Windows auto-enrollment to Intune fails with error 0x8018002B, or the user sees "Something went wrong. Looks like we can't connect to the URL for your organization's MDM terms of use" when joining their device. Event Viewer shows Auto MDM Enroll events with error 0x8018002B or token broker errors like 0xCAA5001C. This is often due to the user not having a valid Intune license.

Resolution

1. Verify and assign the required license

Check the user has an Intune-capable license in the Microsoft 365 admin center:

1. Sign in to Microsoft 365 admin center.

2. Go to Users > Active users and select the user.

3. Select Licenses and apps. Ensure a license like Microsoft Intune, EMS E3/E5, Microsoft 365 Business Premium, or Microsoft 365 E3/E5 is assigned.

Using PowerShell to verify and assign:

Install-Module MSOnline -Force
Connect-MsolService

# Show the licenses currently assigned to the user
Get-MsolUser -UserPrincipalName user@domain.com | Select-Object UserPrincipalName, Licenses

# List available SKUs in the tenant
Get-MsolAccountSku

# Assign a license (replace contoso:EMS with your SKU)
Set-MsolUserLicense -UserPrincipalName user@domain.com -AddLicenses contoso:EMS

Allow up to an hour for license propagation, then retry enrollment.
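Seeing a SKU name in the Licenses column is not enough: the Intune service plan inside that SKU can be disabled or still pending, and enrollment then fails with the same error. The following added example (not part of the original article) walks the service plans of each assigned license with the MSOnline module the article already uses. It assumes Connect-MsolService has already run and that the Intune service plan is named INTUNE_A, which is the plan name common to all Intune-capable SKUs; the function name Test-IntuneLicense is this example's own.

```powershell
# Added example: check that a user's licenses include a provisioned Intune plan.
# Assumes Connect-MsolService has been run; INTUNE_A is the Intune service plan name.
function Test-IntuneLicense {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [string] $ServicePlanName = 'INTUNE_A'
    )

    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

    if (-not $user.IsLicensed) {
        return [pscustomobject]@{ User = $UserPrincipalName; IntuneReady = $false; Sku = $null; PlanStatus = 'No license assigned' }
    }

    # Walk every assigned license and every service plan inside it.
    foreach ($license in $user.Licenses) {
        foreach ($svc in $license.ServiceStatus) {
            if ($svc.ServicePlan.ServiceName -eq $ServicePlanName) {
                return [pscustomobject]@{
                    User        = $UserPrincipalName
                    # Only a provisioned plan allows enrollment; Disabled means the plan was
                    # switched off in the license, Pending* means propagation is not finished.
                    IntuneReady = ($svc.ProvisioningStatus -eq 'Success')
                    Sku         = $license.AccountSkuId
                    PlanStatus  = $svc.ProvisioningStatus
                }
            }
        }
    }

    return [pscustomobject]@{ User = $UserPrincipalName; IntuneReady = $false; Sku = $null; PlanStatus = "Licensed, but no $ServicePlanName plan in any assigned SKU" }
}

# Which SKUs in this tenant carry the Intune plan, and how many seats are left?
Get-MsolAccountSku |
    Where-Object { $_.ServiceStatus.ServicePlan.ServiceName -contains 'INTUNE_A' } |
    Select-Object AccountSkuId, ActiveUnits, ConsumedUnits

# Test the user who cannot enroll.
Test-IntuneLicense -UserPrincipalName 'user@domain.com'
```

A PlanStatus of PendingActivation or PendingInput means the license was assigned but has not propagated yet, which is the case the one-hour wait above covers; Disabled means someone turned the Intune plan off inside the SKU and it must be re-enabled under Licenses and apps. MSOnline is deprecated in favour of the Microsoft Graph PowerShell SDK, where Get-MgUserLicenseDetail returns the same ServicePlans/ProvisioningStatus information.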

2. Check MDM scope configuration

In the Azure portal:

1. Navigate to Microsoft Entra ID > Mobility (MDM and MAM) > Microsoft Intune.

2. Set MDM user scope to "All" or "Selected" (with the user in the selected group).

3. Set MAM user scope to "None".

4. Verify the MDM Terms of use URL is present.

3. Remove existing MDM enrollments

On the Windows device:

1. Go to Settings > Accounts > Access work or school.

2. If another MDM connection exists, select it and click Disconnect.

3. Reboot the device.

4. Check Event Viewer under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider for conflicts.
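Rather than scrolling the log by hand, the Auto MDM Enroll events and the enrollments the client already holds can be pulled with PowerShell. The following added example (not part of the original article) reads the DeviceManagement-Enterprise-Diagnostics-Provider Admin log named above, extracts the hex result code from each Auto MDM Enroll message, and lists the enrollment records under HKLM\SOFTWARE\Microsoft\Enrollments so a stale or conflicting enrollment can be spotted before reconnecting. It must run elevated. The two error hints are this example's own one-line descriptions of the codes the article mentions, and the registry value names ProviderID, EnrollmentType and UPN are assumed from typical client configurations.

```powershell
# Added example: list Auto MDM Enroll events and existing enrollments on the client. Run elevated.
# The hint table covers only the codes discussed in the article; descriptions are this example's own.
$ErrorHints = @{
    '0x8018002B' = 'MDM discovery/terms-of-use failed; check Intune license and MDM user scope'
    '0xCAA5001C' = 'Token broker could not obtain a token; check sign-in, MFA and Conditional Access'
}

function Get-AutoMdmEnrollEvents {
    param([int] $MaxEvents = 100)

    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

    Get-WinEvent -LogName $log -MaxEvents $MaxEvents -ErrorAction Stop |
        Where-Object { $_.Message -like '*Auto MDM Enroll*' } |
        ForEach-Object {
            # Messages carry the result as an 8-digit hex code, e.g. 0x8018002b; normalise its case.
            $code = $null
            if ($_.Message -match '(0x[0-9A-Fa-f]{8})') {
                $code = '0x' + $matches[1].Substring(2).ToUpper()
            }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Level   = $_.LevelDisplayName
                Code    = $code
                Hint    = if ($code -and $ErrorHints.ContainsKey($code)) { $ErrorHints[$code] } else { '' }
                Message = ($_.Message -split "`r?`n")[0]   # first line is enough for a table
            }
        }
}

function Get-ExistingEnrollments {
    $base = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^[0-9A-Fa-f-]{36}$' } |   # one GUID subkey per enrollment
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                EnrollmentId   = $_.PSChildName
                ProviderID     = $p.ProviderID        # assumed value name; 'MS DM Server' is the MDM provider
                EnrollmentType = $p.EnrollmentType    # assumed value name
                UPN            = $p.UPN               # assumed value name
            }
        }
}

Get-AutoMdmEnrollEvents | Format-Table -AutoSize
Get-ExistingEnrollments  | Format-Table -AutoSize
```

An enrollment record whose UPN belongs to a previous user, or a second record from another MDM provider, is the conflict step 2 above removes through Settings > Accounts > Access work or school; disconnect it there rather than deleting the registry key directly so the client also cleans up its certificates and scheduled tasks.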

4. Verify Group Policy auto-enrollment settings (for hybrid/domain-joined devices)

1. Open the GPO editor.

2. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > MDM.

3. Enable "Enable automatic MDM enrollment using default Azure AD credentials".

4. Select "User Credential" for user-owned devices.

5. Run gpupdate /force on the client and reboot.
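Whether the policy has actually reached the client is easiest to confirm from the registry values it writes and from the scheduled task the enrollment client creates once the policy applies. The following added example (not part of the original article) checks both. The key HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM with AutoEnrollMDM = 1 and UseAADCredentialType (1 = User Credential, 2 = Device Credential) is what the "Enable automatic MDM enrollment using default Azure AD credentials" policy sets; the task lives under \Microsoft\Windows\EnterpriseMgmt\ and its name begins with the text quoted later in this article. The function name Test-MdmAutoEnrollPolicy is this example's own.

```powershell
# Added example: confirm the auto-enrollment GPO applied and the enrollment task exists.
function Test-MdmAutoEnrollPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # UseAADCredentialType: 1 = User Credential, 2 = Device Credential
    $credType = 'not set'
    if ($p -and $p.UseAADCredentialType -eq 1) { $credType = 'User Credential' }
    elseif ($p -and $p.UseAADCredentialType -eq 2) { $credType = 'Device Credential' }

    # The enrollment client creates this task after the policy is processed; if it is
    # missing, the policy has not applied yet (gpupdate /force and reboot).
    $task = Get-ScheduledTask -ErrorAction SilentlyContinue |
            Where-Object {
                $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' -and
                $_.TaskName -like 'Schedule created by enrollment client*'
            } | Select-Object -First 1

    [pscustomobject]@{
        PolicyKeyPresent = [bool] $p
        AutoEnrollMDM    = if ($p) { $p.AutoEnrollMDM } else { $null }
        CredentialType   = $credType
        EnrollTaskFound  = [bool] $task
        EnrollTaskState  = if ($task) { $task.State } else { $null }
    }
}

$result = Test-MdmAutoEnrollPolicy
$result

if ($result.AutoEnrollMDM -ne 1) {
    Write-Warning 'Auto-enrollment policy has not applied; run gpupdate /force and reboot.'
}
elseif (-not $result.EnrollTaskFound) {
    Write-Warning 'Policy applied but no enrollment task yet; reboot or wait for the enrollment client.'
}
```

If AutoEnrollMDM is 1 but CredentialType reads Device Credential on a user-owned device, the wrong option was selected in the policy; switch it to User Credential as step 4 above requires.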

5. Resolve token broker authentication issues

Ensure the user can sign in to account.microsoft.com and complete MFA if required. Review Conditional Access policies in Azure AD for any policies blocking device enrollment.

Restart the TokenBroker service on the client:

Stop-Service -Name "TokenBroker" -Force
Start-Service -Name "TokenBroker"

Have the user sign out and back into Windows.

6. Check device enrollment limits

In the Azure portal:

1. Go to Microsoft Entra ID > Devices > Device settings.

2. Review "Maximum number of devices per user".

3. If the limit is reached, remove old device objects for the user.

4. Verify the on-premises UPN matches the Azure AD UPN (use Get-MsolUser).

Manually trigger enrollment

Check the current state:

dsregcmd /status

Go to Settings > Accounts > Access work or school > Connect, and sign in with the work account.

Alternatively, run the scheduled task: Task Scheduler > Microsoft > Windows > EnterpriseMgmt > right-click "Schedule created by enrollment client" > Run.

Verification

Check enrollment success:

dsregcmd /status

Look for AzureAdJoined : YES and EnterpriseJoined : YES. In the Intune admin center, the device should appear under Devices > All devices within 15 minutes. Event Viewer should show successful Auto MDM Enroll events.
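The dsregcmd /status output is long, and the values that explain this particular error sit in different sections. The following added example (not part of the original article) parses the "Name : Value" lines into a table and reports the join state together with the MdmUrl and MdmTouUrl fields that dsregcmd prints under Tenant Details; MdmTouUrl is the terms-of-use URL the error message in this article refers to, and both are empty when the user is unlicensed or outside the MDM user scope. The field names are what dsregcmd prints; the Ready flag and the function names are this example's own.

```powershell
# Added example: parse dsregcmd /status and report the fields relevant to MDM auto-enrollment.
function Get-DsregStatus {
    $table = @{}
    foreach ($line in (dsregcmd /status)) {
        # Data lines look like "      AzureAdJoined : YES"; section headers start with + or | and are skipped.
        # The name cannot contain ':', so the first colon is the separator even when the value is a URL.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*)$') {
            $table[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $table
}

function Test-MdmEnrollmentState {
    $s = Get-DsregStatus
    [pscustomobject]@{
        AzureAdJoined    = $s['AzureAdJoined']
        DomainJoined     = $s['DomainJoined']
        EnterpriseJoined = $s['EnterpriseJoined']
        MdmUrl           = $s['MdmUrl']       # empty: user unlicensed or outside MDM user scope
        MdmTouUrl        = $s['MdmTouUrl']    # the terms-of-use URL named in the error message
        # Ready is this example's own check: joined to Entra ID and an MDM endpoint was discovered.
        Ready            = ($s['AzureAdJoined'] -eq 'YES') -and -not [string]::IsNullOrEmpty($s['MdmUrl'])
    }
}

Test-MdmEnrollmentState
```

Run it once before the manual trigger and once after: an empty MdmUrl with AzureAdJoined : YES points back to licensing or MDM scope (steps 1 and 2), whereas a populated MdmUrl with enrollment still failing points to the token broker, Conditional Access, or device limit checks (steps 5 and 6).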