Last Updated on June 15, 2023 by rudyooms
This blog will be about troubleshooting the Intune enrollment when using a GPO or a PowerShell script to enroll an existing Azure Ad Joined OR Hybrid Azure Ad Joined device into Intune.
I decided to pull this part from my Enroll existing devices into Intune MDM blog because it was becoming too large after trying to answer some posts on Reddit and other forums 😉
I will divide this blog into multiple parts
- The first part will show you how to fix the enrollment when it was MAM enrolled instead of MDM enrolled.
- The second part will show you how to fix the 80190026 error when a device was previously enrolled with SCCM
- The third part will show you how to fix the 0x80180026 error when the scheduled task is executed
- The fourth part will show you how to fix the 0x8018002a error when the scheduled task is executed
- The fifth part will show you how to fix the 0x8018002b error when the scheduled task is executed
- The sixth part will show you how to fix the 0x80180001 error when the scheduled task is executed.
- The Seventh part will show you how to fix the 0x80192ee2/ 0x82aa0008 error when the scheduled task is executed
- The Eight part will show you how to manually create the Schedule to enroll in MDM from AAD when somehow it isn’t created
1. MAM Instead of MDM
When your device was previously enrolled with MAM instead of MDM, you could run into the famous “device is already being managed by an organization” error! if you ever stumble upon this issue you need to clean up the lingering registry keys first and run the deviceenroller.exe afterward.
$EnrollmentsPath = "HKLM:\SOFTWARE\Microsoft\Enrollments\"
$Enrollments = Get-ChildItem -Path $EnrollmentsPath
$DiscoveryServerFullUrls = @("https://wip.mam.manage.microsoft.com/Enroll")
Foreach ($Enrollment in $Enrollments) {
$EnrollmentObject = Get-ItemProperty Registry::$Enrollment
if ($EnrollmentObject."DiscoveryServiceFullURL" -in $DiscoveryServerFullUrls ) {
$EnrollmentPath = $EnrollmentsPath + $EnrollmentObject."PSChildName"
Remove-Item -Path $EnrollmentPath -Recurse
& "C:\Windows\System32\deviceenroller.exe /c /AutoEnrollMDM"
}
}2. The 80190026 error
When you have a device that was previously enrolled in SCCM you could end up with a situation where there is still one lingering registry key that could block the enrollment. When that specific key is stuck, you will end up with the error 80190026 and of course, as always the message indicating that something went wrong!
Open the registry and open this key: SOFTWARE\Microsoft\Enrollments
Please ensure the “ExternallyManaged” key doesn’t exist or is configured to zero and NOT to 1 as shown above!
3. The 0x80180026 Error
Most of the time this nice 0x80180026 error is only occurring at HAADJ devices. The first place to start looking at what is going on should always be the “Devicemanagement-Enterprise-Diagnostics-Provider” event log. As shown below, it will show you the error that it failed to enroll with RegisterDeviceWIthManagementUsingAADDeviceCredentials
This error can be resolved easily by making sure the “Disable MDM Enrollment” is not preventing your MDM Enrollment. I guess the name says it all
4. The 0x8018002a | 0x80070003 Error
As shown below, when trying to enroll your existing Azure Ad Joined device into Intune you could end up with the 0x8018002a or the 0x80070003 Error.
This error could be due to a lot of reasons but the 0x8018002a | 0x80070003 error is probably due to some Conditional Access rules you configured to make sure MFA is always required.
As shown above, this Conditional Access rule is targeted at “All Cloud Apps”. When we fix this error, we need to make sure we EXCLUDE the “Microsoft Intune Enrollment” Cloud app.
5. The famous 0x8018002b Error
Yes, why not? Another error we could encounter when enrolling a device into Intune.
The above error 0x8018002b could be thrown at you because of multiple reasons. Let’s take a look at some of them
- UPN ISSUES
- MDM Scope
- User License
- Patience
- Previously AADR enrolled
5.1 UPN Issues
Let’s start with some good old UPN issues!. When you didn’t configure the User Principal Name the right way! You will need to make sure the user his UPN matches your routable domain!
5.2 MDM Scope
It sounds obvious but when you didn’t configure the MDM scope or the user isn’t in the scope you will also run into this error. So please configure the MDM scope to “All” or “Some” (make sure the user is in that group!)
5.3 User License
As mentioned before, the enrollment is user-based so please make sure the user is licensed to use Intune! The best option you have to make sure the user is licensed to use Intune is running the “troubleshooting + support” tool in Intune
5.4 Patience
As mentioned in the blog about enrolling an existing device into MDM, it could really take a whole sometimes before your device is enrolled. So have some patience when the device isn’t being enrolled into Intune on the fly
5.5 Device previously AADR enrolled
Sometimes when a device was previously enrolled with AADR you could also encounter the 0x8018002b error. To solve it we could remove the lingering enrollments in the registry with this PowerShell script
$RegistryKeys = "HKLM:\SOFTWARE\Microsoft\Enrollments", "HKLM:\SOFTWARE\Microsoft\Enrollments\Status","HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked", "HKLM:\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled", "HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers","HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts", "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Logger", "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions"
$IntuneCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
$_.Issuer -match "Intune MDM"
} | Remove-Item
$EnrollmentID = Get-ScheduledTask | Where-Object {$_.TaskPath -like "*Microsoft*Windows*EnterpriseMgmt*"} | Select-Object -ExpandProperty TaskPath -Unique | Where-Object {$_ -like "*-*-*"} | Split-Path -Leaf
Get-ScheduledTask | Where-Object {$_.Taskpath -match $EnrollmentID} | Unregister-ScheduledTask -Confirm:$false
foreach ($Key in $RegistryKeys) {
if (Test-Path -Path $Key) {
get-ChildItem -Path $Key | Where-Object {$_.Name -match $EnrollmentID} | Remove-Item -Recurse -Force -Confirm:$false -ErrorAction SilentlyContinue
}
}
Start-Sleep -Seconds 30
$EnrollmentProcess = Start-Process -FilePath "C:\Windows\System32\DeviceEnroller.exe" -ArgumentList "/C /AutoenrollMDM" -NoNewWindow -Wait -PassThru6. The 0x80180001 Error
When enrolling your devices with the GPO or PowerShell script I showed you, you could run into the 0x80180001 error.
This error would only occur if you configured the credential type to use: Device Credential
As shown above, you need to configure the credential type to use: User Credential because Device Credential is only supported with Co-management or Azure Virtual Desktop. As shown in part 5 you needed to configure the MDM scope because the enrollment user-based NOT device-based
7. The 0x80192ee2/ 0x82aa000 Errors
When you have SCCM co-management in place for your HAADJ devices you could notice the 0x82aa000 error in the event log. Normally when you have configured the Auto MDM enroll GPO to use Device Credentials you are good to go!
But as shown below, you could still run into the “Impersonation failure” error
If you are noticing this error, please make sure that a user is logged in! Even when using device credentials it seems to fail when no user is logged in.
So please make sure a user is logged in on the device and if you don’t want to wait, just use the device enroller again! but this time with the AADeviceCredential paremeter
%windir%\system32\deviceenroller.exe /c /AutoEnrollMDMUsingAADDeviceCredential
8. Schedule to enroll in MDM from AAD not created
Sometimes when we are trying to enroll our device into Intune, a schedule named: Schedule Created by enrollment client for automatically enrolling in MDM from AAD Properties, will not be created automatically.
If for some reason that schedule isn’t created, you could always manually create the schedule, right?
$TaskScheduleName ="Schedule created by enrollment client for automatically enrolling in MDM from AAD"
$Date = Get-Date -Format "yyyy-MM-dd"
$Time = (Get-date).AddMinutes(5).ToString("HH:mm:ss")
$task = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Author>Microsoft Corporation</Author>
<URI>\Microsoft\Windows\EnterpriseMgmt\Schedule created by enrollment client for automatically enrolling in MDM from AAD</URI>
<SecurityDescriptor>D:P(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;LS)</SecurityDescriptor>
</RegistrationInfo>
<Triggers>
<TimeTrigger>
<Repetition>
<Interval>PT5M</Interval>
<Duration>P1D</Duration>
<StopAtDurationEnd>true</StopAtDurationEnd>
</Repetition>
<StartBoundary>$($Date)T$($Time)</StartBoundary>
<Enabled>true</Enabled>
</TimeTrigger>
</Triggers>
<Principals>
<Principal id="Author">
<UserId>S-1-5-18</UserId>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>false</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
<UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>%windir%\system32\deviceenroller.exe</Command>
<Arguments>/c /AutoEnrollMDM</Arguments>
</Exec>
</Actions>
</Task>
"@
(Register-ScheduledTask -XML $task -TaskName $TaskScheduleName -Force) | Out-null
Conclusion
Enrolling your device into Intune/MDM is always a smart thing to do but sometimes you could run into some weird failures. Hopefully, this blog showed you how to deal with some of them. If you have any additions feel free to send me a PM
I am trying to deploy an Azure AD Joined AVD with intune enrolment and I can’t find what I am doing wrong.
If I deploy the same AVD without Intune enrolment it works but I can’t depend of the user to enrol it.
I tried to use create the AutoEnrolment manually but it will fail on both, User or Device.
We have 100s of devices enrolled and I have no idea what might be causing only the AVDs to fail the enrolment
User Credential enrolment failure:
“Mobile Device Management (MDM) is not configured. (0x90180031)”
Device Credential enrolment error:
“The license of the user is in bad state blocking enrollment. (0x80180018)”
I assume you made sure the prereqs are all valid
https://docs.microsoft.com/en-us/mem/intune/fundamentals/azure-virtual-desktop
Really useful info and well documented – thank you!
On some (few) of our HAAD device enrolled into Intune by group policy, we are seeing the 0x8018002a Error.
To solve it we exclude the “Microsoft Intune Enrollment” app from our MFA CA policy.
I have only been able to try this on one machine, and at that point, I also exclude the “Microsoft Intune” app from the CA policy.
Is it enough to only exclude “Microsoft Intune Enrollment”?
After searching the Internet, I have a hard time understanding the difference between the two…
Another thing that makes me confusef is that we do not have “Microsoft Intune Enrollment” under Mobility (MDM and MAM), only Microsoft Intune…
Is that different from the cloud apps you can exclude in CA policies?
In older threads I see it explained like:
– Microsoft Intune: This represents Intune as a whole (and your Windows Intune subscription), and most of the configuration is in this application
– Microsoft Intune Enrollment: This only represents Intune enrollment as a security principal in AAD. All user based enrollments in Intune will be forced to authenticate against “Microsoft Intune Enrollment”. If the admin wants to configure AAD CA policies (e.g. 2FA) that only apply to enrollment, they should be done here.
https://social.technet.microsoft.com/Forums/en-US/2b01d554-8f1d-4333-9570-101d91ca1e6b/difference-between-intune-and-intune-enrollment-at-aad-gt-mdm-setting?forum=microsoftintuneprod
In a slightly newer thread its explained like:
“Microsoft Intune” covers both the MDM and MAM scenarios. So whenever users hit MDM discovery URL “https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc” or the MAM URL “https://wip.mam.manage.microsoft.com/Enroll” then a CA policy covering “Microsoft Intune” will be applied.
https://github.com/MicrosoftDocs/azure-docs/issues/27017
So my question is, if we want to avoid the 0x8018002a Error, is it enough to just exclude “Microsoft Intune Enrollment”? Can you please advise?
Thanks!
Already reached out on reddit 😛
im getting error Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0xcaa20003)
not listed there
Hi.. Nope as I didnt stumbled upon that error until now. Could you tell something more about your environment? by the looks of it, its an authentication error.
Haadj? Adfs?
Can you post some troubleshooting for below error
Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0xcaa82ee2)
specific to error code 0xcaa82ee2
Thank you, 2nd step fixed my issue.
Hi, I have Azure joined devices (not hybrid), and users with Intune licenses. I followed the steps (using powershell method) and prerequisites in the original guide. But the scheduled task is not being created am getting the following event viewer error when trying to run: C:\Windows\system32\deviceenroller.exe /c /AutoEnrollMDM
“Auto MDM Enroll: Device Credential (0x0), Failed (A specified logon session does not exist. It may already have been terminated.)”
Thank you so much!
I was getting “Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x80180026)” and the fix for number 2 error 80190026 did it for me! The ExternallyManaged key was set to 1. Set it to 0 and it worked like a charm!
Script doesnt seem to be working for me, have deployed a few times over 2 days but none are appearing in endpoint manager.
When I ask users to use company portal app they get the error “Your device is already connected to your organization” yet it shows MDM none and AAD joined in AAD.
Anything I can check when I dont have anything except CLI access to the devices or any thoughts?
Hi,
I’m a sys admin trying to enroll my devices into the Company Portal then to Intune, Company Portal has my sign in, but when I go to enroll, the set up your device page appears. On it, the first step, Add corporate account to this device (which is already signed in) has a yellow exclamation point. I’m not sure how to get Company Portal to detect my corporate account. When I hit next and add work account, opens a microsoft login window where I enter my email and it says this device is already connected to your organization.