Troubleshooting Device Enrolment Issues

This article provides suggestions for troubleshooting the most common device enrollment issues in Microsoft Intune.

Windows

MacOS

 

Windows

When you encounter issues during Windows device enrollment in Intune, use Event Viewer on the device to search the enrollment logs under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.

"Securing your hardware" error

If you see this error message while attempting to enrol during the staging process, clear the TPM on the device. Press Shift and F10 to open the command prompt and, once it has loaded, type tpm.msc to open the TPM management console window. Click Clear TPM on the right-hand side, read the cautionary message if this applies to your setup, and then click Restart to reset the TPM.

"This device is already enrolled" error

While attempting to join a device to Azure AD, you receive the error "This device is already enrolled. You can contact your system administrator with the error code 0x8018000a" and an Intune administrator has confirmed the device is not listed in Endpoint Manager's All Devices report (i.e. is not currently enrolled in Intune).

This happens because residual information from the device's past Intune enrollment is still present in the Windows Registry. To resolve this issue, perform the following:

  1. Open Registry editor, go to the following entries, and delete all the GUIDs in these keys:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\[guid]
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\[some guid which has the enrolment information]
  2. Open an elevated Command Prompt window, and then run the dsregcmd /leave command.

Reboot the machine and attempt enrollment again.
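
The registry cleanup and dsregcmd /leave steps above, scripted in PowerShell as an added example (not part of the original article). It exports both parent keys before deleting anything and removes only GUID-named subkeys; the $BackupDir location is an assumption.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed backup location for the exported keys; change to suit.
    [string]$BackupDir = "$env:SystemDrive\EnrollmentBackup"
)

# The two parent keys named in step 1.
$parents = @(
    'HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked',
    'HKLM:\SOFTWARE\Microsoft\Enrollments'
)
# Only subkeys whose name is a GUID are enrollment entries; other subkeys are left alone.
$guidPattern = '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$'

# Always create the backup folder, even under -WhatIf, so the export below can run.
New-Item -ItemType Directory -Path $BackupDir -Force -WhatIf:$false | Out-Null

foreach ($parent in $parents) {
    if (-not (Test-Path $parent)) { Write-Warning "Not found: $parent"; continue }

    # Export the whole parent key so the deletion can be undone by importing the .reg file.
    $regPath = $parent -replace '^HKLM:\\', 'HKLM\'
    $file    = Join-Path $BackupDir (($parent -split '\\')[-1] + '.reg')
    & reg.exe export $regPath $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $regPath failed; nothing was deleted." }

    Get-ChildItem -Path $parent |
        Where-Object { $_.PSChildName -match $guidPattern } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, 'Remove residual enrollment key')) {
                Remove-Item -LiteralPath $_.PSPath -Recurse -Force
            }
        }
}

# Step 2: leave the current Azure AD join state.
if ($PSCmdlet.ShouldProcess('this device', 'dsregcmd /leave')) {
    & dsregcmd.exe /leave
}
```

Run it with -WhatIf first to list the keys it would remove without changing anything.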

Provisioning package fails to join device to Azure AD

When the provisioning package is applied to a device, either during OOBE or through Windows Settings, everything appears to have worked: the device rebooted, its name was changed to UWIN-%SERIAL%, and the uwinadmin local admin account was created. However, the package failed to join the device to Azure AD. After the reboot, the Windows login screen does not allow signing in with Azure accounts (the "Other User" option is missing), only with a local account, and the device is not found in Endpoint Manager.

Most likely, this computer had network connectivity issues while the provisioning package was being applied. To confirm or eliminate this possibility, look in the Event Viewer log for these events:

Event ID 44: MDM Push: Failed to renew WNS Push Channel for MDM Push Sessions. Result: (The network is not present or not started.).

Event ID 212: MDM Session: Failed to get AAD Token for sync session User Token: (Unknown Win32 Error code: 0xcaa10001) Device Token: (The network location cannot be reached. For information about network troubleshooting, see Windows Help.).

For the best outcome, connect your computer to a wired network on a subnet outside of the University firewall during provisioning.
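
One way to check for the two events above from PowerShell instead of browsing Event Viewer (an added example, not part of the original article). The channel name is the registered name of the Admin log described at the top of the Windows section; the 24-hour default window is an assumption.

```powershell
# Look for Event ID 44 and 212 in the MDM Admin log and flag network failures.
param([int]$LookbackHours = 24)   # assumed default window

$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$filter  = @{
    LogName   = $logName
    Id        = 44, 212
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}

# Get-WinEvent raises an error when nothing matches, so suppress it and test for an empty result.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Output "No Event ID 44 or 212 found in the last $LookbackHours hours."
    return
}

# Phrases taken from the two event messages quoted in this article.
$networkPhrases = 'network is not present or not started',
                  'network location cannot be reached'
$pattern = ($networkPhrases | ForEach-Object { [regex]::Escape($_) }) -join '|'

$report = $events | Sort-Object TimeCreated | ForEach-Object {
    [pscustomobject]@{
        Time           = $_.TimeCreated
        Id             = $_.Id
        NetworkRelated = [bool]($_.Message -match $pattern)
        Message        = ($_.Message -split "`r?`n")[0]   # first line only
    }
}
$report | Format-Table -AutoSize -Wrap

$hits = @($report | Where-Object NetworkRelated).Count
if ($hits -gt 0) {
    Write-Output "$hits event(s) point to a network problem during provisioning."
} else {
    Write-Output 'Events 44/212 are present, but none carry the network messages quoted above.'
}
```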

Provisioning via Group Tag

If joining your device via a group tag (i.e. SharedOfficePC or ITS-GPClassroom) fails to provision the device correctly, you may see this screen:

 

When you reach this screen, it is evident that the configuration did not apply correctly. To resolve this issue, sign in as defaultuser0, which has no password; this account is built into Windows and is only active at OOBE. Once signed in, type: Reset this PC. Ensure that the device is plugged into an AC adapter if it is a laptop, and hard-wired to Ethernet if possible. Once the reset reboots the PC, you should see the correct group tag profile applied.

 

MacOS

It is important to note that Mac devices purchased through the University are pre-registered by Apple in Automated Device Enrolment (ADE) via the Apple Business Manager. These devices will be automatically registered in Entra during the Setup Assistant after unboxing, and a device management profile will be added to the device.

It is not possible for the user to remove the corresponding management profile on an ADE-registered device. Apple implemented this to prevent the user from being able to un-enroll their corporate device from device management.

Duplicate entries in Entra

Often, you will see more than one entry for a single Mac device in the Entra ID portal. These duplicate entries were created during unsuccessful or incomplete attempts at enrolment through the Company Portal. Entries that do not list Intune as the MDM and have the least recent Last Activity date can be deleted without affecting device enrolment.

Incomplete enrolment via Company Portal (MacOS vs MacMDM OS)

When a primary-user device that is not in ADE is enrolled via the Company Portal app, the "OS" value is initially recorded as "macOS" when the device's profile is added during the Entra registration step. The enrolment is not completed at this point, and the last three columns have no values. Once the enrolment completes, this entry will be updated to list "macMDM" as the OS, and all columns will have values.

If the user interrupts the enrolment process, the incomplete device profile remains in Entra and will need to be cleaned up manually. On the device, the management profile may need to be removed before the user can re-attempt enrolment. An incomplete enrollment happens when the user takes any of the following actions:

  • Explicitly chooses an action to halt enrollment, such as Decline all, Cancel, or Postpone.
  • Closes the Company Portal during enrollment.
  • Spends more than 30 minutes between enrollment sections.

Incomplete enrolment of all shared devices

At this time, all shared devices enrolled either via ADE or Direct Enrolment (DE) do not show any value in the "Join Type" column in the Entra portal, which is an indication of incomplete enrolment. This issue is being investigated and tracked in TeamDynamix under Issue #191119.

For those devices, you may see duplicate entries in the Entra ID portal, where one entry lists "MacMDM" and the other lists "MacOS" in the OS column. The entry with MacMDM as the OS was created during the Setup Assistant enrolment; this entry needs to stay even though it has no value in the Join Type column. If Company Portal was installed on this shared device, it prompted the user on its first launch to create a new management profile, adding a duplicate entry to Entra with "MacOS" listed as the OS; this entry needs to be deleted. Company Portal should not be used on shared MacOS devices, as it is intended only for primary-user devices.

Incomplete enrolment of ADE-registered primary-user devices

When it comes to primary-user devices registered in ADE, an entry is added to Entra during the Setup Assistant device registration step but the enrolment is not completed (i.e. Join Type column remains empty) until the user signs into Company Portal on that device, once it's installed. This will complete the enrolment and update the original entry adding the Join Type value. 

In some cases, an ADE-registered primary-user device is registered in Entra and enrolled in Intune, but its entry in the Intune Admin portal does not list the enrolment profile that was assigned to this device in ADE:

Uploaded Image (Thumbnail)

At the same time, its ADE profile does not recognise this device as enrolled:

Uploaded Image (Thumbnail)

This issue is being tracked as TeamDynamix Issue #191120.

In such cases, you can attempt to refresh the management profile on the device by following the steps below:

  1. Sign in to the device with a local administrator account.

  2. To trigger enrollment refresh, from the Home page open Terminal, and run the following command:

    sudo profiles renew -type enrollment

  3. Enter the device password for the local administrator account.

  4. On Device enrollment, select Details.

  5. On System preferences, select Profiles.

  6. Follow the onscreen prompts to download the Microsoft Intune management profile, certificates, and policies.

     Tip: You can confirm which profiles are on the device anytime by returning to System Preferences > Profiles.

  7. Sign in to the Company Portal app to complete Microsoft Entra registration and conditional access requirements, and finish enrollment.

You can tell that the issue was resolved if you see this:

Uploaded Image (Thumbnail)

Uploaded Image (Thumbnail)

If this does not resolve the issue, you will need to perform a macOS reset.

Unable to complete enrolment using Company Portal

If you attempt to use Company Portal on a device registered in Apple Automated Device Enrolment (ADE) and it prompts you to create a new management profile, it will fail with an error message:

Uploaded Image (Thumbnail)

It is not possible for the user to remove the management profile on an ADE-registered device in settings or using a Terminal command, or to overwrite it with a new profile. Apple implemented this to prevent the user from being able to un-enroll their corporate device from device management. You need to perform a macOS factory reset after backing up data.

Stale devices

For ADE devices that need to be re-enrolled in Intune because they are not communicating with the Intune service, or were removed from Intune and then Entra as stale devices, you need to perform a macOS factory reset after backing up data.

Stale devices that are not in ADE can be re-enrolled using the Company Portal after manually removing the original management profile on the device.

 

Additional Resources

 

 

Details

Article ID: 148878
Created
Mon 1/30/23 4:29 PM
Modified
Wed 7/3/24 9:26 AM

Related Articles (1)

This article describes how to use the Company Portal app for macOS to enroll their work or BYOD devices themselves through the Company Portal app.