Troubleshooting Intune Error 80180014

This lady is a professional and probably knows more about Intune than I ever will.

I ran into an unexpected issue when enrolling a new device. I kept getting the following error message: “Your organization does not support this version of Windows. (0x80180014)”.

Screenshot of error code

Can’t enroll due to error 80180014

I did a quick search to find out that the error code means the platform isn’t supported. The recommendation was to upgrade the OS. (See: )

Screenshot of Microsoft Docs translating the error code and recommending to upgrade

Documentation recommends upgrading.

I wasn’t too sure this was really an accurate error, or even solid remediation advice. I felt like Intune was trolling me with a “have you tried turning it off and on again” bit of help. The device in question was running Windows 10 v1703. I tried again on a device running Windows 10 v1709 expecting success this time. Instead I was greeted with the same error code.

This time I went to the event log on the device to see what I could glean from there. In event log, under Applications and Services – Microsoft – AAD – Operations, there were plenty of fun errors and warnings. Take this one for example:

A warning message in the event log stating that the text associated with the error message couldn't be found.

The text associated with this error code could not be found.

There were a few other cryptic errors as well. Then I stumbled across one that started to point me to believe there was something wrong with my tenant.

Error message stating I might have tried to authenticate to the wrong tenant

“You might have sent your authentication request to the wrong tenant.”

At this point, I turned to my tenant to review settings. As far as I could tell, everything was ok. I reached out to Jan-Ketil Skanke for a sanity check. We reviewed my settings together. Turns out my tenant was blocking (all) device enrollment for some reason. Here’s where it becomes super obvious that I’m an Intune noob 🙂 Also a good time to point out that there’s nothing at first glance on this page that would suggest you should click the text you see to uncover more settings #ImJustSaying.

A view of enrollment restrictions in Intune

They couldn’t put an arrow or a “click here” type indicator that there may be more settings to drill into? (Spoiler alert: if you actually hover over an item you can tell if it is expandable) #IntuneNoobProblems

Screenshot showing settings expanded in Intune

OK, so it miiiiight be my fault.

I enabled Windows devices and waited a few minutes. I returned to both Windows devices and tried to enroll again. This time with success!
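
The event-log step above can be scripted so the errors and warnings around a failed enrollment are summarised in one pass. This is an added example, not part of the original post; the function name is hypothetical, and it assumes the channel name Microsoft-Windows-AAD/Operational for the AAD log and a one-hour look-back window.

```powershell
# Added example: summarise recent errors and warnings from the AAD operational log.
function Get-AadEnrollmentEvents {
    [CmdletBinding()]
    param(
        # Assumed channel name for the AAD log under Applications and Services Logs
        [string]$LogName = 'Microsoft-Windows-AAD/Operational',
        # Assumption: the failed enrollment was attempted within this many minutes
        [int]$Minutes = 60
    )

    $filter = @{
        LogName   = $LogName
        Level     = 2, 3                      # 2 = Error, 3 = Warning
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    }

    # Get-WinEvent reports an error when nothing matches; treat that as "no events"
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $events |
        Group-Object -Property Id |
        ForEach-Object {
            # Keep the most recent occurrence of each event ID
            $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                EventId  = $_.Name
                Count    = $_.Count
                Level    = $latest.LevelDisplayName
                LastSeen = $latest.TimeCreated
                # First line only; the full text stays available in the event's Message property
                Summary  = ("$($latest.Message)" -split "`r?`n")[0]
            }
        } |
        Sort-Object LastSeen -Descending
}

# Run on the device right after a failed enrollment attempt
Get-AadEnrollmentEvents | Format-Table -AutoSize -Wrap
```

Grouping by event ID keeps repeated warnings from burying the one message that points at the tenant.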

Customizing Intel NUC BIOS with Intel Integrator Toolkit

I’ve noticed that the newer models of NUCs that I’m purchasing (specifically the NUC7i7BNH) ship with a 12 character serial number populated in BIOS. A while back, I wrote a post about how to add it should it be missing. The utility used in that post is no longer available for download, and the last time I used it, the NUC  bricked, so I set off to find a new tool to interact with NUC BIOS. Enter the Intel Integrator Toolkit.

This is a really pretty picture, strategically placed to reduce your disappointment that you will encounter in the next paragraph 🙂

Now, don’t get mad at me, but to use the Intel Integrator Toolkit, you have to disable Secure Boot to turn on the “Internal UEFI Shell” feature (which isn’t something you should leave on because it requires a keystroke to quit before it interrupts normal boot into Windows). I’m not really fond of tools that not only provide little automation in the end, but that also require you to turn off security features just to use it. Especially when you can manipulate BIOS properties of other major PC vendors from within Windows and it can be automated and distributed via a sequence engine and leave Secure Boot turned on.


Look, I have no idea what they were thinking. I’m just as confused as you.

Now on to the purpose of this post:

If you want to use the Windows Autopilot Script on your Intel NUCs, you’re in for some failure if the serial number is missing on account of the script requires a serial number 🙂

So, to fix it in a scenario where you want to add/change/remove/whatever a serial number or other bios properties, you need to:

  1.  Download the Intel Integrator toolkit (which is a .EFI file and some documentation)
  2. Format a USB drive in FAT32
  3. Copy the .EFI file from the download to your formatted USB drive
  4. Disable Secure Boot
  5. Enable Internal UEFI Shell

Now to manipulate the Serial Number property, simply boot into the Internal UEFI Shell (if it’s enabled in BIOS, it will give you a few seconds to cancel out of before it interrupts the normal Windows boot process, so best not to leave this turned on outside of this scenario).

To edit the serial number use the following syntax:

ITK6.efi -s -t system -f serial -v mySerial

Where “mySerial” is the serial number you want to enter. The -s, -t and -f flags drill down specifically to the Serial Number property. Full documentation on how to use the switches is in the guide that ships with the toolkit.

Here’s a list of customizations you can do with v 6.1.6 of the toolkit:


Product Name
Serial Number
SKU Number
Asset Tag
Chassis Type
OEM String (up to 3)




OneDrive Woes in the Win10 AU

I have a *workaround* for anybody experiencing One Drive crashing in the Windows 10 AU (1607). What I’m doing isn’t a sustainable practice if you’ve got the error across a large environment.

Not so shiny error in the event log! Faulting application name: OneDrive.exe

Event Name: SkyDriveClientError

My environment:
-Bare metal deployment of AU
-Domain Joined
-The domain account logging in is not an administrator account, although when signing in with an admin account, the problem persists.

I did my homework:
-There are no GPOs blocking MS accounts or One Drive – it works in Windows7, Windows 8.1, and Win10 1511.
-McAfee Enterprise: see above – it works in other environments, we’ve got nothing configured that would interfere.
-Firewall/QoS/etc: see above – nothing that would prevent the app from running.
-Obtained media from VLSC and imported into MDT – zero customization done here.

After doing a lot of reading, I’m kind of relieved I’m not the only person with the issue, a lot of you are having it. The only workaround I ever saw posted was to roll back to 1511 or check EMET settings. Neither applies here because I did a bare metal deployment and we aren’t using EMET.

So, if I can’t rollback, what can I do?
I decided to add a Microsoft account (not the same one I was using for One Drive mind you) as a user on the PC. I didn’t make it administrator, just a regular user. BAM! One Drive works. That MS account had ~20GB data I was able to sync. Time to test on the domain account – and what do you know? Now it works and is happily syncing 200GB data.

Edit: I’m told by Sandy that in an upgrade scenario if you’re having the issue you can delete HKLM\Software\Policies\Microsoft\Windows\OneDrive

#SQLSunday – Find Device Collections and Collection Membership

I try to use the ConfigMgr console as little as possible these days (long story).  So, here’s a SHINY and FUN thing you can do in SQL!

Want to know what device collection an endpoint belongs to?

select distinct
v_FullCollectionMembership.CollectionID As 'Collection ID'
, v_Collection.Name As 'Collection Name'
, v_R_System.Name0 As 'Machine Name'
from v_FullCollectionMembership
JOIN v_R_System on v_FullCollectionMembership.ResourceID = v_R_System.ResourceID
JOIN v_Collection on v_FullCollectionMembership.CollectionID = v_Collection.CollectionID
--Uncomment below if you want to be specific.  Use the 'OR' operator (or IN) if you want multiple specific systems returned.
--Where v_R_System.Name0='MDT01'

Here’s all the collections my MDT server currently belongs to in this environment.

Alternatively, want to return all the rows?

select * from v_FullCollectionMembership
where name = 'MDT01'

And the most useful I’ve found from that view for reports is:

select distinct
v_FullCollectionMembership.CollectionID As 'Collection ID'
, v_Collection.Name As 'Collection Name'
, v_R_System.Name0 As 'Machine Name'
from v_FullCollectionMembership
JOIN v_R_System on v_FullCollectionMembership.ResourceID = v_R_System.ResourceID
JOIN v_Collection on v_FullCollectionMembership.CollectionID = v_Collection.CollectionID
--Uncomment below if you want to be specific.  Use the 'OR' operator (or IN) if you want multiple specific systems returned.
--Where v_R_System.Name0='MDT01'

Very SHINY columns are returned when running this query!

OSD – HP Driver Tips

Working on certifying drivers for some older model HPs in the shop. My options are:

1. Use Mikael Nystrom’s “PowerShell is King – Export drivers from Windows”: good stuff if you have a box already configured how you want and it’s not Windows 7.

(do a get-command export* and you’ll see you can’t use export-windowsdriver in Win 7)

Good Windows 7 Options:

2.  If you get stuck installing a driver as an application, check in Program Files/Program Files (x86) for the unpacked files to see if an .inf was dropped there.  Be careful pulling the .inf file as some of the softpaqs need the software stack to work properly (see method 4 below for this scenario).

Found the driver for Bluetooth for a ZBook in this folder in Program Files (x86)

3. If HP, I generally find the majority of the unpacked files in c:\swsetup and then I search Program Files.

C:\SWSetup is a common unpack directory for Support Assistant and manual installs.

4.  Another HP trick is to use the HP Softpaq Download Manager.  Once you load up the model you want, you can right click on any of the given drivers to get the fly out menu and select cva file.  If it exists, it will give you install + silent install instructions for those pesky drivers that need to be installed as applications.

Using HPSDM to get the driver package and install instructions.

Install instructions are in a cva that you open with notepad – then scroll to the install section.

A fun tip about the cva file is if you know the softpaq number, you can just find it in this URL  (this only works if there is actually a cva – not everything has one – but better than nothing, right??)

SQL Report: Unused Applications SCCM

This post is inspired by System Center Dudes’ post on auto uninstalling unused apps in your environment. It also has the same requirements (aka have Software Metering working in your environment if you want actual usage stats vs is this thing installed or not).

Disclaimer: I’m non-technical so these SQL queries come without warranty.  The good news is it’s only reads, so you’re not destroying anything 🙂

System Center Dudes’ post uses WQL to create device collections that allow you to gather info on specific installed applications and also to uninstall a specific application if it hasn’t been used within a certain time frame (120 days is good enough for me!). It’s an awesome idea, but I simply want to report on the presence of software and its usage to help management decide if we should buy the same number of licenses for a specific software at renewal time.

Here’s what I came up with:

--Specific Product Installed
select Name0 as ComputerName, Resource_Domain_OR_Workgr0 as 'Domain/WorkGroup', Client0
from v_R_System
inner join v_GS_INSTALLED_SOFTWARE on v_GS_INSTALLED_SOFTWARE.ResourceID = v_R_System.ResourceID
where v_GS_INSTALLED_SOFTWARE.ProductName0 like 'Stata%'

--Usage count Last 120 Days
select Name0 as ComputerName, Resource_Domain_OR_Workgr0 as 'Domain/WorkGroup', Client0
from v_R_System
inner join v_MonthlyUsageSummary
on v_R_System.ResourceID = v_MonthlyUsageSummary.ResourceID
inner join v_MeteredFiles
on v_MonthlyUsageSummary.FileID = v_MeteredFiles.MeteredFileID
where v_MeteredFiles.ProductName like 'Stata%' AND DATEDIFF (day, v_MonthlyUsageSummary.LastUsage, GetDate()) < 120

Find text using PowerShell

I totally broke the setup of a non ConfigMgr system that I’ve been tasked with setting up.

Oops, I did something wrong!

Somehow, in some way, I hard coded the TEST SQL server/database rather than the PROD SQL server/database into a config file. The bigger problem was that this is a system I had never heard of until a few days ago, so my only hope was combing through logs to find my error.

Log files always have the answer 😉

Once I found it, I started clicking through the install directory only to see there were too many config files and folders to know where to start.  I had two options, open every file or find it in PowerShell.

Here’s what I came up with to find what I was looking for:

dir "C:\program files\Ami FP Test" -I *.* -R | select-string SQLTEST

Sure enough, here’s the very config file where I made the mistake.

PowerShell is KING!

Found my mistake!

Hey, Scripting Guy has a more “pretty” and correct way of using this same method and you should read it.  But if you’re new to PowerShell, I want you to know that if it works, it doesn’t have to be pretty.  Use what works as your base to learn better ways to do things.

Create Local User Based on Serial Number

If you ever find yourself wanting to create a local user based on something super specific (like Serial Number) then this post is for you.

First you need your script:

#Created by Ami Casto Twitter:@MDTPro Blog:
#This script will create a local user account based on Serial Number, set the password to never expire, prevent user from changing the password, and add it to the Local Admin Group
#Make it all clean - this could be commented out if unwanted
$Error.clear() # Clear errors
#Queries Win32_Bios for Serial Number and pulls out the serial number to return it on a single line which gets captured as a variable
$SN = gwmi win32_bios | Select-Object -Expandproperty SerialNumber
# $SN now equals the hardware's Serial Number and this variable is used to create a user account, set a password, and prevent that user from changing it
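#P@ssw0rd is a placeholder: every machine built with this script gets the same local admin password unless you change it
net user $SN P@ssw0rd /add /passwordchg:no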
#This step sets the password to never expire
wmic useraccount where "name='$SN'" set passwordexpires=false
#This step adds the newly created account to the Local Admin group
net localgroup administrators $SN /add

Just copy/paste and save it as user.ps1 in the Scripts folder.

In MDT, open your preferred task sequence and create a new group where you would like the step to go.  Since this account is a local user and won’t be able to access anything specific to the deployment anyway, I’m adding the account near the end.

I’ve added the PowerShell script in a group I created for this step.

Notice that I call on it this way %SCRIPTROOT%\user.ps1 .  You could create a separate folder within the scripts folder, but you’ll have to remember to include that in the path as well, otherwise your deployment will fail.

And, Success!


It worked as expected – the user account matches what’s in the Serial Number property.

Disclaimer: It is very important that you pick a property that is short and doesn’t have special characters.  So I wouldn’t do this on a VM for example, I’d pick something from win32_bios such as model.
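
A variant of the script above that checks the serial number against the constraint in the disclaimer before creating the account, and takes the password as a parameter instead of embedding it. This is an added example, not the original script: the function names are hypothetical, and it assumes Windows PowerShell 5.1 with the LocalAccounts cmdlets, an elevated session, and the local-account naming limits of 20 characters with none of " / \ [ ] : ; | = , + * ? < > @.

```powershell
# Added example (not the original script). Run elevated on Windows PowerShell 5.1 or later.

# Returns $true only if the value is usable as a local account name.
function Test-LocalUserName {
    param([string]$Name)
    if ([string]::IsNullOrWhiteSpace($Name)) { return $false }            # missing serial number
    if ($Name.Length -gt 20)                 { return $false }            # local account name limit
    if ($Name -match '["/\\\[\]:;|=,+*?<>@]') { return $false }           # characters not allowed in names
    if ($Name -match '^[. ]+$')              { return $false }            # only dots and spaces
    return $true
}

# Creates a local administrator named after the BIOS serial number.
function New-SerialNumberAdmin {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Supplied by the caller so no password is stored in the script file
        [Parameter(Mandatory)][securestring]$Password
    )

    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    $name   = "$serial".Trim()

    if (-not (Test-LocalUserName -Name $name)) {
        throw "Serial number '$name' cannot be used as a local account name."
    }
    if (Get-LocalUser -Name $name -ErrorAction SilentlyContinue) {
        throw "A local account named '$name' already exists."
    }

    if ($PSCmdlet.ShouldProcess($name, 'Create local administrator account')) {
        # Same settings as the original: password never expires, user cannot change it
        New-LocalUser -Name $name -Password $Password `
            -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
        # S-1-5-32-544 is the built-in Administrators group, whatever its localized name
        Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $name
    }
}

# Interactive dry run; drop -WhatIf to create the account:
# $pw = Read-Host -AsSecureString 'Password for the new account'
# New-SerialNumberAdmin -Password $pw -WhatIf
```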

If you want to make this work on an Intel NUC, then you need to read my post about how to assign a Serial Number for your NUC.

Add a Serial Number to your NUC

As an Intel NUC owner, you might have noticed that your NUC doesn’t come with the serial number hard-coded into the BIOS:

NUC with no Serial Number

You can actually do this yourself with the Intel Integrator Toolkit.  The site says support ended for it and it would be taken down in 2015, but here we are mid 2016 and it’s still available :).  You get a list of client OS’s that support it but I installed it on Server 2016 TP 5 with no issues.

When you launch the application, you get a dialog box giving you some options.  As you can see, you could run this from another PC entirely (but don’t – you need to be present to accept the config changes).  If you’re running it from your NUC however, you can walk the wizard below to customize the BIOS and get right to it. (NOTE: You must have an active internet connection!)

Menu showing configuration options when you launch the tool.

Since I’ve picked to customize locally, the toolkit gives me a lot of options as you can see below.

Intel Integrator Toolkit

Lots of customization options!

In the SMBIOS menu, I simply input a value. I had the Serial Number from an old HP laptop I happened to have written down handy so I input that as the value. Just kidding, I picked Beaker. The toolkit allows you to paste in values, so you could create your own custom Serial Numbers and import them.

When you’ve finished your customization, you simply select “Save BIOS” from the ribbon.  This will install the BIOS and add all your custom configurations.

Time to make it happen!

YOU CANNOT DO THIS REMOTE – YOU NEED TO HAVE A KEYBOARD ATTACHED TO ACCEPT THE CONFIGURATION CHANGE (and a monitor to read the message, or just remember to press 9 on the keyboard).  Don’t say I didn’t warn you 🙂

Be ready to press 9 to accept the change

When the configuration is complete and you sign in again, you’re greeted with a dialog box from the toolkit letting you know your change was successful.

Woohoo, you did it!

And of course, you can validate in PowerShell too!

PowerShell is King! And your Intel NUC has a Serial Number!



Another important feature to customize is the display image.  I opted for a picture of Beaker because he’s my hero.

changing images






Office 365 Advice!

Today I was a guest on On The Air, a live tech talk show put on by Spiceworks. In the episode we talked about deploying Office 365 and played Servers and Sysadmins (a super fun IT version of the popular Dungeons and Dragons RPG). If you haven’t already seen it, here’s the link to the episode.


I wanted to also make sure to give some professional advice aside from the silliness on the show (but for real, I had a good time) so I have come up with some basic advice for getting started on your own.

Also, be sure to check out the EMS book by Kent Agerlund and Peter Daalmans.  It’s due to hit Amazon in May and will walk you through a full setup using both cloud and hybrid options.  I will post the link as soon as the book is available for purchase.

Preparing for Office 365 Migration:




Microsoft Online Services Sign-In Assistant for IT Professionals Beta


Azure AD cmdlets


Enable Script Execution (Admin PoSH)

Set-ExecutionPolicy -ExecutionPolicy Unrestricted


Get to know service descriptions – pick what’s best for your organization and understand what you’re signing up for – it would be better to sign up for too much than not enough service.


Office 365 Deployment Guide – advice on deployment models –these are my requirements – here’s the model that works best for me.

Deployment Readiness Toolkit – environment prechecker

Office 365 admin resource center

Microsoft Online Services Diagnostics and Logging (MOSDAL) Support Toolkit – troubleshoot config issues

Know your network or get to know your network admins – bring whiskey!

The slowest connection to Office 365 is going to be from your gateway to ISP and then ISP to Office 365 data center (if your ISP isn’t part of the Internet Backbone)

Think about how users will be accessing services like OWA/ActiveSync and also how much data do you have to migrate to the cloud (think Exchange S4B and SharePoint)

Get to know your organization’s QoS settings (this is where the whiskey comes in handy!)

Office 365 Community site

Learning PowerShell for Office 365:

Simply put, you’re going to use PowerShell for automation and management.

Many of the administrative tasks can be performed through the admin center UI, some tasks are difficult to do without PowerShell and some tasks can be performed only with PowerShell.

Get to know/use PowerShell ISE because the complexity of PowerShell is reduced in ISE. Basically, you don’t have to memorize every single command; ISE is pretty smart.

Pro tip: ALWAYS run as admin

It is a good idea to have a test tenant with a few users so you can test your PowerShell scripts. Alternatively, you can use your production tenant with test users. In both scenarios, the test users most likely will have to be assigned Office 365 licenses, at least during script testing. Microsoft does not provide free test tenants or free test user licenses.


Real-World Challenges (that I have seen):

Not understanding licensing or really not being ready to push users to the cloud because your legacy AD needs some love.  Take some time to review for stale accounts and clean them up before you migrate – it will save some pain on the other side.

QoS for Skype for Business – packet loss can really impact voice meetings so make sure you’re aware of/reviewing your organization’s QoS. Really this isn’t just a step for review for S4B, but this is one area that’s really not going to play nice if you aren’t prepared properly.

UPN – vs.

Perficient has a really good blog post about the topic.

Not understanding the design/implementation of your legacy environment – if you want a seamless user experience, you need to understand how and why things are set up the way they are in your legacy environment. From SharePoint layout and permissions to user vs equipment mailboxes in Exchange. Some things you did in your legacy environment are now charged as per user license in your new environment.

Not testing – either with a test tenant or test users in production – you need to understand the impact of your changes!

Understand that in Exchange, some legacy features/resources won’t be available in the cloud. So if a user connects to another mailbox or resource, it also needs to be available in the cloud. We saw this with Public Folders and equipment mailboxes that were set up as user mailboxes.