SOLVED

Trying to learn Intune - stuck at MDM "Your device is already being managed by an organization"


I'm trying to learn Intune and Endpoint manager so I'm going through the Pluralsight course Implementing Mobile Device Management (MDM) with Microsoft Intune by Greg Shields.

 

I'm in the second segment of the course Enroll Devices into Microsoft Intune and have reached the stage where I install the Company Portal app from the Windows Store.

 

Installing the app, I successfully sign into one of the user AAD accounts, then go into the MDM part.

 

Company Portal - Set up your device.PNG

Clicking next

Company Portal - Connect to work.PNG

Clicking Connect

Company Portal - set up a work or school account.PNG

Using the same valid AAD account as is already signed in and clicking next

Company Portal - already managed.PNG

 

In Windows Settings, Accounts, Access work or school, the test user account is listed. Clicking info shows that it is managed by mddprov account.

 

There are no errors in the DeviceManagement-Enterprise-Diagnostics-Provider event log section.

 

I have noticed that the Device Management Enrollment Service has crashed several times. This is a clean new install of Windows 10 Pro in eval mode. The crash occurs when I open Company Portal. Exception code 0xc0000005 in module windows.internal.management.dll

 

The device is registered in AAD, MDM is listed as None and no devices are listed in Endpoint Manager.

 

I'm lost as to a solution. If anyone has suggestions of how I can resolve this issue, I'd appreciate it.

best response confirmed by David-B (Copper Contributor)
Solution

The issue has been resolved. The default configuration was for MAM user scope to be set to All when it needs to be set to None.

 

To get to the correct screen, go to Microsoft Endpoint Manager, click Devices, Enroll Devices, click Automatic Enrollment. Change MAM from All to None, unmanage the devices currently in AAD, then add them again via the Company Portal store app.

 

2020-11-22.png

 

@David-B Hi David,

 

Thank you for this. I have tried this but I am still getting the same message. We are new to Intune and in the pilot stage.

 

Can you assist any further?

 

KR,

Nick

@NickZz95 

 

I stumbled on your post while trying to find an answer to a similar problem. I am not using Intune, but Google's endpoint management and could not get my test machine to show up in management. Since I found my answer, I thought I'd share what I found on the off chance that the issues are the same.

 

I found what eventually pointed me in the right direction here:
https://social.technet.microsoft.com/Forums/en-US/f2d29524-afce-42ab-9e48-673813c74c4e/unable-to-ree...

 

I had to look in the Registry here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments

 

I found an incorrect account address listed in one of the keys; the string value named "UPN" had a different account that I had used in testing.  Since you mentioned that you are new and in the pilot stage, I thought perhaps you might have also attempted enrollment on this a time or two before.

 

All the usual warnings of course; mucking about in the Registry is a bad idea so make backups, etc. I have no idea if my fix will translate to a fix for you. I hope that it does.
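
Added example (not part of the posts in this thread): a read-only PowerShell check that backs up the Enrollments key and lists the account recorded in each enrollment record, so a leftover UPN from an earlier test enrollment stands out. `$expectedUpn` is a placeholder, and the `ProviderID` and `DiscoveryServiceFullURL` value names are assumptions about what is present alongside the `UPN` value mentioned above; missing values simply show as empty.

```powershell
# Read-only diagnostic: nothing under the Enrollments key is modified.
$root        = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$expectedUpn = 'user@example.com'   # placeholder: the account you intend to enroll with

# Take a backup first, as the post above advises before any registry work.
$backup = Join-Path $env:TEMP 'Enrollments-backup.reg'
reg.exe export 'HKLM\SOFTWARE\Microsoft\Enrollments' $backup /y | Out-Null

$records = foreach ($key in Get-ChildItem -Path $root -ErrorAction Stop) {
    $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue

    # Not every subkey is an enrollment record; skip those without a UPN value.
    if (-not $p -or -not $p.PSObject.Properties['UPN']) { continue }

    [pscustomobject]@{
        EnrollmentId = $key.PSChildName
        UPN          = $p.UPN
        ProviderID   = $p.ProviderID                # assumed value name, may be empty
        DiscoveryUrl = $p.DiscoveryServiceFullURL   # assumed value name, may be empty
        MatchesUser  = ($p.UPN -ieq $expectedUpn)
    }
}

if (-not $records) {
    Write-Output 'No enrollment records with a UPN value were found.'
} else {
    $records | Format-Table -AutoSize
    $stale = @($records | Where-Object { -not $_.MatchesUser })
    Write-Output ("{0} record(s) reference an account other than {1}." -f $stale.Count, $expectedUpn)
}
```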

 

@David-B

 

Hi David,

 

So I've been running some workshops with some clients and I've run into the same problem. It really sucked that it happened during a live demo but all assured I did some troubleshooting.

 

Apparently the Company Portal App is bugged...

Here are my settings:  MAM and MDM are set to all or can be set to some, it doesn't matter. They should work in tandem ...

Tic_Patrick_0-1618333774668.png

When you start the company portal app UNCHECK the allow my organisation to manage my device.

Tic_Patrick_1-1618333911051.png

 

Everything works smoothly afterwards. I don't even get why that option is there in the first place. Even if it's unchecked it still registers the device with Azure AD...

I simply proceed then to the allow the organisation to manage my device. It worked.

 

Hope it helps,

Patrick

 

@Tic_Patrick 

Hi, I guess everyone is wondering the same question. 

 

But working in tandem? Microsoft explains MAM and MDM very well

 

Rudy_Ooms_0-1618497449117.png

 

If you don't want to register the device, you will need to click on no, sign in to this app only

Or

 

HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, "BlockAADWorkplaceJoin"=dword:00000001
https://docs.microsoft.com/en-us/azure/active-directory/devices/faq

Right, I completely missed that thing (as in I didn't know about the precedence of MAM over MDM for BYOD, thanks for that) but I was actually referring to the fact that having both those options applied shouldn't be the cause of the error "your device is already registered with another organisation". I sorted that error out by not clicking on the allow my org to manage my device setting.
Sheesh, I'm confused.. oh well, get your troubleshooting boots on!

Hi,

It's something that's quickly overlooked indeed. Old registry settings and old account connections could be the cause of the warning/error. When giving a demo, always make sure the device has a nice clean install :). I also made the mistake myself when I wanted to show something to a colleague.

They are always clean installs (fresh VM), so no registry issues. Just that silly manage my device option needs to be unchecked. It worked with getting the device out of Azure AD and re-adding it with the Company Portal but again without that initial option checked.

Best of luck!

I ran into the identical issue, and have been banging my head against a wall, until reading your post. Thanks for sharing.

Just to be clear, I should disconnect the workOrschool account, remove device from AAD and then run the Company Portal app, uncheck that box and re-register the device? Thanks - this is driving me crazy.

Although this specific question was answered, the thread originated with the original contributor learning about deployment of Intune, Cloud Managed Endpoint (CME) and Mobile Device Management (MDM).

 

If you are an IT Admin with access to the Microsoft 365 Admin Center, and you want step-by-step guidance on how to manage organization-owned or bring-your-own-device (BYOD) mobile devices and applications, be sure to review the Intune setup guide.

 

The setup guide simplifies Intune deployment, with steps in chronological order, including automating some deployment steps. 

 

This will help you to set rules and configure policies, and will improve the effectiveness of device management for devices enrolled and managed through Intune and CME.

@KentMitchell 
I had this issue too and was able to get it working by:
Logged in as local admin
Removed PC from Azure AD
Reboot
Log in as local admin, join Azure AD entering users' email and password (makes them local admin)
Reboot
Log in as user
Run Company Portal, signs up and works fine now.

Worked like a charm on getting a device enrolled in Endpoint Manager!
Or just use PowerShell to do so... and use the deviceenroller.exe

https://call4cloud.nl/2021/04/alice-and-the-device-certificate/

Because enrolling the device to Intune with the Company Portal could mess up your Intune device certificate
https://call4cloud.nl/2022/09/intune-the-legend-of-the-certificate/
Hi, does anyone know how to delete an Autopilot device from AAD, or whether it is possible?
Thanks in advance for any replies :)

Remove the Autopilot device first under Intune enrollment and then you could delete the Autopilot device

Hi Rudy,
Thanks for the reply. Sorry if I'm being thick but when you say "intune enrollment" do you mean "company portal" or "endpoint manager" ?
Regards
Endpoint Manager / Intune Portal --> Devices --> Enroll devices --> Below Windows Autopilot Deployment Program --> devices