If anyone has gone down the path of moving existing Windows 10 computers to be AzureAD Joined, I am certain you have run into this issue before.
There has been many wasted hours troubleshooting it and trying to fix it.
Azure AD join error code 8018000a – This device is already enrolled
The common fixes are related to SCCM or similar, but if you deal with small business its unlikely that these softwares have been on the device before and the issue is not related to that.
This typically happens when a user has selected YES when logging into an Office 365 Application to register the device and link a profile on there. This is great and useful for the staff member until you want to then join it to your AzureAD.
We have lost countless hours with this error across different customers and the fix has been to either
- Log into the users profile that added the work profile, go into access work or school and disconnect the account.
This is horrible and sucks if multiple people use that computer - Delete the user profiles from the computer via the User account section via “control userpasswords2” from the run command.
An option, but then you also lose all the user accounts and info on the computer
After many lost hours, we have finally found a solution to this problem. We have found the relevant information that has the device linked up and have created an easy powershell script to clear out the information for you WITHOUT deleting any user accounts/profiles and allow you to get the device AzureAD Joined.
Where is the info stored?
For your knowledge, the main registry key that controls this is stored here
HKLM:\SOFTWARE\Microsoft\Enrollments\
There will be a large chunk of SID’s in this section, however we have set up the powershell to grab the correct one and clean it up.
The second place is in scheduled tasks. We also need to clean up its tasks and remove the folder.
\Microsoft\Windows\EnterpriseMgmt\<SID>
You don’t need to, but to help keep azure clean, delete the registered device in AzureAD and then you will be ready to join it!
The Fix!
I have shared the powershell script below that we have created. You will need to ensure the execution policy is set to allow scripts to run on the computer (set-executionpolicy unrestricted
Simply copy the powershell script below and save it. It needs to be run from a powershell as administrator prompt.
##This script checks for devices registered to AzureAD and removes them so you can successfully perform an AzureAD join.
# We recommend you backup your registry prior to running. We take no responisbility for the use of this script.
$sids = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked' -name |where-object {$_.Length -gt 25}
Foreach ($sid in $sids){
Write-host "Found a registered device. Would you like to remove the device registration settings for SID: $($sid)?" -ForegroundColor Yellow
$Readhost = Read-Host " ( y / n ) "
Switch ($ReadHost)
{
Y {Write-host "Yes, Remove registered device"; $removedevice=$true}
N {Write-Host "No, do not remove device registration"; $removedevice=$false}
Default {Write-Host "Default, Do not remove device registration"; $removedevice=$false}
}
if ($removedevice -eq $true) {
$enrollmentpath = "HKLM:\SOFTWARE\Microsoft\Enrollments\$($sid)"
$entresourcepath = "HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\$($sid)"
##Remove device from enrollments in registry
$value1 = Test-Path $enrollmentpath
If ($value1 -eq $true) {
write-host "$($sid) exists and will be removed"
Remove-Item -Path $enrollmentpath -Recurse -confirm:$false
Remove-Item -Path $entresourcepath -Recurse -confirm:$false
}
Else {Write-Host "The value does not exist, skipping"}
##Cleanup scheduled tasks related to device enrollment and the folder for this SID
Get-ScheduledTask -TaskPath "\Microsoft\Windows\EnterpriseMgmt\$($sid)\*"| Unregister-ScheduledTask -Confirm:$false
$scheduleObject = New-Object -ComObject Schedule.Service
$scheduleObject.connect()
$rootFolder = $scheduleObject.GetFolder("\Microsoft\Windows\EnterpriseMgmt")
$rootFolder.DeleteFolder($sid,$null)
Write-Host "Device registration cleaned up for $($sid). If there is more than 1 device registration, we will continue to the next one."
pause
} else { Write-host "Removal has been cancelled for $($sid)"}
}
write-host "Cleanup of device registration has been completed. Ensure you delete the device registration in AzureAD and you can now join your device."
I really hope this has helped you.
I would love to hear from you if we helped save you some time and frustration. Reach out to me on Linkedin https://www.linkedin.com/in/leon-black/