If you've removed a device from Microsoft Intune or Entra ID (formerly Azure AD) and are trying to re-enroll it, you may encounter the frustrating "This device is already enrolled" error (error code 0x8018000a). This happens because Windows retains enrollment artifacts from the previous registration, even after the device has been removed from the admin portal.
Why This Happens
When a device is removed from Intune or Entra ID through the admin console, the device itself doesn't automatically clean up its local enrollment data. This leaves behind:
- Registry keys containing enrollment IDs and configuration
- Scheduled tasks that were used for MDM policy sync
- Certificates issued by Microsoft Intune MDM
- Provisioning data and enrollment state
When you try to enroll the device again, Windows detects this stale data and incorrectly believes the device is still enrolled.
The Solution: Clean Up Stale Enrollment Data
The fix requires removing all traces of the previous enrollment. You can do this manually or use a PowerShell script to automate the process.
Option 1: PowerShell Script (Recommended)
Save the following script as Remove-IntuneEnrollment.ps1, review it, and run it from an elevated (Administrator) PowerShell session. Note that it only cleans up the enrollment recorded in CurrentEnrollmentId; if the device has been enrolled more than once, check HKLM\SOFTWARE\Microsoft\Enrollments for other GUID-named keys afterwards.
```powershell
# Remove-IntuneEnrollment.ps1
# Removes stale Intune enrollment data to allow re-enrollment
# Run from an elevated (Administrator) PowerShell session
#Requires -RunAsAdministrator

# Find the current enrollment ID
Try {
    $enrollment = Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Logger -Name CurrentEnrollmentId -ErrorAction Stop
}
Catch {
    Write-Host "No enrollment found. Device may already be clean." -ForegroundColor Yellow
    exit
}

$enrollmentId = [string]$enrollment.CurrentEnrollmentId

# Refuse to continue unless the value is a GUID. An empty or malformed value would
# turn the paths below into their parent keys, and Remove-Item -Recurse would then
# delete every enrollment on the device instead of the stale one.
$parsed = [Guid]::Empty
If (-not [Guid]::TryParse($enrollmentId, [ref]$parsed)) {
    Write-Host "CurrentEnrollmentId '$enrollmentId' is not a GUID. Refusing to continue." -ForegroundColor Red
    exit 1
}

Write-Host "Found enrollment ID: $enrollmentId" -ForegroundColor Cyan
Write-Host "Cleaning up enrollment data..." -ForegroundColor Cyan

# Remove scheduled tasks (the MDM sync tasks live in a folder named after the enrollment ID)
Try {
    $scheduleObject = New-Object -ComObject Schedule.Service
    $scheduleObject.Connect()
    $TaskFolder = $scheduleObject.GetFolder("\Microsoft\Windows\EnterpriseMgmt\$enrollmentId")
    $Tasks = $TaskFolder.GetTasks(1)    # 1 = include hidden tasks
    ForEach ($Task in $Tasks) {
        Write-Host "  Removing task: $($Task.Name)"
        $TaskFolder.DeleteTask($Task.Name, 0)
    }
    # The folder can only be deleted once it is empty
    $rootFolder = $scheduleObject.GetFolder("\Microsoft\Windows\EnterpriseMgmt")
    $rootFolder.DeleteFolder($enrollmentId, 0)
    Write-Host "  Scheduled tasks removed" -ForegroundColor Green
}
Catch {
    Write-Host "  No scheduled tasks found or already removed" -ForegroundColor Yellow
}

# Remove registry keys tied to this enrollment
$regPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Enrollments\$enrollmentId",
    "HKLM:\SOFTWARE\Microsoft\Enrollments\Status\$enrollmentId",
    "HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\$enrollmentId",
    "HKLM:\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\$enrollmentId",
    "HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers\$enrollmentId",
    "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\$enrollmentId",
    "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Logger\$enrollmentId",
    "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions\$enrollmentId"
)
ForEach ($path in $regPaths) {
    If (Test-Path $path) {
        Remove-Item $path -Recurse -Force -ErrorAction SilentlyContinue
        Write-Host "  Removed: $path" -ForegroundColor Green
    }
}

# Remove the CurrentEnrollmentId property so Windows no longer points at the deleted enrollment
Remove-ItemProperty HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Logger -Name CurrentEnrollmentId -Force -ErrorAction SilentlyContinue

# Remove Intune MDM device certificates from the machine store (current and legacy issuer names)
$certNew = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -Match "CN=Microsoft Intune MDM Device CA" }
$certOld = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -Match "CN=SC_Online_Issuing" }
If ($certNew) {
    $certNew | Remove-Item -Force -ErrorAction SilentlyContinue
    Write-Host "  Removed Intune MDM certificate" -ForegroundColor Green
}
If ($certOld) {
    $certOld | Remove-Item -Force -ErrorAction SilentlyContinue
    Write-Host "  Removed legacy Intune certificate" -ForegroundColor Green
}

Write-Host ""
Write-Host "Cleanup complete! Restart the computer and try enrolling again." -ForegroundColor Green
```

Option 2: Manual Cleanup
If you prefer to clean up manually:
- Find the Enrollment ID: Open Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Logger. Note the CurrentEnrollmentId value (a GUID).
- Delete Scheduled Tasks: Open Task Scheduler and navigate to Microsoft\Windows\EnterpriseMgmt. Delete the tasks inside the folder matching your enrollment ID, then delete the folder itself.
- Delete Registry Keys: In Registry Editor, delete any keys named with your enrollment ID under:
  - HKLM\SOFTWARE\Microsoft\Enrollments\
  - HKLM\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\
  - HKLM\SOFTWARE\Microsoft\PolicyManager\
  - HKLM\SOFTWARE\Microsoft\Provisioning\OMADM\
- Remove MDM Certificates: Open certlm.msc (Local Computer Certificates), go to Personal > Certificates, and delete any certificates issued by "Microsoft Intune MDM Device CA".
After Cleanup
Once you've run the script or completed the manual cleanup:
- Restart the computer
- If the device was Entra ID (Azure AD) joined and you intend to re-join it, run dsregcmd /leave from an elevated command prompt before re-joining. Do this while signed in as a local administrator rather than as an Entra ID user: once the device has left, Entra ID accounts can no longer sign in to it. dsregcmd /status shows whether the device is still joined (AzureAdJoined) and whether an MDM URL is still recorded (MdmUrl).
- Attempt the enrollment again through Settings > Accounts > Access work or school
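Before running either cleanup, and again after the reboot, it helps to see exactly which of the artifacts listed under "Why This Happens" are present. The following read-only audit is an added example and is not part of the original article or its cleanup script. It enumerates every GUID-named key under HKLM\SOFTWARE\Microsoft\Enrollments (not only the one in CurrentEnrollmentId), the EnterpriseMgmt task folders, the MDM certificates, and the join state reported by dsregcmd /status. The value names ProviderID, UPN and EnrollmentState are assumed from what enrolled devices typically record and may be absent for some enrollment types.

```powershell
# Get-IntuneEnrollmentArtifacts.ps1 (added example, not part of the original article)
# Read-only audit of the MDM enrollment artifacts on this device. Run it before the
# cleanup to see what will be touched, and again after the reboot to confirm the
# device is clean before re-enrolling. Nothing here modifies the device.
#Requires -RunAsAdministrator

function Get-DsregValue {
    # Pull one "Name : value" field out of dsregcmd /status output
    param([string[]]$Lines, [string]$Name)
    $m = $Lines | Select-String "^\s*$Name\s*:\s*(.*)$" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { $null }
}

function Get-IntuneEnrollmentArtifacts {
    $logger = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Logger' -ErrorAction SilentlyContinue
    $currentId = [string]$logger.CurrentEnrollmentId

    # Every enrollment recorded under Enrollments, not just the current one. Only the
    # GUID-named subkeys are enrollments; Status, Context, Ownership and the like are
    # housekeeping keys. ProviderID/UPN/EnrollmentState are value names observed on
    # enrolled devices (assumption: they may be missing on some enrollment types).
    $enrollments = @(Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' } |
        ForEach-Object {
            $p = Get-ItemProperty -LiteralPath $_.PSPath
            [pscustomobject]@{
                EnrollmentId = $_.PSChildName
                ProviderID   = $p.ProviderID        # "MS DM Server" for Intune
                UPN          = $p.UPN
                State        = $p.EnrollmentState
                IsCurrent    = ($_.PSChildName -eq $currentId)
            }
        })

    # Scheduled-task folders under \Microsoft\Windows\EnterpriseMgmt, one per enrollment ID
    $taskFolders = @()
    $svc = New-Object -ComObject Schedule.Service
    $svc.Connect()
    try {
        $root = $svc.GetFolder('\Microsoft\Windows\EnterpriseMgmt')
        foreach ($f in $root.GetFolders(0)) {
            $taskFolders += [pscustomobject]@{ Folder = $f.Name; TaskCount = @($f.GetTasks(1)).Count }
        }
    } catch { }   # the folder does not exist on a never-enrolled device

    # MDM device certificates in the machine store (current and legacy issuer names)
    $certs = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -match 'Microsoft Intune MDM Device CA|SC_Online_Issuing' } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint)

    # Join state and the MDM URL still registered, as dsregcmd sees them
    $ds = dsregcmd /status

    [pscustomobject]@{
        CurrentEnrollmentId = $currentId
        Enrollments         = $enrollments
        TaskFolders         = $taskFolders
        Certificates        = $certs
        AzureAdJoined       = Get-DsregValue -Lines $ds -Name 'AzureAdJoined'
        MdmUrl              = Get-DsregValue -Lines $ds -Name 'MdmUrl'
    }
}

$a = Get-IntuneEnrollmentArtifacts
"CurrentEnrollmentId : $($a.CurrentEnrollmentId)"
"AzureAdJoined       : $($a.AzureAdJoined)"
"MdmUrl              : $($a.MdmUrl)"
"`nEnrollments:";    $a.Enrollments  | Format-Table -AutoSize | Out-String
"Task folders:";     $a.TaskFolders  | Format-Table -AutoSize | Out-String
"MDM certificates:"; $a.Certificates | Format-Table -AutoSize | Out-String

# A clean device has no CurrentEnrollmentId, no task folder and no MDM certificate;
# if any of these survive the cleanup and reboot, re-enrollment will still fail.
if ($a.CurrentEnrollmentId -or $a.TaskFolders.Count -or $a.Certificates.Count) {
    Write-Warning "Enrollment artifacts remain on this device."
}
```

If the audit lists an enrollment key whose GUID differs from CurrentEnrollmentId, the cleanup script will not touch it; remove that key, its task folder and its registry entries by the same method using that GUID.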
Preventing Future Issues
To avoid this problem in the future:
- Proper device retirement: Use Intune's "Retire" or "Wipe" actions before removing devices, which triggers proper local cleanup
- Autopilot reset: For Autopilot-enrolled devices, use the "Autopilot Reset" option instead of manual removal
- Fresh Start: If reprovisioning a device, consider using Windows "Fresh Start" or a clean OS reinstall
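Retiring through Intune rather than deleting the device object from Entra ID is what lets the MDM client remove its own enrollment. The script below is an added example, not part of the original article, showing the Retire action issued through the Microsoft Graph API. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can consent to the DeviceManagementManagedDevices.Read.All and DeviceManagementManagedDevices.PrivilegedOperations.All scopes; the device is selected by its Intune device name, which is passed in as a parameter.

```powershell
# Retire-IntuneDevice.ps1 (added example, not part of the original article)
# Retires a managed device through the Intune Graph API instead of deleting the
# device object from Entra ID. Retire queues an action that the MDM client runs on
# its next check-in, removing its own enrollment and the local artifacts with it.
# Assumes the Microsoft.Graph SDK is installed and the caller can consent to the
# scopes below.
param(
    [Parameter(Mandatory)] [string] $DeviceName
)

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All',
                        'DeviceManagementManagedDevices.PrivilegedOperations.All' | Out-Null

# Escape single quotes so the device name cannot alter the OData filter
$safeName = $DeviceName.Replace("'", "''")
$uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$filter=deviceName eq '$safeName'"
$devices = @((Invoke-MgGraphRequest -Method GET -Uri $uri).value)

# Fail closed if the name is ambiguous or unknown rather than retiring the wrong device
if ($devices.Count -ne 1) {
    throw "Expected exactly one managed device named '$DeviceName', found $($devices.Count)."
}
$id = $devices[0].id
"Retiring $DeviceName (managedDeviceId $id, last sync $($devices[0].lastSyncDateTime))"

# POST .../retire queues the action; the device executes it on its next check-in
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$id/retire"
"Retire queued. Wait for the device to check in before removing it from Entra ID."
```

Only delete the Entra ID device object after the retire has completed on the device; deleting it first is exactly the sequence that leaves the stale local data behind.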
Related Error Codes
Similar cleanup may be needed for these related errors:
- 0x8018000a - Device is already enrolled
- 0x8018002b - Device was previously enrolled with AADR
- 0x80180026 - Device is already managed by an organization
Need help with Intune or Entra ID device management? Contact TechNet New England for assistance with your Microsoft 365 and endpoint management.