Why Intune Enrollment Tickets Are Flooding Your Queue
If you work an IT helpdesk, you already know: Intune enrollment failures are one of those tickets that just never stop coming. Microsoft Intune is the backbone of modern endpoint management, but device enrollment issues remain stubbornly common in organizations running Microsoft 365.
Whether it's a laptop stuck on the Enrollment Status Page, an Autopilot deployment stalling at "Identifying your device," or the dreaded 0x80180014 error — the root causes are usually straightforward once you know where to look.
This guide gives you a structured, error-code-driven approach to diagnosing and resolving Intune enrollment issues on Windows 10 and Windows 11 devices. We'll cover manual enrollment, Group Policy auto-enrollment, and both Windows Autopilot v1 (classic) and the newer Autopilot Device Preparation (v2) — including the January 2026 update disruption that caught a lot of organizations off guard.
Prerequisites: Verify Before You Troubleshoot
Before you start chasing error codes, run through this quick checklist. Honestly, most enrollment tickets resolve right here:
- Intune license assigned: The user needs a valid license that includes Intune — Microsoft 365 E3/E5, Microsoft 365 Business Premium, or the standalone EMS E3/E5 add-on. No license, no enrollment. Simple as that.
- MDM scope configured: In the Entra admin center under Mobility (MDM and MAM) > Microsoft Intune, confirm the MDM user scope is set to All or to a security group that includes the user.
- MDM URLs are intact: Verify the MDM discovery URL is https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc. If the URLs are blank, click Restore default MDM URLs.
- Enrollment restrictions allow the platform: In the Intune admin center, go to Devices > Enrollment > Device Platform Restrictions and confirm Windows (MDM) is set to Allow.
- Device limit not exceeded: The default limit is 15 devices per user. Check the user's current count under Users > All users > [user] > Devices.
- No conflicting MDM: If the device was previously managed by another MDM solution (Jamf, VMware Workspace ONE, another Intune tenant), it must be fully unenrolled first.
- Supported Windows edition: Windows 11 Home and Windows 10 Home don't support MDM enrollment. You need Pro, Enterprise, or Education edition.
Common Intune Enrollment Error Codes and Fixes
The sections below map the most frequently seen error codes to their root cause and resolution. Bookmark this section — it's the fastest path to closing enrollment tickets.
Error 80180014 — Device Cannot Be Enrolled
This is the single most common Intune enrollment error, and you'll probably see it more than any other. The device shows "Something went wrong" with error code 80180014 during Autopilot OOBE or manual enrollment via Settings > Accounts > Access work or school.
Root causes (in order of likelihood):
- Personal device blocked: The enrollment restriction policy blocks personally owned Windows devices, and the device is categorized as personal. Fix: In the Intune admin center, go to Devices > Enrollment > Device Platform Restrictions, edit the restriction policy, and set Personally owned to Allow — or change the device ownership to Corporate.
- Windows MDM enrollment disabled: The device type restriction policy has Windows (MDM) set to Block. Fix: Set it to Allow.
- Device limit reached: The user has hit the maximum enrolled devices count. Fix: Remove stale device records or increase the limit.
- Missing Intune license: The user doesn't have a valid Intune license. Fix: Assign the correct license in the Microsoft 365 admin center.
- Invalid hardware hash (Autopilot): The device's hardware hash is missing or outdated. Fix: Re-export the hash using the Get-WindowsAutopilotInfo script and reimport it.
Error 0x8007064c — Machine Is Already Enrolled
Enrollment fails with "The machine is already enrolled." You'll see this on reimaged or cloned devices where the previous enrollment certificate wasn't cleaned up.
Fix:
- Open certlm.msc (Certificates — Local Computer).
- Navigate to Personal > Certificates.
- Find and delete any certificate issued by SC_Online_Issuing.
- Open Registry Editor and delete all GUID subkeys under HKLM\SOFTWARE\Microsoft\Enrollments that contain a UPN value.
- Run dsregcmd /leave from an elevated command prompt.
- Reboot and retry enrollment.
Error 80180031 — MDM Not Configured
This one means the MDM authority or scope hasn't been configured for the user. The device simply can't discover the Intune MDM endpoint.
Fix: Go to the Entra admin center > Mobility (MDM and MAM) > Microsoft Intune. Verify the MDM user scope includes the affected user (set to All or the correct security group). Confirm the MDM URLs are populated — click Restore default MDM URLs if they're blank.
Error 80180032 — Enrollment Restriction Block
The device is blocked by an enrollment restriction policy — usually a device-type or device-limit restriction.
Fix: Review both device-type and device-limit restriction policies in Devices > Enrollment > Enrollment Restrictions. Make sure the platform (Windows) is allowed and the user hasn't exceeded the device limit.
Error 0x8018002b — Auto-Enrollment Failed
This error shows up in Event Viewer (Event ID 76) when Group Policy-triggered auto-enrollment fails. It means the device couldn't complete the MDM enrollment handshake.
Fix:
- Verify the GPO: Computer Configuration > Administrative Templates > Windows Components > MDM > Enable automatic MDM enrollment using default Microsoft Entra credentials is set to Enabled.
- Confirm the user has an Intune license and is in the MDM scope.
- Check that the device is Entra hybrid joined: run dsregcmd /status and confirm AzureAdJoined = YES and DomainJoined = YES.
- Run gpupdate /force and check Event Viewer for Event ID 75 (success) or 76 (failure).
Error 2149056522 (Event ID 7016) — Stale Enrollment Registry Keys
This error surfaces in the Task Scheduler Operational event log. It's telling you that stale registry keys from a previous enrollment are blocking a new one.
Fix: Open Registry Editor and navigate to HKLM\SOFTWARE\Microsoft\Enrollments. Delete all GUID subkeys that reference the old enrollment (check for old UPN values). Also clean up HKLM\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked. Reboot and retry enrollment.
The January 2026 Windows Update Enrollment Disruption
So, this one was rough. In January 2026, the cumulative updates KB5074109 (Windows 11) and KB5074752 (Windows 10) triggered an issue where devices lost their Intune enrollment. The update reset certain MDM enrollment certificates and modified the workplace join state during restart, effectively unenrolling managed devices.
If you were working helpdesk that week, you probably remember the flood of tickets.
How to identify affected devices:
- Run dsregcmd /status — if AzureAdJoined shows NO or the MDMURL is blank on a device that was previously enrolled, it was likely affected.
- In the Intune admin center, check Devices > Monitor > Enrollment Failures for a spike in failures after January 14, 2026.
Remediation steps:
- Verify Entra join status with dsregcmd /status.
- Check that the MDM enrollment certificate exists under the Local Computer certificate store (Personal > Certificates, look for issuer Microsoft Intune MDM Device CA).
- If the device is unjoined or the certificate is missing, re-enroll through Settings > Accounts > Access work or school > Connect.
- Make sure the Intune Management Extension is up to date — a fresh agent sync may be required after re-enrollment.
PowerShell and CLI Diagnostic Commands
These are the commands you should have ready to go when working Intune enrollment tickets. Seriously, copy them into your runbook if you haven't already.
Check Device Join and Enrollment Status
dsregcmd /status
Look for these key fields in the output:
- AzureAdJoined: YES means the device is Entra-joined.
- DomainJoined: YES means the device is AD domain-joined (hybrid join if both are YES).
- MDMURL: Should show https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc.
- MDMEnrollmentState: Should show as enrolled/successful.
- AzureAdPrt: YES confirms the device has a Primary Refresh Token for SSO.
Verify the Intune MDM Certificate
Get-ChildItem 'Cert:\LocalMachine\My\' | Where-Object { $_.Issuer -match "Microsoft Intune MDM Device CA" } | Format-List Subject, Issuer, NotAfter
If this returns nothing, the MDM certificate is missing — a strong indicator the device isn't enrolled or enrollment was interrupted.
Check Enrollment Registry Keys
Get-ChildItem -Path HKLM:\SOFTWARE\Microsoft\Enrollments -Recurse | Where-Object { $_.Property -like "*UPN*" } | ForEach-Object { Get-ItemProperty $_.PSPath }
This shows all enrollment entries. Stale entries from previous enrollments should be removed before retrying.
Check MDM Scheduled Tasks
Get-ScheduledTask | Where-Object { $_.TaskPath -like "*EnterpriseMgmt*" } | Format-Table TaskName, TaskPath, State
Active MDM scheduled tasks confirm enrollment is in place. If these tasks are missing, enrollment likely failed or was removed.
Generate a Full MDM Diagnostic Report
MdmDiagnosticsTool.exe -out "$env:TEMP\MDMDiag"
This creates an HTML report at the specified path with detailed enrollment, policy, and configuration data. Open it in a browser for a full picture of the device's MDM state.
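Combining the checks above (dsregcmd fields, MDM certificate, EnterpriseMgmt tasks) into one triage function, as an added example rather than the guide's own commands. It assumes an elevated PowerShell session on the affected device and that dsregcmd prints the field names listed above (the match is case-insensitive, so MdmUrl and MDMURL both work).

```powershell
# Added example (not the guide's own code): the checks above combined into one triage object.
function Get-IntuneEnrollmentTriage {
    [CmdletBinding()]
    param(
        # Discovery URL the guide expects in the MDMURL field.
        [string]$ExpectedMdmUrl = 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc'
    )
    # dsregcmd prints "Name : Value" lines; keep only the fields this guide calls out.
    # -match is case-insensitive, so the MdmUrl/MDMURL spelling does not matter.
    $fields = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|AzureAdPrt|MdmUrl|MdmEnrollmentState)\s*:\s*(.*)$') {
            $fields[$matches[1]] = $matches[2].Trim()
        }
    }
    # Newest certificate from the Intune device CA; none means not enrolled or enrollment interrupted.
    $mdmCert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object { $_.Issuer -match 'Microsoft Intune MDM Device CA' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    $certExpiry = $null
    if ($mdmCert) { $certExpiry = $mdmCert.NotAfter }
    # EnterpriseMgmt scheduled tasks only exist while an enrollment is in place.
    $mdmTasks = @(Get-ScheduledTask | Where-Object { $_.TaskPath -like '*EnterpriseMgmt*' })
    $findings = New-Object 'System.Collections.Generic.List[string]'
    if ($fields['AzureAdJoined'] -ne 'YES') {
        $findings.Add('AzureAdJoined is not YES: not Entra joined (check MDM scope, or the January 2026 update).')
    }
    if ($fields['AzureAdPrt'] -ne 'YES') {
        $findings.Add('AzureAdPrt is not YES: no Primary Refresh Token for SSO.')
    }
    if ($fields['MdmUrl'] -ne $ExpectedMdmUrl) {
        $findings.Add("MDMURL is '$($fields['MdmUrl'])', expected '$ExpectedMdmUrl' (Restore default MDM URLs).")
    }
    if (-not $mdmCert) {
        $findings.Add('No certificate from Microsoft Intune MDM Device CA: not enrolled or enrollment interrupted.')
    } elseif ($certExpiry -lt (Get-Date)) {
        $findings.Add("MDM certificate expired on $certExpiry; re-enroll the device.")
    }
    if ($mdmTasks.Count -eq 0) {
        $findings.Add('No EnterpriseMgmt scheduled tasks: enrollment likely failed or was removed.')
    }
    [pscustomobject]@{
        AzureAdJoined = $fields['AzureAdJoined']
        DomainJoined  = $fields['DomainJoined']
        HybridJoined  = ($fields['AzureAdJoined'] -eq 'YES' -and $fields['DomainJoined'] -eq 'YES')
        AzureAdPrt    = $fields['AzureAdPrt']
        MdmUrl        = $fields['MdmUrl']
        MdmCertExpiry = $certExpiry
        MdmTaskCount  = $mdmTasks.Count
        Healthy       = ($findings.Count -eq 0)
        Findings      = $findings.ToArray()
    }
}

Get-IntuneEnrollmentTriage | Format-List
```

A Healthy value of False with one or more Findings points you at the matching section of this guide; the object is also easy to attach to the ticket.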
Force Leave and Rejoin Entra ID
# Leave Entra ID (run as admin)
dsregcmd /leave
# Verify the device is no longer joined
dsregcmd /status
# Rejoin: navigate to Settings > Accounts > Access work or school > Connect
# Or trigger via Group Policy: gpupdate /force
Event Viewer: Where to Look and What to Find
Event Viewer is your first stop for understanding what actually happened during enrollment on the device itself.
Navigate to: Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin
Key Event IDs:
- Event ID 75: "Auto MDM Enroll: Succeeded" — enrollment completed successfully. The one you want to see.
- Event ID 76: "Auto MDM Enroll: Failed" — enrollment failed. The error code in the message tells you why (e.g., 0x8018002b for MDM not configured).
- Event ID 7016: Found in the Task Scheduler Operational log — error code 2149056522 indicates stale enrollment keys blocking re-enrollment.
Also check the AAD Operational Log under Applications and Services Logs > Microsoft > Windows > AAD > Operational for Entra join and token acquisition errors that may precede enrollment failure.
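As an added example (not the guide's own code), a function that pulls those event IDs for the last few days and maps the error code in each message to the section of this guide that covers it. It assumes the Get-WinEvent log names Microsoft-Windows-DeviceManagement-Enterprise-Diagnostic-Provider/Admin and Microsoft-Windows-TaskScheduler/Operational for the two logs above, and that 7016 messages carry the code in unsigned decimal form as described.

```powershell
# Added example (not the guide's own code): query the enrollment events above and decode their error codes.
function Get-IntuneEnrollmentEvents {
    [CmdletBinding()]
    param([int]$Days = 7, [int]$MaxEvents = 50)
    $since = (Get-Date).AddDays(-$Days)
    # Error codes from this guide, keyed by normalized lowercase hex, mapped to the section to read.
    $hints = @{
        '0x80180014' = 'Device cannot be enrolled: restriction policy, license, device limit or hardware hash'
        '0x8007064c' = 'Machine already enrolled: remove the stale certificate and Enrollments keys'
        '0x80180031' = 'MDM not configured: check the MDM user scope and MDM URLs'
        '0x80180032' = 'Enrollment restriction block: device-type or device-limit policy'
        '0x8018002b' = 'Auto-enrollment failed: check the GPO, license, scope and hybrid join state'
        '0x8018000a' = 'Stale enrollment registry keys (decimal 2149056522, Task Scheduler event 7016)'
    }
    # Auto MDM Enroll: Succeeded (75) / Failed (76) in the DeviceManagement Admin log.
    $mdm = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostic-Provider/Admin'
        Id = 75, 76; StartTime = $since
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    # Event 7016 in the Task Scheduler Operational log is where 2149056522 shows up.
    $sched = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-TaskScheduler/Operational'
        Id = 7016; StartTime = $since
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    # Get-WinEvent returns $null when nothing matched, so drop empty results before iterating.
    $rows = foreach ($e in (@($mdm) + @($sched) | Where-Object { $null -ne $_ })) {
        # Codes appear as hex (0x8018002b) or as an unsigned decimal HRESULT (2149056522 = 0x8018000a).
        $code = $null
        if ($e.Message -match '0x[0-9A-Fa-f]{8}') {
            $code = $matches[0].ToLower()
        } elseif ($e.Message -match '\b(21[0-9]{8})\b') {
            $code = '0x{0:x8}' -f [uint32]$matches[1]
        }
        $hint = $null
        if ($code -and $hints.ContainsKey($code)) { $hint = $hints[$code] }
        $result = 'Failure'
        if ($e.Id -eq 75) { $result = 'Success'; $code = $null; $hint = $null }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Log     = $e.LogName
            Id      = $e.Id
            Result  = $result
            Code    = $code
            Hint    = $hint
            Message = ($e.Message -split "`r?`n")[0]
        }
    }
    $rows | Sort-Object Time -Descending
}

Get-IntuneEnrollmentEvents | Format-Table Time, Id, Result, Code, Hint -AutoSize
```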
Windows Autopilot Troubleshooting
Autopilot adds another layer of complexity because enrollment happens during OOBE, where your access to diagnostic tools is pretty limited.
Autopilot v1 (Classic) Issues
- Device stuck at "Identifying your device": The hardware hash wasn't imported, or there's a hash mismatch. Re-export using Get-WindowsAutopilotInfo.ps1 and reimport.
- ESP timeout: The Enrollment Status Page times out if apps or policies take too long to apply. Check the ESP profile settings — consider increasing the timeout or reducing the number of required apps.
- Hybrid join ESP hang: This is probably the most common cause of ESP timeout with hybrid join. It's usually because the "Assign user" feature in the Autopilot profile is enabled, which forces an Entra join during initial sign-in and conflicts with the hybrid join flow.
- Access Command Prompt during OOBE: Press Shift + F10 to open a command prompt. From here you can run dsregcmd /status, check Event Viewer, and inspect registry keys.
Autopilot v2 (Device Preparation) — What's New in 2026
Autopilot Device Preparation (v2) is a significant re-architecture that changes how enrollment works. Here's what you need to know:
- No hardware hash required: Devices don't need to be pre-registered. The user just signs in with their work account during OOBE.
- Up to 25 apps during OOBE: v2 now supports installing up to 25 apps before the user reaches the desktop, including Enterprise App Catalog apps.
- Enrollment time grouping: Replaces dynamic group membership, delivering apps and policies more efficiently.
- Requires Windows 11: v2 only works on Windows 11 22H2+ with the latest updates. Windows 10 devices must continue using v1.
- Downloadable diagnostic logs: Failed deployments now generate diagnostic logs accessible directly from the deployment status report in the Intune admin center.
Important limitation: v2 doesn't yet support hybrid join, self-deploying mode, or white-glove provisioning. If your organization depends on these, stick with Autopilot v1 for now.
Intune Connector for Active Directory — 2026 Security Update
As part of Microsoft's Secure Future Initiative, the Intune Connector for Active Directory was updated in early 2026 to use a Managed Service Account instead of the local SYSTEM account. If you deploy Entra hybrid joined devices with Autopilot, you need to update to the new connector. The old one won't enroll new devices anymore.
Step-by-Step: Complete Enrollment Reset Procedure
When all else fails and you need to fully reset a device's Intune enrollment from scratch, follow this procedure in order. I'd recommend saving this as a runbook entry — you'll use it more often than you'd think.
- Remove the work account: Go to Settings > Accounts > Access work or school, select the connected account, and click Disconnect.
- Leave Entra ID: Open an elevated command prompt and run dsregcmd /leave.
- Remove stale certificates: Open certlm.msc, navigate to Personal > Certificates, and delete any certificates issued by SC_Online_Issuing or Microsoft Intune MDM Device CA.
- Clean up registry: In Registry Editor, delete all GUID subkeys under HKLM\SOFTWARE\Microsoft\Enrollments that contain a UPN value. Also clean HKLM\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked.
- Delete device records in the cloud: In the Intune admin center, find and delete the device under Devices > All devices. Also delete the device object in the Entra admin center under Devices > All devices.
- Reboot the device.
- Re-enroll: Go to Settings > Accounts > Access work or school > Connect and sign in with the user's work account. For Autopilot devices, reset the device to trigger OOBE.
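The local cleanup steps of this procedure (the certificate and registry steps, which are also the fixes for error 0x8007064c and Event ID 7016 above) as one PowerShell function with -WhatIf support, added here as an example rather than the guide's own code. It assumes an elevated session, that the work account has already been disconnected and dsregcmd /leave run, and that the per-enrollment keys under Tracked are GUID-named like those under Enrollments.

```powershell
# Added example (not the guide's own code): remove stale enrollment certificates and registry keys.
function Clear-StaleIntuneEnrollment {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    $guidRe = '^\{?[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}\}?$'
    $certCount = 0; $enrollCount = 0; $trackedCount = 0

    # Step 3 of the procedure: certificates from the two issuers the guide names.
    $certs = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object { $_.Issuer -match 'SC_Online_Issuing|Microsoft Intune MDM Device CA' }
    foreach ($c in $certs) {
        if ($PSCmdlet.ShouldProcess("$($c.Thumbprint) issued by $($c.Issuer)", 'Remove certificate')) {
            Remove-Item -Path $c.PSPath
            $certCount++
        }
    }

    # Step 4a: GUID subkeys under Enrollments that carry a UPN value, i.e. a previous user enrollment.
    # Non-GUID keys and GUID keys without a UPN are left alone.
    $stale = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $guidRe -and $_.GetValue('UPN') }
    foreach ($k in $stale) {
        if ($PSCmdlet.ShouldProcess("$($k.Name) (UPN=$($k.GetValue('UPN')))", 'Remove enrollment key')) {
            Remove-Item -Path $k.PSPath -Recurse
            $enrollCount++
        }
    }

    # Step 4b: per-enrollment GUID subkeys under EnterpriseResourceManager\Tracked (assumed GUID-named).
    $tracked = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $guidRe }
    foreach ($k in $tracked) {
        if ($PSCmdlet.ShouldProcess($k.Name, 'Remove tracked resource key')) {
            Remove-Item -Path $k.PSPath -Recurse
            $trackedCount++
        }
    }

    [pscustomobject]@{
        CertificatesRemoved   = $certCount
        EnrollmentKeysRemoved = $enrollCount
        TrackedKeysRemoved    = $trackedCount
    }
}

# Preview first; the real run prompts per item unless you pass -Confirm:$false. Reboot afterwards, then re-enroll.
Clear-StaleIntuneEnrollment -WhatIf
# Clear-StaleIntuneEnrollment -Confirm:$false
```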
Using the Intune Admin Center for Enrollment Diagnostics
Don't overlook the built-in tools in the Intune admin center — they can save you a lot of troubleshooting time:
- Troubleshooting + Support blade: Enter the affected user's email to see their enrollment status, assigned licenses, group memberships, and device compliance state in one view. This should honestly be your first stop before touching the device.
- Enrollment Failures monitor: Under Devices > Monitor > Enrollment Failures, view failed enrollments with error codes, timestamps, and user details.
- Microsoft 365 admin center diagnostics: Run automated enrollment tests by describing the issue (e.g., "user cannot enroll Windows device") — the system runs diagnostic scenarios and gives you step-by-step fixes.
- Device Diagnostics (Autopilot): For Autopilot deployments, logs are automatically collected on failure and available under the device's diagnostics section in the Intune admin center.
Frequently Asked Questions
How do I check if a device is enrolled in Intune?
Run dsregcmd /status in an elevated command prompt. If MDMEnrollmentState shows as enrolled and the MDMURL field contains the Intune discovery URL, the device is enrolled. You can also verify in the Intune admin center under Devices > All devices by searching for the device name or serial number.
Why does Intune enrollment fail with error 80180014?
Error 80180014 almost always means the device is blocked by an enrollment restriction policy. The most common cause? Personally owned Windows devices are blocked in the device platform restriction policy, and the device is categorized as personal. Check Devices > Enrollment > Device Platform Restrictions in the Intune admin center and make sure Windows MDM and personal devices are set to Allow.
How do I fix Intune auto-enrollment not working after a Windows update?
Start with dsregcmd /status to confirm the device is still Entra-joined and the MDM URL is populated. Then look at Event Viewer under DeviceManagement-Enterprise-Diagnostic-Provider > Admin for Event ID 76 with the specific error code. Worth noting: the January 2026 updates (KB5074109/KB5074752) are known to have disrupted enrollment — if that's the case, re-enroll through Settings > Accounts > Access work or school.
What is the difference between Windows Autopilot v1 and v2?
Autopilot v1 (classic) requires pre-registering device hardware hashes, supports hybrid join and self-deploying mode, and works on both Windows 10 and 11. Autopilot v2 (Device Preparation) eliminates the hardware hash requirement, uses enrollment time grouping instead of dynamic groups, supports up to 25 apps during OOBE, but requires Windows 11 and doesn't yet support hybrid join or self-deploying mode.
How do I completely reset Intune enrollment on a Windows device?
Disconnect the work account in Settings, run dsregcmd /leave, delete Intune certificates from the local machine certificate store, clean up enrollment registry keys under HKLM\SOFTWARE\Microsoft\Enrollments, delete the device from both the Intune and Entra admin centers, reboot, and re-enroll through Settings or by resetting for Autopilot. (There's a detailed step-by-step walkthrough earlier in this guide.)