Microsoft Intune Device Enrollment & Policy Errors, Complete Fix Guide
Why Microsoft Intune Device Enrollment Errors Keep Happening
Picture this: you're an IT admin, it's Monday morning, and you have fifteen new laptops to enroll into Microsoft Intune before 9 AM. You open the Intune admin center, kick off enrollment, and immediately get slapped with an error that says absolutely nothing useful. No error code, no hint at what went wrong, just a vague failure message and a device sitting in limbo. I've been in that exact situation more times than I care to admit, and I know it's equal parts frustrating and baffling.
Microsoft Intune device enrollment failures can come from half a dozen different directions at once. The most common culprits I see in enterprise environments are MDM certificate mishandling, compliance policy conflicts, Enrollment Status Page (ESP) timeouts, and network conditions that quietly block the enrollment handshake. What makes troubleshooting especially painful is that Intune's error messages rarely map cleanly to the actual root cause. The device shows "enrollment failed", but that's the outcome, not the reason.
Let's talk about who actually runs into these problems. Most enrollment failures hit in a few specific scenarios: when an organisation upgrades Android devices from one major OS version to another (Android 11 to 12, for instance), when a new compliance policy is pushed without accounting for multi-range OS build settings, when macOS MDM agent updates go sideways, and when Windows devices in hybrid Azure AD environments hit certificate trust chain problems. Android Enterprise enrollment errors are especially common right now because the platform's management modes, dedicated, fully managed, and corporate-owned work profile, behave very differently under the hood.
Here's the thing Microsoft's own error messages won't tell you: a huge percentage of Intune enrollment failures and policy-not-applying situations are caused by known, documented bugs, not something you did wrong. Microsoft actively tracks these on the Known Issues page, and several are currently marked as Active with no ETA for resolution. The Company Portal app loading issue for Configuration Manager apps, the noncompliance remediation message only showing the first OS build range, and Android Enterprise OS filtering failures in exported reports are all real, live problems affecting production environments today.
Understanding the architecture helps. Intune enrollment works through a chain of trust: the device contacts the MDM enrollment service, exchanges certificates, downloads policy packages, and then reports compliance status back to Azure. Break any link in that chain, a certificate that fails to install, a network proxy that intercepts MDM traffic, or an Android OEM's custom ROM handling MDM headers incorrectly, and enrollment silently collapses. The client doesn't always know how to recover, and sometimes it doesn't even try.
That's why this guide exists. We're going to work through Microsoft Intune device enrollment troubleshooting systematically, covering the actual fixes that work in production, not theory. Browse all Microsoft fix guides →
The Quick Fix, Try This First for Intune Enrollment Issues
Before you dig into logs or start modifying policies, try this sequence. It resolves somewhere around 40% of Microsoft Intune device enrollment and policy sync failures in my experience, and it takes under five minutes.
Step 1, Force a manual device sync from the Intune admin center. Log into endpoint.microsoft.com, navigate to Devices → All devices, find the affected device, click on it, and hit Sync from the top action bar. Intune will queue a fresh policy pull. Wait two to three minutes, then refresh the device page and check the Last check-in timestamp. If it updates, the sync worked.
Step 2, On the device itself, open Company Portal. Sign out completely (go to Settings → Sign out within the app), close Company Portal, reopen it, and sign back in with the user's corporate account. This forces a fresh token exchange and re-registration with the Intune service. A huge number of "policy not applying" complaints are actually just stale auth tokens.
Step 3, Trigger a sync from the device side on Windows. Go to Settings → Accounts → Access work or school, click the connected account, then click Info. Scroll down and hit the Sync button. You'll see a sync status timestamp. If it successfully connects, your device is talking to Intune again.
Step 4, For Android devices specifically, go to Settings → Apps → Company Portal → Storage → Clear Cache. Do NOT clear data unless you're ready to re-enroll, just the cache. Restart Company Portal after clearing.
If the device syncs successfully but policies still aren't applying after 15 minutes, move on to the step-by-step section. If the device won't sync at all, the sync button in the admin center stays grayed out or the device shows "Not checked in" for hours, you're likely dealing with a certificate or enrollment state corruption that requires the deeper fixes below.
The Enrollment Status Page is where a lot of Windows device enrollment errors surface visibly. If the device gets stuck at ESP during Autopilot or fresh enrollment, spinning indefinitely or throwing a generic failure, here's how to get actionable data out of it.
First, collect the ESP diagnostic log. When a device is stuck on the ESP screen, press Ctrl + Shift + J. This opens the MDM Enrollment Diagnostics report in a browser-style pane on the right side of the screen. Scroll through and look for any policy or app installation failures. Note exact error codes, they'll look like 0x80070005, 0x800705b4, or 0x8024200d. These map to specific failure types.
Next, review what's blocking ESP completion. In the Intune admin center, go to Devices → Windows → Windows enrollment → Enrollment Status Page. Open your ESP profile and check the list of apps and certificates configured to block the device use phase. If a single app in that list fails to install, ESP halts the entire process. Remove any non-critical apps from the required list temporarily to isolate whether the ESP blocker is app-related or policy-related.
For apps deployed via Configuration Manager that appear in Company Portal, this is a known active issue right now. Apps delivered through ConfigMgr can take minutes to appear on the Windows apps page in Company Portal. If your ESP timeout is set below five minutes, it may fail before the ConfigMgr-sourced apps even appear. Extend the ESP timeout under the profile settings to at least 60 minutes for co-managed scenarios.
# Pull ESP-related event logs for offline analysis
Get-WinEvent -LogName "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin" |
Where-Object { $_.Message -like "*EnrollmentStatusPage*" } |
Select-Object TimeCreated, Id, Message |
Format-ListIf this returns events with ID 75 or 76, ESP hit a timeout or application failure respectively. The message body will name the specific policy or app that caused the halt, target that for remediation.
Once you've identified the blocker, either fix the app deployment or temporarily exclude the device from the restrictive ESP profile, re-enroll, then add it back. You should see the ESP progress cleanly through all phases and the device land in a Ready state.
Android Enterprise enrollment errors are some of the most confusing in the Intune ecosystem because there are actually three distinct corporate enrollment modes, dedicated, fully managed, and corporate-owned work profile, and they fail in different ways. The Intune admin center often groups them, which makes pinpointing the problem harder.
If you're seeing Android devices fail to enroll or lose access to Intune-managed resources, start here. Navigate to Devices → Android → Android enrollment in the Intune admin center and confirm the enrollment profile assigned to the device actually matches the intended management mode. A mismatch here silently breaks enrollment in ways that look like authentication failures.
For OPPO, OnePlus, and Realme devices specifically, there was a resolved issue where upgrading from Android 11 to Android 12 would cause these devices to lose access to Intune-managed resources entirely due to OEM-specific MDM header handling. If you're still seeing enrollment failures on these brands post-upgrade, install the latest OTA update from the OEM first. Microsoft confirmed the fix is rolled out on their side, but the device needs to be on a recent enough OEM build to pair with it correctly.
For Android 12 and later devices in general, be aware of a current active issue: Android 12 introduced a clipboard access toast notification that fires whenever any application touches the clipboard. Users running Company Portal version 5.0.5450.0 or later will see notifications like "Outlook pasted from your clipboard" appear during normal app use. This is an Android OS behavior, not a policy misconfiguration. The clipboard data is not stored locally or sent to Microsoft, it's purely a visual notification. Communicate this to users proactively so they don't flag it as a data breach.
For Android Enterprise personally-owned work profile enrollment failures, check that the user's Intune license is correctly assigned in Microsoft Entra ID (Azure AD) → Users → Licenses. Missing or incorrectly scoped licenses are a very common cause of enrollment failing silently at the token exchange step. The error shown in Company Portal will look like a generic network error, which is misleading.
# Verify Intune license assignment via Microsoft Graph (PowerShell)
Connect-MgGraph -Scopes "User.Read.All", "Directory.Read.All"
Get-MgUserLicenseDetail -UserId "user@yourdomain.com" |
Select-Object SkuPartNumberLook for INTUNE_A, EMS, or M365_F1 in the output. If none of those appear, the user can't enroll devices regardless of any other configuration.
Windows device enrollment errors are the most diagnosable category in Intune because Windows writes detailed MDM enrollment events to dedicated event logs that most people don't know exist. Once you find these logs, the root cause usually becomes obvious within a minute.
Open Event Viewer on the affected Windows device. Navigate to Applications and Services Logs → Microsoft → Windows → DeviceManagement-Enterprise-Diagnostics-Provider → Admin. This is your primary diagnostic source. Sort by date descending and look for Error-level events. The most common enrollment-blocking events you'll find here:
- Event ID 32, MDM enrollment failed; usually a certificate issue or connectivity problem to the enrollment endpoint
- Event ID 64, Certificate installation failure during enrollment; the MDM agent couldn't install the required client certificate
- Event ID 76, Policy application failure; a specific configuration policy failed to apply after enrollment completed
For Event ID 64 specifically, certificate installation failures, this directly maps to a known issue where the MDM agent mishandles failed MDM certificate installations. On macOS the result is automatic unenrollment (discussed later), but on Windows you'll see enrollment appear to succeed and then silently degrade. The fix is to clear the existing enrollment state and re-enroll cleanly:
# Remove stale MDM enrollment state (run as Administrator)
# First, identify the enrollment ID
Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Enrollments" |
Select-Object -ExpandProperty PSChildName
# Then remove the specific enrollment entry (replace {GUID} with actual ID)
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\Enrollments\{GUID}" -Recurse -Force
# Clear the enrollment task schedule entries
Get-ScheduledTask -TaskPath "\Microsoft\Windows\EnterpriseMgmt\*" |
Unregister-ScheduledTask -Confirm:$falseAfter running this, go to Settings → Accounts → Access work or school, disconnect the existing work account, restart the device, and re-enroll. This clears the corrupted enrollment state that causes persistent sync failures even when the device shows as enrolled in the admin center.
For hybrid Azure AD joined devices that can't sync with Intune, also check Applications and Services Logs → Microsoft → Windows → AAD → Operational for token acquisition failures alongside the MDM logs. Hybrid join problems almost always have a footprint in both log channels.
App Protection Policies (APP) in Microsoft Intune are the layer that controls data handling in managed apps, things like blocking copy-paste from managed to unmanaged apps, requiring PIN, or wiping corporate data on unenrolled devices. When APP isn't applying, users typically notice because managed app restrictions aren't working, or conditional access blocks them despite compliant devices. Here's how to work through it.
Start in the Intune admin center at Apps → Monitor → App protection status. Find the user and check their APP status. You're looking for "Checked in" status. If it shows "Not checked in" or the policy assignment is blank, the policy isn't reaching the app at all. This is almost always an assignment issue, the policy isn't targeted at the right user group.
Go to Apps → App protection policies → [Your policy] → Properties → Assignments. Verify the user's group is listed under Included groups. A common mistake is assigning APP to a device group instead of a user group, APP is always user-targeted, not device-targeted. If the assignment looks correct, check for an exclusion group that might be inadvertently capturing the user.
If assignment is correct but policy still isn't applying, the issue is often the parent setting problem. Microsoft identified a category of Office settings in the Settings Catalog that don't automatically enable required parent settings when a child setting is configured. These settings are now marked as (deprecated) in the Settings Catalog UI. If you see any deprecated markers on your APP-related settings, you need to manually enable the parent setting first, then re-configure the child setting. This is a known active issue with no automatic remediation, it requires manual policy reconstruction.
# Check APP status for a specific user via Graph API
GET https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppStatuses('userstatus')
# Or use PowerShell with the Graph module
Get-MgDeviceAppManagementManagedAppStatus -ManagedAppStatusId "userstatus"For Android APP issues post-Android 12 upgrade, the clipboard toast notifications (described in Step 2) sometimes cause users to believe their APP isn't working correctly, they see unexpected messages and assume something is broken. Verify with the user whether their concern is a behavior change or a complete policy failure before diving into technical remediation. Many APP "issues" reported after Android 12 upgrades are actually just this notification behavior.
Once you've corrected the assignment and parent settings, have the user sign out of the affected managed app completely, sign back in, and wait up to 8 hours for the policy to fully propagate. The Intune APP check-in cycle isn't instant.
Compliance policies are the backbone of Intune's conditional access story, get them wrong and either devices get incorrectly blocked or non-compliant devices slip through. There's a live bug affecting compliance messaging right now that's tripping up a lot of organisations, and it's worth understanding exactly what it does and doesn't affect.
Here's the situation: when you configure a compliance policy with the Valid operating system builds setting and specify multiple OS build ranges, devices that fall outside those ranges show a remediation message in Company Portal. That message is supposed to list all valid ranges the user could update to. Right now, it only shows the first range. The compliance policy itself is enforcing all ranges correctly, this is purely a display bug in Company Portal for Windows 10/11. Users aren't getting wrong guidance on whether they're compliant; they're just not seeing all their valid update targets.
The practical impact: users whose build falls within a second or third valid range may think they need to update even when they don't, and they'll contact your helpdesk. Your communication to users should be: "Check the OS build range in your compliance policy settings, not just the Company Portal message."
For the underlying compliance policy configuration, go to Devices → Compliance policies → [Policy] → Properties and review the Device Health and System Security sections carefully. The most common misconfiguration I find is BitLocker compliance set to Required on devices that have BitLocker pending a restart, the policy reports the device as non-compliant even though BitLocker is technically enabled. Have the user restart the device, then trigger a compliance re-evaluation:
# Force compliance evaluation on Windows device (run as Administrator)
Start-Process -FilePath "C:\Windows\System32\deviceenroller.exe" -ArgumentList "/c /AutoEnrollMDM"
# Or trigger sync via scheduled task
Start-ScheduledTask -TaskName "\Microsoft\Windows\EnterpriseMgmt\*\Schedule created by enrollment client"After forcing the evaluation, check the Intune admin center under Devices → [Device] → Device compliance → Check compliance. The compliance state should update within a few minutes. If BitLocker was the blocker and the user restarted, it should flip to Compliant. If the device remains non-compliant after this, pull the compliance report from Reports → Device compliance → Reports → Noncompliant devices to see exactly which policy setting is failing.
For Azure enterprise applications not appearing in Company Portal for Windows, this is another current active known issue Microsoft is investigating. If users report missing apps in the Company Portal website or the Windows app, verify first whether the apps are Azure enterprise apps versus apps deployed directly through Intune. If they're Azure enterprise apps and they're assigned but not showing, this is the known issue. The workaround is to provide users direct links to the applications through MyApps (myapps.microsoft.com) while Microsoft resolves this on the backend.
Advanced Troubleshooting for Microsoft Intune Device Enrollment
If the steps above didn't resolve your issue, you're in deeper territory. Here's how enterprise IT pros handle the cases that don't respond to standard fixes.
macOS Device Unexpectedly Unenrolling. This is one of the more disruptive issues I've seen in production, a Mac that was happily enrolled just drops off Intune with no warning. The root cause is the MDM agent mishandling failed MDM certificate installations. When the agent doesn't receive the expected HTTP headers during a certificate operation, it interprets this as a fatal error and automatically removes the MDM enrollment profile. The device is now completely unmanaged.
There's no remote fix for this, you have to physically re-enroll the device. Before you do, check the device's Console logs (open Console.app on the Mac and filter for "mdmclient") for entries around the time of unenrollment. Look for messages referencing certificate failures or unexpected server responses. Document these before re-enrolling, and if you see a pattern across multiple Macs, report it to Microsoft Support with the Console logs attached, this helps Microsoft identify whether there's a network or certificate infrastructure factor on your end driving the MDM header issue.
SCEP Certificate Profile Failures. For devices that need certificates pushed via Intune, VPN, Wi-Fi, email authentication, SCEP (Simple Certificate Enrollment Protocol) failures are particularly damaging because they silently break connectivity. Navigate to Devices → [Device] → Device configuration and look at the certificate profile status. A failure here will show a red X with a vague error. The detailed diagnostics live in the NDES (Network Device Enrollment Service) event logs on your NDES server:
# On the NDES server, check the NDES policy module logs
Get-WinEvent -LogName "Microsoft-Windows-NetworkDeviceEnrollmentService/Admin" |
Where-Object { $_.Level -eq 2 } |
Select-Object TimeCreated, Id, Message -First 20 |
Format-ListEvent IDs 2 (request rejected) and 4 (SCEP request failed) are the key ones. The message body will tell you whether the failure is at the NDES challenge password validation stage, the CA submission stage, or the certificate delivery stage, each has a different fix path.
Android Enterprise OS Filtering in Reports. If you're exporting the All Devices report or using the Export API and your Android Enterprise device counts look wrong, this is a known active issue. The Export API doesn't distinguish between Android Enterprise management modes, dedicated, fully managed, and corporate-owned work profile are all grouped together. If you filter an exported report for one management type, you'll get all three. This affects the /deviceManagement/managedDevices Graph API endpoint as well. The UI-based filtering in the Intune admin center is not affected. For reporting accuracy, work with admin center UI exports until Microsoft resolves the API-level filtering.
Conditional Access Blocking Correctly Enrolled Devices. If devices pass compliance checks but conditional access still blocks them, the issue is almost always a timing or token freshness problem. The device's compliance token needs to be refreshed after a compliance state change. Have the user sign out of the affected app completely, then sign back in. If that doesn't resolve it, check Azure AD → Sign-in logs for the user and look at the Conditional Access column, expand the failed sign-in and it will show you exactly which CA policy is firing and why.
BitLocker Reporting Discrepancies. If the Intune encryption report shows BitLocker as not encrypted when the device is actually encrypted, the reporting agent may need a kick. Go to Reports → Endpoint security → Encryption report and check the Encryption readiness column versus the Encryption status column. A mismatch usually means the device hasn't checked in since encryption completed. Force a device sync, wait 30 minutes, and re-check.
mdmdiagnosticstool.exe -out C:\MDMLogs on Windows), and tenant ID before calling. Microsoft Support will ask for all of these upfront.
Prevention & Best Practices for Intune Device Enrollment
The best Intune troubleshooting session is the one you never have to run. Here's what keeps environments clean in my experience.
Monitor Known Issues proactively. Microsoft maintains the Intune Known Issues page and the Intune Customer Success blog where they post active issues, blog post deep-dives, and resolution timelines. Subscribe to the Microsoft Intune blog RSS feed and review the Known Issues page before any major OS rollout in your environment. If you'd rolled out Android 12 devices and read the Known Issues page first, you'd have known about the access loss issue for OPPO/OnePlus/Realme before it hit your users.
Stage OS upgrades for enrolled devices. Don't let Android or Windows devices update to a new major OS version without first testing Intune enrollment and compliance policy behavior on that OS in a controlled group. Create a test ring of five to ten devices, upgrade them, run a full compliance and app policy check, and only then allow broader rollout via your update rings. This catches OEM-specific MDM handling differences before they become a helpdesk incident wave.
Review Settings Catalog policies for deprecated parent settings. After the known issue with Office settings in the Settings Catalog, do a full audit of your configuration profiles. In the Intune admin center, go to Devices → Configuration → Policies, open each policy, and look for any settings marked as (deprecated) in the Settings Catalog view. Rebuild those settings by enabling the parent setting first, then re-configuring the child. This prevents silent policy failures where the setting appears configured but never actually applies.
Set realistic ESP timeouts. The default Enrollment Status Page timeout is often too short for environments with heavy app deployment or slow internet connections at field sites. For co-managed environments with Configuration Manager apps in the mix, set the ESP timeout to at least 90 minutes. A failed ESP due to timeout causes re-enrollment loops that waste hours of helpdesk time.
Document your Android Enterprise enrollment mode decisions. Because the Export API and managedDevices API currently group all Android Enterprise corporate modes together, maintain an internal record of which device groups use which management mode. This is your source of truth until Microsoft fixes the API-level filtering. Without it, exported reports become nearly impossible to parse for compliance audits.
- Bookmark the Intune Known Issues page and check it every two weeks, active issues change and some have workarounds that aren't obvious from the article title alone
- Set up Microsoft Endpoint Manager health alerts in the admin center so you get proactive notification when enrollment services degrade, rather than finding out from users
- Use Assignment filters in Intune to scope policies precisely to device types and OS versions, this prevents compliance policies from applying to devices with legitimately different OS build ranges and triggering false non-compliance
- Keep Company Portal updated on all managed devices, many enrollment and policy sync issues are resolved in minor Company Portal updates, and outdated versions create compatibility gaps with the Intune service
Frequently Asked Questions About Microsoft Intune Device Enrollment
Why does Intune show my device as enrolled but compliance says "Not evaluated"?
"Not evaluated" means the compliance policy hasn't had its first check-in cycle complete yet, it doesn't mean the device is non-compliant. This status appears immediately after enrollment and clears within 15–30 minutes as Intune evaluates the device against your compliance policies. If it stays "Not evaluated" for more than an hour, trigger a manual sync from the Intune admin center under Devices → [Device] → Sync, then check again. Persistent "Not evaluated" after a sync usually indicates the compliance policy isn't assigned to the device's group, double-check your policy assignments.
My macOS device keeps dropping off Intune by itself, how do I stop it from happening again?
This self-unenrollment behavior is caused by the MDM agent removing the enrollment profile when it encounters unexpected responses during MDM certificate operations, specifically when the expected HTTP headers aren't returned correctly. You have to re-enroll each affected device manually (there's no remote fix once the MDM profile is gone). To reduce recurrence, ensure your network isn't inspecting or modifying MDM traffic, SSL inspection proxies are a common cause of the header issue. If multiple Macs are dropping off within the same time window, that's a strong indicator of a network-level interference rather than individual device problems. Check with Microsoft Support with Console logs from the affected devices showing events around the unenrollment time.
Users are seeing "Outlook pasted from your clipboard" pop-ups on their Android phones, is this an Intune breach or bug?
This is not a data breach and not a bug in Intune. Android 12 introduced an OS-level clipboard access notification that fires whenever any app accesses the clipboard, regardless of whether the device is enrolled in MDM or whether Intune App Protection Policies are active. Users running Company Portal version 5.0.5450.0 or later will see this message. Microsoft has confirmed that clipboard data is never stored locally or transmitted anywhere, this is purely a visual notification from the Android operating system. The best resolution is proactive user communication explaining what the notification is before your users start calling the helpdesk alarmed about data leaks.
Why is the Company Portal showing only one valid OS build range when my compliance policy has three?
This is a documented known issue affecting Windows 10 and Windows 11 devices. When you configure the Valid operating system builds compliance setting with multiple OS build ranges, Company Portal's remediation message only displays the first range, the other valid ranges are invisible to the user. Importantly, the compliance policy itself is enforcing all ranges correctly, a device within any valid range will be marked compliant regardless of what the message shows. The workaround is to communicate the full list of valid OS ranges to your users directly (through IT communications or your intranet portal) so they're not confused by the truncated message. Microsoft is aware of this issue and working on a fix.
My Android Enterprise device filter in exported Intune reports keeps showing all device types, is this a configuration error?
No, this is a known active platform issue with Intune's Export API and native managedDevices API calls. The API currently doesn't distinguish between Android Enterprise dedicated devices, fully managed devices, and corporate-owned work profile devices, they're all grouped together. If you filter an export for one management mode, the report will include all three. The admin center UI-based filtering works correctly and is not affected. For accurate per-mode reporting until Microsoft fixes the API layer, use the Intune admin center's UI for report generation instead of the Export API or direct Graph API calls. If you need programmatic reporting, maintain your own device mode mapping in a supplemental data source.
How long does it take for a new Intune compliance policy to apply after it's created?
After you create or modify a compliance policy in Intune, device check-in cycles determine when it actually evaluates. Windows devices check in approximately every 8 hours by default, though you can trigger an immediate evaluation via Settings → Accounts → Access work or school → Info → Sync. Android and iOS devices have similar check-in intervals. For a freshly enrolled device, expect the first compliance evaluation within 15–30 minutes. For existing enrolled devices picking up a new policy, assume up to 8 hours without a forced sync. If a device hasn't evaluated after a forced sync and 30 minutes, check that the compliance policy is assigned to the correct user or device group, unassigned policies never evaluate.