JasonMabry-0307 asked Crystal-MSFT edited

Auto MDM Enroll: Device Credential (0x1), Failed (Unknown Win32 Error code: 0x8018002b)

We have a lab of computers that uses a generic AD account to sign in. This user is not in an Azure AD synced OU, so a User Credential will not work in this case. We would like to get these devices auto enrolled in Intune/Endpoint Manager, however the enrollment task fails with the error above.

When running dsregcmd /status, the TenantName and MdmUrl values are all blank. TenantId is populated and is the correct TenantID. The devices are all Hybrid Joined.

Any advice as to how to troubleshoot or resolve this error?


Crystal-MSFT answered

@JasonMabry-0307 For a Hybrid Azure AD joined device to be enrolled into Intune, we need to make sure the user account is synced to Azure AD and that we also have Azure AD Premium and Microsoft Intune licenses assigned, because the enrollment process starts in the background once we sign in to the device with our Azure AD account. We can see more details in the following links:
https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enroll
https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy

Hope it can help.


JasonMabry-0307 answered Crystal-MSFT edited

Thank you for the reply, @Crystal-MSFT!

We are trying to use a Device Credential.

The user is synced, but it's a special AD account, with no password, used strictly for shared lab access. We tried using a User Credential, but a check of dsregcmd /status does not show the user as being a valid AAD User. The user is licensed for Intune and is configured as a Device Enrollment Manager. The MDM user scope is set to All and the MAM user scope is set to None.

We are using Device-based licenses for Office, and were really wanting to enroll these using the Device Credential.

Is this possible?


@JasonMabry-0307, thanks for the reply. As far as I know, device credential is not working in Intune device enrollment. So we need to consider user credential to do the enrollment.

From your description, I know the user account is not a valid AAD account. We suggest first contacting Azure AD support to fix this issue. Also, please ensure AzureAdJoined, DomainJoined and AzureAdPrt under dsregcmd /status are all YES. If not, we also need an Azure AD support engineer to help with this.
https://docs.microsoft.com/en-us/answers/topics/azure-active-directory.html

After the above issues are all fixed, then we can check if the enrollment will work well.

Thanks for your understanding.
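
The dsregcmd /status checks discussed in this thread, as an added example that is not part of any post above. The function name Test-DsregStatus and the sample output are constructed for illustration; the function reports whether AzureAdJoined, DomainJoined and AzureAdPrt read YES and whether TenantId, TenantName and MdmUrl are populated.

```powershell
function Test-DsregStatus {
    # Hypothetical helper: takes the lines printed by "dsregcmd /status".
    param([string[]]$StatusLines)

    # Collect "Key : Value" pairs; section banners and blank lines do not match.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    # Join and PRT flags must read YES; tenant and MDM values must be non-empty.
    $mustBeYes = 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt'
    $mustBeSet = 'TenantId', 'TenantName', 'MdmUrl'

    foreach ($name in ($mustBeYes + $mustBeSet)) {
        $value = $fields[$name]
        if ($name -in $mustBeYes) {
            $ok = ($value -eq 'YES')
        } else {
            $ok = -not [string]::IsNullOrWhiteSpace($value)
        }
        if ($null -eq $value) { $shown = '<missing>' } else { $shown = $value }
        [pscustomobject]@{ Field = $name; Value = $shown; Ok = $ok }
    }
}

# Constructed sample mirroring the state described in the question:
# TenantId populated, TenantName and MdmUrl blank. The AzureAdPrt value is assumed.
$sample = @'
             AzureAdJoined : YES
              DomainJoined : YES

                TenantName :
                  TenantId : 00000000-0000-0000-0000-000000000000
                    MdmUrl :
                AzureAdPrt : NO
'@ -split "`r?`n"

# On a real device, pass live output instead:
#   Test-DsregStatus -StatusLines (dsregcmd /status)
Test-DsregStatus -StatusLines $sample | Format-Table -AutoSize
```

Any row with Ok = False is a value to resolve before retrying enrollment. AzureAdPrt is per-user state, so run the check in the session of the account that signs in to the lab machines.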