Troubleshooting device enrollment in Intune
This article provides suggestions for troubleshooting device enrollment issues in Microsoft Intune. Browse other sections of this guide for OS-specific enrollment troubleshooting.
Initial troubleshooting steps
Before you start troubleshooting, check to make sure that you've configured Intune properly to enable enrollment. You can read about those configuration requirements in our documentation:
- Set up Intune
- Enroll iOS/iPadOS devices in Intune
- Set up enrollment for macOS devices in Intune
- Set up enrollment for Windows devices in Intune
- Enroll Android devices in Intune - No additional steps required
Run self-help diagnostics
To help administrators use Microsoft Intune successfully, Microsoft has developed diagnostic scenarios that cover the top support topics and the common configuration tasks for which administrators request help. These diagnostics make no changes to your tenant; they report known issues and the steps to fix them quickly.
Note
These diagnostics aren't available for GCC High and DoD environments or Microsoft 365 operated by 21Vianet.
Run diagnostics
As an administrator, navigate to the Microsoft 365 admin center. In the navigation pane, select Show all > Support > Help & support. Alternatively, select Help & support on the bottom right side of the page. After you briefly describe your issue (for example, "I need help enrolling Windows devices"), the system determines whether a diagnostic scenario matches your issue.
For the user having a device that fails to enroll in Intune, type their email address and then select Run tests. After the diagnostic checks finish and a configuration issue is found, the system provides steps to resolve the issue.
Note
If a diagnostic detects an issue and you implement a fix based on the results, consider rerunning the diagnostic to ensure the issue is completely resolved.
Scenarios covered by diagnostics
Note
You have to run the diagnostics as an administrator.
The following diagnostics are currently available for Intune enrollment issues. Each one helps identify why a user's device fails to enroll in Intune.
Diagnostics | Links |
---|---|
Intune Windows enrollment | Run Tests: Intune Windows enrollment |
Intune iOS/iPadOS enrollment | Run Tests: Intune iOS/iPadOS enrollment |
Intune Android enrollment | Run Tests: Intune Android enrollment |
Intune macOS enrollment | Run Tests: Intune macOS enrollment |
Collect basic information
It's important to collect some basic information to help better understand the problem and reduce the time to find a resolution.
Collect the following information about the problem:
- What is the exact error message?
- Where do you see the error message?
- When did the problem start? Has enrollment ever worked?
- What platform (Android, iOS/iPadOS, Windows) has the problem?
- How many users are affected? Are all users affected or just some?
- How many devices are affected? Are all devices affected or just some?
- What is the MDM authority?
- How is enrollment being performed? For example, is it "Bring your own device" (BYOD) or Apple Automated Device Enrollment (ADE) with enrollment profiles?
Collect diagnostic logs
Your managed device users can collect enrollment and diagnostic logs for you to review. User instructions for collecting logs are provided in:
Check device date and time
A device whose clock is wrong fails TLS certificate validation and sign-in token checks before any Intune-specific step runs, so the enrollment error the user sees can be misleading. Before digging deeper:
- Restart the device.
- Make sure that the date, time and time zone are correct for the user's location. A time zone can legitimately be up to 12 hours from GMT, but the clock itself must be within a few minutes of true time.
- Uninstall and reinstall the Intune Company Portal app (if applicable).
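The following is an added example, not code from the Microsoft article: a PowerShell triage script for a Windows device that fails to enroll. It measures clock skew against a time server, collects the enrollment diagnostics bundle with the built-in MdmDiagnosticsTool, and lists recent errors from the MDM enrollment event log. The time server, the 5-minute tolerance and the C:\Temp output path are assumptions you can change.

```powershell
# Added example, not part of the Microsoft article: client-side triage on a Windows device that
# fails to enroll. Run from an elevated PowerShell session on the affected device.
# Assumptions (adjust to your environment): time.windows.com is reachable on UDP 123,
# C:\Temp is writable, and a 5-minute skew is the most your identity provider tolerates.

$toleranceSeconds = 300
$timeServer       = 'time.windows.com'
$cabPath          = Join-Path $env:SystemDrive 'Temp\MDMDiag.cab'

# --- 1. Clock skew -------------------------------------------------------------
# w32tm /stripchart prints the offset of the local clock from the time server on each
# sample line, e.g. "12:00:01, +00.0123456s". A large offset breaks TLS certificate
# validation and token issuance, so enrollment fails before any Intune-specific check.
$samples = w32tm /stripchart "/computer:$timeServer" /samples:3 /dataonly 2>&1
$offsets = foreach ($line in $samples) {
    if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
}
if (-not $offsets) {
    Write-Warning "No NTP samples from $timeServer (UDP 123 blocked?). Raw output:`n$($samples -join "`n")"
} else {
    $maxSkew = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    if ($maxSkew -gt $toleranceSeconds) {
        Write-Warning ("Clock is off by {0:N1}s; run 'w32tm /resync' and check the time zone ({1})." -f $maxSkew, (Get-TimeZone).Id)
    } else {
        Write-Host ("Clock OK: max skew {0:N3}s, time zone {1}" -f $maxSkew, (Get-TimeZone).Id)
    }
}
w32tm /query /status   # configured time source and last successful sync

# --- 2. Enrollment diagnostics -------------------------------------------------
# MdmDiagnosticsTool (built into Windows 10/11) bundles the enrollment logs, registry
# state and event logs that Microsoft Support asks for into a single .cab file.
New-Item -ItemType Directory -Path (Split-Path $cabPath) -Force | Out-Null
mdmdiagnosticstool.exe -area 'DeviceEnrollment;DeviceProvisioning;Autopilot' -cab $cabPath
Write-Host "Diagnostics written to $cabPath"

# --- 3. Recent enrollment errors from the event log ---------------------------
# The DeviceManagement-Enterprise-Diagnostics-Provider Admin log carries the MDM
# enrollment error codes that the Company Portal app does not display.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Level     = 2                                # 2 = Error
    StartTime = (Get-Date).AddDays(-1)
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

Send the .cab to whoever is working the case together with the answers to the questions in Collect basic information; the event-log errors usually contain the hex code to look up in the Enrollment error codes table.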
Device cap reached
A user receives an error during enrollment, such as "DeviceCapReached" or a general message such as "Company Portal Temporarily Unavailable".
Cause: This error indicates that a user is trying to enroll more devices than the device enrollment limit.
Solution: Compare the user's enrolled device count with the device limit restriction that applies to them:
- In the Microsoft Intune admin center, choose Devices > Enrollment restrictions > Device limit restrictions. Note the value in the Device limit column.
- In the Microsoft Intune admin center, choose Users > All users > select the user > Devices. Note the number of devices the user has enrolled.
- If the user's number of enrolled devices already equals their device limit, they can't enroll another device until:
  - Existing devices are removed, or
  - You increase the limit in Device limit restrictions.
To avoid hitting device caps, remove stale device records regularly: a device that hasn't checked in for months still counts against the user's limit.
Note
You can avoid the device enrollment cap by using a Device Enrollment Manager (DEM) account, as described in Enroll corporate-owned devices with the Device Enrollment Manager in Microsoft Intune.
A user account that is added to the Device Enrollment Managers list can't complete enrollment when a Conditional Access policy is enforced for that account's sign-in. Plan for this deliberately: a DEM account is a shared, high-value credential, so any Conditional Access exception made for it should be narrow and the account protected accordingly.
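As an added example, not part of the Microsoft article, the following PowerShell function performs the device-cap check above against Microsoft Graph instead of clicking through the admin center: it lists the device limit restrictions, counts the user's enrolled devices, and flags records that haven't synced recently as candidates for cleanup. It assumes the Microsoft.Graph.Authentication module is installed, that the signed-in admin can consent to the read-only scopes listed, and uses alice@contoso.com and a 90-day staleness window as placeholder values.

```powershell
# Added example, not part of the Microsoft article: admin-side device-cap check via Microsoft Graph.
# Assumptions: Microsoft.Graph.Authentication is installed; the caller can consent to the
# read-only scopes below; alice@contoso.com is a placeholder user; 90 days defines "stale".

Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All',
                        'DeviceManagementManagedDevices.Read.All',
                        'User.Read.All'

function Get-IntuneDeviceCapReport {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [int] $StaleDays = 90
    )

    # Device limit restrictions are deviceEnrollmentLimitConfiguration objects. The default
    # restriction applies to everyone; others are assigned to groups and win by priority.
    # This report lists all of them rather than resolving the user's group membership,
    # so compare the count against the restriction you know targets this user.
    $cfgUri = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations'
    $limits = (Invoke-MgGraphRequest -Method GET -Uri $cfgUri).value |
        Where-Object { $_.'@odata.type' -eq '#microsoft.graph.deviceEnrollmentLimitConfiguration' } |
        Sort-Object priority

    # Devices the user has enrolled in Intune (managedDevices) with their last check-in.
    # The device limit is at most 15, so a single page of results is enough here.
    $devUri  = "https://graph.microsoft.com/v1.0/users/$UserPrincipalName/managedDevices" +
               '?$select=id,deviceName,operatingSystem,lastSyncDateTime,enrolledDateTime'
    $devices = @((Invoke-MgGraphRequest -Method GET -Uri $devUri).value)
    $cutoff  = (Get-Date).AddDays(-$StaleDays)
    # A device with no lastSyncDateTime at all is treated as stale as well.
    $stale   = @($devices | Where-Object { [datetime]$_.lastSyncDateTime -lt $cutoff })

    [pscustomobject]@{
        User            = $UserPrincipalName
        EnrolledDevices = $devices.Count
        StaleDevices    = $stale.Count
        Limits          = ($limits | ForEach-Object { "$($_.displayName)=$($_.limit)" }) -join '; '
        AtCap           = [bool]($limits | Where-Object { $devices.Count -ge $_.limit })
        StaleDevices_   = $stale | ForEach-Object { "$($_.deviceName) ($($_.operatingSystem), last sync $($_.lastSyncDateTime), id $($_.id))" }
    }
}

$report = Get-IntuneDeviceCapReport -UserPrincipalName 'alice@contoso.com'
$report | Format-List

# To free a slot, retire or delete a stale record. Deleting needs the
# DeviceManagementManagedDevices.ReadWrite.All scope, which is deliberately not requested above:
#   Invoke-MgGraphRequest -Method DELETE -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/<id>"
```

The Intune device limit restriction is separate from the Microsoft Entra ID "maximum number of devices per user" setting; this report checks only the Intune limit, so if the count is below every listed limit and enrollment still fails with a cap error, check the Entra device setting next.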
Company Portal Temporarily Unavailable
Users receive a Company Portal Temporarily Unavailable error on their device.
Cause: The Company Portal app on the device is out of date or corrupted.
Solution:
- Remove the Intune Company Portal app from the device.
- On the device, open the browser, browse to https://portal.manage.microsoft.com, and try a user login.
- If the user fails to sign in, they should try another network.
- If that fails, validate that the user's credentials have synced correctly with Microsoft Entra ID.
- If the user successfully logs in, an iOS/iPadOS device will prompt you to install the Intune Company Portal app and enroll. On an Android device, you'll need to manually install the Intune Company Portal app, after which you can retry enrolling.
Note
This error can also occur if the user is attempting to enroll more devices than device enrollment is configured to allow. If these steps do not resolve the issue, follow the solution steps for Device cap reached.
MDM authority not defined
A user receives an "MDM authority not defined" error.
Cause: Either the MDM Authority has not been set or there is a user credential issue.
Solution:
Verify that the MDM Authority has been set appropriately.
Verify that the user's credentials have synced correctly with Microsoft Entra ID. You can verify that the user's UPN matches the Active Directory information in the Microsoft 365 admin center. If the UPN doesn't match the Active Directory information:
- Turn off directory synchronization (DirSync, or its successor Microsoft Entra Connect) on the local server.
- Delete the mismatched user from the Intune Account Portal user list.
- Wait about one hour to allow the Azure service to remove the incorrect data.
- Turn directory synchronization on again and check that the user is now synced properly.
Unable to create policy or enroll devices if the company name contains special characters
Issue: You can't create policies or enroll devices, and the company name recorded in the Microsoft 365 admin center contains special characters.
Solution: In the Microsoft 365 admin center, remove the special characters from the company name and save the company information.
Unable to sign in or enroll devices when you have multiple verified domains
This problem may occur when you add a second verified domain to your Active Directory Federation Services (AD FS). Users with the user principal name (UPN) suffix of the second domain may not be able to log into the portals or enroll devices.
Solution: Microsoft 365 customers are required to deploy a separate instance of the AD FS 2.0 Federation Service for each suffix if they:
- use single sign-on (SSO) through AD FS 2.0, and
- have multiple top-level domains for users' UPN suffixes within their organization (for example, @contoso.com or @fabrikam.com).
A rollup for AD FS 2.0 works in conjunction with the SupportMultipleDomain switch to enable the AD FS server to support this scenario without requiring additional AD FS 2.0 servers. For more information, see this blog.
Profile installation failed
Issue: A user receives a "Profile installation failed" error.
Solution:
- Confirm that the user is assigned an appropriate license for the version of the Intune service that you're using.
- Confirm that the device isn't already enrolled with another MDM provider.
- Confirm that the device doesn't already have a management profile installed.
- For iOS/iPadOS devices, confirm that Safari is the default browser and that cookies are enabled. For Android devices, confirm that Chrome is the default browser and that cookies are enabled.
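For the two checks above that concern existing management (another MDM provider, or a management profile already present), a Windows device lets you answer the question locally. The following is an added example, not code from the Microsoft article: it reads the enrollment records Windows keeps under HKLM:\SOFTWARE\Microsoft\Enrollments and summarizes the join and MDM state reported by dsregcmd. It assumes an elevated session and relies on the fact that Intune records its provider as "MS DM Server".

```powershell
# Added example, not part of the Microsoft article: detect an existing MDM enrollment on a
# Windows device before retrying enrollment. Run from an elevated PowerShell session.
# Intune's enrollment ProviderID is "MS DM Server"; any other ProviderID means another MDM
# (or a provisioning package) holds the enrollment and must release it first.

function Get-ExistingMdmEnrollment {
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        # Only GUID-named subkeys carrying a ProviderID are enrollments; helper keys
        # such as Status, Ownership or Context have no ProviderID and are skipped.
        if ($p.PSObject.Properties['ProviderID']) {
            [pscustomobject]@{
                EnrollmentId    = $_.PSChildName
                ProviderID      = $p.ProviderID
                UPN             = $p.UPN
                EnrollmentState = $p.EnrollmentState
                DiscoveryUrl    = $p.DiscoveryServiceFullURL
                IsIntune        = ($p.ProviderID -eq 'MS DM Server')
            }
        }
    }
}

# Join state and the MDM endpoints the device was handed, parsed from dsregcmd /status.
function Get-DsregSummary {
    $wanted = 'AzureAdJoined', 'DomainJoined', 'TenantName', 'MdmUrl'
    $out = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$' -and $wanted -contains $Matches[1]) {
            $out[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]$out
}

$enrollments = @(Get-ExistingMdmEnrollment)
$enrollments | Format-Table -AutoSize
Get-DsregSummary | Format-List

$foreign = $enrollments | Where-Object { -not $_.IsIntune }
if ($foreign) {
    Write-Warning ("Non-Intune enrollment present (ProviderID '{0}'); find out which MDM or provisioning package owns it and remove it before enrolling in Intune." -f ($foreign.ProviderID -join "', '"))
} elseif ($enrollments.Count -gt 0) {
    Write-Host 'An Intune enrollment already exists; disconnect it under Settings > Accounts > Access work or school before re-enrolling.'
} else {
    Write-Host 'No MDM enrollment found on this device.'
}
```

If the device shows AzureAdJoined : YES but no enrollment record, the device is joined to Entra ID without being MDM-enrolled; that is the state in which a fresh Intune enrollment should succeed, so the problem lies elsewhere (licensing, restrictions, or the MDM authority).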
Expired certificates within the management profile
The IOSProfileSigning.manage.microsoft.com certificate is required to install the management profile on iOS/iPadOS devices during the enrollment process. The certificate is only needed during that initial installation, but because of how iOS/iPadOS is designed it remains on the device afterward. Enrolled devices keep working as expected, and new enrollments receive the same certificate with a new validity date. As a result, an expired or unverified copy of this certificate may appear on a device; this doesn't affect existing enrollments.
IT admin needs to assign license for access
Users see the message "Your IT admin hasn't given you access to use this app. Get help from your IT admin or try again later."
Cause: The device can't be enrolled because the user's account doesn't have the necessary license. The user is either missing a license or has the wrong license type for the MDM authority. For example, they'll see this error if both of the following are true:
- Intune has been set as the mobile device management authority.
- They're using a System Center 2012 R2 Configuration Manager license.
Solution: Assign the appropriate license to the user. For more information, see Assign Intune licenses to your user accounts.
IT admin needs to set MDM authority
Users see the message "Looks like your IT admin hasn't set an MDM authority. Get help from your IT admin or try again later."
Cause: The mobile device management authority hasn't been defined in Intune.
Solution: Set the mobile device management authority.
Enrollment error codes
Error code | Possible problem | Suggested resolution |
---|---|---|
0x80CF0437 | The clock on the client computer isn't set to the correct time. | Make sure that the clock and the time zone on the client computer are set to the correct time and time zone. |
0x80240438, 0x80CF0438, 0x80CF402C | Can't connect to the Intune service. Check the client proxy settings. | Verify that Intune supports the proxy configuration on the client computer. Verify that the client computer has Internet access. |
0x80240438, 0x80CF0438 | Proxy settings in Internet Explorer and Local System aren't configured, so the client can't connect to the Intune service. | Check the client proxy settings. Verify that Intune supports the proxy configuration on the client computer. Verify that the client computer has Internet access. |
0x80043001, 0x80CF3001, 0x80043004, 0x80CF3004 | Enrollment package is out of date. | Download and install the current client software package from the Administration workspace. |
0x80043002, 0x80CF3002 | Account is in maintenance mode. | You can't enroll new client computers when the account is in maintenance mode. To view your account settings, sign in to your account. |
0x80043003, 0x80CF3003 | Account is deleted. | Verify that your account and subscription to Intune is still active. To view your account settings, sign in to your account. |
0x80043005, 0x80CF3005 | The client computer has been retired. | Wait a few hours, remove any older versions of the client software from the computer, and then retry the client software installation. |
0x80043006, 0x80CF3006 | The maximum number of seats allowed for the account has been reached. | Your organization must buy additional seats before you can enroll more client computers in the service. |
0x80043007, 0x80CF3007 | Couldn't find the certificate file in the same folder as the installer program. | Extract all files before you start the installation. Do not rename or move any of the extracted files: all files must exist in the same folder or the installation will fail. |
0x8024D015, 0x00240005, 0x80070BC2, 0x80070BC9, 0x80CFD015 | The software can't be installed because a restart of the client computer is pending. | Restart the computer and then retry the client software installation. |
0x80070032 | One or more prerequisites for installing the client software weren't found on the client computer. | Make sure that all required updates are installed on the client computer and then retry the client software installation. |
0x80043008, 0x80CF3008 | Failed to start the Microsoft Online Management Updates service. | Contact Microsoft Support as described in How to get support in Microsoft Intune. |
0x80043009, 0x80CF3009 | The client computer is already enrolled into the service. | You must retire the client computer before you can re-enroll it in the service. |
0x8004300B, 0x80CF300B | The client software installation package can't run because the version of Windows that is running on the client isn't supported. | Intune doesn't support the version of Windows that is running on the client computer. |
0xAB2 | The Windows Installer couldn't access VBScript run time for a custom action. | This error is caused by a custom action that is based on Dynamic-Link Libraries (DLLs). |
0x80CF0440 | The connection to the service endpoint terminated. | Trial or paid account is suspended. Create a new trial or paid account and re-enroll. |