Troubleshooting Device Enrolment Issues - Admin Guide

This article provides suggestions for troubleshooting the most common device enrollment issues in Microsoft Intune.


General troubleshooting steps

When you encounter issues during provisioning of a Windows device that are related to device enrollment in Intune, use Event Viewer on the device to inspect the enrollment log under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin. Errors and warnings in this log usually name the stage (discovery, authentication, enrollment, sync) at which the process failed.

"Securing your hardware" error

If you see this error message while the device is in the staging process, clear the TPM: press Shift+F10 to open a command prompt, type tpm.msc and press Enter to open the TPM Management console, then click Clear TPM in the right-hand pane. Read the cautionary message before continuing (clearing the TPM destroys every key stored in it, so make sure the device holds no BitLocker volumes or other TPM-bound data you still need), then click Restart to reset the TPM.

"This device is already enrolled" error

While attempting to join a device to Azure AD, you receive the error "This device is already enrolled. You can contact your system administrator with the error code 0x8018000a", and an Intune administrator has confirmed that the device is not listed in Endpoint Manager's All Devices report (that is, it is not currently enrolled in Intune).

This happens because residual information from the device's previous Intune enrollment is still present in the Windows registry, so the MDM client believes an enrollment already exists. To resolve the issue, perform the following:

  1. Open Registry Editor, go to the following keys and delete the GUID-named subkeys under each. Export each key before deleting it so the change can be reverted, and leave the non-GUID subkeys under Enrollments (such as Context, Ownership, Status and ValidNodePaths) in place:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\[guid]
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\[guid that holds the stale enrollment information]
  2. Open an elevated Command Prompt window and run dsregcmd /leave.

Reboot the machine and attempt enrollment again.
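The cleanup above, as an added PowerShell example that is not part of the original article. It enumerates only the GUID-named subkeys under the two locations listed, prints the UPN and DiscoveryServiceFullURL values commonly stored in a stale enrollment so you can confirm they belong to an old enrollment, exports each subkey to a .reg backup, and deletes nothing unless -Remove is supplied. The backup directory and the assumption that reg.exe and dsregcmd.exe are on the path are the example's own choices.

```powershell
# Added example (not part of the original article): list, back up and remove the
# GUID-named registry subkeys left behind by a previous Intune enrollment, then leave Azure AD.
# Run from an elevated PowerShell session. Nothing is deleted unless -Remove is passed.
param(
    [switch]$Remove,
    [string]$BackupDir = "$env:SystemDrive\EnrollmentBackup"   # assumed backup location
)

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Enrollments',
    'HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked'
)

# Match subkeys whose name is a GUID, with or without braces. Non-GUID subkeys under
# Enrollments (Context, Ownership, Status, ValidNodePaths) are deliberately left alone.
$guidPattern = '^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$'

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { Write-Host "Not present: $key"; continue }

    $leftovers = Get-ChildItem -Path $key | Where-Object { $_.PSChildName -match $guidPattern }
    if (-not $leftovers) { Write-Host "No GUID subkeys under $key"; continue }

    foreach ($k in $leftovers) {
        # Show what the stale enrollment pointed at so the admin can confirm it is not live
        $props = Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue
        Write-Host ("{0}`n  UPN={1}  DiscoveryServiceFullURL={2}" -f $k.PSPath, $props.UPN, $props.DiscoveryServiceFullURL)

        # reg.exe wants the native hive path (HKEY_LOCAL_MACHINE\...), which RegistryKey.Name provides
        $regPath = $k.Name
        $backup  = Join-Path $BackupDir ("{0}.reg" -f $k.PSChildName.Trim('{}'))
        reg.exe export "$regPath" "$backup" /y | Out-Null

        if ($Remove) {
            Remove-Item -Path $k.PSPath -Recurse -Force
            Write-Host "  removed (backup: $backup)"
        }
    }
}

if ($Remove) {
    # Drop the stale Azure AD join state; reboot before retrying enrollment
    dsregcmd.exe /leave
    Write-Host 'Registry cleaned and dsregcmd /leave executed. Reboot, then enroll again.'
}
```

Run it once without -Remove to review what would be deleted; if a listed GUID corresponds to an enrollment that is still expected to be active (for example a device that is in fact shown in the admin console), stop and investigate before removing anything.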

Provisioning package fails to join device to Azure AD

When the provisioning package is applied to a device, either during OOBE or through Windows Settings, everything appears to work: the device reboots, its name is changed to UWIN-%SERIAL% and the uwinadmin local admin account is created, but the package fails to join the device to Azure AD. After the reboot, the Windows sign-in screen does not allow signing in with Azure accounts (the "Other User" option is missing), only with the local account, and the device is not found in Endpoint Manager.

Most likely the computer lost network connectivity while the provisioning package was being applied. To confirm or rule this out, look in Event Viewer for these events:

Event ID 44: MDM Push: Failed to renew WNS Push Channel for MDM Push Sessions. Result: (The network is not present or not started.).

Event ID 212: MDM Session: Failed to get AAD Token for sync session User Token: (Unknown Win32 Error code: 0xcaa10001) Device Token: (The network location cannot be reached. For information about network troubleshooting, see Windows Help.).

For best outcome, connect your computer to a wired network on a subnet outside of the University firewall during provisioning. 
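An added PowerShell example, not part of the original article, that pulls the enrollment log named in the general troubleshooting steps above and surfaces the network-related events 44 and 212 described in this section, together with any other error-level events since the last boot. The default time window and the hypothetical command-line parameters are the example's own assumptions; the log name is the one Event Viewer shows under DeviceManagement-Enterprise-Diagnostics-Provider.

```powershell
# Added example (not part of the original article): query the MDM enrollment diagnostics
# log for the events this article associates with lost network connectivity (44 and 212)
# and for any other errors since the device last booted.
param(
    [int[]]$EventId = @(44, 212),   # IDs called out in the article; override to look for others
    [datetime]$Since = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
)

$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

# Hash-table filters are evaluated by the event log service itself, which is much faster
# than pulling every record and filtering with Where-Object.
$byId = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = $EventId
    StartTime = $Since
} -ErrorAction SilentlyContinue

# Level 2 = Error. This catches enrollment failures the article does not list.
$errors = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Level     = 2
    StartTime = $Since
} -ErrorAction SilentlyContinue

# Merge both result sets, drop nulls from empty queries, and de-duplicate on RecordId
# (an error with one of the requested IDs appears in both queries).
$events = @($byId) + @($errors) |
    Where-Object { $_ -ne $null } |
    Group-Object RecordId |
    ForEach-Object { $_.Group[0] } |
    Sort-Object TimeCreated

$events |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# Events 44 and 212 during provisioning mean WNS / Azure AD could not be reached from the device
if ($events | Where-Object { $_.Id -in 44, 212 }) {
    Write-Warning 'Events 44/212 found: the device lost network during provisioning. Re-provision on a wired connection.'
}
```

Run it from an elevated prompt on the affected device; if neither event appears but enrollment still failed, the error-level rows in the table point at the stage that did fail.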

Provisioning via Group Tag

When you join a device using a group tag (for example SharedOfficePC or ITS-GPClassroom) and the device fails to provision correctly, you may see this screen:

 

If you reach this screen, the configuration did not apply correctly. To recover, sign in as defaultuser0; this account is built into Windows, has no password and is only active during OOBE. Once signed in, open Start, type Reset this PC and run the reset. Make sure a laptop is connected to its AC adapter and, where possible, that the device is on a wired Ethernet connection. After the reset completes and the PC reboots, the correct group tag profile should be applied.

Details

Article ID: 148878
Created
Mon 1/30/23 4:29 PM
Modified
Mon 11/13/23 1:37 PM