- Article
This article provides suggestions for troubleshooting device enrollment issues in Microsoft Intune. Browse other sections of this guide for OS-specific enrollment troubleshooting.
Initial troubleshooting steps
Before you start troubleshooting, check to make sure that you've configured Intune properly to enable enrollment. You can read about those configuration requirements in our documentation:
- Set up Intune
- Enroll iOS/iPadOS devices in Intune
- Set up enrollment for macOS devices in Intune
- Set up enrollment for Windows devices in Intune
- Enroll Android devices in Intune - No additional steps required
Collect basic information
It's important to collect some basic information to help better understand the problem and reduce the time to find a resolution.
Collect the following information about the problem:
- What is the exact error message?
- Where do you see the error message?
- When did the problem start? Has enrollment ever worked?
- What platform (Android, iOS/iPadOS, Windows) has the problem?
- How many users are affected? Are all users affected or just some?
- How many devices are affected? Are all devices affected or just some?
- What is the MDM authority?
- How is enrollment being performed? For example, is it "Bring your own device" (BYOD) or Apple Automated Device Enrollment (ADE) with enrollment profiles?
Collect diagnostic logs
Your managed device users can collect enrollment and diagnostic logs for you to review. User instructions for collecting logs are provided in:
- Send Android enrollment errors to your IT admin
- Send iOS/iPadOS errors to your IT admin
Check device date and time
You can also make sure that the date and time on the user's device are set correctly:
- Restart the device.
- Make sure that the date and time are set close to GMT standards (+ or - 12 hours) for the end user's time zone.
- Uninstall and reinstall the Intune company portal (if applicable).
Device cap reached
A user receives an error during enrollment, such as "DeviceCapReached" or a general message such as "Company Portal Temporarily Unavailable".
Cause: This error indicates that a user is trying to enroll more devices than the device enrollment limit.
Solution: Check and adjust number of devices enrolled and allowed. Use these steps to make sure the user isn't assigned more than the maximum number of devices.
- In the Microsoft Intune admin center, choose Devices > Enrollment restrictions > Device limit restrictions. Note the value in the Device limit column.
- In the Microsoft Intune admin center, choose Users > All users > select the user > Devices. Note the number of devices the user has enrolled.
- If the user's number of enrolled devices already equals their device limit restriction, they can't enroll anymore until:
- Existing devices are removed, or
- You increase the device limit by setting device restrictions.
To avoid hitting device caps, be sure to remove stale device records.
Note
You can avoid the device enrollment cap by using Device Enrollment Manager account, as described in Enroll corporate-owned devices with the Device Enrollment Manager in Microsoft Intune.
A user account that is added to Device Enrollment Managers account will not be able to complete enrollment when Conditional Access policy is enforced for that specific user login.
Company Portal Temporarily Unavailable
Users receive a Company Portal Temporarily Unavailable error on their device.
Cause: The Company Portal app on the device is out of date or corrupted.
Solution:
- Remove the Intune Company Portal app from the device.
- On the device, open the browser, browse to https://portal.manage.microsoft.com, and try a user login.
- If the user fails to sign in, they should try another network.
- If that fails, validate that the user's credentials have synced correctly with Azure Active Directory.
- If the user successfully logs in, an iOS/iPadOS device will prompt you to install the Intune Company Portal app and enroll. On an Android device, you'll need to manually install the Intune Company Portal app, after which you can retry enrolling.
Note
This error can also occur if the user is attempting to enroll more devices than device enrollment is configured to allow. If these steps do not resolve the issue, follow the solution steps for Device cap reached.
MDM authority not defined
A user receives an "MDM authority not defined" error.
Cause: Either the MDM Authority has not been set or there is a user credential issue.
Solution:
Verify that the MDM Authority has been set appropriately.
Verify that the user's credentials have synced correctly with Azure Active Directory. You can verify that the user's UPN matches the Active Directory information in the Microsoft 365 admin center.If the UPN doesn't match the Active Directory information:
- Turn off DirSync on the local server.
- Delete the mismatched user from the Intune Account Portal user list.
- Wait about one hour to allow the Azure service to remove the incorrect data.
- Turn on DirSync again and check if the user is now synced properly.
Unable to create policy or enroll devices if the company name contains special characters
You can't create policy or enroll devices.
Solution: In the Microsoft 365 admin center, remove the special characters from the company name and save the company information.
Unable to sign in or enroll devices when you have multiple verified domains
This problem may occur when you add a second verified domain to your Active Directory Federation Services (AD FS). Users with the user principal name (UPN) suffix of the second domain may not be able to log into the portals or enroll devices.
Solution: Microsoft 365 customers are required to deploy a separate instance of the AD FS 2.0 Federation Service for each suffix if they:
- use single sign-on (SSO) through AD FS 2.0, and
- have multiple top-level domains for users' UPN suffixes within their organization (for example, @contoso.com or @fabrikam.com).
A rollup for AD FS 2.0 works in conjunction with the SupportMultipleDomain switch to enable the AD FS server to support this scenario without requiring additional AD FS 2.0 servers. For more information, see this blog.
Profile installation failed
Issue: A user receives a "Profile installation failed" error.
Solution:
- Confirm that the user is assigned an appropriate license for the version of the Intune service that you're using.
- Confirm that the device isn't already enrolled with another MDM provider.
- Confirm that the device doesn't already have a management profile installed.
- For iOS/iPadOS devices, confirm that Safari is the default browser and that cookies are enabled. For Android devices, confirm that Chrome is the default browser and that cookies are enabled.
IT admin needs to assign license for access
Users see the message "Your IT admin hasn't given you access to use this app. Get help from your IT admin or try again later."
Cause: The device can't be enrolled because the user's account doesn't have the necessary license. The user is either missing a license or has the wrong license type for the MDM authority. For example, they'll see this error if both of the following are true:
- Intune has been set as the mobile device management authority.
- They're using a System Center 2012 R2 Configuration Manager license.
Solution:Assign the appropriate license to the user. For more information, see Assign Intune licenses to your user accounts.
IT admin needs to set MDM authority
Users see the message "Looks like your IT admin hasn't set an MDM authority. Get help from your IT admin or try again later."
Cause: The mobile device management authority hasn't been defined in Intune.
Solution: Set the mobile device management authority.|
Enrollment error codes
| Error code | Possible problem | Suggested resolution |
|---|---|---|
| 0x80CF0437 | The clock on the client computer isn't set to the correct time. | Make sure that the clock and the time zone on the client computer are set to the correct time and time zone. |
| 0x80240438, 0x80CF0438, 0x80CF402C | can't connect to the Intune service. Check the client proxy settings. | Verify that Intune supports the proxy configuration on the client computer. Verify that the client computer has Internet access. |
| 0x80240438, 0x80CF0438 | Proxy settings in Internet Explorer and Local System aren't configured. | can't connect to the Intune service. Check the client proxy settings. Verify that Intune supports the proxy configuration on the client computer. Verify that the client computer has Internet access. |
| 0x80043001, 0x80CF3001, 0x80043004, 0x80CF3004 | Enrollment package is out of date. | Download and install the current client software package from the Administration workspace. |
| 0x80043002, 0x80CF3002 | Account is in maintenance mode. | You can't enroll new client computers when the account is in maintenance mode. To view your account settings, sign in to your account. |
| 0x80043003, 0x80CF3003 | Account is deleted. | Verify that your account and subscription to Intune is still active. To view your account settings, sign in to your account. |
| 0x80043005, 0x80CF3005 | The client computer has been retired. | Wait a few hours, remove any older versions of the client software from the computer, and then retry the client software installation. |
| 0x80043006, 0x80CF3006 | The maximum number of seats allowed for the account has been reached. | Your organization must buy additional seats before you can enroll more client computers in the service. |
| 0x80043007, 0x80CF3007 | Couldn't find the certificate file in the same folder as the installer program. | Extract all files before you start the installation. Do not rename or move any of the extracted files: all files must exist in the same folder or the installation will fail. |
| 0x8024D015, 0x00240005, 0x80070BC2, 0x80070BC9, 0x80CFD015 | The software can't be installed because a restart of the client computer is pending. | Restart the computer and then retry the client software installation. |
| 0x80070032 | One or more prerequisites for installing the client software weren't found on the client computer. | Make sure that all required updates are installed on the client computer and then retry the client software installation. |
| 0x80043008, 0x80CF3008 | Failed to start the Microsoft Online Management Updates service. | Contact Microsoft Support as described in How to get support in Microsoft Intune. |
| 0x80043009, 0x80CF3009 | The client computer is already enrolled into the service. | You must retire the client computer before you can re-enroll it in the service. |
| 0x8004300B, 0x80CF300B | The client software installation package can't run because the version of Windows that is running on the client isn't supported. | Intune doesn't support the version of Windows that is running on the client computer. |
| 0xAB2 | The Windows Installer couldn't access VBScript run time for a custom action. | This error is caused by a custom action that is based on Dynamic-Link Libraries (DLLs). |
| 0x80cf0440 | The connection to the service endpoint terminated. | Trial or paid account is suspended. Create a new trial or paid account and re-enroll. |
FAQs
Troubleshoot device enrollment in Intune - Intune? ›
Sign in to the Microsoft Intune admin center, go to Devices > Monitor > Enrollment failures. Select All users or Select user, depending on the scenario you're troubleshooting. Select a row in the table for more details about the failure and recommended remediation steps.
How do I check Intune enrollment errors? ›Sign in to the Microsoft Intune admin center, go to Devices > Monitor > Enrollment failures. Select All users or Select user, depending on the scenario you're troubleshooting. Select a row in the table for more details about the failure and recommended remediation steps.
How to check device enrollment status in Intune using CMD? ›Click on the Start button in the bottom left corner of your screen and search for "cmd" or "command prompt". Start Command Prompt. Type "dsregcmd /status" in the command prompt and click enter. If it says AzureAdJoined:YES as shown in the picture above, then you have an Intune device.
How do you check if a mobile device is enrolled in Intune? ›- Click Start on your Windows device.
- Click on Settings.
- Click Accounts.
- Click Access work or school.
- Click Connected to MESA AD domain then click Info. Note: If the Info button does not appear on your device, your device has not been successfully enrolled.
- Open Company Portal and sign in with your work or school account.
- On the Set up your device screen, select Next.
- On the Connect to work screen, select Connect.
- Sign in to the Microsoft Intune admin center.
- Select Troubleshoot + support.
- Click Select user to go to the Select users pane.
- Type the name or email address of the user you want to troubleshoot, and then click Select at the bottom of the pane.
In the admin center, go to Reports > Windows updates > select the Reports tab > select Windows Feature Update Report. Click on Select a feature update profile, select a profile, and then Generate report. Select Update status and Ownership to refine the report.
How to check activation status in cmd? ›Use one of the many ways to open Command Prompt or PowerShell on Windows. In the console, type slmgr /xpr and press Enter. In the dialog box, check Windows 11's activation status. If your machine is not activated, you should see the Windows is in notification mode message.
How do I view Intune diagnostics? ›- Sign in to the Microsoft Intune admin center.
- Navigate to Devices > Windows Devices.
- Select a device.
- Select Diagnostics > Download.
- The data zip file is added to your download tray and you can save it to your computer.
How long does the Intune Enrollment process take? We ask for your time and patience as the enrollment process can take up to 30 minutes.
What is Intune device enrollment? ›
Microsoft Intune Mobile Device Management (MDM) enables you to manage iOS, Android, and Windows devices securely. Using Intune MDM, you can fulfill the following requirements: Protect both corporate devices and users' mobile devices. Manage access to corporate data through corporate devices and users' mobile devices.
How do I check Intune installation status? ›Sign in to the Microsoft Intune admin center. Select Apps > All apps. In the list of apps, select an app to monitor. You'll then see the app pane, which includes an overview of the device status and the user status.
How do I check my Microsoft Intune status? ›Sign in to the Intune app. Select a device. On the device details page, select View Issues. This option is only available when issues are present.
Why is my device not showing up in Intune? ›Solution: Confirm that the user is assigned an appropriate license for the version of the Intune service that you're using. Confirm that the device isn't already enrolled with another MDM provider. Confirm that the device doesn't already have a management profile installed.
How do I use device enrollment manager? ›- Sign in to the Microsoft Intune admin center.
- Select Devices > Enroll devices.
- Select Device enrollment managers.
- Select Add.
- In the User name field, enter the user principal name of the user you're adding.
- Select Add. The new device enrollment manager is added to the list of DEM users.
There are two types of device enrollment restrictions you can configure in Microsoft Intune: Device platform restrictions: Restrict devices based on device platform, version, manufacturer, or ownership type. Device limit restrictions: Restrict the number of devices a user can enroll in Intune.
How do I test Intune app deployment? ›- Step 1: Define Content. Upload the intunewin package you choose. ...
- Step 2: Configure Test. Select powershell. ...
- Step 3: Edit Package. ...
- Set test matrix. ...
- Step 5: Review + Publish. ...
- Step 1: Define Content. ...
- Step 2: Configure Test. ...
- Step 3: Edit Package.
To manage the compliance policy settings, sign in to Microsoft Intune admin center and go to Endpoint security > Device compliance > Compliance policy settings.
How to setup Intune for mobile device management? ›- Sign in to the Microsoft Intune admin center with Azure AD Global or Intune service administrator rights.
- Navigate to Devices.
- The Add MDM Authority blade displays.
- To switch the MDM authority from Office 365 to Intune and enable coexistence, select Intune MDM Authority > Add.
Sign in to the Microsoft Intune admin center. Select Devices > All devices. In the list of devices you manage, select a device to open its Overview pane, and then select Sync. To confirm, select Yes.
What is the difference between device status and user status in Intune? ›
Device status tells you all the device and user combinations that has received the profile. User status tells on how many devices the user has received the profile. Device status reports include information such as the device name, its deployment status and its last status update.
How do I know if my Intune device is online? ›You can check that from the Intune Tenant Admin – tenant status tab from the MEM Admin Center portal. Under the Tenant status tab, there is a link to check the status of your Intune and other services for your tenant. Intune service status – See the current level of the service where you can get the position.
What is the command to check status? ›You can use the ps command to find out which processes are running and display information about those processes.
How do I check my Microsoft activation status? ›To check activation status in Windows 10, select the Start button, and then select Settings > Update & Security and then select Activation . Your activation status will be listed next to Activation.
How do I run diagnostics in device Manager? ›- Do one of the following: In Windows 10, go to Start , then select Settings > Privacy > Diagnostics & feedback. ...
- Under Diagnostic data, select the option you prefer. If the options are unavailable, you may be using a device managed by your workplace or organization.
Open the Company Portal app for Android on your device. Tap Devices and then select your device. Under Device Settings Status, tap Check device settings. Company Portal will check your device to confirm that it's meeting your organization's policy requirements.
How often do devices check into Intune? ›By default, Intune devices check in every 8 hours. If Last check in is more than 24 hours, there may be an issue with the device. A device that can't check in can't receive your policies from Intune.
How do I manually register a device in Intune? ›- In the Microsoft Intune admin center, select Devices > Windows > Windows enrollment > Devices (under Windows Autopilot Deployment Program) > Import.
- Under Add Windows Autopilot devices, browse to the CSV file that lists the devices that you want to add.
Whether you manually add users or synchronize from your on-premises Active Directory, you must first assign each user an Intune Plan 1 license before users can enroll their devices in Intune.
How does device enrollment flow works? ›Device Enrollment allows organizations to have users manually enroll devices into a mobile device management (MDM) solution and then manage many different aspects of device use, including the ability to erase the device. On Mac computers using macOS 11 or later, Device Enrollment also enforces supervision on the Mac.
What license is required for Intune enrollment? ›
A Microsoft Intune license is created for you when you sign up for the Intune free trial. As part of this trial, you'll also have a trial Enterprise Mobility + Security (EMS) subscription. An Enterprise Mobility + Security (EMS) subscription includes both Azure Active Directory Premium and Microsoft Intune.
How do I check device status in Company Portal? ›Open the Company Portal app for iOS on your device. Tap Device and then select your device. Tap Check status. Company Portal checks your device to confirm that it's meeting your organization's policy requirements.
How do I view configuration profile in Intune? ›In Intune, select Devices > All Devices > select an existing device in the list. An end user can get the device name from their Company Portal app. Select Device configuration. All configuration policies that apply to the device are listed.
How to enable automatic MDM enrollment using device credentials? ›In Local Computer Policy, select Administrative Templates > Windows Components > MDM. Double-click Enable automatic MDM enrollment using default Azure AD credentials. Select Enable, select User Credential from the dropdown Select Credential Type to Use, then select OK.
Where can I find my MDM enrollment URL? ›You can find the URL, in the below-mentioned location: On the MDM Product server console, choose Enrollment. Under iOS choose Apple Configurator. Select Configuration Steps, navigate to the fifth slide and copy the URL.
What ports are required for Intune enrollment? ›Port requirements
For peer-to-peer traffic, Delivery Optimization uses 7680 for TCP/IP or 3544 for NAT traversal (optionally Teredo). For client-service communication, it uses HTTP or HTTPS over port 80/443.
As an Intune admin, you can create and import a comma-separated value (. csv) file that lists 14-digit IMEI numbers or serial numbers. Intune uses these identifiers to specify device ownership as corporate during device enrollment.
What is MAM vs MDM enrollment? ›MDM is a way of securing mobile devices such as smartphones and tablets, whereas MAM secures the applications on those devices that are used to access organizational data, such as Outlook, SharePoint, and OneDrive. MDM software is typically designed to support one or more operating systems such as iOS and Android.
How do I view Intune logs? ›- Sign in to the Microsoft Intune admin center.
- Select Tenant administration > Audit logs.
- To filter the results, select Filter and refine the results using the following options. ...
- Select Apply.
- Select an item in the list to see the activity details.
To confirm your Microsoft Intune license or trial, use the following steps: Sign in to Microsoft Intune admin center. Select Tenant administration > Tenant status. Under the Tenant details tab, you will see the MDM authority, the Total licenses users, and the Total Intune licenses.
How do I check Intune install logs? ›
Agent logs on the client machine are commonly in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs. You can use CMTrace.exe to view these log files.
Where are Intune logs located? ›Intune log file location is C:\ProgramData\Microsoft\IntuneManagementExtension\Logs.
How do I Monitor Intune? ›Sign in to the Microsoft Intune admin center. Select Apps > All apps. In the list of apps, select an app to monitor. You'll then see the app pane, which includes an overview of the device status and the user status.
How do I check my MDM diagnostic logs? ›- On your managed device, go to Settings > Accounts > Access work or school.
- Click your work or school account, then click Info.
- At the bottom of the Settings page, click Create report.
- A window opens that shows the path to the log files.
Open the Company Portal app for Android on your device. Tap Devices and then select your device. Under Device Settings Status, tap Check device settings. Company Portal will check your device to confirm that it's meeting your organization's policy requirements.
Can you track a device with Intune? ›When you use the Locate device action for an Android Enterprise dedicated device that is off-line and unable to respond with its current location, Intune attempts to display its last known location. This capability uses data submitted by the device when it checks in with Intune.