Fix

When re-enrolling a device into Microsoft Intune or Entra ID, you may encounter the 0x8018000a error. Here's how to clean up stale enrollment data and fix it.

Published 2026-01-28 by TechNet Team

If you've removed a device from Microsoft Intune or Entra ID (formerly Azure AD) and are trying to re-enroll it, you may encounter the frustrating "This device is already enrolled" error (error code 0x8018000a). This happens because Windows retains enrollment artifacts from the previous registration, even after the device has been removed from the admin portal.

Why This Happens

When a device is removed from Intune or Entra ID through the admin console, the device itself doesn't automatically clean up its local enrollment data. This leaves behind:

When you try to enroll the device again, Windows detects this stale data and incorrectly believes the device is still enrolled.

The Solution: Clean Up Stale Enrollment Data

The fix requires removing all traces of the previous enrollment. You can do this manually or use a PowerShell script to automate the process.

Option 1: PowerShell Script (Recommended)

Save the following script as Remove-IntuneEnrollment.ps1 and run it as Administrator:

# Remove-IntuneEnrollment.ps1
# Removes stale Intune enrollment data to allow re-enrollment
# Run as Administrator

# Find the current enrollment ID
Try {
    $enrollment = Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Logger -Name CurrentEnrollmentId -ErrorAction Stop
}
Catch {
    Write-Host "No enrollment found. Device may already be clean." -ForegroundColor Yellow
    exit
}

If ($enrollment) {
    $enrollmentId = $enrollment.CurrentEnrollmentId
    Write-Host "Found enrollment ID: $enrollmentId" -ForegroundColor Cyan
    Write-Host "Cleaning up enrollment data..." -ForegroundColor Cyan

    # Remove scheduled tasks
    Try {
        $scheduleObject = New-Object -ComObject Schedule.Service
        $scheduleObject.Connect()
        $TaskFolder = $scheduleObject.GetFolder("\Microsoft\Windows\EnterpriseMgmt\$enrollmentId")
        $Tasks = $TaskFolder.GetTasks(1)
        ForEach($Task in $Tasks) {
            Write-Host "  Removing task: $($Task.Name)"
            $TaskFolder.DeleteTask($Task.Name, 0)
        }
        $rootFolder = $scheduleObject.GetFolder("\Microsoft\Windows\EnterpriseMgmt\")
        $rootFolder.DeleteFolder($enrollmentId, 0)
        Write-Host "  Scheduled tasks removed" -ForegroundColor Green
    }
    Catch {
        Write-Host "  No scheduled tasks found or already removed" -ForegroundColor Yellow
    }

    # Remove registry keys
    $regPaths = @(
        "HKLM:\SOFTWARE\Microsoft\Enrollments\$enrollmentId",
        "HKLM:\SOFTWARE\Microsoft\Enrollments\Status\$enrollmentId",
        "HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\$enrollmentId",
        "HKLM:\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\$enrollmentId",
        "HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers\$enrollmentId",
        "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\$enrollmentId",
        "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Logger\$enrollmentId",
        "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions\$enrollmentId"
    )

    ForEach ($path in $regPaths) {
        If (Test-Path $path) {
            Remove-Item $path -Recurse -Force -ErrorAction SilentlyContinue
            Write-Host "  Removed: $path" -ForegroundColor Green
        }
    }

    # Remove the CurrentEnrollmentId property
    Remove-ItemProperty HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Logger -Name CurrentEnrollmentId -Force -ErrorAction SilentlyContinue

    # Remove Intune MDM certificates
    $certNew = Get-ChildItem Cert:\LocalMachine\My\ | Where-Object { $_.Issuer -Match "CN=Microsoft Intune MDM Device CA" }
    $certOld = Get-ChildItem Cert:\LocalMachine\My\ | Where-Object { $_.Issuer -Match "CN=SC_Online_Issuing" }

    If ($certNew) {
        $certNew | Remove-Item -Force -ErrorAction SilentlyContinue
        Write-Host "  Removed Intune MDM certificate" -ForegroundColor Green
    }
    If ($certOld) {
        $certOld | Remove-Item -Force -ErrorAction SilentlyContinue
        Write-Host "  Removed legacy Intune certificate" -ForegroundColor Green
    }

    Write-Host ""
    Write-Host "Cleanup complete! Restart the computer and try enrolling again." -ForegroundColor Green
}

Option 2: Manual Cleanup

If you prefer to clean up manually:

  1. Find the Enrollment ID: Open Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Logger. Note the CurrentEnrollmentId value (a GUID).
  2. Delete Scheduled Tasks: Open Task Scheduler and navigate to Microsoft\Windows\EnterpriseMgmt. Delete the folder matching your enrollment ID.
  3. Delete Registry Keys: In Registry Editor, delete any keys containing your enrollment ID from:
    • HKLM\SOFTWARE\Microsoft\Enrollments\
    • HKLM\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\
    • HKLM\SOFTWARE\Microsoft\PolicyManager\
    • HKLM\SOFTWARE\Microsoft\Provisioning\OMADM\
  4. Remove MDM Certificates: Open certlm.msc (Local Computer Certificates), go to Personal > Certificates, and delete any certificates issued by "Microsoft Intune MDM Device CA".
  4. Remove MDM Certificates: Open certlm.msc (Local Computer Certificates), go to Personal > Certificates, and delete any certificates issued by "Microsoft Intune MDM Device CA".
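
Both options delete from the same four places, so it helps to list what is actually present before removing anything, and to confirm nothing is left afterwards. The following read-only inventory is an added example, not part of the original script; the function name Get-EnrollmentArtifact is hypothetical, and it assumes an elevated PowerShell session with the built-in ScheduledTasks module available.

```powershell
# Added example: read-only inventory of the enrollment artifacts that the
# cleanup targets. Nothing is modified or deleted.
function Get-EnrollmentArtifact {
    param(
        # GUID noted before cleanup. If omitted, it is read from the Logger key,
        # which only works while CurrentEnrollmentId still exists.
        [string]$EnrollmentId
    )

    if (-not $EnrollmentId) {
        $loggerKey = 'HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Logger'
        $logger = Get-ItemProperty $loggerKey -Name CurrentEnrollmentId -ErrorAction SilentlyContinue
        if (-not $logger) { Write-Warning 'No CurrentEnrollmentId found.'; return }
        $EnrollmentId = $logger.CurrentEnrollmentId
    }

    # Registry keys: the same list the cleanup script removes
    $regPaths = @(
        "HKLM:\SOFTWARE\Microsoft\Enrollments\$EnrollmentId",
        "HKLM:\SOFTWARE\Microsoft\Enrollments\Status\$EnrollmentId",
        "HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\$EnrollmentId",
        "HKLM:\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\$EnrollmentId",
        "HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers\$EnrollmentId",
        "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\$EnrollmentId",
        "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Logger\$EnrollmentId",
        "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions\$EnrollmentId"
    )
    foreach ($path in $regPaths) {
        if (Test-Path $path) {
            [pscustomobject]@{ Type = 'RegistryKey'; Item = $path; Detail = '' }
        }
    }

    # Scheduled tasks in the EnterpriseMgmt\<enrollment ID> folder and below
    $taskPath = "\Microsoft\Windows\EnterpriseMgmt\$EnrollmentId\*"
    Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Type = 'ScheduledTask'; Item = $_.TaskPath + $_.TaskName; Detail = "$($_.State)" }
    }

    # Certificates matched by the same issuer strings the cleanup script uses
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -match 'CN=Microsoft Intune MDM Device CA|CN=SC_Online_Issuing' } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'Certificate'; Item = $_.Thumbprint; Detail = "$($_.Subject), expires $($_.NotAfter)" }
        }
}

Get-EnrollmentArtifact | Format-Table -AutoSize -Wrap
```

An empty result after cleanup, when called with the GUID noted beforehand via -EnrollmentId, means none of the listed artifacts remain.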

After Cleanup

Once you've run the script or completed the manual cleanup:

  1. Restart the computer
  2. If the device was Azure AD joined, you may also need to run dsregcmd /leave from an elevated command prompt before re-joining
  3. Attempt the enrollment again through Settings > Accounts > Access work or school

Preventing Future Issues

To avoid this problem in the future:

Related Error Codes

Similar cleanup may be needed for these related errors:
