Reenroll HAADJ Device to Intune

3 minute read

Intro

Hey!

I will start with notice that this method should be your last resort in fixing the problem with lost device in Intune or when sync ends with sync could not be initiated 0x80072f0c.

Based on this post - link - I’ve created script to run on affected device to jump start enrollment again.

You will find it in the section below.

The Script

So this is it:

$Global:ErrorActionPreference = 'Stop'
Write-Host "Stopping Intune Service" -ForegroundColor Yellow
Get-Service *intune* | Stop-Service
Write-Host "Check if device is AAD Joined" -ForegroundColor Yellow
$DSREGCMD = dsregcmd /status
$AADJoinCheck = $null
$AADJoinCheck = $DSREGCMD | Select-String -Pattern 'AzureAdJoined : YES'
if ($null -eq $AADJoinCheck) {
	Write-Host "Device is not AAD Joined!!! Stopping!" -ForegroundColor Red
	Break
} else {
	Write-Host "Device is AAD Joined - OK" -ForegroundColor Green
}
Write-Host "Searching for enrollment ID"
$Tasks = Get-ScheduledTask | Where-Object { $psitem.TaskPath -like "\Microsoft\Windows\EnterpriseMgmt\*" }
$EnrollId = $Tasks[0].TaskPath.Split('\\')[-2]
if ($EnrollID -match '\w{8}-\w{4}-\w{4}-\w{4}-\w{12}') {
	Write-Host "Found EnrollID - $EnrollID" -ForegroundColor Green
} else {
	Write-Host "Error parsing EnrollID. Stopping" -ForegroundColor Red
	Break
}
Write-Host "Removing scheduledTasks" -ForegroundColor Yellow
Try {
	$Tasks | ForEach-Object { Unregister-ScheduledTask -InputObject $psitem -Verbose -Confirm:$false }
} catch {
	Throw $_.Exception.Message
}
Write-Host "Done" -ForegroundColor Green
Write-Host "Trying to remove tasks folder" -ForegroundColor Yellow
$TaskFolder = Test-Path "C:\windows\System32\Tasks\Microsoft\Windows\EnterpriseMgmt\$EnrollID"
try {
	if ($TaskFolder) {
		Remove-Item -Path "C:\windows\System32\Tasks\Microsoft\Windows\EnterpriseMgmt\$EnrollID" -Force -Verbose 
	}
} catch {
	Throw $_.Exception.Message
}
Write-Host "Removing registry keys" -ForegroundColor Yellow
$EnrollmentReg = Test-Path -Path HKLM:\SOFTWARE\Microsoft\Enrollments\$EnrollID
if ($EnrollmentReg) {
	Remove-Item -Path HKLM:\SOFTWARE\Microsoft\Enrollments\$EnrollID -Recurse -Force -Verbose 
}
$EnrollmentReg = Test-Path -Path HKLM:\SOFTWARE\Microsoft\Enrollments\Status\$EnrollID
if ($EnrollmentReg) {
	Remove-Item -Path HKLM:\SOFTWARE\Microsoft\Enrollments\Status\$EnrollID -Recurse -Force -Verbose 
}
$EnrollmentReg = Test-Path -Path HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\$EnrollID
if ($EnrollmentReg) {
	Remove-Item -Path HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\$EnrollID -Recurse -Force -Verbose 
}
$EnrollmentReg = Test-Path -Path HKLM:\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\$EnrollID
if ($EnrollmentReg) {
	Remove-Item -Path HKLM:\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\$EnrollID -Recurse -Force -Verbose 
}
$EnrollmentReg = Test-Path -Path HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers\$EnrollID
if ($EnrollmentReg) {
	Remove-Item -Path HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers\$EnrollID -Recurse -Force -Verbose 
}
$EnrollmentReg = Test-Path -Path HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\$EnrollID
if ($EnrollmentReg) {
	Remove-Item -Path HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\$EnrollID -Recurse -Force -Verbose 
}
$EnrollmentReg = Test-Path -Path HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Logger\$EnrollID
if ($EnrollmentReg) {
	Remove-Item -Path HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Logger\$EnrollID -Recurse -Force -Verbose 
}
$EnrollmentReg = Test-Path -Path HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions\$EnrollID
if ($EnrollmentReg) {
	Remove-Item -Path HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions\$EnrollID -Recurse -Force -Verbose 
}
##### Run this if Remove-Item -Path "C:\windows\System32\Tasks\Microsoft\Windows\EnterpriseMgmt\$EnrollID" -Force -Verbose FAILED
<#
$EnrollmentReg = Test-Path -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\EnterpriseMgmt\$EnrollID"
if ($EnrollmentReg) {
	Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\EnterpriseMgmt\$EnrollID" -Recurse -Force -Verbose 
}
#>
Write-Host "Checking for Intune MDM cert" -ForegroundColor Yellow
$Certs = $null
$Certs = Get-ChildItem -Path cert:\LocalMachine\My | Where-Object { $psitem.issuer -like '*Intune*' }
if ($null -ne $Certs) {
	$(Get-Item ($Certs).PSPath) | Remove-Item -Force -Verbose 
	Write-Host "Removed" -ForegroundColor Green
} else {
	Write-Host "Not found" -ForegroundColor Yellow
}
Write-Host "Downloading psexec" -ForegroundColor Yellow
Invoke-RestMethod -Uri 'https://download.sysinternals.com/files/PSTools.zip' -OutFile $env:TEMP\PSTools.zip
Write-Host "Expanding psexec" -ForegroundColor Yellow
Expand-Archive -Path $env:TEMP\PSTools.zip -DestinationPath $env:TEMP\PSTools -Force
Write-Host "Starting psexec with AutoEnrollMDM" -ForegroundColor Yellow
$Process = Start-Process -FilePath $env:TEMP\PSTools\psexec.exe -ArgumentList "-i -s -accepteula cmd  /c `"deviceenroller.exe /c /AutoEnrollMDM`"" -Wait -NoNewWindow -PassThru
if ($process.ExitCode -eq 0) {
	Write-Host "Started AutoEnrollMDM" -ForegroundColor Green

} else {
	Write-Host "Exit code 1. Please verify manually" -ForegroundColor Red
}
if ((Get-Service *intune*).Status -ne 'Running') {
	Get-Service *intune* | Start-Service
}

First section is to check if the device is AAD joined. If it is not, script will terminate and you will need to fix that first. Try running:

dsregcmd /join

Be sure to run this in SYSTEM context. If no issue is found in AAD join you will need to find enrollment ID. It will be needed for finding and wiping registry keys. If no enrollment ID is found script will terminate and I recommend doing re-enrollment with standard method which is disconnecting device from domain and reconnecting.

With enrollment ID you can now un-register scheduledTasks that reside in EnterpriseMgmt folder. Then remove the folder itself.

Next you will be searching for registry keys that match enrollment ID and then deleting them. There also should be a MDM certificate in Personal vault but if its not there then do not worry (if there is, remove it).

Now that you have cleared all traces of enrollment you will need psexec to impersonate SYSTEM to jump start enrollment. Download it, extract the psexec from archive and run it:

psexec.exe -i -s -accepteula cmd

Then in the new window you can begin enrollment

deviceenroller.exe /c /AutoEnrollMDM

All the things that you deleted will be recreated and new enrollment ID will be assigned. After minute or so you will see device in Intune portal again.

Summary

While this method is not supported I’ve reconnected 3 devices using this script and it worked. So if you are at the dead end may it serve you well!

See you in next! 😉 🧠

Share on

Twitter Facebook LinkedIn

Reenroll HAADJ Device to Intune

Intro

The Script

Summary

Share on

You may also enjoy

The Hidden Pitfall of Windows Autopilot - Avoiding Device Duplication

Truly user-driven Windows Autopilot

Export, Fix, Import - Settings Catalog

How to easily move MDM Security Baseline profile