Encountering the Azure Active Directory (Azure AD) join error code 8018000a, with the message "This device is already enrolled," is a common hurdle when moving Windows 10 devices to Azure AD. The error typically appears when a user has previously registered the device by answering "Yes" to the sign-in prompt in an Office 365 application, which adds a work account and Azure AD registers (workplace-joins) the device (dsregcmd /status then reports WorkplaceJoined : YES). That registration is fine for individual use, but a device that is already Azure AD registered, or that still carries a stale MDM enrollment, cannot be Azure AD joined until the leftover enrollment is removed.
A Simple Solution Using PowerShell
Rather than rebuilding the device, the PowerShell script below clears the residual enrollment information without touching user profiles. It targets the three places an enrollment leaves state: the per-enrollment registry keys under HKLM\SOFTWARE\Microsoft\Enrollments and HKLM\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked, and the scheduled tasks (and their folder) under \Microsoft\Windows\EnterpriseMgmt that the enrollment created.
Open PowerShell as Administrator: Right-click on the Start menu, select “Windows PowerShell (Admin).”
Run the Script: Copy and paste the script below into the PowerShell window and press Enter. For each enrollment it finds, answer y to remove it or n to keep it.
Re-attempt Azure AD Join: After the script completes, reboot and try joining the device to Azure AD again.
## This script checks for devices registered to Azure AD and removes the leftover enrollment data so you can successfully perform an Azure AD join.
# We recommend you back up your registry prior to running. We take no responsibility for the use of this script.
# Subkeys under Tracked are named by enrollment GUID (36 characters); the length filter skips the short non-GUID keys.
$sids = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked' -Name | Where-Object { $_.Length -gt 25 }
Foreach ($sid in $sids) {
    Write-Host "Found a registered device. Would you like to remove the device registration settings for enrollment ID: $($sid)?" -ForegroundColor Yellow
    $ReadHost = Read-Host " ( y / n ) "
    Switch ($ReadHost) {
        Y { Write-Host "Yes, remove registered device"; $removedevice = $true }
        N { Write-Host "No, do not remove device registration"; $removedevice = $false }
        Default { Write-Host "Default, do not remove device registration"; $removedevice = $false }
    }
    if ($removedevice -eq $true) {
        $enrollmentpath  = "HKLM:\SOFTWARE\Microsoft\Enrollments\$($sid)"
        $entresourcepath = "HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\$($sid)"
        ## Remove the enrollment from the registry. Each key is tested on its own so a missing Enrollments key does not leave the Tracked key behind.
        Foreach ($path in @($enrollmentpath, $entresourcepath)) {
            If (Test-Path $path) {
                Write-Host "$($path) exists and will be removed"
                Remove-Item -Path $path -Recurse -Confirm:$false
            }
            Else { Write-Host "$($path) does not exist, skipping" }
        }
        ## Clean up the scheduled tasks related to device enrollment and the task folder for this enrollment ID.
        Get-ScheduledTask -TaskPath "\Microsoft\Windows\EnterpriseMgmt\$($sid)\*" -ErrorAction SilentlyContinue | Unregister-ScheduledTask -Confirm:$false
        $scheduleObject = New-Object -ComObject Schedule.Service
        $scheduleObject.Connect()
        try {
            $rootFolder = $scheduleObject.GetFolder("\Microsoft\Windows\EnterpriseMgmt")
            $rootFolder.DeleteFolder($sid, 0)
        }
        catch { Write-Host "No task folder removed for $($sid): $($_.Exception.Message)" }
        Write-Host "Device registration cleaned up for $($sid). If there is more than 1 device registration, we will continue to the next one."
        pause
    }
    else { Write-Host "Removal has been cancelled for $($sid)" }
}
Write-Host "Cleanup of device registration has been completed. Ensure you delete the device registration in Azure AD and you can now join your device."
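Before running the cleanup it helps to see exactly what it is about to delete and to take the registry backup the script's comments ask for. The following pre-flight check is an added example written for this page, not part of the anspired.com.au script: it exports both registry keys with reg.exe, prints the join state from dsregcmd /status, and lists every tracked enrollment GUID together with the metadata from its Enrollments key and the number of scheduled tasks it still owns, deleting nothing. It assumes the enrollment keys carry the value names UPN, ProviderID, EnrollmentType and EnrollmentState (read with Get-ItemProperty, so a missing value simply shows blank) and that the backup folder path is yours to change.

```powershell
# Added pre-flight check for this page (not part of the original cleanup script).
# Assumptions: value names UPN, ProviderID, EnrollmentType and EnrollmentState under each
# Enrollments\<GUID> key; dsregcmd.exe present (Windows 10); backup folder is arbitrary.
#Requires -RunAsAdministrator

$tracked     = 'HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked'
$enrollments = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$taskRoot    = '\Microsoft\Windows\EnterpriseMgmt'
$backupDir   = Join-Path $env:SystemDrive 'EnrollmentBackup'   # assumed location, change as needed

# 1. Export both keys before anything is deleted; restore later with "reg.exe import <file>".
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
reg.exe export 'HKLM\SOFTWARE\Microsoft\Enrollments' (Join-Path $backupDir "Enrollments-$stamp.reg") /y | Out-Null
reg.exe export 'HKLM\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked' (Join-Path $backupDir "Tracked-$stamp.reg") /y | Out-Null
Write-Host "Registry backups written to $backupDir"

# 2. Current join state. WorkplaceJoined : YES is the Azure AD registration that blocks a join.
Write-Host "`nJoin state (dsregcmd /status):"
dsregcmd.exe /status | ForEach-Object {
    if ($_ -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(\S+)') {
        [pscustomobject]@{ Property = $Matches[1]; Value = $Matches[2] }
    }
} | Format-Table -AutoSize

# 3. Dry run: each tracked enrollment GUID, what its Enrollments key says, and whether it still owns tasks.
$guidPattern = '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
Write-Host "Enrollments the cleanup script would offer to remove:"
Get-ChildItem $tracked -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match $guidPattern } |
    ForEach-Object {
        $id    = $_.PSChildName
        $key   = Join-Path $enrollments $id
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        $tasks = @(Get-ScheduledTask -TaskPath "$taskRoot\$id\*" -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            EnrollmentId    = $id
            HasEnrollKey    = [bool]$props          # false means only the Tracked key is left behind
            UPN             = $props.UPN            # account that registered the device
            ProviderID      = $props.ProviderID     # management service that owns the enrollment
            EnrollmentType  = $props.EnrollmentType
            EnrollmentState = $props.EnrollmentState
            ScheduledTasks  = $tasks.Count          # tasks the cleanup would unregister
        }
    } | Format-List
```

Run it from the same elevated PowerShell prompt. An entry whose ProviderID names a live MDM service (an Intune enrollment shows MS DM Server) is a management enrollment you probably do not want to delete, whereas a stale registration tied to a former user's UPN is the one causing 8018000a. Re-run the check after the cleanup and the reboot: the enrollment list should be empty and WorkplaceJoined should read NO before you attempt the Azure AD join.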
Note: Always ensure you have backed up the registry before making any modifications. Use the script at your own discretion and risk.
Credits to anspired.com.au for this script.