🔵 Troubleshooting Intune Device Enrollments: Understanding GUIDs, Registry Paths, and EnterpriseMgmt Tasks
This guide explains how to diagnose Intune MDM issues on a Windows device by using two key locations:
- Task Scheduler → EnterpriseMgmt
- Registry → HKLM\SOFTWARE\Microsoft\Enrollments
These two locations always contain matching GUID folders, and together they show the full state of the device’s MDM enrollment.
📌 Introduction: Why do these GUID folders exist?
When a Windows device enrolls into Intune (MDM), Windows generates a unique GUID folder for that enrollment.
That GUID is used in two places:
🔹 1. Task Scheduler
Task Scheduler → Microsoft → Windows → EnterpriseMgmt → {GUID}
This folder contains scheduled jobs that handle:
- MDM sync
- certificate renewal
- policy retrieval
- push notification handling
🔹 2. Registry
HKLM\SOFTWARE\Microsoft\Enrollments\{GUID}
This folder contains detailed information:
- tenant ID
- enrollment type
- certificate thumbprints
- renewal status
- MDM server URLs
- device identity
👉 Both folders describe the same enrollment.
If you have 2 or more GUIDs, it means the device has multiple MDM registrations, usually because:
- the device was re-enrolled
- co-management / dual MDM (ConfigMgr + Intune)
- enrollment became corrupted
- an older enrollment was never removed
⚠️ Multiple GUIDs often indicate problems — that’s why checking them is important.
🟧 Why You Must Check BOTH Registry & Task Scheduler
| Location | What it tells you | Why it matters |
|---|---|---|
| Task Scheduler → EnterpriseMgmt | Whether the MDM sync tasks are running successfully | If tasks fail → device cannot sync with Intune |
| Registry → Enrollments | The identity of the MDM enrollment | You can see whether the device is correctly enrolled and whether its certificates are valid |
Together, they give a full “health picture” of the Intune enrollment.
🟩 STEP 1 — Check Task Scheduler (EnterpriseMgmt)
Open:
Task Scheduler → Microsoft → Windows → EnterpriseMgmt
You will see one or more folders named like this:
0914EAF8-5CB3-4F9D-84E3-E1678561E3EE
E2B9AB74-0254-4166-967E-F2F357A4627B
Inside each folder you will find tasks such as:
- PushLaunch
- PushUpdate
- Schedule created for session retry
✔ What you’re checking:
- Does a task show an error?
- Has it never run?
- Does “Last Run Result” show a failure (0x800… etc.)?
❗ Why this matters:
If these tasks fail → the device cannot sync with Intune.
🟩 STEP 2 — Match the GUID in the Registry
Open:
HKLM\SOFTWARE\Microsoft\Enrollments
Find the same GUID you saw in Task Scheduler.
Inside each GUID folder, you will see many values.
🟩 STEP 3 — Check these 3 key values in the Registry
You only need to understand three values to diagnose most issues.
🔹 1. Check enrollment type
Value name:
EnrollmentType
Meaning:
- 0x0000000A → Intune MDM (correct)
- 0x0000000D → Autopilot MDM (correct)
- 0x00000000 → Azure AD registered only (NOT MDM)
If incorrect → device is not properly enrolled.
🔹 2. Check certificate status
Values:
DMPCertThumbPrint
RenewStatus
RenewTimestamp
Meaning:
- RenewStatus = 0 → OK
- RenewStatus ≠ 0 → certificate renewal failed
If incorrect → device cannot authenticate to Intune.
🔹 3. Check the Tenant ID
Value:
AADTenantID
Why:
If this GUID does not match your Intune tenant → the device is registered in the wrong environment.
🟦 STEP 4 — Why multiple GUID folders exist
You may see 2 or 3 GUIDs in:
- Task Scheduler
- Registry
This usually means:
How to identify the ACTIVE one:
- The active GUID will have:
  - recent timestamps
  - valid certificate
  - tasks that have run recently
- The inactive GUIDs will:
  - have old/empty values
  - show errors
  - have missing certificate info
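Steps 1 to 4 can be gathered in one read-only pass. The PowerShell below is an added example, not part of the original guide or any Microsoft tooling; it uses the registry value names and EnrollmentType meanings listed in Step 3, assumes an elevated session, and `$ExpectedTenant` is a placeholder to replace with your own tenant ID.

```powershell
# Added example (read-only). Value names and meanings are the ones listed in this guide.
$EnrollRoot     = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$TaskRoot       = '\Microsoft\Windows\EnterpriseMgmt\'
$ExpectedTenant = '00000000-0000-0000-0000-000000000000'   # placeholder: your Intune tenant ID
$GuidPattern    = '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$'
$TypeNames = @{ 10 = 'Intune MDM'; 13 = 'Autopilot MDM'; 0 = 'Azure AD registered only (not MDM)' }

# Step 2: enrollment GUID keys in the registry (non-GUID subkeys are skipped)
$regKeys = @{}
Get-ChildItem -Path $EnrollRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match $GuidPattern } |
    ForEach-Object { $regKeys[$_.PSChildName.Trim('{}').ToUpper()] = $_.PSPath }

# Step 1: scheduled tasks, grouped by the GUID folder directly under EnterpriseMgmt
$tasksByGuid = @{}
Get-ScheduledTask -TaskPath "$TaskRoot*" -ErrorAction SilentlyContinue | ForEach-Object {
    $folder = ($_.TaskPath.Substring($TaskRoot.Length) -split '\\')[0]
    if ($folder -match $GuidPattern) {
        $guid = $folder.Trim('{}').ToUpper()
        if (-not $tasksByGuid.ContainsKey($guid)) { $tasksByGuid[$guid] = @() }
        $tasksByGuid[$guid] += $_
    }
}

# Steps 3-4: one row per GUID seen in either location, so orphaned GUIDs stand out
$report = foreach ($guid in (@($regKeys.Keys) + @($tasksByGuid.Keys) | Sort-Object -Unique)) {
    $p    = if ($regKeys.ContainsKey($guid)) { Get-ItemProperty -Path $regKeys[$guid] }
    $info = @($tasksByGuid[$guid] | Where-Object { $_ } | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue)
    $type = 'missing'
    if ($null -ne $p.EnrollmentType) {
        $type = $TypeNames[[int]$p.EnrollmentType]
        if (-not $type) { $type = 'not listed in this guide (0x{0:X})' -f $p.EnrollmentType }
    }
    [pscustomobject]@{
        Guid            = $guid
        InRegistry      = $regKeys.ContainsKey($guid)
        InTaskScheduler = $tasksByGuid.ContainsKey($guid)
        EnrollmentType  = $type
        RenewStatus     = $p.RenewStatus            # 0 = OK per the guide
        RenewTimestamp  = $p.RenewTimestamp         # raw value as stored
        HasCertThumb    = [bool]$p.DMPCertThumbPrint
        TenantMatches   = ($p.AADTenantID -eq $ExpectedTenant)
        LastTaskRun     = ($info | Sort-Object LastRunTime | Select-Object -Last 1).LastRunTime
        NonZeroResults  = ($info | Where-Object { $_.LastTaskResult -ne 0 } |
            ForEach-Object { '{0}=0x{1:X}' -f $_.TaskName, $_.LastTaskResult }) -join '; '
    }
}
$report | Format-List
```

A GUID that appears in only one of the two locations, or that has no certificate thumbprint and an old `LastTaskRun`, is a candidate inactive enrollment under the Step 4 criteria. `NonZeroResults` lists every non-zero "Last Run Result", which includes tasks that have never run as well as real failures.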
🟦 SUMMARY — What this guide helps you understand
✔ Why GUID folders exist
(They represent Intune enrollment profiles)
✔ Why you check BOTH registry + Task Scheduler
(One shows identity, one shows activity)
✔ What the values mean in the registry
(Enrollment, certificate health, tenant)
✔ How to identify the active or broken enrollment
(By comparing GUIDs)
✔ How to understand sync failures
(Task Scheduler errors)