Intune Enrollment has not succeeded
Written by Conrad Murray
Updated at March 5th, 2025
Table of Contents
Intune Enrol Entra Joined devices
The PowerSyncPro Runbook option “Enroll Devices to Intune”, when selected, will check if the device is enrolled to Intune.
The Migration Agent will report to the local Windows workstation Application event log success or fail, and the logs will be sent up to the PowerSyncPro server.
If the Migration Agent sees that the device is not yet enrolled, it will continue to execute the DeviceEnroller.exe every hour until it sees that it has successfully enrolled and will update the event logs.
Limitations
The PowerSyncPro Migration Agent cannot forcibly enrol a device. It is not possible to inject a device into Intune. Under normal operating conditions it is the scheduled task: "Schedule created by enrollment client for automatically enrolling in MDM from AAD" that is run once at user logon that attempts to enrol the device. This can be seen at: Task Scheduler Library > Microsoft > Windows > EnterpriseMgmt
Hybrid Join - This KB article is not intended for troubleshooting Entra Hybrid join issues that use a GPO for MDM enrolment.
Tenant Configuration
Enrolling a device to Intune requires your tenant to be correctly configure for Intune Enrollment and users to be correctly licensed (e.g. EMS) to be allowed to enrol devices into Intune. Enrollment will occur when the first valid user logs in.
Enrolment issues are seen in these event logs: Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider
Common Issues for Intune Enrollment failures:
Testing
- For your migration event did your testing succeed on representative devices?
- Outside of a migration event, can you enrol a fresh Windows device using the normal methods?
No network.
It seems obvious but does the device actually have an Internet connection on ethernet or wi-fi, and can reach the Microsoft endpoints?
- https://login.microsoftonline.com
- https://device.login.microsoftonline.com
- https://enterpriseregistration.windows.net
The logged in user is incorrectly licenced.
Users need to be appropriately licensed to be able to enrol a device. This is usually with the EMS (Enterprise Mobility + Security) Add-On (E3 or E5) or any higher SKU that contains that option such as Microsoft 365 E3/E5 or Microsoft 365 Business Premium. https://learn.microsoft.com/en-us/mem/intune/fundamentals/licenses
MDM User Scope is not set correctly
Check MDM user scope. If your users are not in scope via All, or via a Group, then they will not be able to MDM Enrol a device.
-
Important notes - When a user is in both the MDM user scope and WIP user scope:
- The MDM user scope takes precedence if they are on a corporate-owned device.
- The WIP user scope takes precedence if they bring their own device “BYOD” Personal Device.
MDM user scope |
Windows Information Protection (WIP) user scope |
|
|
Device platform restrictions
Personally owned needs to be set to allowed for Intune Enrollment for Entra Joined devices
Device platform restrictions
Conditional Access
Conditional Access has not excluded Microsoft Intune Enrollment App from MFA
Supported Editions for Intune Enrollment
- Windows 10/11 Pro
- Windows 10/11 Enterprise
- Windows 10/11 Education
- Windows 10/11 Pro Education
Enrollment Methods and Version Requirements
Azure AD Join + Automatic Enrollment:
- Requires Windows 10, version 1709 or later.
Hybrid Azure AD Join:
- Supported on Windows 10, version 1607 or later but works best with version 1709+.
Bring Your Own Device (BYOD):
- Personal devices can be enrolled using the Company Portal app with Windows 10, version 1709 or later.
Further troubleshooting maybe be possible at:
Event Logs
Enrolment issues are seen in these event logs: Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider
Troubleshooting Windows device enrollment errors in Intune:
Intune Debug Toolkit
Try the IntuneDebugToolkit: https://github.com/MSEndpointMgr/IntuneDebugToolkit