no traffic blocked by the web filter and there is nothing there.
You can try using a different account or re-assigning the license. If this doesn’t work then I don’t think there is much to do but raise a case with MS support.
I just wanted to give everyone an update on our situation.
We identified a possible issue while going through our settings in regards to who is authorized to enroll devices in AD (see image below). In our case, it was limited to a few users, of which I was not part of. I was added to this group for testing, but this still has not fixed our issue.
As well, I've had someone else create the GPO on their machine to ensure the issue is system wide and not just my machine. He is not able to enroll as well.
I did just find an article which mentions having to login to the device using the same login as Azure AD rather than the on-premise AD username. I will be trying this tomorrow to see if that makes any difference... fingers crossed.
I am still not sure why my MDMURL is not showing in dsregcmd /status.... I'm sure what's I figure out that, I will be able to enroll devices.
@GIAN202B , For auto-enrollment, Azure AD Premium is required. Here, we suggest to try to assign Auzre AD premium license to the user and see if we can get the MDM URL.
https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-enroll
Hi,
This is the assignment under the EMS E3 License... Is this not enough?
@GIAN202B ,, Yes, that is enough. Please make sure the following two are on,
