This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 55.00000000000001%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi all,
I am implementing auto-enrollment for windows based PCs in my company. The devices are Hybrid AD joined and registered on Azure portal. I have deployed a GPO with user-based option for MDM enrollment with my test PC in the OU. I tested the configuration by running "dsregcmd /status" command on test PC and it is showing me the URLs for all of the following:
MdmUrl
MdmTouUrl
MdmComplianceUrl
Also, the status of the device is:
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : YES
**
SSO State: AzureAdPrt : YES**
In task scheduler, I can see the "EnterpriseMgmt" scheduled task showing and running after 5 minutes. But when I check the event viewer, I am getting the following errors:
EVENT 52: MDM Enroll: Server Returned Fault/Code/Subcode/Value=(MessageFormat) Fault/Reason/Text=(InvalidEmailAddress: Empty).
EVENT 71: MDM Enroll: Failed (Invalid Schema, Message Format Error from server.)
EVENT 76: Auto MDM Enroll: Device Credential (0x1), Failed (Invalid Schema, Message Format Error from server.)
I have already disabled MFA for the user I am logging in with on that device. Any thoughts?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@AZee, Thanks for posting in Q&A. From your description, i know the devices are failed to enroll into Intune via GPO enrollment. From the error message, it seems we use device credential to enroll. In fact, Device Credential is only supported for Microsoft Intune enrollment in scenarios with Co-management or Azure Virtual Desktop multi-session host pools
If we are not Co-management or Azure Virtual Desktop multi-session host pools, please change the credential type to "user credential" in GPO.
Meanwhile, please also ensure it has both Microsoft Intune Plan 1 and Microsoft Entra related licenses assigned and MDM user scope is set all or some which include the users under automatic enrolment.
Please check the above information and if there's any update, feel free to let us know.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi,
Thank you for the response. I have verified the following:
GPO setting has been set to user credential:
@AZee, Thanks for the reply. For the license, you can check if the following three are assigned to user.
The error messages you are seeing in the event viewer indicate that there is an issue with the schema or message format when attempting to enroll the device in MDM. One possible cause of this issue is an invalid email address. You can check the email address associated with the user account you are using to log in to the device and ensure that it is valid.
Another possible cause of this issue is an outdated enrollment entry in the registry on the target client device. You can check the registry at HKLM > Software > Microsoft > Enrollments to see if there are any outdated enrollment entries. If so, you can remove them and try enrolling the device again.
Thank you for the update.
I have checked the licenses and the test user is having these licenses activated:
Regarding the email, I am able to login with the email address of the user and the AD password without any error.
Registry settings show the following:
@AZee,, Thanks for the reply. From the information you provided, I know the user licenses are assigned and the registry key is correct.
Here I suggest also check the auto-enrollment task under the Microsoft\Windows\EnterpriseMgmt\ path via taskschd.msc - confirm the details of the command and let us know which command it used.
Please find the screenshot of the command that is being used int he task scheduler:
@AZee,, Thanks for the reply. After checking the summand, I find it is correct. For our issue, I suggest open case to check background log to investigate the issue: