This article outlines common issues that can occur with devices enrolled in Windows MDM and how to resolve them.
If a device fails to enroll in JumpCloud MDM, there are two common causes:
- It is still enrolled with another MDM provider.
- There are remnants of the previous MDM provider on the device.
When users try to enroll in JumpCloud MDM via the User Portal and enrollment fails, the following error may appear: The device is already being managed by an organization.
You can use JumpCloud Commands or the JumpCloud PowerShell Module to check the MDM enrollment status of your devices.
Using JumpCloud Commands to Confirm Enrollment
If the device has the JumpCloud Agent installed, you can use the following command to check the status of a specific device.
To check the device’s enrollment status using JumpCloud Commands:
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Commands.
For more information on commands in JumpCloud, see Get Started: JumpCloud Commands.
- Click (+), then click Command to create a new command. The Details tab for the new command displays.
- In the Type field, click Windows.
- Select Windows PowerShell.
- In the Command field, paste the following:
get-jcsystem -hostname Workbox | select-object mdm
- Select the Devices tab. Select one or more devices where you want to apply this command.
- Click Save.
- From your list of commands, run the newly created command on the affected device by clicking Run Now.
- Go to the Results tab and click view. Locate the vendor value in the results.
In the following example, the vendor is Internal, meaning that this device has successfully enrolled in JumpCloud MDM. If the vendor is None, no MDM provider was detected on this device. If the vendor is External, another MDM provider was detected on the system.
mdm
---
@{vendor=internal; profileIdentifier=; dep=; userApproved=; enrollmentType=unknown; enrollmentAttempts=0; createdAt=2024-04-05T16:47:49.026Z; prov...
Using the PowerShell Module to Confirm Enrollment
You can also use the JumpCloud PowerShell Module to check the enrollment status of all of your devices in JumpCloud.
See Installing the JumpCloud PowerShell Module to learn how to install and run the PowerShell Module.
To use the PowerShell Module to check enrollment status:
- Run the following command in the PowerShell Module:
$SystemMDMStatus = Get-JCSystem
foreach ($system in $SystemMDMStatus) {
    $MDMStatus = $system.mdm.vendor
    # Skip records that have no hostname
    if ($null -ne $system.hostname) {
        $Provider = $system.mdm.providerID
        $hostname = $system.hostname
        # One line per device: hostname, MDM vendor, provider ID
        Write-Host "$hostname, $MDMStatus, $Provider"
    }
}
- Check the $MDMStatus and $Provider values in the command results:
- If the device is enrolled with another MDM provider, follow the vendor’s specified steps to unenroll the device.
- If the device was unenrolled but it is still detected as an enrolled device, we recommend you contact the vendor for assistance with removing the remnants of the previous MDM enrollment.
There are times when a Windows device enrollment in JumpCloud MDM can’t be removed by normal methods, such as when the device is still linked with a previous MDM provider. When normal MDM removal methods don’t work, you can run the JumpCloud_MDM_Removal script to manually locate and remove an MDM profile.
Considerations:
- The MDM removal script can run either remotely (from the JumpCloud Admin Portal) or locally without user intervention.
- The script locates existing MDM Enrollment IDs in the HKLM:\SOFTWARE\Microsoft\Enrollments location of the registry, then removes all other keys related to the MDM enrollment.
Prerequisites:
- Your device must have the JumpCloud agent installed in order to receive PowerShell commands. See Install the JumpCloud Agent.
The script will use the Enrollment ID to remove the device’s associated MDM enrollment data from the following locations:
- Registry Entries:
- HKLM:\SOFTWARE\Microsoft\Enrollments
- HKLM:\SOFTWARE\Microsoft\Enrollments\Status\
- HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\
- HKLM:\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\
- HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers\
- HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\
- HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Logger\
- HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions\
- Scheduled Tasks:
- Related tasks under \Microsoft\Windows\EnterpriseMgmt\
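An added example (not part of the original article or of the removal script it describes): a read-only PowerShell inventory of the locations listed above, useful for recording what exists before the removal script runs and for confirming afterwards that nothing remains. It assumes enrollment IDs are the GUID-named subkeys of the Enrollments key and that a ProviderID value may be present on each; the function name Get-MdmEnrollmentRemnant is hypothetical.

```powershell
# Added example: read-only inventory of MDM enrollment remnants. Nothing is deleted.
# Assumption: enrollment IDs are the GUID-named subkeys of the Enrollments key.
$enrollRoot  = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$guidPattern = '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$'

# Registry parents listed in the article; each may hold a subkey named after the ID.
$parents = @(
    'HKLM:\SOFTWARE\Microsoft\Enrollments',
    'HKLM:\SOFTWARE\Microsoft\Enrollments\Status',
    'HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked',
    'HKLM:\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled',
    'HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers',
    'HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts',
    'HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Logger',
    'HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions'
)

function Get-MdmEnrollmentRemnant {
    $ids = Get-ChildItem -Path $enrollRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $guidPattern } |
        Select-Object -ExpandProperty PSChildName

    foreach ($id in $ids) {
        # ProviderID (assumed value name) is reported if present, blank otherwise.
        $props = Get-ItemProperty -LiteralPath (Join-Path $enrollRoot $id) -ErrorAction SilentlyContinue
        # Keep only the listed locations that actually contain a key for this ID.
        $keys = $parents | ForEach-Object { Join-Path -Path $_ -ChildPath $id } |
            Where-Object { Test-Path -LiteralPath $_ }
        # Scheduled tasks in the EnterpriseMgmt folder named after this ID.
        $tasks = Get-ScheduledTask -TaskPath "\Microsoft\Windows\EnterpriseMgmt\$id\*" `
            -ErrorAction SilentlyContinue
        [pscustomobject]@{
            EnrollmentId   = $id
            ProviderID     = $props.ProviderID
            RegistryKeys   = @($keys)
            ScheduledTasks = @($tasks | ForEach-Object { $_.TaskPath + $_.TaskName })
        }
    }
}

# One record per enrollment ID; empty output means no GUID-named enrollment keys exist.
Get-MdmEnrollmentRemnant | Format-List
```

Saving the output before and after the removal run gives a record of exactly which keys and tasks were present and which were cleared.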
To run the MDM removal script on a Windows device in the JumpCloud Admin Portal:
- Download the PowerShell script from GitHub: .
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Commands.
For more information on commands in JumpCloud, see Get Started: JumpCloud Commands.
- Click (+), then click Command to create a new command. The Details tab for the new command displays.
- In the Type field, click Windows.
- Select Windows PowerShell.
- In the Command field, paste the contents of the JumpCloud MDM removal script.
- Select the Devices tab. Select one or more devices where you want to apply this command.
- Click Save.
- From your list of commands, run the newly created command on the affected device by clicking Run Now.
The MDM enrollment profile should now be removed from the Windows device. To confirm the command results, go to Device Management > Commands, then click the Results tab.
- (Optional) If the MDM enrollment removal script fails to run using JumpCloud Commands (or the device is inaccessible for other reasons), you can run the script locally:
- Open an elevated PowerShell or PowerShell_ISE session on your Windows device.
- Paste the contents of the JumpCloud MDM removal script.
- Press Enter to run the script.