My day job at Microsoft is to author Enterprise Mobility + Security cross-service usage scenarios. Of course, before I can write about them, I must configure the products & services and push the appropriate buttons to see what happens. This means I spend many hours leveraging various lab environments in Hyper-V and Azure learning what makes EMS tick. Every now and then, I also like to throw in a monkey wrench to try and break things to see what happens. Fun job eh? Don’t tell my boss, she pays me for this!
As I come across little tidbits of know-how that don’t easily fit into the narrative I’m describing on docs.microsoft.com, I store them in my mental toolbox for later use. Sadly, I only have so many brain cells left to remember this stuff so I figured it would be a good thing to share some of these random tips and tricks with all of you—as well as keep a cheat sheet on TechNet for my own later reference. Win-win! I’ll start posting these every now and again, but now you know why some of my blog titles will start with tips and tricks. Here’s your first one: tips to help you troubleshoot Windows 10 PC device enrollment errors with Intune.
Note: I’ll even put the error codes in as plain text in case someone has spent hours searching the web trying to figure out what they mean. That said, please don’t hold me to them because these error codes could change tomorrow without me knowing and there’s probably a thousand other error codes you could run into depending on your setup that I don’t see in my labs. In other words, this post is based on my own testing and is provided ‘as is’ with no warranty and confers no rights. Your mileage may vary, but I’m betting it’s close.
Trying to install the PC agent when the computer is already enrolled as a device
If you read my last post about enrolling Windows 10 PCs as mobile devices with Intune then you might remember me saying this, “after you enroll a Win10 PC into management with Intune as a mobile device you cannot install the Intune client software to manage it as a computer. If you really want to install the client software you’ll need to un-enroll the device first.”.
The fun ends quickly when you attempt this. You just can’t do it. You can try, but the setup will fail with an error (error code 0x80043010). It will look something like this:
Trying to enroll as a device when the PC is already managed
Wait. I know what you’re thinking, “why would I ever try to enroll a device into management when it’s already enrolled?!”. Well, I’m guessing you wouldn’t on purpose, but I’ll give you two example scenarios of how this might happen accidentally to save you and the help desk some avoidable gnashing of teeth.
Let’s say you want to ensure your user’s devices are all registered in Azure AD and managed by Intune. Easy to do right? Just enable auto-MDM enrollment in your organization’s Azure AD Premium tenant (aka enable the Microsoft Intune application in Azure AD Premium). So, now if someone has already enrolled their device into management and tries to join it to Azure AD, they’ll get the dreaded 8019000a error:
That’s not an issue for you? OK, then let’s say that you’ve heard about this cool new MDM enrollment for Windows-based devices (Windows 10 1607 feature) so you’ve sent an email to your organization’s users asking them to enroll their Windows 10 PCs into management with Intune. Your dutiful users click the enrollment link in the email, but because their PCs are already Azure AD joined and managed by Intune (auto-MDM enrollment), they’ll get the message below and wonder what you were smoking when you sent the email for them to enroll their device. This will happen even if they’re not joined to Azure AD as well if they’ve previously enrolled their device somehow—say an overly-eager or forgetful user clicks the email link twice maybe. Either way, they’ll see this:
Tip: Using this deep link method to enroll Windows 10 PCs as devices does not join them to Azure AD. In fact, it does basically the same thing as a user navigating through settings and clicking the “Enroll only in device management” option.
Bonus tip: Don’t know what MDM enrollment for Windows-based devices is? It’s using link like this, “Enroll your Win10 1607 PC here” to start the enrollment process without the user going through settings. The link text is up to you, just make sure the link target is ms-device-enrollment:?mode=mdm. Go ahead, click the enroll link above on your Win10 1607+ device. It’s fun! Peter van der Woude did a nice write up about this feature on his blog too.
So, if you’re the system administrator referenced in the above error message you now know what error code 8019000a means, but whatcha gonna do when the help desk calls for you? If you still want to get a device both managed by Intune and joined to Azure AD in this situation, you’ll need to do one of two things: The Azure AD admin can disable auto-MDM enrollment in Azure AD or remove the user from a targeted group and try joining Azure AD again (not my first choice) or the user can disconnect the work or school account on the affected PC to remove it from management and then try joining Azure AD again later.
I’m sure there are a myriad of other scenarios and situations that might cause these issues, but there’s what I’ve seen happen anyway. Hopefully this tip helps!
You’ve seen my blog; want to follow me on Twitter too? @JeffGilb.
469 total views, 2 views today