How to Get the Intune Enrollment errors Outta Your Ass

Last Updated on November 21, 2022 by rudyooms

This blog will be about troubleshooting the Intune enrollment when using a GPO or a PowerShell script to enroll an existing Azure Ad Joined OR Hybrid Azure Ad Joined device into Intune.

I decided to pull this part from my Enroll existing devices into Intune MDM blog because it was becoming too large after trying to answer some posts on Reddit

I will divide this blog into multiple parts

The first part will show you how to fix the enrollment when it was MAM enrolled instead of MDM enrolled.

The second part will show you how to fix the 80190026 error when a device was previously enrolled with SCCM

The third part will show you how to fix the 0x80180026 error when the scheduled task is executed

The fourth part will show you how to fix the 0x8018002a error when the scheduled task is executed

The fifth part will show you how to fix the 0x8018002b error when the scheduled task is executed

The sixth part will show you how to fix the  0x80180001 error when the scheduled task is executed.

The Seventh part will show you how to fix the 0x80192ee2/ 0x82aa0008 error when the scheduled task is executed

1. MAM Instead of MDM

When your device was previously enrolled with MAM instead of MDM, you could run into the famous “device is already being managed by an organization” error! if you ever stumble upon this issue you need to clean up the lingering registry keys first and run the deviceenroller.exe afterward.

$EnrollmentsPath = "HKLM:\SOFTWARE\Microsoft\Enrollments\"
 
$Enrollments = Get-ChildItem -Path $EnrollmentsPath
  
$DiscoveryServerFullUrls = @("https://wip.mam.manage.microsoft.com/Enroll")
 
Foreach ($Enrollment in $Enrollments) {
      $EnrollmentObject = Get-ItemProperty Registry::$Enrollment
      if ($EnrollmentObject."DiscoveryServiceFullURL" -in $DiscoveryServerFullUrls ) {
            $EnrollmentPath = $EnrollmentsPath + $EnrollmentObject."PSChildName"
            Remove-Item -Path $EnrollmentPath -Recurse
            &  "C:\Windows\System32\deviceenroller.exe /c /AutoEnrollMDM"
      }
}

2. The 80190026 error

When you have a device that was previously enrolled in SCCM you could end up with a situation where there is still one lingering registry key that could block the enrollment. When that specific key is stuck, you will end up with the error 80190026 and of course, as always the message indicating that something went wrong!

Open the registry and open this key: SOFTWARE\Microsoft\Enrollments

Please make sure the “ExternallyManaged” key doesn’t exist or is configured to zero and NOT to 1 as shown above!

3. The 0x80180026 Error

Most of the time this nice 0x80180026 error is only occurring at HAADJ devices. As shown below, it will show you the error that it failed to enroll with RegisterDeviceWIthManagementUsingAADDeviceCredentials

This error can be resolved easily by making sure the “Disable MDM Enrollment” is not preventing your MDM Enrollment. I guess the name says it all

4. The 0x8018002a Error

As shown below, when trying to enroll your existing Azure Ad Joined device into Intune you could end up with the 0x8018002a Error.

This error could be due to a lot of reasons but the 0x8018002a error is probably due to some Conditional Access rules you configured to make sure MFA is always required.

As shown above, this Conditional Access rule is targeted at “All Cloud Apps”. When we fix this error, we need to make sure we EXCLUDE the “Microsoft Intune Enrollment” Cloud app.

5. The famous 0x8018002b Error

Yes, why not? Another error we could encounter when enrolling a device into Intune.

The above error 0x8018002b could be thrown at you because of multiple reasons. Let’s take a look at some of them

  • UPN ISSUES
  • MDM Scope
  • User License
  • Patience
  • Previously AADR enrolled

5.1 UPN Issues

Let’s start with some good old UPN issues!. When you didn’t configure the User Principal Name the right way! You will need to make sure the user his UPN matches your routable domain!

5.2 MDM Scope

It sounds obvious but when you didn’t configure the MDM scope or the user isn’t in the scope you will also run into this error. So please configure the MDM scope to “All” or “Some” (make sure the user is in that group!)

5.3 User License

As mentioned before, the enrollment is user-based so please make sure the user is licensed to use Intune! The best option you have to make sure the user is licensed to use Intune is running the “troubleshooting + support” tool in Intune

5.4 Patience

As mentioned in the blog about enrolling an existing device into MDM, it could really take a whole sometimes before your device is enrolled. So have some patience when the device isn’t being enrolled into Intune on the fly

Be Patient GIFs - Get the best GIF on GIPHY

5.5 Device previously AADR enrolled

Sometimes when a device was previously enrolled with AADR you could also encounter the 0x8018002b error. To solve it we could remove the lingering enrollments in the registry with this PowerShell script

$RegistryKeys = "HKLM:\SOFTWARE\Microsoft\Enrollments", "HKLM:\SOFTWARE\Microsoft\Enrollments\Status","HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked", "HKLM:\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled", "HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers","HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts", "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Logger", "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions"

$IntuneCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
		$_.Issuer -match "Intune MDM" 
	} | Remove-Item

$EnrollmentID = Get-ScheduledTask | Where-Object {$_.TaskPath -like "*Microsoft*Windows*EnterpriseMgmt*"} | Select-Object -ExpandProperty TaskPath -Unique | Where-Object {$_ -like "*-*-*"} | Split-Path -Leaf
	
Get-ScheduledTask | Where-Object {$_.Taskpath -match $EnrollmentID} | Unregister-ScheduledTask -Confirm:$false
			
			foreach ($Key in $RegistryKeys) {
				if (Test-Path -Path $Key) {
					get-ChildItem -Path $Key | Where-Object {$_.Name -match $EnrollmentID} | Remove-Item -Recurse -Force -Confirm:$false -ErrorAction SilentlyContinue
	}
			}

			Start-Sleep -Seconds 30
		
$EnrollmentProcess = Start-Process -FilePath "C:\Windows\System32\DeviceEnroller.exe" -ArgumentList "/C /AutoenrollMDM" -NoNewWindow -Wait -PassThru

6.  The 0x80180001 Error

When enrolling your devices with the GPO or PowerShell script I showed you, you could run into the 0x80180001 error.

This error would only occur if you configured the credential type to use: Device Credential

As shown above, you need to configure the credential type to use: User Credential because Device Credential is only supported with Co-management or Azure Virtual Desktop. As shown in part 5 you needed to configure the MDM scope because the enrollment user-based NOT device-based

7. The 0x80192ee2/ 0x82aa000 Errors

When you have SCCM co-management in place for your HAADJ devices you could notice the 0x82aa000 error in the event log. Normally when you have configured the Auto MDM enroll GPO to use Device Credentials you are good to go!

But as shown below, you could still run into the “Impersonation failure” error

If you are noticing this error, please make sure that a user is logged in! Even when using device credentials it seems to fail when no user is logged in.

So please make sure a user is logged in on the device and if you don’t want to wait, just use the device enroller again! but this time with the AADeviceCredential paremeter

%windir%\system32\deviceenroller.exe /c /AutoEnrollMDMUsingAADDeviceCredential

Conclusion

Enrolling your device into Intune/MDM is always a smart thing to do but sometimes you could run into some weird failures. Hopefully, this blog showed you how to deal with some of them. If you have any additions feel free to send me a PM

Failure GIFs | Tenor

5 thoughts on “How to Get the Intune Enrollment errors Outta Your Ass

  1. I am trying to deploy an Azure AD Joined AVD with intune enrolment and I can’t find what I am doing wrong.
    If I deploy the same AVD without Intune enrolment it works but I can’t depend of the user to enrol it.

    I tried to use create the AutoEnrolment manually but it will fail on both, User or Device.
    We have 100s of devices enrolled and I have no idea what might be causing only the AVDs to fail the enrolment

    User Credential enrolment failure:
    “Mobile Device Management (MDM) is not configured. (0x90180031)”

    Device Credential enrolment error:
    “The license of the user is in bad state blocking enrollment. (0x80180018)”

    1. I assume you made sure the prereqs are all valid

      https://docs.microsoft.com/en-us/mem/intune/fundamentals/azure-virtual-desktop

  2. On some (few) of our HAAD device enrolled into Intune by group policy, we are seeing the 0x8018002a Error.

    To solve it we exclude the “Microsoft Intune Enrollment” app from our MFA CA policy.

    I have only been able to try this on one machine, and at that point, I also exclude the “Microsoft Intune” app from the CA policy.

    Is it enough to only exclude “Microsoft Intune Enrollment”?

    After searching the Internet, I have a hard time understanding the difference between the two…

    Another thing that makes me confusef is that we do not have “Microsoft Intune Enrollment” under Mobility (MDM and MAM), only Microsoft Intune…

    Is that different from the cloud apps you can exclude in CA policies?

    In older threads I see it explained like:
    – Microsoft Intune: This represents Intune as a whole (and your Windows Intune subscription), and most of the configuration is in this application
    – Microsoft Intune Enrollment: This only represents Intune enrollment as a security principal in AAD. All user based enrollments in Intune will be forced to authenticate against “Microsoft Intune Enrollment”. If the admin wants to configure AAD CA policies (e.g. 2FA) that only apply to enrollment, they should be done here.
    https://social.technet.microsoft.com/Forums/en-US/2b01d554-8f1d-4333-9570-101d91ca1e6b/difference-between-intune-and-intune-enrollment-at-aad-gt-mdm-setting?forum=microsoftintuneprod

    In a slightly newer thread its explained like:
    “Microsoft Intune” covers both the MDM and MAM scenarios. So whenever users hit MDM discovery URL “https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc” or the MAM URL “https://wip.mam.manage.microsoft.com/Enroll” then a CA policy covering “Microsoft Intune” will be applied.
    https://github.com/MicrosoftDocs/azure-docs/issues/27017

    So my question is, if we want to avoid the 0x8018002a Error, is it enough to just exclude “Microsoft Intune Enrollment”? Can you please advise?

    Thanks!

Leave a Reply

Your email address will not be published.

52  +    =  59