MDM Enrollment Error 0x8018002B on Windows 10 1709

  • Question

  • Hi,

    Currently we're using SCCM 1710, Azure AD and Intune for Windows 10 1709 devices. ADConnect syncs our Windows 10 devices to Azure AD. ADFS has no device registration enabled.

    We want to enroll multiple devices through MDM and have multiple users with different accounts log in on that same device. We automatically enroll devices with SCCM Co-management and GPO (Auto MDM Enrollment with AAD Token).

    Windows 10 registers flawlessly on Azure AD as a Hybrid Azure AD Joined device, but there is no enrollment into Intune. The Task Scheduler gives an error on the "\Microsoft\Windows\EnterpriseMgmt\Schedule created by enrollment client for automatically enrolling in MDM from AAD" task. The last run result is 0x8018002B.

    Does anyone know the problem/solution to this?

    Friday, December 8, 2017 8:34 AM

All replies

  • Hello,

    Please make sure the following are correct:

    - Azure AD automatic enrollment enabled (make sure MAM User scope is None)

    - MDM authority in Intune set to Intune

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 11, 2017 5:46 AM
  • Hello,

    Just to follow up.

    I would like to check if there are any other questions about this case.

    Best regards,

    Andy Liu


    Thursday, December 28, 2017 8:29 AM
  • Hi,

    I'm having the same issue.

    • MDM authority is set to Intune
    • Azure AD registration is properly applied on the machine
    • MDM URL is properly configured in Azure AD (scope : all)
    • MAM URL scope is set to None
    • GPO "Auto MDM Enrollment with AAD Token" is properly applied

    Workstations do not have any SCCM client installed, only AD Join + Azure AD Registration.

    Event Viewer shows Event ID 76 and error 0x8018002b



    MVP Enterprise Mobility | Microsoft P-Seller | Azure Advisor

    Monday, January 15, 2018 10:36 PM
  • Same here. Same setup, same error code.

    Client: W10 Pro 1709 (16299.192)

    Any update? 

    Sunday, January 21, 2018 11:30 PM
  • Hello,

    I also have that problem. Anything new on that case?

    Kind regards,

    Mario

    Monday, January 29, 2018 4:34 PM
  • Hello Andy,

    this is not solving the problem. 

    Please assist further.

    Monday, January 29, 2018 4:35 PM
  • Hi, 

    Were you able to solve this issue? I am facing the exact same problem.

    Br, Henri

    Monday, February 19, 2018 10:50 AM
  • Hi, 

    Were you able to solve this issue? I am facing the exact same problem.

    Br, Henri

    Have you checked whether manual enrollment of Intune is working?

    Anoop C Nair

    Blog- https://www.AnoopCNair.com Twitter- @anoopmannur Facebook Page- https://www.facebook.com/ConfigMgr/

    Monday, February 19, 2018 11:33 AM
  • We have the same issue. Manual enrollment in Company Portal is OK. Anyone solved this one?
    Thursday, February 22, 2018 10:18 AM
  • Hi, I have made sure of the following but still unable to auto-enrol

    • MDM authority is set to Intune
    • MDM URL is properly configured in Azure AD
    • MDM scope is set to All
    • MAM URL scope is set to None
    • GPO "Auto MDM Enrollment with AAD Token" is properly applied
    • GPO "Register domain-joined computers as devices" is properly applied

    I get the following error in "aad operational" log on a user machine "The value specified for 'authority' is invalid. It is not in the valid authority list or not discovered."

    Has anyone managed to resolve this issue? Logged a case with MS support and they are not able to resolve this.

    Please note this is an AD FS 2016 environment with the latest AAD Connect with device write-back enabled.


    Saturday, February 24, 2018 10:55 AM
  • I'm seeing a very similar issue, I was getting:

    Auto MDM Enroll: Failed (Unknown Win32 Error code: 0x8018002a)

    I also saw that a notification prompt appeared. Despite this process supposedly being automated. I rebooted, no change. Finally I followed the prompt, which asked me to provide secondary authentication, after that the enrollment succeeded. May be related to my account being MFA enabled.

    1709 16299.309


    Anthony Murfet

    Wednesday, March 14, 2018 10:55 PM
  • Please ensure that you do not have the old classic intune client installed on the device.

    Thanks

    Kam


    Wednesday, March 21, 2018 1:07 PM
  • Any news about this problem?

    Jens Ole Kragh, MCITP Server/Client, MCTS, MCT, Microsoft TechNet Influent Denmark,Blog: http://jensolekragh.wordpress.com/

    Thursday, June 21, 2018 8:32 AM
  • This may indicate that the device is not receiving an MDM URL from Intune.  You can confirm that this is the case by running dsregcmd /status and observing the content of the MDM URL in the output.

    If you have not yet done so, please review this config document for setting up hybrid devices and confirm that AD FS and the other server side components are configured as outlined:  https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup


    Ramon


    Wednesday, June 27, 2018 12:01 AM
  • I'm also having this problem with a handful of 1803/1709 hybrid joined computers.

    They show up in azure as Hybrid Azure AD joined but do not find their way into Intune.

    I have just about the same setup and error as Maxime Rastello which was posted Jan 15th.

    and yes from dsregcmd /status my MDMurl is blank.

    Wednesday, June 27, 2018 6:25 PM
  • I'm getting the same error. Assuming that all of the previously discussed items have been configured correctly (MDM User Scope, etc.), I think maybe this is happening because, while the device is showing as Hybrid Azure AD Joined, it is not yet associated with a user who is included in the MDM User Scope. If I'm correct on that, the question then becomes how we associate the device to the user. The obvious way would be to have the user manually enroll in the "Access work or school" screen, but I want to get this working with the GPO auto enrollment. How do we get the user associated to the device? I was hoping it would happen when they log on.

    Shane Curtis

    Wednesday, July 18, 2018 2:47 PM
  • I'm having the same problem. I'm going to raise a support ticket for microsoft intune team.
    Thursday, July 19, 2018 2:16 PM
  • When you try to enroll the device manually under an ordinary user via "Settings -> Accounts -> Access work or school -> Connect...", it says "you don't have permissions to perform this action"; if you do the same under an admin account (but using the same user account), it enrolls properly. Please note, auto-enrollment still doesn't work under an admin account, with the same 0x8018002b error in the Event Viewer.

    I also noticed that the task is missing in the Task Scheduler under EnterpriseMgmt, and once you enroll a device, it appears under a generated ID.

    I believe Intune uses some non-admin account to create a task in the Task Scheduler and is unable to do it.

    However, this is only confirmed behaviour on Hybrid Joined Machine. I'm pretty sure there will be no problem with AAD Joined.

    I've got a confirmation from Microsoft Support that the user has to be an admin to have his device enrolled into Intune.

    I'm currently looking for ways to enroll it via PowerShell or batch using GPO.

    Please vote here to enable this feature:

    https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/34258156-enrolling-windows-10-without-admin-privs-no-sccm

    Another weird thing I've noticed is this:

    There are now two devices in Azure active directory, where MDM is registered on a duplicated dummy.

    • Proposed as answer by Alex Riben Friday, July 20, 2018 1:18 PM
    • Edited by Alex Riben Friday, July 20, 2018 2:55 PM
    Friday, July 20, 2018 1:18 PM
  • Actually, I think Shane_Curtis had the right answer here. The issue is likely that the user account is not sent up with the AzureAD Hybrid registration, so the user account does not populate, and Intune does not know which user account to draw MDM policies from.

    In response to Alex's talk with MS Support: It's normal that non-admins can't enroll in MDM, as that's an administrative function. Auto-enrolling, though, is designed to work either way. To confirm this notion, I am running into the same issue Alex did, but I am on an admin account that won't auto-enroll.


    Friday, July 27, 2018 9:19 PM
  • The issue is likely that the user account is not sent up with the AzureAD Hybrid registration, so the user account does not populate, and Intune does not know which user account to draw MDM policies from.

    This cannot be right, because as per Microsoft documentation:

    "Hybrid Azure AD Joined Windows 10 devices do not have an owner"

    Though it sounds logical, because Intune license is assigned to a user, not a device, nevertheless a device should be enrolled anyway. This is what Microsoft documentation and other guides say.

    In response to Alex's talk with MS Support: It's normal that non-admins can't enroll in MDM, as that's an administrative function.

    No. This is totally wrong. Can you imagine having more than 10000 PCs and an admin has to enroll every device manually? If an admin has to do it by himself, what's the point of having GPO in the first place? Computer GPO are supposed to be rolled without user's consent.

    Let's be honest here. Microsoft Support agents can only cover basic things; they are happy to get rid of the ticket once an issue is somehow fixed (using tape and gum). After getting a screenshot of 2 devices registered in Azure (which is not correct, there should be 1 hybrid device with MDM policy), a Microsoft agent opened a ticket and submitted the gathered info to Intune Engineers. So now I'm waiting for their answer.


    • Edited by Alex Riben Monday, August 6, 2018 12:48 PM
    Monday, August 6, 2018 12:48 PM
  • Is there more info on this topic and how to fix it?

    I have the same issue:

    Winver 1803
    Device is hybrid joined in Azure AD.
    MDM authority is set to Intune.
    MDM URL is properly configured in Azure AD.
    MDM scope is set to All.
    MAM URL scope is set to None.
    GPO "Auto MDM Enrollment with AAD Token" is properly applied.

    I'm logged on with an admin account. The device won't enroll into mdm.
    error message:
    Auto MDM Enroll: Failed (Unknown Win32 Error code: 0x8018002b)

    Thursday, August 23, 2018 11:58 AM
  • I am having exactly the same problem, for more than one customer! Any update on this issue would be greatly appreciated.

    Tuesday, August 28, 2018 6:39 PM
  • I encountered the exact same issue on a Hybrid Azure AD joined 1803 computer.

    It appeared the logged on user was not synced in Azure AD.

    Just have a look at your Azure AD console and check whether your user resides there.


    Twitter: @MatAitAzzouzene | Linkedin: Mathieu Ait Azzouzene

    Wednesday, August 29, 2018 9:12 AM
  • Hello guys,

    Any news regarding this?

    Getting "Auto MDM Enroll: Failed (Unknown Win32 Error code: 0x8018002b)". Although machines are registered correctly in Azure AD (hybrid joined), they do not activate.

    Users and computers are synced using AD Connect and license is assigned.

    What else can we do to troubleshoot this?

    Cheers!

    Wednesday, September 12, 2018 2:28 PM
  • Same issue/error with the same configuration.

    Azure AD Hybrid Joined devices with all the right configurations, but no join possible.
    Automatische MDM-Registrierung: Fehler (Unknown Win32 Error code: 0x8018002b)
    Need to activate BitLocker ASAP and Intune should be the right way, in case you get the devices registered …..

    ------------------------------

    I solved my issue.

    In Device Enrollment / Windows enrollment / Deployment Profiles, switch to Self-Deploying (preview).

    Now the scheduled task is created and the hybrid devices register in Intune automatically.

    • Edited by klausar Thursday, September 13, 2018 10:58 AM
    Wednesday, September 12, 2018 3:52 PM
  • Having the same issue here with freshly installed Windows 10 1803. I know everything is set up properly for enrollment as the device will enroll eventually; however, it may be with the first login of the user or the fifth. The lack of enrollment doesn't bother me as much as the inconsistency.

    My only guess is that after installing base Windows 10 1803, the enrollment fails until one of the later updates gets pushed to the device that fixes the issue.

    Monday, September 17, 2018 12:54 PM
  • I had this error too. For me it was resolved almost immediately after I logged in to the machine with another account. Both accounts had correct licenses, so it wasn't a licensing problem. The machine was using W10 1803 and was Azure AD Hybrid joined.


    Wednesday, October 24, 2018 6:35 PM
  • I fixed this error by editing the scheduled task and selecting the check mark "Run with highest privileges".

    Then I received an error 0x80180026, which normally occurs when a device is locked in provisioning mode. Repair this by changing the following registry key:

    HKLM\Software\Microsoft\Enrollments\ExternallyManaged, and set the key equal to 0.

    • Proposed as answer by Braulio Santos Tuesday, October 30, 2018 2:29 AM
    Tuesday, October 30, 2018 2:28 AM
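    The checks that the posts above walk through one at a time (the MdmUrl in dsregcmd /status, the EnterpriseMgmt scheduled task and its last result, the ExternallyManaged value, and Event ID 76) can be gathered in one pass. The script below is an added diagnostic, not code from any poster in this thread; it only reads state, and it assumes the standard dsregcmd output labels and the Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin log name.

```powershell
# Added diagnostic (not from the thread): read-only collection of the
# auto-enrollment state discussed above. Run in an elevated PowerShell
# on the affected Windows 10 client.

$report = [ordered]@{}

# 1. Join state and MDM URL as reported by dsregcmd /status.
#    A blank MdmUrl is the symptom several posters describe.
$dsreg = dsregcmd /status
foreach ($key in 'AzureAdJoined', 'DomainJoined', 'MdmUrl') {
    $line = $dsreg | Select-String -Pattern "^\s*$key\s*:\s*(.*)$" | Select-Object -First 1
    $value = if ($line) { $line.Matches[0].Groups[1].Value.Trim() } else { '<not found>' }
    if ($value -eq '') { $value = '<blank>' }
    $report[$key] = $value
}

# 2. Enrollment task created by the enrollment client. It lives under a
#    per-enrollment GUID folder below \Microsoft\Windows\EnterpriseMgmt\.
$tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' }
if ($tasks) {
    foreach ($t in $tasks) {
        $info = $t | Get-ScheduledTaskInfo
        # LastTaskResult is a UInt32; show it as hex so 0x8018002B is recognisable
        $report["Task: $($t.TaskName)"] = ('0x{0:X8}' -f $info.LastTaskResult)
    }
} else {
    $report['EnterpriseMgmt tasks'] = '<none created yet>'
}

# 3. Provisioning-mode lock (the 0x80180026 case above). Reported only;
#    the poster's fix is to set this value to 0.
$enroll = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue
$report['ExternallyManaged'] = if ($null -ne $enroll.ExternallyManaged) { $enroll.ExternallyManaged } else { '<not set>' }

# 4. Most recent auto-enrollment failure (Event ID 76 in the DeviceManagement admin log).
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Id      = 76
} -MaxEvents 1 -ErrorAction SilentlyContinue
$report['Last Event 76'] = if ($events) { $events[0].Message } else { '<none>' }

[pscustomobject]$report | Format-List
```

    A blank MdmUrl with no EnterpriseMgmt task points at the Azure AD/Intune side (MDM authority, MDM user scope, user sync), while a task present with a non-zero hex result points at the client-side run.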
  • This helped me today - GPO rollout on Windows 10 1809 today did not work until I logged on with a different user.

    Thursday, February 21, 2019 5:05 PM
  • Check out the latest cumulative update for Windows 10 1809. The fix list includes the following.

    Allows existing devices that are managed by Configuration Manager to be
    enrolled in Microsoft Intune using Co-management without any user
    interaction. It does not require an active user to be logged in, and
    there are no Multi Factor Authentication (MFA) prompts. This update also
    allows the Co-managed mobile device management (MDM) enrollment to use
    the device credential it received when the device is enabled to join
    Hybrid Azure Active Directory (AADJ).

    https://support.microsoft.com/en-us/help/4495667

    Monday, May 6, 2019 1:34 PM
  • I had 0x8018002B on the 'Microsoft\Windows\EnterpriseMgmt\Schedule created by enrollment client for automatically enrolling in MDM from AAD' task because I had not yet set the MDM authority to Intune.

    After following these steps:

    1. Open a new browser window and enter https://portal.azure.com in the address bar.
    2. Choose All services > Microsoft Intune.
    3. Select the banner indicating that you haven't enabled device management, or if you don't immediately see the banner, select Device enrollment. The Choose MDM Authority blade will be displayed if you haven't enabled device management yet.

    https://docs.microsoft.com/en-gb/intune/free-trial-sign-up#set-the-mdm-authority-to-intune

    And waiting for a few hours, it resolved itself.

    Friday, July 5, 2019 2:04 PM
  • Thanks buddy. This has resolved an issue I was having with a device refusing to register despite being Hybrid Azure AD Joined and the user was part of the MDM scope. Brilliant!
    Friday, July 19, 2019 12:00 PM