"0x8018002B" error and Windows 10 MDM auto-enrollment for Intune fails if an invalid UPN is used

Applies to: Microsoft Intune, Commerce Intune, System Center Configuration Manager Hybrid with Intune for Government

Symptoms


When you try to auto-enroll a device in Microsoft Intune by using Windows 10 Mobile Device Management (MDM) through a Group Policy Object, the attempt fails, and you experience the following additional symptoms:

  • The Task Scheduler generates an error on the \Microsoft\Windows\EnterpriseMgmt\Schedule folder. This folder is created by the enrollment client that automatically enrolls a device in MDM from an Azure Active Directory (Azure AD) task. The last-run result is as follows:
     

    Event 76 Auto MDM Enroll: Failed (Unknown Win32 Error code: 0x8018002b)

  • In Event Viewer, you may also see the following event logged under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-ProviderAdmin:
     

    Log Name: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
    Source: DeviceManagement-Enterprise-Diagnostics-Provider
    Event ID: 76
    Level: Error
    Description: Auto MDM Enroll: Failed (Unknown Win32 Error code: 0x8018002b)

Cause


This problem may occur if the domain of the user's UPN is either unverified in Azure AD or unroutable on the public internet. For example, the UPN uses an internal (unresolvable) suffix such as contoso.local, which Azure AD cannot verify. The following example domains illustrate the cause of this problem.
 
  Invalid
    contoso\userx
    userx@contoso.local

  Valid
    userx@contoso.com

Resolution


To resolve this problem, follow these steps:
 
  1. Open Active Directory Users and Computers.
  2. Select the user object for the affected user.
  3. Open Properties, and then select the Account tab.
  4. Change the UPN suffix to a valid value (for example, from contoso.local to contoso.com).

After you complete these steps, either wait for the next synchronization to occur, or force a delta sync from the synchronization server. To do this, follow these steps:
 
  1. Open an administrative PowerShell window.
  2. Run the following commands:

     Import-Module ADSync
     Start-ADSyncSyncCycle -PolicyType Delta

These commands start a delta sync operation. After the sync is finished, the account should reflect the updated domain within Azure.
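The resolution above covers one user edited by hand. The following script is an added example, not part of the Microsoft article: it finds every user whose UPN still carries an unroutable suffix, rewrites only the suffix (keeping the user's existing prefix), and then runs the same two ADSync commands. It assumes the ActiveDirectory RSAT module is available, that it is run on the Azure AD Connect server (where the ADSync module lives), and that contoso.local and contoso.com (the article's examples) are replaced with your own suffixes. Without -Apply it only reports what it would change.

```powershell
# Added example (not from the Microsoft article): bulk-fix unroutable UPN suffixes
# and force a delta sync. Assumes RSAT ActiveDirectory module + ADSync module.
#Requires -Modules ActiveDirectory
param(
    [string]$OldSuffix = 'contoso.local',   # unroutable suffix (article's example)
    [string]$NewSuffix = 'contoso.com',     # verified, routable suffix (article's example)
    [switch]$Apply                          # omit to run in report-only mode
)

Import-Module ActiveDirectory

# Sanity check: the new suffix must be a domain of the forest or a registered
# alternative UPN suffix (Active Directory Domains and Trusts); otherwise the
# value saved on the Account tab is not one Azure AD can verify.
$forest   = Get-ADForest
$suffixes = @($forest.Domains) + @($forest.UPNSuffixes)
if ($NewSuffix -notin $suffixes) {
    Write-Warning "'$NewSuffix' is not a UPN suffix of this forest; register it first."
}

# All users whose UPN ends with the old suffix (UserPrincipalName is a default property).
$affected = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'"
if (-not $affected) {
    Write-Host "No users found with suffix @$OldSuffix"
    return
}

$changed = 0
foreach ($u in $affected) {
    # Keep the existing prefix; only the suffix is the problem described in the article.
    $prefix = $u.UserPrincipalName.Split('@')[0]
    $newUpn = "$prefix@$NewSuffix"
    Write-Host ("{0,-20} {1,-35} -> {2}" -f $u.SamAccountName, $u.UserPrincipalName, $newUpn)
    if ($Apply) {
        Set-ADUser -Identity $u.DistinguishedName -UserPrincipalName $newUpn
        $changed++
    }
}

# Push the change to Azure AD now instead of waiting for the scheduled cycle.
# These are the two commands from the article.
if ($Apply -and $changed -gt 0) {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
    Write-Host "Delta sync started for $changed updated account(s)."
}
```

Run it once without -Apply, confirm the listed mappings are the ones you expect, then rerun with -Apply. After the delta sync finishes, the affected users must sign out and back in so that Windows obtains an Azure AD Primary Refresh Token with the new UPN before the scheduled enrollment task retries.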


Note: If this method does not resolve the problem, see the following Knowledge Base article:

4463749 "0x8018002B" error and Windows 10 MDM auto-enrollment for Intune fails if the user scope is set to None

More information


To verify that this is your problem, log on to Windows by using the affected account, and then run dsregcmd /status at an administrative command prompt. Examine the AzureAdPrt field in the output, which resembles the following:
 
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                 NgcSet : NO
        WorkplaceJoined : NO
          WamDefaultSet : ERROR
             AzureAdPrt : NO
    AzureAdPrtAuthority :
          EnterprisePrt : NO
 EnterprisePrtAuthority :
 
The AzureAdPrt field is required (value = YES). If the field value is NO, the user is not authenticated and will not be enrolled in Intune through Group Policy.
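The following script is an added example, not part of the Microsoft article: run on the affected Windows 10 client, it checks both indicators the article describes, the Event ID 76 entries in the DeviceManagement-Enterprise-Diagnostics-Provider/Admin log (Symptoms section) and the AzureAdPrt field of dsregcmd /status (this section), so a help desk can confirm the diagnosis before anyone edits the user's UPN. It assumes an elevated PowerShell window while logged on as the affected user; Get-DsregField is a helper written for this example and parses the "Name : VALUE" lines that dsregcmd prints.

```powershell
# Added example (not from the Microsoft article): confirm the two indicators of a
# failed GPO auto-enrollment on the client. Run elevated, logged on as the affected user.

function Get-AutoEnrollFailures {
    # Event 76 from the provider named in the article; the 0x8018002b text is in Message.
    $filter = @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id      = 76
    }
    # SilentlyContinue: Get-WinEvent raises an error when no matching event exists.
    Get-WinEvent -FilterHashtable $filter -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Get-DsregField {
    # Helper for this example: return the value of one "Name : VALUE" line from dsregcmd /status.
    param([Parameter(Mandatory)][string]$Name)
    $pattern = "^\s*$([regex]::Escape($Name))\s*:\s*(.*)$"
    $line = dsregcmd /status | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if ($line -and $line -match $pattern) { return $Matches[1].Trim() }
    return $null
}

# 1. Has the enrollment task already failed with Event 76?
$events = @(Get-AutoEnrollFailures)
if ($events.Count -gt 0) {
    Write-Host "Event 76 logged $($events.Count) time(s); most recent:"
    $events[0] | Format-List
} else {
    Write-Host 'No Event 76 entries found yet (the scheduled task may not have run).'
}

# 2. Does this logon hold an Azure AD Primary Refresh Token?
$prt      = Get-DsregField -Name 'AzureAdPrt'
$logonUpn = (whoami /upn 2>$null)   # the UPN Windows actually used for this session
Write-Host "AzureAdPrt : $prt   (logon UPN: $logonUpn)"

if ($prt -ne 'YES') {
    Write-Warning ('AzureAdPrt is not YES: the user is not authenticated to Azure AD, ' +
                   'so Group Policy auto-enrollment cannot succeed. Check whether the ' +
                   'UPN suffix is verified and routable, as described in the Cause section.')
}
```

If the logon UPN ends in an internal suffix such as contoso.local, the Cause section applies; if AzureAdPrt is already YES and Event 76 still appears, the problem is elsewhere and the linked article (KB 4463749, user scope set to None) is the next thing to check.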