Intune Auto Enrollment and Hybrid AAD Join error

New Contributor

I'm working with a customer that has AD domain joined devices setup to Hybrid Join and Auto Enroll into Intune, but the results are very sporadic. The AAD Connect is syncing the users and devices in scope. The users have Intune licenses. The devices appear to be stuck at completing the Hybrid Join (pending), so the Intune enrollment doesn't happen (which is the goal).

There are 3 things that keep logging in the Device Management-Enterprise-Diagnostics event log:

  1. Auto MDM Enroll <Dm Raise Toast Notification And Wait>* Failure (Unknown Win32 Error code: 0x8018002a)
  2. "Auto MDM Enroll Get AAD Token: Device Credential (0x0), Resource <>* (https://enrollment.manage.microsoft.com/), Resource <>* 2 (NULL), Status (Unknown Win32 Error code: 0x8018002a)"
  3. Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x8018002a)

I had them run the following script to test connectivity: https://learn.microsoft.com/en-us/samples/azure-samples/testdeviceregconnectivity/testdeviceregconne...

Both systems they tested completed all checks successfully (1 on-prem and 1 on VPN).

Still not completing the Intune Enrollment.

Has anyone been able to resolve a similar registration/enrollment error?

Thanks!

4 Replies
hi

That error could indicate that conditional access is requiring a mfa ... did you have taken a look at the sign in logs?
https://call4cloud.nl/2022/06/how-to-get-the-intune-enrollment-errors-outta-your-**bleep**/#part4
It could be MFA CA as Rudy mentioned.

https://www.imab.dk/auto-mdm-enrollment-fails-with-error-code-0x8018002a-troubleshooting-mdm-enrollm...

But if you still seeing the issue after disabling MFA or excluding Intune enrollment app, can you remove this folder from an affected local PC (C:\Windows\Systems32\Group Policy (hidden folder)\Machine) and wait for gpo to reapply or force sync.
I did look at the sign-in logs briefly, but I'll take another look.
Just a quick follow-up.
It was suggested to include in the GPO for the AutoEnroll a setting for the device registration. The setting is referenced here:
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WorkplaceJoin%3A%3AWJ_AutoJoin
After including this in the GPO we had about 1/2 the remaining devices enroll without any intervention.