none
Auto MDM Enroll: Failed (Unknown Win32 Error code : 0x8018002b) RRS feed

  • Question

  • Hi I am getting the error as specified in the title when trying to automatically enrol a device for MDM. 

    The machines that I am trying to put on are locally domain joined and showing as Hyrbid Azure Machines in AAD. 

    But the scheduled task on the machines keeps giving the same error. 

    Please help. 

    Wednesday, August 22, 2018 10:33 PM

All replies

  • Hi,

    What is the operation system of the device?  There are some limitations of the platform:
    https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/enable-platform-enrollment 

    Here is the detailed steps for Setting upthe hybrid MDM with Configuration Manager and Microsoft Intune:
    https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/setup-hybrid-mdm

    You can follow these steps to enroll automatically.

    Best regards,
    Johnson

    =====================
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
    Thursday, August 23, 2018 6:18 AM
  • Is this happening for all machines or just some?

    Does manual enrollment work?

    Which version is the operating system?

    Thursday, August 23, 2018 6:39 AM
  • Hi, 

    This is the first machine that I have tried to MDM Enrol. 

    It is a Windows 10 1803 Enterprise VM.

    I will try adding another one to see if that one behaves, or attempt to enrol it manually like you say. 

    This is what I have done. 

    1.The device is able to register in Azure and appears as Hybrid Domain Joined. 

    2. I have the latest 1803 .admx files on my Server. 

    3. I have a GPO set to auto enrol all devices as MDM. 

    4. I am logging into the machine with an account that is licensed for Intune. 

    5. The scheduled task is failing to auto enrol with 0x8018002b error. 

    Thanks 

    Thursday, August 23, 2018 8:43 AM
  • Hi,

    Please make sure the followings are correct:

    - Azure AD automatic enrollment enabled(Make sure MAM User scope is None)
    - MDM authority in Intune set to Intune

    Best regards,
    Johnson

    =====================
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
    Monday, August 27, 2018 7:17 AM
  • Hey there, we are receiving the same errors.

    Any solution here?


    Freundliche Grüße

    Sandro Reiter
    Consultant Cloud Infrastructure

    Thursday, August 30, 2018 11:45 AM
  • https://social.technet.microsoft.com/Forums/windows/en-US/d2bda796-eef4-452a-b622-7c7463218555/mdm-enrollment-error-0x8018002b-on-windows-10-1709?forum=microsoftintuneprod

    Freundliche Grüße

    Sandro Reiter
    Consultant Cloud Infrastructure

    Thanks for pointing this out Sandro. 

    I am not making this up and I don't think that I am doing anything wrong either. 

    This is a issue with the product and I don't know of anyone that has got it to work. 

    How can promote the product when it does not work. 

    I can only get an Azure AD machine into Intune MDM. 

    Please sort this HYBRID AZURE, auto MDM enrolment  issue out Microsoft!! 

    Friday, August 31, 2018 2:10 PM
  • For my case I resolved the issue. I did these 2 steps:

    - uninstalled old Intune Agent on Client

    - removed the manual MDM enrollment from client in the work/school account area in the settings

    Reboot -> Client successfully enrolled

    @midi: Did you configure device writeback in AAD Connect Client AND do you also sync the OU which are the computerobjects located to Azure AD?


    Freundliche Grüße

    Sandro Reiter
    Consultant Cloud Infrastructure

    Friday, August 31, 2018 2:14 PM
  • For my case I resolved the issue. I did these 2 steps:

    - uninstalled old Intune Agent on Client

    - removed the manual MDM enrollment from client in the work/school account area in the settings

    Reboot -> Client successfully enrolled

    @midi: Did you configure device writeback in AAD Connect Client AND do you also sync the OU which are the computerobjects located to Azure AD?


    Freundliche Grüße

    Sandro Reiter
    Consultant Cloud Infrastructure

    Hi Sandro, 

    • I do not have device write back enabled. 
    • Yes, I am syncing the OU with the computers objects in to Azure AD. 
    • My computers have a fresh installation of Win10 1803, and do not use the old intune client. 
    • The computers appear in Azure Active Directory as Hybrid Domain Joined devices. 
    • I am logging into them with an account that is licensed for Office 365 (E5), and EM+S (E5). 
    • But the auto enrol scheduled task is still failing to enrol my devices. 

    What I did notice is that I am not able to manually auto enrol a device into MDM because it says it cannot find my endpoint. So I had to copy and paste my MDM endpoint URL in and then I was able to connect. 

    I am wondering if the machines are not able to find the endpoint and that is why the auto enrol task is failing. But I have setup the (Service Connection Point in my domain) for enrolling devices using Azure Active Directory Connect. 

    Thanks 

    Sunday, September 2, 2018 8:42 PM
  • Do you have Azure AD Premium license assigned? Is the user in the MDM group configured for Automatic enrollment? If you don't have the Azure AD Premium license assigned, then you need to create the DNS CNAME records.
    Sunday, September 2, 2018 10:37 PM
  • Do you have Azure AD Premium license assigned? Is the user in the MDM group configured for Automatic enrollment? If you don't have the Azure AD Premium license assigned, then you need to create the DNS CNAME records.

    Hi Nick, 

    I think that I have managed to get it working but it's still a bit baffling. 

    It seems that the device has to be enrolled by a licensed (O365(E5) and EM+S (E5) user. I would have thought that the device would have been auto enrolled first and users would be associated later. This is how it used to work with our classic deployment model. 

    So from what I can tell. 

    1. Devices get registered into Azure AD by system account. 

    2. Devices get auto enrolled to MDM by the user credentials providing that the user is licensed. 

    3. Device then appear as being managed by Intune and linked to associated user. 


    Friday, September 7, 2018 1:47 PM
  • We too are suffering this issue on some (not all) of our machines, so far I have 2 out of about 20 with this issue.

    Troubleshooting steps taken so far:

    1. Remove the old Intune agents (using the retire/wipe action from the Silverlight portal) - in both cases the agents appear removed (just log files left in the C:\Program Files\Microsoft\OnlineManagement\ folder)
    2. Update the machines to latest Windows build (1803)
    3. Ensure the user has an E M+S E3 License assigned (this is what the other successful users have assigned)
    4. Check the 'Access work or school' settings page and remove any entries other than the default 'Connected to xxx AD Domain' entry.
    5. Checked Task Scheduler for the 'Schedule created by enrolment client for automatically enrolling in MDM from AAD' - in both cases this is present and running every 5 mins and ending with return code 2149056555.
    6. Checked event log for anything meaningful - seeing 'Auto MDM Enroll: Failed (Unknown Win32 Error code: 0x8018002b)' as per the OP.
    7. Verifying that the device exists in Azure AD (it does in both cases - have tried deleting it from AAD and running sync to re-generate, still same result)
    8. We have different devices with the same hardware that *have* enrolled correctly so this suggests its not a fundamental hardware related issue.
    9. Verified that https://support.microsoft.com/en-gb/help/4463749/mdm-auto-enrollment-for-intune-fails-if-scope-is-none does not apply.
    10. Verified that https://support.microsoft.com/en-gb/help/4461453/mdm-auto-enrollment-for-intune-fails-if-invalid-upn-used does not apply.
    11. Updated the machine to the latest BIOS version.
    12. Reset the Security settings (TPM) in BIOS.
    13. Manually deleted the Scheduled Task and ran gpupdate/force to allow it to be recreated.

    The fact that enrolment is working for some but no all, suggests that the basic settings are correct. Can anyone suggest anything else to check?



    Tuesday, November 13, 2018 3:30 PM
  • Hello 

    I get a simlar issue, 

    my environement consists of Server 2012 r2 (functional level set at 2012) with a simple hash password sync to my on premise environement. 

    Here is what i have noticed, i deploy Windows 10 Enterprise 1803 via mdt, it does all configuration.

    What i suspect is happening is the local administrator account is then creating the task schedule before i log in with a domain account. No matter how many times i run it, or if i leave it over night, it will not successfully enroll this device. 
    How ever if i delet the Task, and run gpupdate /force and allow it to recreate the task, it works straight away.

    I can't be certain that it is the local administrator account actually creating this, how ever i do suspect.

    I guess in the short term the solution would be to create a group policy object, or add something to a task sequence to remove the task schedule, and allow group policy to recreate it with a azuread link account (but i have not actually tried this yet). 

    can you let me know if this helps you, if your experience is similar?

    Wednesday, November 14, 2018 4:42 PM
  • Thanks for the info Adam. Have just tried manually deleting the task then running a gpupdate /force but no different unfortunately.
    Thursday, November 15, 2018 9:05 AM
  • HI

    I had this problem. The cause for me was i was trying to use a domain admin account to enrol the device automatically. To enrol a device you have to uses a user that has a UPN that is available on the internet and routable. When i logged on with my user account that has an O365 email address it then enrolled successfully. 

    What account are you using to enrol the device?

    Thanks

    Shane

    Thursday, November 15, 2018 12:09 PM
  • @Shane - thanks for the suggestion. Yes I'm logging in with a user account, the users UPN is publicly routable. Have tried another user on the same machine and still no change.
    Thursday, November 15, 2018 12:16 PM
  • HI Alex

    Ok great.

    Have you checked the MDM user Scope?

    https://support.microsoft.com/en-gb/help/4463749/mdm-auto-enrollment-for-intune-fails-if-scope-is-none

    Thanks

    Shane

    Friday, November 16, 2018 11:35 AM
  • Hi Shane,

    Yeah checked that already as per point 9 in my earlier post, and the fact that others are able to enrol would suggest its not that particular setting.

    Its looking like a ticket with MS at this point I think!

    Friday, November 16, 2018 11:40 AM
  • HI

    I had this problem. The cause for me was i was trying to use a domain admin account to enrol the device automatically. To enrol a device you have to uses a user that has a UPN that is available on the internet and routable. When i logged on with my user account that has an O365 email address it then enrolled successfully. 

    What account are you using to enrol the device?

    Thanks

    Shane

    Hi, I need to come back to this at some stage but I have been so busy with other things. 

    I managed to get around the issue in a lab by signing up for a trial E5 subscription and creating multiple normal user accounts with email accounts. 

    But, I couldn't get them to enrol more than one device even though I had my settings set to 5 devices. 

    I need to do some more testing but it appears that. 

    1. The user needs to have all the correct licences in place. 

    2. Possible that it can't be a domain admin account. 

    3. It needs to be able to be discovered and be able to route etc..


    Monday, November 19, 2018 11:09 AM
  • Just posting this for info, it hasn't solved the issue for me but may help others. I have a ticket open with MS on this right now.

    The devices I'm having problems with have had the Intune client agents installed previously and have been retired/wiped via the Silverlight portal.

    So far they have pointed me to:

    https://docs.microsoft.com/en-us/intune/install-the-windows-pc-client-with-microsoft-intune#uninstall-the-windows-client-software

    The script on this page appears to uninstall more components that are not uninstalled via retire/wipe.

    Worth a shout for anyone with this issue who has previously used the Intune client agents.


    Monday, November 19, 2018 11:41 AM
  • Have you guys tried to check if you need to update your Internal DNS servers CNAME records for enterpriseregistration and enterpriseenrollment?

    I had the exact issues until I realized I did such a noob mistake :-) After this Auto MDM worked perfectly!

    Thursday, November 29, 2018 5:25 PM
  • Quick update on my issue is that the ticket I opened has now been passed from the Intune team to the Azure AD team. They have taken a copy of the event logs from 'Application and Services Logs' > 'Microsoft' > 'Windows' > 'AAD' for analysis as the client machine in question had a number of errors logged in there. I will update this thread when I hear more from them.

    @Jose - Yes tried that unfortunately and CNAME is testing all good. Thanks for the suggestion though.

    Thursday, November 29, 2018 5:55 PM
  • The issue seems to be resolved now on the machine I was testing on. I'm unsure which out of the below fixed it though:

    Deleted the device from Azure AD then ran the command "dsregcmd.exe /debug /leave" on the machine.

    Cleared the TPM using the BIOS option (on the HP laptop this was 'Clear Security Settings' or similar).

    Logged into the machine and re-enrolment still failed.

    The user took the laptop off site and logged in and this seemed to resolve the issue as it enrolled OK.


    Wednesday, December 5, 2018 12:53 PM
  • Nothing to Worry!
    The error 0x8018002b in the event logs under
    Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider can happen if the load balancer of Intune backend is turned ON to control the number of auto-enrolled devices. Usually, People use the GP to enroll several hundreds of devices and in order to keep the performance stable, the enrollment might be temporarily blocked. So it is by-design that the auto-enrollment with GP policy might take up to several hours.
    Thursday, December 6, 2018 1:15 AM
  • @Inderpreet_Dadiala - several hours yes but several weeks I think would point to a different issue other than performance throttling by the enrolment service.
    Thursday, December 6, 2018 9:44 AM
  • Have you checked if your device is able to connect intune management IPs for enrollment?
    https://docs.microsoft.com/en-us/intune/network-bandwidth-use
    Please make sure you open all the ports and you client is able to reach all the destination IPs.

    Friday, December 7, 2018 2:23 AM
  • In case anyone is still having this issue, a potential solution might be running "deviceenroller.exe /c /autoenrollmdm" as an Intune entitled Office 365 user on a machine that is properly hybrid AD joined.

    I had this same issue on two machines, and found I could use this command to resolve it in both cases.

    I did a quick post about it here: https://www.candiamantics.com/projects/fixing-auto-mdm-enroll-failed/

    Maybe that works for someone else.

    • Proposed as answer by Cory Candia Monday, December 31, 2018 6:06 PM
    Monday, December 24, 2018 2:48 PM
  • I am getting the  same error 0x8018002b, its been weeks now and the devices are still not auto enrolling. any assistance will be most appreciated. Thanks.
    Friday, March 29, 2019 4:29 PM
  • For my case I resolved the issue. I did these 2 steps:

    - uninstalled old Intune Agent on Client

    - removed the manual MDM enrollment from client in the work/school account area in the settings

    Reboot -> Client successfully enrolled

    @midi: Did you configure device writeback in AAD Connect Client AND do you also sync the OU which are the computerobjects located to Azure AD?


    Recently I had again a device which wasn't successfully enrolling by itself. Figured out that the registry entry 

    Hive HKEY_LOCAL_MACHINE 
    Key path SOFTWARE\Microsoft\Enrollments 
    Value name ExternallyManaged 
    

    was left due to old Intune agent installation. Maybe its helpful.<style></style>


    Freundliche Grüße

    Sandro Reiter
    Cloud Solutions Consultant

    • Proposed as answer by Shane_Curtis Tuesday, October 29, 2019 4:29 PM
    Monday, October 21, 2019 11:19 AM
  • Sandro, thanks a ton!  That was my problem!  I was getting a constant 0x80180026 in task scheduler until I went and looked for that registry key.  It was there, I deleted it, re-ran the task and it immediately ran successfully.  I have no idea how it got there but that was it!

    Shane Curtis

    Tuesday, October 29, 2019 4:31 PM
  • Hi,

    Do you still have the issue ?

    Wednesday, March 4, 2020 10:15 PM
  • Hi,

    Do you still have the issue ?

    Yep, I'm having it: See https://social.microsoft.com/Forums/en-US/e8aeec3d-3ee4-4160-aa0b-62c78f2e47aa/device-is-not-mdm-enrolled-yet?forum=ConfigMgrMDM&prof=required ..just opened today.

    MCSA Win10, MCSE Mobility, MCSA M365.

    Wednesday, April 22, 2020 7:32 PM
  • Sandro, thanks a ton!  That was my problem!  I was getting a constant 0x80180026 in task scheduler until I went and looked for that registry key.  It was there, I deleted it, re-ran the task and it immediately ran successfully.  I have no idea how it got there but that was it!

    Shane Curtis

    Can you confirm which registry key that was? I'm facing the same issue here, the device fails to get enrolled automatically although user is assigned Intune and Azure AD Premium P1 licenses and Automatic enrollment's MDM user scope is set to all. I have also made sure that the user's account in Active directory is properly configured. Registry keys don't show any previous enrollment info. 

    Thursday, July 2, 2020 1:46 PM