Manual (re-)enrollment of a Windows 10/11 PC in Intune

A Windows 10/11 PC can be enrolled in Intune in several ways. The enrollment can be done either manually or automatically.

Manually:

  • During the Out-of-the-box Experience (OOBE) when a Windows 10/11 PC is first started up
  • Via the Windows settings

If a machine is enrolled manually, the user will have to provide their Azure AD credentials.

Automatically:

  • During the Azure AD join + automatic Intune enrollment
  • During Hybrid Azure AD join + automatic Intune enrollment

Automatic enrollment can be triggered using a Group Policy, SCCM Co-Management or Windows AutoPilot.

Enrollment process

The enrollment has to be triggered in the SYSTEM context: deviceenroller.exe then enrolls the machine with the device's own Azure AD identity rather than with that of the logged-on user. To get a shell as SYSTEM we use PsExec from the Sysinternals suite, which Microsoft publishes on its own website (learn.microsoft.com/sysinternals).

  • Download PsExec from the Microsoft (Sysinternals) website and verify its Authenticode signature before running it. PsExec is also a favourite tool of attackers for lateral movement, so expect your EDR to flag it; run it only from a prompt you control and remove it from the machine afterwards.
  • From an elevated (Run as administrator) Command Prompt, use PsExec to launch a new Command Prompt as SYSTEM:
psexec /i /s cmd
  • To check that the new Command Prompt window is running in the SYSTEM context, run whoami. The output should be:
nt authority\system
  • In the new Command Prompt enter the following command:
%windir%\system32\deviceenroller.exe /c /AutoEnrollMDM

deviceenroller.exe prints nothing, whether it succeeds or fails. It only does something useful if the device is already Azure AD joined or Hybrid Azure AD joined and the tenant provides MDM enrollment URLs (MDM user scope). The outcome is written to Event Viewer under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.
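As an added example (not code from the original post), the following PowerShell script does the pre-flight checks a practitioner wants before calling deviceenroller.exe: it confirms it runs as SYSTEM, that the device is Azure AD joined, that the tenant has an MDM enrollment URL, and that the device is not already enrolled; it then runs the same command as above and shows the events the enrollment client logged. The registry and event log paths are the standard Windows ones; the script name and the assumption that the device belongs to a single tenant (the first TenantInfo subkey is used) are mine.

```powershell
# Added example, not code from the original post: pre-flight checks, the
# deviceenroller.exe call from the post, and the events it produced.
# Start as SYSTEM, e.g.:
#   psexec -i -s powershell.exe -ExecutionPolicy Bypass -File .\Start-MdmEnrollment.ps1
#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'

# 1. /AutoEnrollMDM enrolls with the device identity, so this must run as SYSTEM.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($me -ne 'NT AUTHORITY\SYSTEM') {
    throw "Running as '$me'; start this script as SYSTEM (psexec -i -s powershell.exe)."
}

# 2. The device must be Azure AD joined or hybrid joined; dsregcmd reports both flags.
$dsreg         = dsregcmd /status
$azureAdJoined = [bool]($dsreg | Select-String '^\s*AzureAdJoined\s*:\s*YES')
$domainJoined  = [bool]($dsreg | Select-String '^\s*DomainJoined\s*:\s*YES')
if (-not $azureAdJoined) { throw 'Device is not Azure AD joined; there is no device identity to enroll with.' }
Write-Host ('Join state: AzureAdJoined={0} DomainJoined={1} Hybrid={2}' -f $azureAdJoined, $domainJoined, ($azureAdJoined -and $domainJoined))

# 3. Azure AD stores the tenant's MDM URLs under CloudDomainJoin\TenantInfo\<tenant id>.
#    Without an MdmEnrollmentUrl (MDM user scope not set, or the device is out of scope)
#    deviceenroller.exe returns without enrolling anything.
#    Assumption: a single tenant, so the first subkey is the right one.
$tenantInfo = Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo' -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $tenantInfo) { throw 'No TenantInfo key found; the Azure AD join looks incomplete.' }
$mdmUrl = (Get-ItemProperty -Path $tenantInfo.PSPath).MdmEnrollmentUrl
if ([string]::IsNullOrEmpty($mdmUrl)) {
    throw "Tenant $($tenantInfo.PSChildName) has no MdmEnrollmentUrl; check the MDM user scope in Azure AD."
}
Write-Host "Tenant $($tenantInfo.PSChildName), MDM enrollment URL: $mdmUrl"

# 4. Informational: the 'Enable automatic MDM enrollment using default Azure AD credentials'
#    GPO writes AutoEnrollMDM=1 here. Not required for a manual run, but good to know.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' -ErrorAction SilentlyContinue
Write-Host ('AutoEnrollMDM policy present: {0}' -f (($null -ne $policy) -and ($policy.AutoEnrollMDM -eq 1)))

# 5. Refuse to double-enroll: an Intune device certificate means the device is already
#    enrolled, and the re-enrollment cleanup in the post is the right path instead.
$existing = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like 'CN=Microsoft Intune MDM Device CA*' }
if ($existing) {
    throw "Already enrolled: certificate $($existing[0].Thumbprint) issued by Microsoft Intune MDM Device CA is present."
}

# 6. Trigger the enrollment. The exit code alone tells you little; the event log tells you more.
$t0 = Get-Date
$p  = Start-Process -FilePath "$env:windir\System32\deviceenroller.exe" -ArgumentList '/c', '/AutoEnrollMDM' `
        -Wait -PassThru -NoNewWindow
Write-Host "deviceenroller.exe exit code: $($p.ExitCode)"

# 7. Show what the enrollment client logged since we started (errors stand out by level).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    StartTime = $t0
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

The checks in steps 2 and 3 catch the two most common reasons why the command "does nothing": the device is only workgroup- or domain-joined, or the tenant has never been configured for automatic MDM enrollment.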

Re-enrollment process

Sometimes a Windows 10/11 PC can no longer synchronize with Intune: the synchronization ends in an error state and Windows shows a message such as “The sync could not be initiated”. Intune may also be configured with a device clean-up rule, which removes devices that have not checked in for a configurable period (for example 60 days or longer) from Intune. You would rather not reinstall the device, and this is where the re-enrollment process comes in. To re-enroll the PC manually, we clean up the remnants of the old enrollment and then run the same command as in the manual enrollment process, again in the SYSTEM context.
Below are the steps required to get it working:

  1. Delete stale scheduled tasks
  2. Delete stale registry keys
  3. Delete the Intune enrollment certificate
  4. Start the enrollment process

1. Delete stale scheduled tasks

Run the Task Scheduler as administrator

Go to Task Scheduler Library > Microsoft > Windows > EnterpriseMgmt.

Inside EnterpriseMgmt there is a subfolder whose name is a GUID; that GUID is the enrollment ID. Make a note of it, you will need it later in the process.

Delete all tasks in that GUID subfolder and then delete the subfolder itself. Task Scheduler refuses to delete a folder that still contains tasks, so the order matters.

2. Delete stale registry keys

  • Run the Registry Editor as Administrator
  • Now, using the enrollment ID noted earlier (shown below as xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx), find and delete the keys below:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\Status\xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Logger\xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions\xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Do not delete any keys other than those specified above. In particular, leave the parent keys (for example HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments) and any subkeys with a different GUID in place; they belong to other components, not to the stale Intune enrollment.

3. Delete the Intune enrollment certificate

Search for “Manage computer certificates” in the Start menu, or run certlm.msc as an administrator.

Go to Personal > Certificates and delete the certificate issued by “Microsoft Intune MDM Device CA”. Leave every other certificate in that store alone. In particular, the certificate issued by “MS-Organization-Access” is the device's Azure AD join identity; deleting it breaks the join rather than the enrollment, and you would then really have to rejoin the device.

4. Start the enrollment process

This is the same procedure as in the manual enrollment process above: the command has to run in the SYSTEM context, which we get through PsExec from the Sysinternals suite on the Microsoft website.

  • From an elevated Command Prompt, use PsExec to launch a new Command Prompt as SYSTEM:
psexec /i /s cmd
  • Check with whoami that the new Command Prompt window runs in the SYSTEM context. The output should be:
nt authority\system
  • In the new Command Prompt enter the following command:
%windir%\system32\deviceenroller.exe /c /AutoEnrollMDM
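The four re-enrollment steps as one PowerShell script, added here as an example and not the post's own code. It takes the enrollment ID from the GUID-named subfolder under EnterpriseMgmt exactly as the post does by hand, deletes only the registry keys the post lists, removes only the certificate issued by the Intune MDM Device CA, and then runs deviceenroller.exe. Two safety checks are mine: the script assumes exactly one GUID folder exists, and it refuses to continue unless the matching Enrollments\<ID> key carries ProviderID "MS DM Server", the value Intune writes for its MDM enrollment. The script file name is hypothetical.

```powershell
# Added example, not code from the original post: steps 1-4 of the re-enrollment
# as one script. Run as SYSTEM, e.g.:
#   psexec -i -s powershell.exe -ExecutionPolicy Bypass -File .\Reset-IntuneEnrollment.ps1
#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'
if ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name -ne 'NT AUTHORITY\SYSTEM') {
    throw 'Run this as SYSTEM (psexec -i -s powershell.exe).'
}

# --- Step 1: find the enrollment ID and delete the stale scheduled tasks ---
$scheduler = New-Object -ComObject 'Schedule.Service'
$scheduler.Connect()
$emRoot  = $scheduler.GetFolder('\Microsoft\Windows\EnterpriseMgmt')
$guidRx  = '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
$folders = @($emRoot.GetFolders(0) | Where-Object { $_.Name -match $guidRx })
if ($folders.Count -ne 1) {
    # Assumption: one enrollment. Anything else needs a human looking at Task Scheduler.
    throw "Expected exactly one GUID folder under EnterpriseMgmt, found $($folders.Count)."
}
$enrollmentId = $folders[0].Name

# Cross-check against the registry before deleting anything: the Enrollments\<id> key of
# an Intune MDM enrollment has ProviderID 'MS DM Server'. Anything else is not ours to touch.
$enrollKey  = "HKLM:\SOFTWARE\Microsoft\Enrollments\$enrollmentId"
$providerId = (Get-ItemProperty -Path $enrollKey -ErrorAction SilentlyContinue).ProviderID
if ($providerId -ne 'MS DM Server') {
    throw "$enrollKey has ProviderID '$providerId', expected 'MS DM Server'; refusing to continue."
}
Write-Host "Enrollment ID: $enrollmentId (ProviderID: $providerId)"

foreach ($task in @($folders[0].GetTasks(0))) {   # snapshot first; we modify the collection
    Write-Host "Deleting task: $($task.Path)"
    $folders[0].DeleteTask($task.Name, 0)
}
$emRoot.DeleteFolder($enrollmentId, 0)            # fails if a task were left behind, which is what we want

# --- Step 2: delete exactly the registry keys the post lists, nothing more ---
$keys = @(
    "HKLM:\SOFTWARE\Microsoft\Enrollments\$enrollmentId",
    "HKLM:\SOFTWARE\Microsoft\Enrollments\Status\$enrollmentId",
    "HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\$enrollmentId",
    "HKLM:\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\$enrollmentId",
    "HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers\$enrollmentId",
    "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\$enrollmentId",
    "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Logger\$enrollmentId",
    "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions\$enrollmentId"
)
foreach ($key in $keys) {
    if (Test-Path -Path $key) { Write-Host "Deleting key: $key"; Remove-Item -Path $key -Recurse -Force }
    else                      { Write-Host "Not present:  $key" }
}

# --- Step 3: delete the Intune MDM device certificate and nothing else in LocalMachine\My ---
# The 'MS-Organization-Access' certificate in the same store is the Azure AD device identity;
# the issuer filter below deliberately never matches it.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like 'CN=Microsoft Intune MDM Device CA*' } |
    ForEach-Object {
        Write-Host "Deleting certificate $($_.Thumbprint) ($($_.Subject))"
        Remove-Item -Path $_.PSPath -Force
    }

# --- Step 4: trigger the enrollment again, as in the manual enrollment process ---
$p = Start-Process -FilePath "$env:windir\System32\deviceenroller.exe" -ArgumentList '/c', '/AutoEnrollMDM' `
        -Wait -PassThru -NoNewWindow
Write-Host "deviceenroller.exe exit code: $($p.ExitCode). Now verify the enrollment."
```

The order is the same as in the manual steps: tasks first, then registry, then certificate, then the enroller. Running the cleanup without the ProviderID cross-check is how people end up deleting the wrong GUID; keep it.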

Did the enrollment go well?

Once the last command has completed, we can check whether the enrollment went well. In “Manage computer certificates” a new certificate issued by “Microsoft Intune MDM Device CA” will be visible in the Personal store. Furthermore, a new GUID-named folder containing the enrollment tasks will appear under Task Scheduler Library > Microsoft > Windows > EnterpriseMgmt. The last check can be done in the Windows Settings under “Device sync status” (Settings > Accounts > Access work or school > select the work account > Info). If any of these are missing, look at the enrollment client's events in Event Viewer under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.

The device should become visible in the Microsoft Intune admin center (formerly the Endpoint Manager portal) within about 15 minutes.
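The checks from this section as one PowerShell function, added as an example and not taken from the original post. It looks for the Intune device certificate, the GUID-named EnterpriseMgmt task folder, the matching OMADM account key, the MDM URL in dsregcmd output (the same information the "Device sync status" page uses) and any errors the enrollment client has logged since the certificate was issued, and returns $true only if everything passes, so it can run as a remediation or monitoring job. The function name is mine; the paths are the standard Windows ones.

```powershell
# Added example, not code from the original post: post-enrollment verification.
function Test-IntuneEnrollment {
    [CmdletBinding()]
    param()

    $results = [ordered]@{}

    # 1. Device certificate issued by the Intune MDM Device CA in the machine Personal store,
    #    and still valid.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like 'CN=Microsoft Intune MDM Device CA*' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    $results['Intune device certificate'] = ($null -ne $cert) -and ($cert.NotAfter -gt (Get-Date))

    # 2. A GUID-named folder with tasks under \Microsoft\Windows\EnterpriseMgmt.
    $scheduler = New-Object -ComObject 'Schedule.Service'
    $scheduler.Connect()
    $guidRx = '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
    $folder = @($scheduler.GetFolder('\Microsoft\Windows\EnterpriseMgmt').GetFolders(0) |
        Where-Object { $_.Name -match $guidRx }) | Select-Object -First 1
    $taskCount = if ($folder) { @($folder.GetTasks(0)).Count } else { 0 }
    $results['EnterpriseMgmt tasks'] = $taskCount -gt 0

    # 3. The OMA-DM account for that enrollment ID is back in the registry.
    $results['OMADM account key'] = ($null -ne $folder) -and
        (Test-Path -Path "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\$($folder.Name)")

    # 4. dsregcmd shows the MDM URL for the device.
    $results['MDM URL in dsregcmd'] = [bool](dsregcmd /status | Select-String '^\s*MdmUrl\s*:\s*https://')

    # 5. No enrollment-client errors since the certificate was issued (or in the last hour if none).
    $since  = if ($cert) { $cert.NotBefore } else { (Get-Date).AddHours(-1) }
    $errors = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level     = 2      # Error
        StartTime = $since
    } -ErrorAction SilentlyContinue)
    $results['No enrollment errors logged'] = ($errors.Count -eq 0)

    foreach ($name in $results.Keys) {
        Write-Host ('{0,-30} {1}' -f $name, $(if ($results[$name]) { 'OK' } else { 'FAIL' }))
    }
    if ($folder) { Write-Host "Enrollment ID: $($folder.Name), tasks: $taskCount" }
    if ($errors.Count -gt 0) {
        $errors | Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
            Format-Table -AutoSize -Wrap | Out-Host
    }

    return -not (@($results.Values) -contains $false)
}

# Usage: returns $true when the device is enrolled and healthy.
Test-IntuneEnrollment
```

A freshly enrolled device passes all five checks within a minute or two of deviceenroller.exe returning; the portal entry can lag behind that, as the post notes.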
