The Problem
Error 0x80180026 shows up during Intune enrollment and the event log message is almost useless: "The device is already enrolled." But the device clearly isn't enrolled. So what's going on?
This error is almost always a Hybrid Azure AD Join configuration issue — and it almost always happens silently, meaning the device looks fine in Active Directory but never actually completes cloud registration.
Why It Happens
Hybrid AAD Join requires three things to work in sync:
- A working Service Connection Point (SCP) in AD
- An AAD Connect sync that includes the device OU
- An MDM enrollment scope that covers the user or device
When any of these is misconfigured, devices fail to register. The tricky part is that dsregcmd /status might show the device as WorkplaceJoined rather than AzureAdJoined — and that's the silent failure mode.
The Diagnostic Tree
Step 1 — Verify the SCP
```powershell
# Run on a domain controller (requires the ActiveDirectory module)
# 62a0ff2e-97b9-4513-943f-0d221bd30080 is the well-known name of the
# Device Registration Configuration SCP; replace DC=yourdomain,DC=com with your forest
$scp = Get-ADObject -SearchBase "CN=Configuration,DC=yourdomain,DC=com" `
    -Filter {objectClass -eq "serviceConnectionPoint" -and name -eq "62a0ff2e-97b9-4513-943f-0d221bd30080"} `
    -Properties *
# keywords holds azureADName:<tenant name> and azureADId:<tenant ID>
$scp.keywords
```
You should see your tenant ID and tenant name in the output. If this returns nothing, the SCP doesn't exist — you need to run the AAD Connect SCP configuration wizard.
Step 2 — Check Device Join Status
```powershell
dsregcmd /status | Select-String "Join|MDM|Tenant"
```
Expected output for a properly Hybrid-joined device:
```text
AzureAdJoined : YES
DomainJoined : YES
MDMUrl : https://enrollment.manage.microsoft.com/...
```
If you see AzureAdJoined : NO, the device hasn't completed cloud registration at all. If you see WorkplaceJoined : YES, the device is registered as a personal device, not Hybrid joined.
Step 3 — Verify AAD Connect Sync Scope
The device OU must be included in AAD Connect sync. Check in the Synchronization Service Manager:
- Open Synchronization Service Manager
- Go to Connectors → your AD connector
- Properties → Configure Directory Partitions → Containers
- Verify the device OU is checked
Step 4 — Check MDM Enrollment Scope
In the Intune admin center, go to Devices → Enrollment → Automatic Enrollment.
Ensure the MDM user scope covers the affected users. A common mistake is setting the scope to "Some" while the assigned group does not actually include the user.
The Fix
The most common root cause I see is the SCP pointing to the wrong tenant — especially in environments that had a tenant rename or a test tenant setup previously.
```powershell
# Re-create the SCP (run as Domain Admin on the AAD Connect server)
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"
Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount "DOMAIN\AADConnect" -AzureADCredentials (Get-Credential)
```
After fixing the SCP, force a sync cycle and then trigger re-registration on the device:
```powershell
# On the affected device (as System or admin)
dsregcmd /forcerecovery
```
Then restart the device. Allow 5–10 minutes for the sync cycle to complete.
Verification
```powershell
# Confirm successful join
dsregcmd /status
```
Check in Graph API:
```http
GET https://graph.microsoft.com/v1.0/devices?$filter=displayName eq 'DEVICENAME'
```
In the Graph response, look for "trustType": "ServerAd" — that confirms it's a Hybrid joined device.
Summary
| Symptom | Likely Cause |
|---|---|
| 0x80180026 on enrollment | MDM scope or SCP issue |
| WorkplaceJoined: YES | Device registered as personal, not Hybrid |
| AzureAdJoined: NO | SCP missing or pointing to wrong tenant |
| Enrollment works for some users | MDM scope set to group, user excluded |
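The script below is an added example, not part of the original post: it parses `dsregcmd /status` output into a hashtable, maps the join flags onto the symptom table above, and compares the SCP's azureADId keyword with the tenant you expect. The sample status lines, tenant ID and function names are constructed for illustration.

```powershell
function ConvertFrom-DsregStatus {
    # Turn "Key : Value" lines from dsregcmd /status into a hashtable
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

function Get-HybridJoinDiagnosis {
    # Apply the symptom table: Hybrid joined, personal registration, or no cloud registration
    param([hashtable]$State)
    if ($State['AzureAdJoined'] -eq 'YES' -and $State['DomainJoined'] -eq 'YES') {
        return 'OK: Hybrid Azure AD joined'
    }
    if ($State['WorkplaceJoined'] -eq 'YES') {
        return 'Registered as a personal device (WorkplaceJoined), not Hybrid joined'
    }
    if ($State['DomainJoined'] -eq 'YES' -and $State['AzureAdJoined'] -eq 'NO') {
        return 'Domain joined but no cloud registration: check the SCP and AAD Connect sync scope'
    }
    return 'Unexpected join state; inspect dsregcmd /status by hand'
}

function Test-ScpTenant {
    # Compare the azureADId keyword on the SCP (from $scp.keywords in Step 1) with the expected tenant
    param([string[]]$Keywords, [string]$ExpectedTenantId)
    $id = ($Keywords | Where-Object { $_ -like 'azureADId:*' }) -replace '^azureADId:', ''
    if (-not $id) { return 'SCP has no azureADId keyword: SCP missing or incomplete' }
    if ($id -ne $ExpectedTenantId) { return "SCP points to tenant $id, expected $ExpectedTenantId" }
    return "SCP points to the expected tenant $ExpectedTenantId"
}

# Constructed sample output showing the silent failure mode; on a real device use: $lines = dsregcmd /status
$sample = @(
    '        AzureAdJoined : NO',
    '     EnterpriseJoined : NO',
    '         DomainJoined : YES',
    '      WorkplaceJoined : YES'
)
Get-HybridJoinDiagnosis -State (ConvertFrom-DsregStatus -Lines $sample)

# Constructed SCP keywords and tenant ID; on a DC pass $scp.keywords and your real tenant ID
$keywords = @('azureADName:contoso.onmicrosoft.com', 'azureADId:11111111-2222-3333-4444-555555555555')
Test-ScpTenant -Keywords $keywords -ExpectedTenantId '11111111-2222-3333-4444-555555555555'
```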