This blog post details the troubleshooting steps taken to resolve an issue where a co-managed device wasn't enrolling successfully in Microsoft Intune. The user wasn't able to access applications through the Company Portal, receiving a message about belonging to another organization.
"This device is already set up in another organization. Contact company support."
Despite the device being co-managed and all workloads transitioned to Intune, the error persisted. Here's a step-by-step breakdown of the investigation and resolution process.
Check Device Status in Intune Console
The first step was to verify the device's status in the Intune console. I noted that there was no device entry available with the hostname, although a record was present in Entra ID.
1. Inspect Device Settings
- User Accounts: On the device, I checked the settings under "User Accounts" to ensure that no other organization accounts were added. Only the correct organization account was listed.
- Sync Status: Under "User Accounts" > "Info", I observed that Intune sync had failed with error code 0x80072f9a. This error translates to ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY.
- MDM Certificates: I confirmed that MDM certificates with a valid timestamp were present for device enrollment to Intune.
2. Examine Registry Keys
I reviewed the registry key to check for externally managed settings:
Registry Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\externallymanaged
The key with a value of 1 was not found.
3. Review Event Viewer
I checked the Event Viewer under "Device Management - Enterprise Diagnostics Provider" but found only informational messages, with no errors.
4. Analyze Co-Management Logs
I also examined the comanagementhandler.log file located in C:\windows\ccm\logs, which indicated that the device was provisioned. However, this provisioning record was not reflected in the Intune console.
5. Compare Registry Keys
To further diagnose the issue, I compared the DeviceManageabilityCSP (HKLM:\SOFTWARE\Microsoft) registry keys of the non-working device with those of a working device. The non-working device was missing the MS DM Server registry key. I attempted to add this manually and restarted the SMS Agent service, but the issue persisted.
Non-working device:
Working device:
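The five checks above can be collected in one read-only pass so the same evidence is gathered the same way on every device (and can be diffed between a working and a non-working one). The script below is an added example and not part of the original post; it changes nothing on the device. It assumes two things the post does not state: that the Intune MDM device certificate is issued by "Microsoft Intune MDM Device CA", and that the Event Viewer channel referred to as "Device Management - Enterprise Diagnostics Provider" is "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin". It also treats both Intune discovery URLs from the post's re-enrollment script as "Intune" enrollments.

```powershell
# Added example, not part of the original post: a read-only pass over the checks from
# steps 1 to 5, to run in an elevated PowerShell session on the affected device.
# Assumed (not stated in the post): the Intune MDM device certificate is issued by
# "Microsoft Intune MDM Device CA", and the Event Viewer channel is
# "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin".
$IntuneDiscoveryUrls = @(
    "https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc",
    "https://discovery.dm.microsoft.com/EnrollmentConfiguration?api-version=1.0"
)

# Step 1 (MDM certificates): show the Intune MDM device certificate and its validity window.
Write-Host "== Intune MDM device certificate(s) in LocalMachine\My =="
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*Microsoft Intune MDM Device CA*" } |
    Select-Object Subject, NotBefore, NotAfter, Thumbprint | Format-List

# Step 2 (registry): 'externallymanaged' = 1 would mean another MDM authority claims the device.
$ExtPath = "HKLM:\SOFTWARE\Microsoft\Enrollments\externallymanaged"
if (Test-Path $ExtPath) {
    Write-Warning "externallymanaged key exists:"
    Get-ItemProperty -Path $ExtPath | Format-List *
} else {
    Write-Host "externallymanaged key not present (as on the device in the post)"
}

# Enrollment entries that point at Intune's discovery endpoints; a healthy device has one.
$IntuneEnrollments = Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Enrollments" |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.DiscoveryServiceFullURL -in $IntuneDiscoveryUrls }
Write-Host ("== Intune enrollment entries: {0} ==" -f @($IntuneEnrollments).Count)
$IntuneEnrollments | Select-Object PSChildName, DiscoveryServiceFullURL, UPN | Format-Table -AutoSize

# Step 3 (Event Viewer): newest critical/error/warning events from the diagnostics provider.
Write-Host "== DeviceManagement-Enterprise-Diagnostics-Provider errors/warnings =="
Get-WinEvent -FilterHashtable @{
    LogName = "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
    Level   = 1, 2, 3   # critical, error, warning
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

# Step 4 (co-management log): tail of CoManagementHandler.log from the ConfigMgr client.
Write-Host "== CoManagementHandler.log (last 30 lines) =="
Get-Content "C:\Windows\CCM\Logs\CoManagementHandler.log" -Tail 30 -ErrorAction SilentlyContinue

# Step 5 (DeviceManageabilityCSP): the 'MS DM Server' provider key was missing on the broken device.
$CspPath = "HKLM:\SOFTWARE\Microsoft\DeviceManageabilityCSP"
$DmServerKey = if (Test-Path $CspPath) {
    Get-ChildItem -Path $CspPath -Recurse | Where-Object { $_.PSChildName -eq "MS DM Server" }
}
if ($DmServerKey) {
    Write-Host "MS DM Server key present: $($DmServerKey.Name)"
} else {
    Write-Warning "MS DM Server key missing under DeviceManageabilityCSP (matches the non-working device in the post)"
}
```

Run it once on a known-good device and once on the broken one and compare the output; the enrollment count, the presence of the MS DM Server key and the certificate validity window are the three values that differed in the case described here.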
Resolution
Given the situation, I decided to delete the device enrollment registry keys and re-enroll the device. This process does not require removing any accounts—simply delete the relevant registry keys and restart the SMS Agent Host service.
Registry Key to Delete:
- Locate HKLM:\SOFTWARE\Microsoft\Enrollments and remove the registry key whose DiscoveryServiceFullURL equals https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc.
Since manually checking each registry key was time-consuming, I used the following PowerShell script to automate the process:
```powershell
<#
Description: This script will check and delete the registry keys for the co-management device enrollment and register/enroll the device to Intune.
Name: CoManagement_reenroll-Device.ps1
#>
$EnrollmentsPath = "HKLM:\SOFTWARE\Microsoft\Enrollments\"
$Enrollments = Get-ChildItem -Path $EnrollmentsPath
Foreach ($Enrollment in $Enrollments)
{
    # Each enrollment is a GUID-named subkey; read its values to find the Intune one(s)
    $EnrollmentObject = Get-ItemProperty Registry::$Enrollment
    if (($EnrollmentObject."DiscoveryServiceFullURL" -eq "https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc" -or $EnrollmentObject."DiscoveryServiceFullURL" -eq "https://discovery.dm.microsoft.com/EnrollmentConfiguration?api-version=1.0"))
    {
        $EnrollmentPath = $EnrollmentsPath + $EnrollmentObject."PSChildName"
        Remove-Item -Path $EnrollmentPath -Recurse
    }
}
Start-Sleep 5
#Restart SMS agent host service
Restart-Service ccmexec
Start-Sleep 120
#cmd.exe /c "c:\windows\system32\deviceenroller.exe /c /AutoEnrollMDM"
#Run the co-management production baseline policy to trigger the baseline evaluation.
$BLName = "CoMgmtSettingsProd"
$Baselines = Get-WmiObject -Namespace root\ccm\dcm -Class SMS_DesiredConfiguration | Where-Object { $_.DisplayName -like $BLName }
try
{
    $Baselines | ForEach-Object { ([wmiclass]"\\.\root\ccm\dcm:SMS_DesiredConfiguration").TriggerEvaluation($_.Name, $_.Version) }
    Write-Host "Successfully ran CoMgmtSettingsProd"
}
catch
{
    Write-Host "Failed to run CoMgmtSettingsProd"
}
```
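Deleting enrollment keys is not reversible once the script has run, so before using it at scale it is worth having a copy of what was removed and a way to preview the deletions. The variant below is an added example, not the post's own script: it exports every matching enrollment key to a .reg file with reg.exe before removing it, refuses to delete anything whose export failed, and supports -WhatIf so the matches can be reviewed first. The backup folder and the script file name are assumptions of this example; the service restart and baseline evaluation that follow are exactly as in the post's script and are not repeated here.

```powershell
# Added example (not from the original post): same enrollment-key removal as the post's
# script, but every matching key is exported to a .reg file first and the script honours
# -WhatIf. Save as e.g. Remove-IntuneEnrollmentKeys.ps1 (hypothetical name) and run elevated.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumed backup location; choose one that survives the re-enrollment
    [string]$BackupDir = "C:\Temp\EnrollmentBackup"
)

$EnrollmentsPath = "HKLM:\SOFTWARE\Microsoft\Enrollments"
$IntuneDiscoveryUrls = @(
    "https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc",
    "https://discovery.dm.microsoft.com/EnrollmentConfiguration?api-version=1.0"
)
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Same match rule as the post's script: the DiscoveryServiceFullURL points at Intune
$IntuneEnrollments = Get-ChildItem -Path $EnrollmentsPath |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.DiscoveryServiceFullURL -in $IntuneDiscoveryUrls }

foreach ($Enrollment in $IntuneEnrollments) {
    $Guid    = $Enrollment.PSChildName
    $RegKey  = "HKLM\SOFTWARE\Microsoft\Enrollments\$Guid"   # reg.exe syntax, no 'HKLM:' drive
    $RegFile = Join-Path $BackupDir "Enrollment_$Guid.reg"

    # reg.exe export gives a restorable copy of the whole subtree (re-import with 'reg import')
    & reg.exe export $RegKey $RegFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup of $RegKey failed (exit code $LASTEXITCODE); not deleting it."
    }

    # ShouldProcess returns $false under -WhatIf, so the key is only listed, not removed
    if ($PSCmdlet.ShouldProcess($RegKey, "Remove Intune enrollment key")) {
        Remove-Item -Path "$EnrollmentsPath\$Guid" -Recurse
    }
}

Write-Host ("Processed {0} Intune enrollment key(s); backups in {1}" -f @($IntuneEnrollments).Count, $BackupDir)

# Restart the SMS Agent Host as in the post, also gated on -WhatIf
if ($PSCmdlet.ShouldProcess("ccmexec", "Restart SMS Agent Host")) {
    Restart-Service ccmexec
}
```

Run it first with -WhatIf to see which GUID keys would be removed; without -WhatIf it performs the same deletions as the post's script and then restarts ccmexec, after which the baseline evaluation from the post's script can be triggered as before.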
Outcome
After executing the script and allowing some time for the process to complete, the device was successfully re-enrolled in Intune. The user was then able to see and install applications from the Company Portal.
The following is the output in the co-management handler log.