Troubleshoot device enrollment
When a user reports a device issue—such as failing to access work email or missing a required application—you need to know exactly where to look. Troubleshooting requires understanding the difference between a device's management status (handled by Intune) and its foundational identity (handled by Microsoft Entra ID).
Here's how to effectively use both portals to monitor health and isolate the root cause of device failures.
Troubleshoot the management layer (Microsoft Intune)
The Intune admin center is your primary tool for diagnosing issues related to policies, apps, and compliance. It displays only devices that are actively enrolled in mobile device management (MDM); a device that never completed enrollment won't appear in its device list at all.
- Sign in to the Microsoft Intune admin center.
- Select Devices from the left navigation pane.
- Use the following views to debug management issues:
- All devices (the primary diagnostic hub): Locate the user's specific device here.
  - Check sync status: Look at the Last check-in time. If the device hasn't synced in days, policies and apps won't apply. You can use the remote actions menu here to force a Sync.
  - Verify compliance: If a device is marked Not Compliant, drill into the Device compliance tab to see exactly which setting (e.g., a missing OS update or a disabled firewall) is causing the failure.
- Monitor > Enrollment failures: If a user can't get their device enrolled in the first place, don't guess the cause. This report explicitly lists which devices failed onboarding and whether they were blocked by a specific restriction policy or a missing license.
- Overview: Use this dashboard for a macro-level health check. If you see a sudden, massive drop in compliant devices, you likely have a newly deployed policy that's causing widespread conflicts.
Troubleshoot the identity layer (Microsoft Entra ID)
Not all devices are managed by Intune, but all connected devices rely on Entra ID for authentication. If a user can't sign in, or if Windows Autopilot is failing before MDM even starts, you must troubleshoot the identity layer.
- Sign in to the Microsoft Entra admin center (or access Entra ID via the Azure portal).
- Expand the Identity menu and select Devices.
- Use the following views to debug identity and trust issues:
- All devices (the trust anchor): This list shows every device registered with or joined to your Microsoft Entra tenant, whether or not Intune manages it.
- Check the "Enabled" status: If a helpdesk agent accidentally disabled the device here, the user's token is revoked. Even if the device looks healthy in Intune, it will be completely blocked from accessing Office 365 or syncing new policies until it's re-enabled in Entra ID.
- BitLocker Recovery: If a Windows device is locked at the boot screen, you'll find the BitLocker recovery keys attached to the device object here.
- Audit logs: Use this to trace the exact timeline of a device's lifecycle. If a device suddenly disappeared from Intune, the Entra ID audit logs will tell you exactly which administrator (or automated cleanup rule) initiated the deletion.
- Device settings: If multiple users are suddenly failing to register personal devices, check here to ensure someone didn't mistakenly toggle "Users may register their devices with Microsoft Entra ID" to None.
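The two portal walk-throughs above (Intune for management state, Entra ID for identity state) can be collapsed into one triage script. The following is an added example using the Microsoft Graph PowerShell SDK, not code from the original article; it assumes the Microsoft.Graph.DeviceManagement, Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Reports modules are installed, that the `targetResources/any(...)` filter is accepted by the directory audit endpoint, and that the caller holds the listed read permissions.

```powershell
# Added example, not part of the original article: triage a reported device across both layers
# with the Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph.DeviceManagement,
# Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Reports modules are installed.
param(
    [Parameter(Mandatory)] [string] $DeviceName,  # device name as shown in the portals
    [int] $StaleAfterDays = 3                     # constructed threshold for a stale check-in
)

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All', 'Device.Read.All', 'AuditLog.Read.All' -NoWelcome

# Management layer: the Intune record exists only if MDM enrollment completed.
$managed = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$DeviceName'" -Top 1
if (-not $managed) {
    Write-Warning "No Intune record for '$DeviceName'. Enrollment never completed; check Monitor > Enrollment failures."
} else {
    $sinceSync = (Get-Date) - $managed.LastSyncDateTime
    Write-Output ("Intune: compliance={0} owner={1} lastCheckIn={2:u}" -f
        $managed.ComplianceState, $managed.ManagedDeviceOwnerType, $managed.LastSyncDateTime)
    if ($sinceSync.TotalDays -gt $StaleAfterDays) {
        Write-Warning ("No check-in for {0:N0} days; policies and apps will not apply until the device syncs." -f $sinceSync.TotalDays)
    }
    if ($managed.ComplianceState -ne 'compliant') {
        Write-Warning "Compliance state is '$($managed.ComplianceState)'; open the Device compliance tab for the failing setting."
    }
}

# Identity layer: join to the Entra device object by device id when Intune knows it, otherwise by name.
$entra = if ($managed -and $managed.AzureAdDeviceId) {
    Get-MgDevice -Filter "deviceId eq '$($managed.AzureAdDeviceId)'" -Top 1
} else {
    Get-MgDevice -Filter "displayName eq '$DeviceName'" -Top 1
}
if (-not $entra) {
    Write-Warning "No Entra ID device object: the device is neither registered nor joined, so sign-in fails before MDM is involved."
} elseif (-not $entra.AccountEnabled) {
    Write-Warning "Entra ID device object is disabled: its tokens are revoked regardless of what Intune shows. Re-enable it, then see who disabled it:"
    # Directory audit entries that targeted this device object: who (or which app/cleanup rule) changed it, and when.
    # Assumption: the targetResources/any(...) filter is accepted for directory audits.
    Get-MgAuditLogDirectoryAudit -Filter "targetResources/any(t:t/id eq '$($entra.Id)')" -Top 10 |
        Select-Object ActivityDateTime, ActivityDisplayName, @{ n = 'InitiatedBy'; e = {
            if ($_.InitiatedBy.User) { $_.InitiatedBy.User.UserPrincipalName } else { $_.InitiatedBy.App.DisplayName } } }
} else {
    Write-Output ("Entra ID: enabled, trustType={0}, lastSignIn={1:u}" -f $entra.TrustType, $entra.ApproximateLastSignInDateTime)
}
```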
If the user sees an error such as "Your organization does not support this version of Windows" or "Personal devices are not allowed," the enrollment is blocked by a Device platform restriction.
Resolving blocked personal devices
If your organization blocks personally owned devices and a corporate device is being blocked as well, Intune is most likely treating that corporate hardware as Personal because nothing has declared it to be corporate.
To fix this for Windows or macOS:
- Ensure the device hardware hash is properly registered in Windows Autopilot, or the Mac's serial number is synced from Apple Business Manager. Devices registered via these corporate programs are automatically flagged as Corporate.
- If you aren't using Autopilot or Apple Business Manager, you must manually pre-declare the device as corporate. Go to Devices > Enrollment > Corporate device identifiers.
- Add the device's MAC address or serial number. Once added, the device will bypass the "block personal devices" restriction.
Resolving blocked OS versions or platforms
If the policy is legitimately blocking an OS that should be allowed:
- In the admin center, go to Devices > Enrollment.
- Select the Windows or macOS tab, and then choose Enrollment Device Platform Restrictions.
- Select the restriction policy assigned to the user and choose Properties.
- Next to Platform settings, select Edit.
- Ensure the platform is set to Allow. Check the Minimum / Maximum versions fields and clear them or adjust them to include the user's OS version.
- Select Review + save.
If you have verified that no enrollment restrictions are blocking the user, but Windows devices are still failing to automatically enroll, the issue often lies in the Microsoft Entra ID configuration.
- Sign in to the Microsoft Entra admin center.
- Navigate to Microsoft Entra ID > Mobility > Microsoft Intune.
- Verify that the MDM user scope is set to All (or set to Some with the correct user group selected).
- Ensure the MAM user scope is set to None, as overlapping MDM and MAM scopes during Windows enrollment can cause failures.
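The scope check above can also be done from a shell, which is handy when you need to confirm that a specific user actually falls inside a "Some" MDM scope. The following is an added example, not code from the original article; it assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users modules, that the `IncludedGroups` relationship can be expanded on the policy cmdlets, and that the built-in policies carry the display name 'Microsoft Intune' (adjust if your tenant shows a different name).

```powershell
# Added example, not part of the original article: audit the Windows automatic-enrollment scopes
# through Microsoft Graph rather than the portal. Assumes the Microsoft.Graph.Identity.SignIns and
# Microsoft.Graph.Users modules, and that the built-in policies are named 'Microsoft Intune'
# (assumption; adjust the name if your tenant differs).
param([string] $UserPrincipalName)   # optional: the user whose Windows device fails to auto-enroll

Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All', 'GroupMember.Read.All' -NoWelcome

# AppliesTo maps to the portal's MDM/MAM user scope: none, all, or selected ("Some").
$mdm = Get-MgPolicyMobileDeviceManagementPolicy -ExpandProperty IncludedGroups |
    Where-Object DisplayName -eq 'Microsoft Intune'
$mam = Get-MgPolicyMobileAppManagementPolicy -ExpandProperty IncludedGroups |
    Where-Object DisplayName -eq 'Microsoft Intune'

if (-not $mdm) { throw 'No Microsoft Intune MDM policy found under Mobility (MDM and MAM).' }
Write-Output "MDM user scope: $($mdm.AppliesTo)"

switch ($mdm.AppliesTo) {
    'none' {
        Write-Warning 'MDM user scope is None: Windows devices cannot auto-enroll. Set it to All or Some.'
    }
    'selected' {
        $groupNames = $mdm.IncludedGroups.DisplayName -join ', '
        Write-Output "MDM scope is Some; included groups: $groupNames"
        if ($UserPrincipalName) {
            # With a "Some" scope, the scope only applies to members of an included group.
            $memberOf = (Get-MgUserMemberOf -UserId $UserPrincipalName -All).Id
            $inScope  = @($mdm.IncludedGroups.Id | Where-Object { $memberOf -contains $_ })
            if ($inScope.Count -eq 0) {
                Write-Warning "$UserPrincipalName is not in any MDM scope group, so the MDM scope does not apply to this user."
            }
        }
    }
}

# The overlap the article warns about: a MAM scope set while the MDM scope is active.
if ($mam -and $mam.AppliesTo -ne 'none') {
    Write-Warning "MAM user scope is '$($mam.AppliesTo)'. Overlapping MDM and MAM scopes can fail Windows enrollment; set MAM to None."
}
```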