Problems enrolling devices into Intune

Iron Contributor



We're deploying our machines to Intune, using a GPO. Most of the times everything works fine, but I still have about 300 machines which didn't get into Intune, and now we're analyzing why.

After reading a bit, I've found that most of the devices which are not getting into Intune is because they are not enrolling with the user in Azure AD.

So after the machine gets into the domain, it will go to Azure AD Devices as well, as Hybrid Azure AD Joined, which is fine. But when Owner field is not populated with the user, the device will not join Intune.


Looking at those machines, and running the command "dsregcmd /status", the ones which are not ok, in the "SSO State" area, have the following error:

Server Error Code : interaction_required
Server Error Description : AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0000-c000-000000000000'.


The users can logon to Azure AD with their MFA working fine. So any clue on how can I correct this issue?
I've read about disabling security defaults in Azure AD, but in our case, it's already disabled.



11 Replies



Hi, So you are running a hybrid setup and those are existing devices. You have made sure those devices are in scope of the azure ad  connect instance.


You are mentioning "they are not enrolling with the user in Azure AD.". Could you explain this a little bit more? Could you also confirm if those devices are azure ad joined  and domain joined when looking at the dsregcmd status. While at it , I assume the azureprt is also "yes"


Troubleshoot questions: 

*Anything in the  DeviceManagement-Enterprise-Diagnostic-Provider > Admin.

*Could you confirm the task schedules have been created


Enable automatic MDM enrollment for Azure Ad joined Devices (


Resume: I guess we need some more info.... :) 

Thanks for the reply.

What I mean they are not enrolling correctly in Azure AD is that, after we join the devices (Windows 10 and 11 devices) to our onprem AD, they sync to Azure AD, so I can see them in Azure AD, but on this cases they don't get an Owner attribute, like the screenshot attached. When they don't get the owner attribute, they are not enrolled into Intune.

Also, on the link bellow you can see one example of the dsregcmd /status. I've redacted some areas, but you can see the AzurePrt is NO, and the reason why.

Just to be sure... the people who are working on that device.. do they even have a intune license applied and in the MDM scope?
Did you have taken a look at the event log DeviceManagement-Enterprise-Diagnostic-Provider .. it should mention something

No old lingering enrollments?

Also worth trying.. what happens when you use a filter to exclude azure ad hybrid devices from mfa? so you could rule out the mfa issue
Licensing is fine, as we have M365 E5 for all of them, and some are enrolling fine in Intune.
I'll get those Logs to try to check if something there might help.

I could use a filter to exclude MFA, but in fact all of our users have MFA, and some of them enroll just fine in Intune, while some others don't, so I don't really think it's MFA related.

I'll start by getting the Logs from those machines and check those.
I'll post after I read the Logs.


I've got already the logs from some of the devices.
On the Operational Log there are no errors.
On the Admin Log I've got 3 events repeated from 5 to 5 minutes, events 80, 90 and 76.
Event 80 - Warning - Auto MDM Enroll DmRaiseToastNotificationAndWait Failure (Unknown Win32 Error code: 0x8018002a)
Event 90 - Information - Auto MDM Enroll Get AAD Token: Device Credential (0x0), Resource Url (, Resource Url 2 (NULL), Status (Unknown Win32 Error code: 0x8018002a)
Event 76 - Error - Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x8018002a).

So seems the device is not authenticating correctly in Azure AD from my little understanding. Is there any way to force it to sync with AAD or debug the reason why it's not getting an authentication in AAD?




- Ensure Modern Auth is enabled in the Org settings under

- Disable sec defaults

- Disable the classic per user MFA and use CA policies to enforce MFA instead

- Target all users all cloud apps all devices all locations with Grant and Require MFA via CA policy

- Exclude Break the Glass accounts (max 2 Break the glass accounts are fine) from the CA policy

- Exclude SMTP accounts from the CA policy or move SMTP traffic to a third party like SMTP2GO and then create a CA policy to block legacy auth all together in the tenant

- Disable all forms of legacy auth/basic auth the Org settings under

- see again if Devices are now auto enrolling into Intune ~300 are quite high number and there has to be a good reason


Thanks for the notes and tips. Some of those we are already implementing, but some of those mess with the users, so they need to be done carefully. And some might impact legacy stuff, which needs to be considered carefully.
On the meanwhile of course I would like to debug this cases so I can understand what is going on and try to fix it.


@dmarquesgn Any update on this, I am having exactly the same issue you are.  Thanks in advance!

having the exact same error here -
Auto MDM Enroll Get AAD Token: Device Credential (0x0), Resource Url (, Resource Url 2 (NULL), Status (Unknown Win32 Error code: 0x8018002a)
A little bit background info could be useful :)... What are you trying to accomplish? how does your setup looks like. requiring MFA? (blocking acces with ca if you dont)