Device registration in Co-Management - Error 0x8018002b

%3CLINGO-SUB%20id%3D%22lingo-sub-2107810%22%20slang%3D%22en-US%22%3EDevice%20registration%20in%20Co-Management%20-%20Error%200x8018002b%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2107810%22%20slang%3D%22en-US%22%3E%3CP%3E%3CFONT%20size%3D%223%22%3EHi%20All%2C%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3EI%20am%20a%20bit%20stumped%20as%20we%20have%20been%20experiencing%20issues%20getting%20devices%20into%20the%20co-managed%20state%20correctly%20on%20several%20of%20our%20machines.%20We%20did%20extensive%20testing%20on%20this%20several%20months%20ago%20and%20successfully%20joined%2010-15%20machines%20before%20refocusing%20our%20efforts%20on%20building%20out%20our%20policies.%20Machines%20are%20showing%20up%20in%20both%20EPM(Endpoint%20Manager)%20and%20AAD%20(Azure%20Active%20Directory)%20but%20have%20SCCM%20listed%20as%20the%20MDM%20authority%20in%20AAD.%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3EImage%201%2C%20Source%20AAD%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22JoelTR_0-1611879763639.png%22%20style%3D%22width%3A%20556px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F250463i4892BF54CB9AA36F%2Fimage-dimensions%2F556x42%3Fv%3D1.0%22%20width%3D%22556%22%20height%3D%2242%22%20role%3D%22button%22%20title%3D%22JoelTR_0-1611879763639.png%22%20alt%3D%22JoelTR_0-1611879763639.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3EImage%202%2C%20Source%20EPM%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22JoelTR_1-1611879940111.png%22%20style%3D%22width%3A%20417px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F250466iD276005A96A36902%2Fimage-dimensions%2F417x24%3Fv%3D1.0%22%20width%3D%22417%22%20height%3D%2224%22%20role%3D%22button%22%20title%3D%22JoelTR_1-1611879940111.png%22%20alt%3D%22JoelTR_1-1611879940111.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3EInterestingly%20on%20the%20users%20devices%20the%20co-management%20status%20is%20set%20to%201%20we%20are%20unable%20to%20push%20apps%20such%20as%20the%20company%20portal%20down%20to%20the%20machine.%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3EThis%20value%20is%20managed%20by%20the%20Co-Management%20sliders%20in%20SCCM%20and%20increases%20based%20on%20how%20much%20of%20the%20load%20is%20managed%20by%20Intune.%20Therefore%20currently%20Intune%20is%20not%20managing%20the%20device%20at%20all%2C%20despite%20it%20showing%20up%20in%20Intune%20as%20Co-Managed.%20All%20test%20cases%20of%20this%20are%20part%20of%20the%20Pilot%20collection%20in%20SCCM%20and%20all%20sliders%20are%20set%20to%20Intune%20Pilot.%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3EI%20have%20collected%20logs%20on%20all%20of%20the%20devices%20that%20have%20this%20issue%20and%20have%20noticed%20this%20error%20is%20present%20on%20all%20of%20them%20and%20users%20are%20not%20getting%20the%20MFA%20prompt%20to%20set%20up%20intune%20in%20the%20first%20instance.%26nbsp%3B%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3E%22Auto%20MDM%20Enroll%3A%20Device%20Credential%20(0x0).%20Failed%20(Unknown%20Win32%20Error%20code%200x8018002b)%22%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3EThis%20leads%20me%20to%20believe%20that%20devices%20are%20using%20the%20incorrect%20credential%20(Device)%20to%20sign%20up%20for%20Microsoft%20EPM%20despite%20the%20following%20Policy.%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22JoelTR_4-1611880212486.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F250469i476BD52591CD5CE0%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22JoelTR_4-1611880212486.png%22%20alt%3D%22JoelTR_4-1611880212486.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3EI%20have%20tried%20the%20below%20solutions%20to%20no%20success%3A%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3EMicrosoft%20Solution%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-in%2Ftroubleshoot%2Fmem%2Fintune%2Ftroubleshoot-windows-enrollment-errors%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%3ETroubleshooting%20Windows%20device%20enrolment%20problems%20in%20Microsoft%20Intune%20-%20Intune%20%7C%20Microsoft%20Docs%3C%2FSPAN%3E%3C%2FA%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3EOne%20of%20the%20following%20conditions%20should%20be%20the%20cause%3C%2FFONT%3E%3C%2FP%3E%3COL%3E%3CLI%3E%3CFONT%20size%3D%223%22%3E%3CSPAN%3EUPN%20Contains%20an%20unverified%20or%20non-routable%20domain%2C%20such%20as%20.local%20-%20Checked%26nbsp%3B%40edu%20address%20used%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FLI%3E%3CLI%3E%3CFONT%20size%3D%223%22%3E%3CSPAN%3EMDM%20user%20Scope%20set%20to%20None%20-%20Checked%2C%20set%20to%20Some.%20User%20is%20in%20included%20group%20with%20licenses%20assigned%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FLI%3E%3C%2FOL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3ECommunity%20Solution%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3E%3CA%20href%3D%22https%3A%2F%2Fcommunity.spiceworks.com%2Ftopic%2F2278963-intune-with-aadj-cannot-auto-enroll%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%3E%5BSOLVED%5D%20Intune%20with%20AADJ%20-%20Cannot%20auto%20enrol%20-%20Azure%20Forum%20-%20Spiceworks%3C%2FSPAN%3E%3C%2FA%3E%3C%2FFONT%3E%3C%2FP%3E%3COL%3E%3CLI%3E%3CFONT%20size%3D%223%22%3E%3CSPAN%3EWait%2012%20hours%E2%80%A6%20%2C%20Waited%2048h%20no%20change%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FLI%3E%3CLI%3E%3CFONT%20size%3D%223%22%3E%3CSPAN%3E%3CSPAN%3E%3CSPAN%3EEnsure%20MDM%20enrolment%20Group%20Policy%20uses%20user%20credential%2C%20not%20device%20-%20Checked%2C%20See%20image%20of%20Policy%20above%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3C%2FFONT%3E%3C%2FLI%3E%3C%2FOL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3E%3CSPAN%3E%3CSPAN%3E%3CSPAN%3EIt%20could%20be%20that%20i%20am%20missing%20something%20obvious%20but%20I%20would%20appreciate%20help%20finding%20that%20component%20%3A).%20%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2107810%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EDevice%20enrollment%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESystem%20Center%20Configuration%20Manager%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2110455%22%20slang%3D%22en-US%22%3ERe%3A%20Device%20registration%20in%20Co-Management%20-%20Error%200x8018002b%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2110455%22%20slang%3D%22en-US%22%3E%3CP%3EResponding%20to%20a%20possibly%20deleted%20comment%20received%20by%20email%2C%20here%20is%20a%20bit%20more%20information%20that%20may%20help%3A%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20Co-Management%20handler%20logs%20are%20as%20follows%3A%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22JoelTR_0-1612216247937.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F251115i11E7523EC088BC91%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22JoelTR_0-1612216247937.png%22%20alt%3D%22JoelTR_0-1612216247937.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3ETwo%20of%20the%20errors%20that%20stick%20out%20to%20me%20are%3A%3C%2FP%3E%3COL%3E%3CLI%3EMerged%20value%20for%20setting%20'CoManagementSettings_AutoEnroll'%20is%20%3CFONT%20color%3D%22%23FF0000%22%3E'False'%3C%2FFONT%3E%20CoManagementHandler%2028%2F01%2F2021%2010%3A05%3A26%20AM%2010380%20(0x288C)%3C%2FLI%3E%3CLI%3ENew%20merged%20workloadflags%20value%20with%20co-management%20max%20capabilities%20%3CFONT%20color%3D%22%23FF0000%22%3E'255'%20is%20'1'%3C%2FFONT%3E%20CoManagementHandler%2028%2F01%2F2021%2010%3A05%3A26%20AM%2010380%20(0x288C)%3C%2FLI%3E%3C%2FOL%3E%3CP%3EThis%20issue%20seems%20to%20point%20to%20the%20SCCM%20collection%20being%20unable%20to%20set%20new%20values%20for%20Auto-Enrol%20%26amp%3B%20Capabilities.%20Note%20that%20I%20am%20no%20expert%20in%20SCCM%20and%20I%20am%20just%20presenting%20what%20i%20see%20in%20the%20logs.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%20class%3D%22lia-align-center%22%3ENon-Compliant%20Devices%20(Active)%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22JoelTR_2-1612217532818.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F251132iDC392036B9B4699C%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22JoelTR_2-1612217532818.png%22%20alt%3D%22JoelTR_2-1612217532818.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%20class%3D%22lia-align-center%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20class%3D%22lia-align-center%22%3EUnknown%20Devices%20(Inactive)%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22JoelTR_3-1612217565062.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F251134i17092546FDE8A7A9%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22JoelTR_3-1612217565062.png%22%20alt%3D%22JoelTR_3-1612217565062.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENote%20that%20all%20devices%20were%20active%20before%20the%20auto-enrol%20process%20was%20started%20and%201%20of%20the%20inactive%20devices%20was%20successfully%20co-managed%20before%20having%20SCCM%20removed.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EPlease%20feel%20free%20to%20reach%20out%20if%20any%20other%20logs%20or%20information%20would%20help%20investigate%20this%20issue.%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

Hi All,

 

I am a bit stumped as we have been experiencing issues getting devices into the co-managed state correctly on several of our machines. We did extensive testing on this several months ago and successfully joined 10-15 machines before refocusing our efforts on building out our policies. Machines are showing up in both EPM(Endpoint Manager) and AAD (Azure Active Directory) but have SCCM listed as the MDM authority in AAD.

 

Image 1, Source AAD

JoelTR_0-1611879763639.png

Image 2, Source EPM

JoelTR_1-1611879940111.png

 

Interestingly on the users devices the co-management status is set to 1 we are unable to push apps such as the company portal down to the machine.

This value is managed by the Co-Management sliders in SCCM and increases based on how much of the load is managed by Intune. Therefore currently Intune is not managing the device at all, despite it showing up in Intune as Co-Managed. All test cases of this are part of the Pilot collection in SCCM and all sliders are set to Intune Pilot.

 

I have collected logs on all of the devices that have this issue and have noticed this error is present on all of them and users are not getting the MFA prompt to set up intune in the first instance. 

 

"Auto MDM Enroll: Device Credential (0x0). Failed (Unknown Win32 Error code 0x8018002b)"

 

This leads me to believe that devices are using the incorrect credential (Device) to sign up for Microsoft EPM despite the following Policy.

JoelTR_4-1611880212486.png

 

I have tried the below solutions to no success:

Microsoft Solution

Troubleshooting Windows device enrolment problems in Microsoft Intune - Intune | Microsoft Docs

One of the following conditions should be the cause

  1. UPN Contains an unverified or non-routable domain, such as .local - Checked @edu address used
  2. MDM user Scope set to None - Checked, set to Some. User is in included group with licenses assigned

 

Community Solution

[SOLVED] Intune with AADJ - Cannot auto enrol - Azure Forum - Spiceworks

  1. Wait 12 hours… , Waited 48h no change
  2. Ensure MDM enrolment Group Policy uses user credential, not device - Checked, See image of Policy above

 

It could be that i am missing something obvious but I would appreciate help finding that component :).

1 Reply

Responding to a possibly deleted comment received by email, here is a bit more information that may help: 

The Co-Management handler logs are as follows:

JoelTR_0-1612216247937.png

Two of the errors that stick out to me are:

  1. Merged value for setting 'CoManagementSettings_AutoEnroll' is 'False' CoManagementHandler 28/01/2021 10:05:26 AM 10380 (0x288C)
  2. New merged workloadflags value with co-management max capabilities '255' is '1' CoManagementHandler 28/01/2021 10:05:26 AM 10380 (0x288C)

This issue seems to point to the SCCM collection being unable to set new values for Auto-Enrol & Capabilities. Note that I am no expert in SCCM and I am just presenting what i see in the logs.

 

Non-Compliant Devices (Active)

JoelTR_2-1612217532818.png

 

Unknown Devices (Inactive)

JoelTR_3-1612217565062.png

 

Note that all devices were active before the auto-enrol process was started and 1 of the inactive devices was successfully co-managed before having SCCM removed. 

Please feel free to reach out if any other logs or information would help investigate this issue.