How to Troubleshoot MEM Intune

Microsoft Fix Intermediate 14 min read Official Docs Grounded Updated April 20, 2026
What's in This Guide
  1. Why This Happens
  2. The Quick Fix
  3. Step-by-Step Solution
  4. Advanced Troubleshooting
  5. Prevention & Best Practices
  6. FAQ

Why MEM Intune Troubleshooting Is Such a Pain

I've seen this play out on dozens of enterprise deployments: someone's device shows as "Not compliant" in the Microsoft Endpoint Manager admin center, policies refuse to apply, apps sit in a perpetual "Pending install" state, and nobody can figure out why. Meanwhile, Intune's error messages are spectacularly unhelpful , you get cryptic codes like 0x80180014 or 0xcaa2000c with zero context about what actually went wrong.

MEM Intune troubleshooting isn't a single-problem fix. It's a category of issues. The three most common complaints I field from IT admins are: devices that enrolled but never receive policy, apps that deploy to zero devices despite assignments looking correct, and conditional access blocking users who should be compliant. Each of these has a different root cause, but they all trace back to the same handful of underlying problems.

At its core, Microsoft Endpoint Manager Intune is a cloud-based MDM (Mobile Device Management) and MAM (Mobile Application Management) service. It talks to devices through the Windows MDM stack, which is built on the OMA-DM protocol. When you change a policy in the admin center, that change has to travel through Azure AD, the Intune service, the device's MDM enrollment channel, and finally the local policy engine. Any break in that chain causes issues , and each layer fails silently in its own special way.

The people who run into MEM Intune problems most often are IT admins managing hybrid Azure AD-joined fleets, organizations migrating from SCCM (now Microsoft Configuration Manager) to Intune, and help desk staff dealing with BYOD enrollment failures. If you're a solo admin managing 200+ devices, you're probably seeing these problems weekly.

Why don't Microsoft's built-in error messages help? Because most of them are surfaced from deep inside the MDM client stack and were never designed to be human-readable. The code 0x80070005 technically means "Access denied," but that tells you nothing about what was denied, where, or why. You need to correlate that with Event Viewer logs, MDM diagnostic reports, and the Intune device blade simultaneously, which is exactly what this guide walks you through.

I know this is frustrating, especially when a compliance block is stopping users from accessing corporate email while you're scrambling to figure out the cause. Let's fix it. Browse all Microsoft fix guides →

The Quick Fix, Try This First

Before you go deep into logs and registry edits, run through this fast sequence. In my experience, it resolves about 60% of MEM Intune troubleshooting cases in under ten minutes.

On the affected device, open a PowerShell window as Administrator and run:

# Force an immediate Intune policy sync
$session = New-Object -ComObject Microsoft.MDM.AutoEnrollment
Start-Process "ms-settings:workplace"

Then navigate to Settings → Accounts → Access work or school, click your enrolled account, then click Info, then click Sync. Watch the "Last attempt to sync" timestamp. If it refreshes and shows the current time, the device is communicating with Intune successfully.

If that doesn't update, open an elevated PowerShell and run the full MDM diagnostic sync:

Start-Process "$env:windir\system32\deviceenroller.exe" -ArgumentList "/o 3 /c /h" -Wait

Then check the Intune admin center. Go to Devices → All devices, find the device, click it, and look at the Device sync status field. If it shows "Sync succeeded" with a recent timestamp, the channel is clear and your policy should apply within the next check-in cycle (usually 8 hours for policy refresh, though you just forced it).

One more thing to try immediately: in the Intune admin center, navigate to Devices → [device name] → Sync and click the Sync button from the portal side. This pushes a notification to the device rather than waiting for the device to poll. It's faster and more reliable than waiting.

Pro Tip
The single most common cause of "policy not applying" in MEM Intune is a stale MDM certificate. Before digging into policies, check the certificate expiry in certmgr.msc → Personal → Certificates and look for a certificate issued by MS-Organization-Access. If it's expired or missing entirely, that's your culprit, re-enrollment is faster than trying to manually renew it.
1
Verify Device Enrollment Status and MDM Authority

Half the time when someone tells me "Intune isn't applying policies," the device isn't actually fully enrolled, it just looks like it is. Here's how to confirm.

In the Intune admin center (intune.microsoft.com), navigate to Devices → All devices and search for the device by name or serial number. Look at the Managed by column, it should say Intune. If it says Co-managed or ConfigMgr, your workloads may be split, meaning Intune only controls certain policy categories while SCCM controls others. That's intentional for co-management, but it's often the source of confusion.

On the device itself, open an elevated Command Prompt and run:

dsregcmd /status

Look for these three fields in the output:

AzureAdJoined     : YES
MDMUrl            : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
EnterpriseJoined  : NO

If MDMUrl is blank, the device has no MDM enrollment at all. If AzureAdJoined is NO, you have a hybrid join issue that needs to be resolved before Intune can function. You should also check the MDM enrollment URL matches your tenant, wrong URLs indicate the device enrolled into a different Intune tenant, which happens more often than you'd think in multi-tenant organizations.

If you see WPJ (Workplace Joined) instead of Azure AD Joined, the device is doing MAM-only enrollment. Policies that require full MDM enrollment won't apply. You'll need the user to unenroll and re-enroll properly through Settings → Accounts → Access work or school → Connect using their work credentials.

When this step is done correctly, dsregcmd /status should show AzureAdJoined : YES and a populated MDMUrl.

2
Run the MEM Intune MDM Diagnostic Report

Microsoft built a diagnostic tool directly into Windows that generates a detailed report on MDM enrollment health, applied policies, and sync errors. This is the single most useful tool for MEM Intune troubleshooting, and most admins don't know it exists.

Open an elevated PowerShell window and run:

$path = "$env:TEMP\MDMDiagReport"
New-Item -ItemType Directory -Path $path -Force | Out-Null
MdmDiagnosticsTool.exe -area "DeviceEnrollment;DeviceProvisioning;Autopilot" -zip "$path\MDMDiag.zip"
Write-Host "Report saved to: $path\MDMDiag.zip"

Extract the zip and open MDMDiagReport.html in a browser. This file contains your complete enrollment state, every applied policy with its OMA-URI and current value, any provisioning errors with full error codes, and Autopilot profile status if applicable.

Look specifically at the Policies section. Each policy entry shows its Source (the policy CSP path), Value (what Intune sent), and Status (whether it applied or failed). An error status of 0x87D1FDE8 means a remediation failed, the policy reached the device but the system rejected it, usually due to a conflict with a local Group Policy. An error of 0x80070005 is an access denial, typically a permissions issue with the MDM client itself.

Also check the Enrollment section for your certificate details. Note the expiry dates on the MDM certificates, anything expiring within 30 days warrants a re-enrollment before it fails outright.

When you've run this successfully, you'll have a clear list of exactly which policies are failing and why, no more guessing.

3
Diagnose and Fix Compliance Policy Failures

Compliance policy issues are the most business-impacting MEM Intune problem because they trigger Conditional Access blocks. A device marked non-compliant can't access Exchange Online, SharePoint, or Teams, and users get blocked from their work with a message that says essentially nothing useful.

In the Intune admin center, go to Devices → [device name] → Device compliance. You'll see each compliance policy assigned to the device and its per-setting status. Look for any items showing Not compliant with a red indicator. Common offenders:

  • BitLocker: reports not compliant when the encryption is still in progress or when the device hasn't uploaded its recovery key to Azure AD yet, even if BitLocker is actually enabled
  • Windows Defender: reports non-compliant if the service is in a "Limited" state, which happens after a failed signature update
  • OS version: Windows Update for Business rings and compliance minimum version requirements frequently drift out of sync after feature updates

For BitLocker specifically, run this on the device to check key escrow status:

manage-bde -status C:

If Key Protectors shows Numerical Password but the key hasn't uploaded to Azure AD, force the upload:

$BLV = Get-BitLockerVolume -MountPoint "C:"
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId

After forcing the key upload, resync the device. Compliance status should update within 5–10 minutes. If Conditional Access is still blocking the user, check whether the CA policy has a grace period configured, if it does, the user can access resources during the grace period while compliance catches up.

4
Fix Intune App Deployment and Installation Failures

App deployment failures are a special kind of frustrating because the admin center often just shows "Install failed" with no further detail. Here's how to get the actual error.

In the Intune admin center, navigate to Apps → All apps → [App name] → Device install status. Find the specific device and click it. The Status details column will show an error code. Write it down, the most common ones I see are:

  • 0x87D13B68, Win32 app content download failed (network or CDN issue)
  • 0x80070643, MSI installation failed (check the application's own installer log)
  • 0x87D1041C, Device not checked in recently enough to receive the assignment
  • 0x80004005, Unspecified failure in the Intune Management Extension (IME)

On the device, open Event Viewer → Applications and Services Logs → Microsoft → Windows → DeviceManagement-Enterprise-Diagnostics-Provider → Admin. Filter for Error-level events. You'll find IME (Intune Management Extension) failures logged here with much more detail than the portal shows.

For Win32 apps, the IME writes detailed logs to:

C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log

Open this file (it's plain text) and search for your app's name or the error code. You'll see the full installation command, the return code from the installer, and whether the detection rule matched after installation. If the detection rule is wrong, for example, checking for a registry key that the installer writes to a different path on 64-bit systems, the app installs successfully but Intune thinks it failed and retries repeatedly.

Fix the detection rule in Apps → [App] → Properties → Detection rules, resave the app, and force a sync. The app should show as installed within one sync cycle.

5
Resolve Enrollment Errors and Re-Enroll When Necessary

Sometimes the cleanest path forward is a full re-enrollment. This sounds drastic, but for Windows 10/11 devices it's actually non-destructive, user data stays intact, and the process takes about 15 minutes.

Before re-enrolling, you need to cleanly remove the existing MDM enrollment. Do NOT just click "Disconnect" in Settings, as that sometimes leaves orphaned registry entries that cause the new enrollment to fail with error 0x80180014 (The device is already enrolled).

Instead, run this in an elevated PowerShell to fully clean the enrollment:

# Remove all MDM enrollment registrations
$enrollPath = "HKLM:\SOFTWARE\Microsoft\Enrollments"
$entries = Get-ChildItem $enrollPath
foreach ($entry in $entries) {
    $providerID = (Get-ItemProperty -Path $entry.PSPath -Name "ProviderID" -ErrorAction SilentlyContinue).ProviderID
    if ($providerID -eq "MS DM Server") {
        Write-Host "Removing enrollment: $($entry.Name)"
        Remove-Item -Path $entry.PSPath -Recurse -Force
    }
}

Then go to Settings → Accounts → Access work or school and verify the work account is gone. If you see the account still listed, click it and choose Disconnect to finish the cleanup.

Now re-enroll. Have the user navigate to Settings → Accounts → Access work or school → Connect and sign in with their work Azure AD account. If your organization has auto-enrollment configured via Group Policy or Azure AD join, the MDM enrollment will trigger automatically when they sign in. If not, they'll step through the manual enrollment wizard.

Watch the enrollment complete in real-time in the Intune admin center under Devices → Monitor → Enrollment failures. If a new failure appears, you'll see the error code immediately and can address it before the user walks away from their desk.

After successful enrollment, wait one full sync cycle (or manually force sync) and verify policies are applying in the MDM Diagnostic Report.

Advanced MEM Intune Troubleshooting

When the standard steps don't resolve it, you're likely dealing with one of three scenarios: a Group Policy conflict, a hybrid Azure AD join problem, or a tenant-level configuration issue. Here's how to work through each.

Group Policy vs. MDM Policy Conflicts

In domain-joined environments, Local Group Policy and Domain Group Policy both take precedence over MDM policies by default, unless you've configured the MDM over GP policy. This is the most common reason a device receives Intune policy (visible in the MDM Diagnostic Report as "Applied") but the setting doesn't take effect on the machine.

Check whether MDM over GP is configured by running:

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\MDM" /v UserEnrollmentMaxDeviceCount

To give MDM policies priority over Group Policy, you need to enable this via a GPO or registry setting. In your Group Policy Management Console, navigate to Computer Configuration → Administrative Templates → Windows Components → MDM and enable Enable MDM Enrollment overrides Group Policy. Alternatively, push this through Intune itself using a custom OMA-URI policy:

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
Data type: Integer
Value: 1

Event Viewer Analysis for Enrollment Errors

The two most important Event Viewer channels for MEM Intune troubleshooting are:

  • Microsoft-Windows-AAD/Operational, Azure AD join and token acquisition events. Look for Event ID 1098 (token refresh failure) and Event ID 1104 (Azure AD join failure). These indicate the device can't get a valid Azure AD token, which breaks MDM entirely.
  • Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin, MDM engine events. Event ID 404 indicates a policy processing failure. Event ID 208 is an enrollment certificate issue.

Hybrid Azure AD Join Sync Lag

Hybrid Azure AD-joined devices must sync their computer object from on-premises AD to Azure AD before Intune can manage them. If Azure AD Connect hasn't synced recently, the device shows up in the Intune console but can't receive policy. Run this on your Azure AD Connect server to check:

Get-ADSyncScheduler

If SyncCycleEnabled is False, start a manual delta sync:

Start-ADSyncSyncCycle -PolicyType Delta

Intune Service Connectivity Test

Devices need outbound HTTPS access to specific Microsoft endpoints. Network filtering, web proxies, or overzealous firewall rules frequently break this. Test connectivity from the device:

Test-NetConnection -ComputerName "enrollment.manage.microsoft.com" -Port 443
Test-NetConnection -ComputerName "fef.msuc03.manage.microsoft.com" -Port 443
Test-NetConnection -ComputerName "dm3p.wns.windows.com" -Port 443

All three should return TcpTestSucceeded : True. If any fail, work with your network team to whitelist Microsoft's Intune endpoint URLs as documented in the Microsoft Support network requirements documentation.

When to Call Microsoft Support
Escalate to Microsoft Support when: your tenant's Intune service is showing errors across ALL devices simultaneously (indicating a service-side outage, check the Microsoft 365 Service Health dashboard first at admin.microsoft.com → Service Health), when a device has a corrupted MDM enrollment that the re-enrollment steps above can't fix, or when you're seeing certificate chain validation errors that point to PKI infrastructure problems beyond the scope of Intune itself. Have your tenant ID, a support ticket from the affected device's Event Viewer export, and the MDMDiagReport.zip ready before you call, it'll cut your support call time in half.

Check Intune License Assignment

This one is embarrassingly simple but I've seen it bite large organizations: if a user's Intune or EMS license was removed (during a license reorg, for example), their device will stop receiving policy updates silently. In the Intune admin center, navigate to Users → [user] → Licenses and verify they have an active Intune Plan 1, EMS E3, or Microsoft 365 Business Premium license assigned. No license means no MDM management, period.

Prevention & Best Practices for MEM Intune Health

Once you've fixed the immediate problem, here's how you keep MEM Intune running cleanly going forward. I've seen organizations go from weekly Intune fires to almost zero troubleshooting calls by putting these practices in place.

The biggest preventive step is setting up Intune Device Compliance Monitoring proactively. In the Intune admin center, navigate to Reports → Device compliance → Non-compliant devices and bookmark that view. Set up an email alert via Endpoint security → Monitor → Audit logs → Notifications so you're notified when compliance drops below a threshold before users start calling.

For hybrid deployments, schedule a weekly Azure AD Connect health check. The Azure AD Connect Health portal (aadconnect.msappproxy.net) shows sync latency, object errors, and connectivity status. A sync that's been failing for 3 days is far easier to fix than one that's been silently broken for three weeks.

Keep your Intune Management Extension (IME) healthy. The IME is required for Win32 app deployment and PowerShell script execution. It auto-updates, but you can verify the version by checking Apps → Monitor → App install status and filtering for "Microsoft Intune Management Extension." Version mismatches between IME and the Intune service are a frequent source of app deployment breakage after service updates.

Document your co-management workload split. If you're running SCCM alongside Intune, write down (literally, in a wiki) exactly which workloads are managed by which system. "Compliance policies, Intune. App deployment, SCCM until Q3." This documentation alone prevents hours of troubleshooting when a new admin joins and can't figure out why some policies seem to apply and others don't.

Quick Wins

Frequently Asked Questions

My device shows "Compliant" in Intune but Conditional Access is still blocking me, what's going on?

This is a token freshness problem. Azure AD caches the compliance state in the user's access token, and that token might be hours old even though Intune now shows the device as compliant. The fastest fix is to sign out of the Office app (or browser session) completely, clear cached credentials in Windows Credential Manager under Windows Credentials → Microsoft office account, and sign back in. The new token will pick up the current compliant state. If that doesn't work, check whether the Conditional Access policy has a sign-in frequency control enforcing token re-evaluation, sometimes a forced MFA re-authentication is required to trigger a fresh compliance check.

Intune enrollment keeps failing with error 0x80180014, how do I fix it?

Error 0x80180014 means "The device is already enrolled", but there's a ghost enrollment in the registry that's blocking a fresh one. Run the PowerShell cleanup script from Step 5 of this guide to remove the stale enrollment entries from HKLM\SOFTWARE\Microsoft\Enrollments. Also check Task Scheduler → Microsoft → Windows → EnterpriseMgmt for any leftover scheduled tasks from the previous enrollment and delete them. After that, reboot the device once before attempting re-enrollment, a reboot ensures the MDM service starts clean.

Why are my Intune PowerShell scripts not running on devices?

PowerShell scripts in Intune run through the Intune Management Extension (IME), which requires the device to be Azure AD-joined or Hybrid Azure AD-joined and have a valid Intune license. First confirm IME is installed by checking Apps & features for "Microsoft Intune Management Extension." If it's not there, trigger an app sync, IME installs automatically when a device receives its first Win32 app or PowerShell script assignment. Second, check your script's Run this script using the logged on credentials setting, if it's set to "Yes" but no user is logged in during the scheduled run, it will silently fail. Switching to System context fixes this for most background scripts.

Intune shows my device as "Pending" for days and it never becomes managed, why?

A permanently pending device almost always means the MDM auto-enrollment isn't triggering. Check three things: first, confirm the user has an Intune license assigned in the Microsoft 365 admin center. Second, verify the MDM User Scope in Azure AD → Mobility (MDM and MAM) → Microsoft Intune, the user must be in a group that's covered by the MDM scope, or it must be set to "All." Third, if the device is hybrid-joined, run dsregcmd /status and check that the hybrid join completed successfully (both AzureAdJoined: YES and DomainJoined: YES should be present). A failed hybrid join is the single most common cause of permanently pending Intune enrollment.

How long should it take for a new Intune policy to apply after I save it?

For devices that are actively on and connected, expect 15–30 minutes after you save a policy change. Intune sends a push notification to the device via the Windows Notification Service (WNS), which prompts an immediate check-in rather than waiting for the standard 8-hour polling interval. If the device is offline or WNS is blocked by your firewall, it will pick up the change on the next 8-hour poll. App deployments can take longer, Win32 apps typically start downloading within 30 minutes of check-in but installation time depends on package size and the device's processing state at the time.

Can I troubleshoot MEM Intune issues on macOS and iOS devices the same way?

The core troubleshooting concepts are the same, check enrollment state, verify policy sync, review compliance, but the tools are completely different. On macOS, use the Console app (filter for "mdmclient" process) and run sudo mdmclient QueryDeviceInformation in Terminal to check MDM enrollment status. On iOS/iPadOS, go to Settings → General → VPN & Device Management to see the MDM profile and last sync time. The Intune admin center's device blade works identically for all platforms, the device compliance and policy assignment views are your starting point regardless of OS.

Related Microsoft Fix Guides

Microsoft Fix
How to Fix Windows Update Errors (Error 0x80070003 & More)
Microsoft Fix
Fix Microsoft 365 Sign-In Problems, Complete Guide
Microsoft Fix
Azure Active Directory Troubleshooting Guide
Browse All
5,000+ Microsoft Fix Guides →
H
Sai Kiran Pandrala
Our team includes certified Microsoft engineers, Azure architects, and system administrators with 10+ years of enterprise IT experience. Every guide is written from hands-on troubleshooting, not guesswork. We test every fix before publishing.