Windows AD authenticated enrollment stuck

Valentine

We are trying to enroll some on-prem AD-joined Windows PCs using the AD authenticated enrollment method.
The devices show the error “Your device is already being managed by an organization” even though we don’t have any active MDM enrollment.
We do have some Group Policies associated with these devices through AD, but there we have set the option “Enable automatic MDM enrollment using default Azure AD credentials” to “Not configured”.

All Replies

  • Zach Goodman

    Hexnode

    Moderator

    Hi @Valentine, thanks for bringing up the issue.

    If your device is already enrolled in Microsoft Intune or another MDM service, this is the error that comes up. Also, you’ve set the automatic enrollment setting to “Not configured”.

    However, this error could be occurring because the device was already set up with Microsoft SCCM (System Center Configuration Manager). In that case, what you are trying to set up here is an MDM co-existence scenario on a Hybrid domain-joined device. Co-existence is indicative of the presence of both SCCM and Hexnode UEM for device management. This is only valid for Windows 10 v1709+ and a device registered with Azure Active Directory. For you, the device is also joined to your on-premises Active Directory; such devices are Hybrid domain-joined devices.

    Could you verify if the registry keys are set correctly to match the required settings –
    1. Open the Registry Editor by pressing Windows key + R and running ‘regedit’.
    2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments and find the key ExternallyManaged on the right pane.
    3. If its current value is 1, change it to 0 and try enrolling the device again.

    If this was not the case, please don’t hesitate to contact our support team right away regarding your issue.

    Additional Notes:
    When the Configuration Manager client detects that an MDM service is also managing the device, it will automatically deactivate the following workloads –
    ● Resource access policies for VPN, Wi-Fi, email, and certificate settings
    ● Application management, including legacy packages
    ● Software update scanning and installation
    ● Endpoint protection, the Windows Defender suite of antimalware protection features
    ● Compliance policy for conditional access
    ● Device configuration
    ● Office Click-to-Run management

    The Configuration Manager client will continue the following read-only operations –
    ● Hardware and software inventory
    ● Asset Intelligence
    ● Software metering
    ● Power management reporting

    Hope this helps.
    Cheers!
    Zach Goodman
    Hexnode UEM
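An added example, not part of the thread or Hexnode's tooling, that turns the three registry steps above into an auditable script: it reports the ExternallyManaged flag and the existing enrollment subkeys first, and only clears the flag when run with -Fix, after exporting the key so the change can be reverted. The -Fix switch, the backup folder and the reporting format are this script's own assumptions; the key and value names are the ones named in the reply.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Assumed conventions: -Fix opts in to the write; -WhatIf previews it.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Fix,                                        # only write when explicitly asked
    [string]$BackupDir = "$env:ProgramData\EnrollmentAudit"   # assumed backup location
)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$ValueName = 'ExternallyManaged'

if (-not (Test-Path $KeyPath)) {
    Write-Warning "$KeyPath does not exist; nothing to check."
    return
}

# Read the flag. A missing value is reported as missing, not treated as 0.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) {
    Write-Output "$ValueName is not set under $KeyPath."
} else {
    Write-Output "$ValueName = $current  (1 means the device is flagged as managed by another agent, e.g. SCCM)"
}

# List the enrollment subkeys so the admin sees what is registered before changing anything.
# Their value names vary by Windows build, so they are listed rather than interpreted.
Get-ChildItem -Path $KeyPath -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Output ("Enrollment subkey {0}: values = {1}" -f $_.PSChildName, (($_.GetValueNames() | Sort-Object) -join ', '))
}

if ($Fix -and $current -eq 1) {
    if ($PSCmdlet.ShouldProcess($KeyPath, "Set $ValueName from 1 to 0")) {
        # Export the key first so the change can be undone with 'reg import'.
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $backup = Join-Path $BackupDir ("Enrollments-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
        reg.exe export 'HKLM\SOFTWARE\Microsoft\Enrollments' $backup /y | Out-Null
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 0 -Type DWord
        Write-Output "$ValueName set to 0; backup written to $backup. Retry enrollment now."
    }
} elseif ($Fix) {
    Write-Output "No change made: $ValueName is not 1."
}
```

Clearing the flag lets the MDM enrollment proceed, which puts the device into the co-existence state described above, so expect the Configuration Manager client to hand off the listed workloads once enrollment completes.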

  • Valentine

    Participant

    @zach Indeed, the devices were configured in SCCM. I checked the registry key and there it was set to 1. Changed that and the enrollment worked!! Thanks for the input, it was educative.