Autopilot pre-provisioning failures are commonly caused by TPM attestation issues, network connectivity problems reaching the Intune service, or a device clock skew greater than five minutes. Check the Autopilot diagnostics page during provisioning for a specific error code, and confirm the device has network access to the required Microsoft endpoints.
- Common errors
- Troubleshooting steps
- Fix error 0x80180024
- Security risks
- Monitoring
- FAQ
Why Intune enrollment fails
Intune enrollment is what gets a device under MDM policy enforcement, compliance checks, and app deployment. When enrollment fails, the device sits outside your management boundary. No security baselines, no Conditional Access enforcement, no remote wipe.
Most enrollment failures trace back to a short list of causes:
- No Intune or Microsoft 365 license assigned to the user.
- The device enrollment limit has been hit (the default cap is 15 devices per user).
- MDM scope is set to "None" in Microsoft Entra ID.
- A stale device object is blocking re-enrollment.
- A conflicting MDM authority exists.
- Auto-enrollment Group Policy is misconfigured in hybrid environments.
Figuring out which one you're dealing with means checking the device state, the user's license assignment, and the enrollment logs, in that order.
Common Intune enrollment error codes
| Error code | Description | Common cause |
|---|---|---|
| 0x80180024 | Device already enrolled or conflicting MDM registration | Stale enrollment artifacts, device not properly unenrolled before re-enrollment |
| 0x80180001 | MDM enrollment failed | MDM authority not set or MDM terms of use not accepted |
| 0x8018002b | MDM enrollment failed | UPN issues, MDM scope misconfiguration, missing license |
| 0x80180026 | Enrollment blocked | Device ownership type mismatch (personal vs. corporate) |
| 0x8018002a | Enrollment failed | Corrupt Windows installation or registry |
| 0x80192ee2 | Enrollment server unreachable | Network, proxy, or firewall blocking MDM endpoints |
Not every error code points to a single cause. The troubleshooting steps below help you narrow down the specific issue regardless of which code you're seeing.
Troubleshooting steps for enrollment failures
Step 1: Verify enrollment prerequisites
Before you dig into logs, confirm the basics are in place.
- Open the Microsoft Intune admin center and confirm the user has an active Intune or Microsoft 365 license assigned.
- Navigate to Microsoft Entra ID > Mobility (MDM and MAM) and confirm the MDM scope is set to "Some" or "All," not "None."
- Check the device enrollment limit under Devices > Enrollment restrictions and confirm the user hasn't exceeded the maximum number of enrolled devices.
Step 2: Check device join and MDM state with dsregcmd
Run dsregcmd /status on the affected device in an elevated command prompt. Look at three fields in the output:
- AzureAdJoined: Should show "YES" if the device is Azure AD joined or hybrid Azure AD joined.
- DomainJoined: Should show "YES" for hybrid environments.
- MdmUrl: Should display the Intune MDM enrollment URL. If this field is blank, MDM auto-enrollment is not configured for the device.
A blank MdmUrl combined with AzureAdJoined = YES typically means the auto-enrollment Group Policy or Microsoft Entra ID MDM scope isn't targeting the user or device.
Step 3: Check enrollment logs in Event Viewer
Open Event Viewer on the device and navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin. Filter for error-level events.
Each error entry includes a specific error code and a failure description. Cross-reference the error code against the table above or the Microsoft Intune documentation to identify the root cause.
Step 4: Verify Group Policy auto-enrollment settings (hybrid environments)
In hybrid Azure AD join scenarios, auto-enrollment depends on a Group Policy setting. Open the Group Policy Management Console and navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > MDM > Enable automatic MDM enrollment using default Azure AD credentials.
Confirm the setting is enabled and the credential type is set to "User Credential" (for user-driven enrollment) or "Device Credential" (for device-driven scenarios). If this policy is left at "Not Configured," devices in that OU won't auto-enroll.
Step 5: Run Microsoft self-help diagnostics
The Microsoft Intune admin center includes built-in diagnostic tools. Navigate to Troubleshooting + support > Diagnostics and run the enrollment diagnostics for the affected user.
The tool checks license assignment, device cap, enrollment configuration, and MDM authority in one pass. It surfaces specific failures with recommended actions, which saves you time compared to checking each prerequisite manually.
Step 6: Collect diagnostic logs from the device
If the issue persists after the checks above, collect detailed diagnostic logs from the device.
On the device, go to Settings > Accounts > Access work or school > Export your management log files. Alternatively, run the following command in an elevated command prompt:
mdmdiagnosticstool.exe -area DeviceEnrollment -cab c:\temp\enrollment.cab
This generates a CAB file containing enrollment logs, registry snapshots, and event traces that Microsoft support or your internal team can analyze.
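The device-side parts of Steps 2, 3, 4 and 6 can be run as one script so the three fields from dsregcmd, the policy state, the error codes from the diagnostics log and the CAB export come out together. The following PowerShell is an added example for this page, not something the article or Microsoft provides; it assumes an elevated session on the affected device, and the registry path and value names it reads for the auto-enrollment policy (AutoEnrollMDM and UseAADCredentialType under HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM) are my understanding of what the Group Policy in Step 4 writes, not something the article states.

```powershell
# Added example (not from the original article): device-side enrollment triage.
# Run in an elevated PowerShell session on the affected Windows device.

function Get-DsregState {
    # dsregcmd /status prints "Key : Value" lines; keep only the ones Step 2 cares about.
    $wanted = 'AzureAdJoined', 'DomainJoined', 'MdmUrl', 'TenantName', 'DeviceId'
    $state = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*)$' -and $wanted -contains $Matches[1]) {
            $state[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $state
}

function Get-AutoEnrollPolicy {
    # Backing registry values of "Enable automatic MDM enrollment using default Azure AD credentials".
    # Assumption (not from the article): AutoEnrollMDM = 1 enables the policy,
    # UseAADCredentialType 1 = User Credential, 2 = Device Credential.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Configured = $false; CredentialType = 'Not Configured' }
    }
    $p = Get-ItemProperty -Path $key
    $type = switch ($p.UseAADCredentialType) {
        1       { 'User Credential' }
        2       { 'Device Credential' }
        default { 'Unknown' }
    }
    [pscustomobject]@{ Configured = ($p.AutoEnrollMDM -eq 1); CredentialType = $type }
}

function Get-EnrollmentErrors {
    param([int]$Hours = 24)
    # Same log as Event Viewer > Applications and Services Logs > Microsoft > Windows >
    # DeviceManagement-Enterprise-Diagnostics-Provider > Admin, filtered to Error level (2).
    $filter = @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level     = 2
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull any 0x-prefixed code out of the message so it can be matched against the error table.
        $code = if ($_.Message -match '0x[0-9A-Fa-f]{8}') { $Matches[0] } else { 'n/a' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Code    = $code
            Message = ($_.Message -split "`n")[0]
        }
    }
}

function Export-EnrollmentDiagnostics {
    # Same command as Step 6; returns $true when the CAB was written.
    param([string]$Path = 'C:\temp\enrollment.cab')
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    & mdmdiagnosticstool.exe -area DeviceEnrollment -cab $Path
    return (Test-Path $Path)
}

$state = Get-DsregState
$state.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
if ($state['AzureAdJoined'] -eq 'YES' -and [string]::IsNullOrEmpty($state['MdmUrl'])) {
    Write-Warning 'AzureAdJoined is YES but MdmUrl is blank: auto-enrollment is not targeting this device or user.'
}
Get-AutoEnrollPolicy | Format-List
Get-EnrollmentErrors -Hours 72 | Format-Table -AutoSize -Wrap
Export-EnrollmentDiagnostics
```

The warning line encodes the rule from Step 2: joined but no MdmUrl points at scope or policy targeting, not at the device itself. The extracted codes are what you cross-reference against the table above.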
How to fix error 0x80180024
Error 0x80180024 means the device has an existing MDM enrollment that conflicts with the new enrollment attempt. This commonly happens when a device was reimaged or reset without being properly unenrolled first.
- Run dsregcmd /status and check the MdmUrl field. If it shows an existing enrollment URL but the device doesn't appear in the Intune admin center, the enrollment is stale.
- Open Settings > Accounts > Access work or school on the device. If an MDM account is listed, click it and select Disconnect to remove the stale enrollment.
- If the Disconnect option is unavailable or grayed out, remove the enrollment manually through the registry. Open Registry Editor and navigate to HKLM\SOFTWARE\Microsoft\Enrollments\. Identify the GUID subfolder that matches the stale enrollment (check the UPN value inside each GUID folder). Delete that GUID folder, then restart the device.
- After the restart, re-enroll the device manually through Settings > Accounts > Access work or school > Connect, or allow Autopilot to re-enroll it on next boot.
- If the error occurs during an Autopilot pre-provisioning scenario, check two things. First, confirm TPM attestation is succeeding by reviewing the Autopilot diagnostics page during provisioning. Second, verify the device clock is accurate. A clock skew of more than five minutes can cause attestation failures that surface as 0x80180024.
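The registry steps above (list the GUID keys, pick the stale one by its UPN, delete it, restart) and the clock check from the Autopilot note can be done from PowerShell with a backup and a confirmation prompt, which is how I would do it on a device someone else has to keep working. This is an added example, not the article's procedure verbatim: the ProviderID and EnrollmentState values it displays, the w32tm /stripchart output format it parses, and time.windows.com as the reference server are my assumptions rather than things the article states.

```powershell
# Added example (not from the original article): inspect MDM enrollment keys under
# HKLM\SOFTWARE\Microsoft\Enrollments, remove one only after backup and confirmation,
# and measure clock skew against a time source. Run elevated.

function Get-MdmEnrollment {
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    Get-ChildItem -Path $root | Where-Object {
        # Only GUID-named subkeys are enrollments; housekeeping keys such as Status or Context are skipped.
        $_.PSChildName -match '^\{?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\}?$'
    } | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Guid            = $_.PSChildName
            UPN             = $p.UPN              # the value the article says to compare
            ProviderID      = $p.ProviderID       # assumption: present on Intune enrollments
            EnrollmentState = $p.EnrollmentState  # assumption: present on Intune enrollments
        }
    }
}

function Remove-StaleMdmEnrollment {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$Guid,
        [string]$BackupDir = 'C:\temp\enrollment-backup'
    )
    $key = "HKLM:\SOFTWARE\Microsoft\Enrollments\$Guid"
    if (-not (Test-Path $key)) { throw "No enrollment key named $Guid" }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    # Export the key first so the change can be reversed with "reg.exe import".
    $backup = Join-Path $BackupDir "Enrollments-$Guid.reg"
    reg.exe export "HKLM\SOFTWARE\Microsoft\Enrollments\$Guid" $backup /y | Out-Null
    if ($PSCmdlet.ShouldProcess($key, 'Delete stale enrollment key')) {
        Remove-Item -Path $key -Recurse -Force
        Write-Host "Removed $key (backup: $backup). Restart the device, then re-enroll."
    }
}

function Test-ClockSkew {
    param([string]$TimeServer = 'time.windows.com', [int]$MaxSkewSeconds = 300)
    # Assumption: w32tm /stripchart /dataonly prints one "hh:mm:ss, +00.0123456s" line per sample.
    $lines = w32tm.exe /stripchart /computer:$TimeServer /samples:3 /dataonly
    $offsets = foreach ($l in $lines) { if ($l -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] } }
    if (-not $offsets) {
        return [pscustomobject]@{ Reachable = $false; OffsetSeconds = $null; WithinLimit = $false }
    }
    $avg = ($offsets | Measure-Object -Average).Average
    # Five minutes is the skew the article gives as the attestation limit.
    [pscustomobject]@{
        Reachable     = $true
        OffsetSeconds = [math]::Round($avg, 3)
        WithinLimit   = ([math]::Abs($avg) -le $MaxSkewSeconds)
    }
}

# Usage: list enrollments, pick the GUID whose UPN belongs to a device the Intune admin
# center no longer shows, then remove it. -WhatIf previews; without it, ConfirmImpact=High prompts.
Get-MdmEnrollment | Format-Table -AutoSize
# Remove-StaleMdmEnrollment -Guid '<GUID from the listing above>' -WhatIf
Test-ClockSkew | Format-List
```

If Test-ClockSkew reports WithinLimit = $false during pre-provisioning, fix time sync before touching the registry; the article's point is that the skew itself surfaces as 0x80180024.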
Troubleshooting in hybrid environments
Hybrid Azure AD join environments introduce extra enrollment failure points that don't apply to cloud-only deployments.
Windows Information Protection policy conflicts. If a Windows Information Protection (WIP) policy is deployed alongside enrollment, WIP policy precedence can block MDM enrollment in some configurations. Review WIP policy assignments and test enrollment with WIP temporarily removed to isolate this as a cause.
MFA-backed Primary Refresh Tokens. If Conditional Access requires MFA but the Primary Refresh Token (PRT) doesn't carry an MFA claim, enrollment stalls. The device can't satisfy the Conditional Access requirement during the enrollment handshake. Confirm the user completed MFA before the PRT was issued, or adjust the Conditional Access policy to exclude the enrollment process.
Intune Connector for Active Directory. In hybrid Azure AD join Autopilot scenarios, the Intune Connector for Active Directory must be installed and running on an on-premises server. This connector creates the computer object in AD during provisioning. If the connector service is stopped or the service account lacks permissions to create objects in the target OU, enrollment fails after the Azure AD join step completes.
Confirm the connector is running by checking the Intune Connector service on the host server and verifying the target OU is correctly configured in the Intune admin center under Devices > Windows > Windows enrollment > Intune Connector for Active Directory.
Security risks of unmanaged devices
Devices that fail enrollment stay outside your MDM policy enforcement boundary. No compliance checks run on them, no Conditional Access gets enforced at the device level, and you can't remote wipe them if they're lost or compromised.
These endpoints lack enforced security baselines, disk encryption policies, and app protection policies. An unmanaged laptop connecting to your network is a device you can't patch, can't restrict, and can't wipe.
In hybrid environments, a device that is Azure AD joined but not Intune-enrolled can authenticate to cloud resources without meeting compliance requirements. This gap exists unless Conditional Access explicitly blocks non-compliant or unregistered devices, and many organizations haven't enabled that policy yet.
ADAudit Plus surfaces Intune enrollment events in the Cloud Directory tab, giving you visibility into which devices enrolled successfully and which failed so you can spot unmanaged endpoints before they become a problem.
What native monitoring misses
The Intune admin center shows enrollment status per device, but it doesn't correlate enrollment data with Active Directory logon activity or file access from the same device. You see whether a device enrolled, but not what that device's user did before or after the enrollment event.
Event Viewer logs for enrollment diagnostics are local to each device. There's no centralized view of enrollment failures across your fleet without manually collecting logs from each machine or building a custom Windows security event log forwarding pipeline.
Native tools don't offer real-time alerting on enrollment failures without custom scripting. If 50 devices fail enrollment overnight, nobody finds out until someone checks the admin center the next morning.
Diagnostic log collection requires manual intervention on each device, either through the Settings app or the mdmdiagnosticstool.exe command. There's no built-in way to push log collection across multiple devices at once.
You also can't get historical trend data from native tools. If you want to know how many enrollment failures happened this week compared to last week, you're looking at manual data exports and building your own reporting.
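For a team without a product in place, the gap described above can be narrowed with a script. The following PowerShell is an added example (not from the article and unrelated to ADAudit Plus): it pulls error events from the enrollment diagnostics log on a list of hosts over PowerShell remoting, groups them by day and error code to give the week-over-week view, and flags the "50 devices overnight" case with a distinct-device threshold. It assumes remoting is enabled to those hosts and that you are an administrator on them; the host list path is a placeholder.

```powershell
# Added example (not from the original article): fleet-wide enrollment failure summary.
# Assumes WinRM remoting is enabled and you hold local admin rights on the listed hosts.

function Get-FleetEnrollmentFailures {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$Days = 7
    )
    $since = (Get-Date).AddDays(-$Days)
    # Fan out over remoting; unreachable hosts produce a non-terminating error and are skipped.
    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ArgumentList $since -ScriptBlock {
        param($since)
        Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
            Level     = 2
            StartTime = $since
        } | ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Time     = $_.TimeCreated
                Day      = $_.TimeCreated.ToString('yyyy-MM-dd')
                Code     = if ($_.Message -match '0x[0-9A-Fa-f]{8}') { $Matches[0] } else { 'n/a' }
            }
        }
    }
}

function Get-FailureTrend {
    # Count of failures per day and error code, which is the trend the admin center does not chart.
    param($Events)
    $Events | Group-Object Day, Code | Sort-Object Name |
        Select-Object @{ n = 'Day, Code'; e = { $_.Name } }, Count
}

function Test-FailureSpike {
    # Alert when the number of distinct devices failing inside the window crosses the threshold.
    param($Events, [int]$DeviceThreshold = 50, [int]$WindowHours = 24)
    $cutoff  = (Get-Date).AddHours(-$WindowHours)
    $recent  = @($Events | Where-Object { $_.Time -ge $cutoff })
    $devices = @($recent | Select-Object -ExpandProperty Computer -Unique).Count
    [pscustomobject]@{
        WindowHours    = $WindowHours
        FailingDevices = $devices
        Events         = $recent.Count
        Alert          = ($devices -ge $DeviceThreshold)
    }
}

# Placeholder input: a text file with one hostname per line.
$fleet  = Get-Content 'C:\temp\enrollment-hosts.txt'
$events = Get-FleetEnrollmentFailures -ComputerName $fleet -Days 14
Get-FailureTrend -Events $events | Format-Table -AutoSize
Test-FailureSpike -Events $events | Format-List
```

Run it from a scheduled task and write the trend to a file, and you have the historical comparison the section above says native tools lack; it still only sees hosts that are reachable, which is exactly the class of device that matters most here.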
Monitoring Intune enrollment with ADAudit Plus
What ADAudit Plus monitors
ADAudit Plus provides pre-configured Intune reports under Cloud Directory > Intune Reports. The Intune Device Enrollment report shows all devices enrolled in Intune with enrollment details, including who enrolled the device and when. The Device Compliance Policies report tracks compliance policy changes and status across your managed fleet.
Other Intune reports cover device sync actions, application deployment activity, app protection policy creation, managed device deletion, remote restart actions, device configuration policy changes, and all remote device actions performed through Intune. You can filter each report by time period, export it in CSV, PDF, HTML, CSVDE, or XLSX format, and schedule automatic email delivery on a daily, weekly, or monthly basis.
You can also set up real-time alert profiles for enrollment events, so your team gets notified the moment a device fails to enroll rather than discovering the failure during a manual review.
Native tools vs. ADAudit Plus
| Capability | Native tools | ADAudit Plus |
|---|---|---|
| Centralized enrollment status view | Intune admin center only | Single console with AD, Microsoft Entra ID, and Intune data |
| Correlation with AD logon activity | Not available | Hybrid logon activity correlated with enrollment |
| Real-time alerts on enrollment failures | Requires custom scripting | Pre-configured alert profiles |
| Scheduled enrollment reports | Not available | Automated email delivery (daily, weekly, monthly) |
| Historical enrollment trend analysis | Limited to Intune retention period | Archived data with long-term reporting |
| Device compliance policy change tracking | Intune audit logs | Device Compliance Policies report with who-what-when detail |
FAQ
Error 0x80180014 means the MDM server rejected the enrollment request. This typically happens when the device type isn't allowed by enrollment restrictions or when the MDM terms of use haven't been accepted. Check your enrollment restriction profiles in the Intune admin center and confirm the device platform is permitted.
Run dsregcmd /status on the device and review the AzureAdJoined and MdmUrl fields. In the Intune admin center, navigate to Devices > All devices and search for the device by name or serial number. The enrollment status column shows whether the device is enrolled, pending, or failed.
To disable MDM auto-enrollment, navigate to Microsoft Entra ID > Mobility (MDM and MAM) and set the MDM scope to "None." To unenroll a device that's already enrolled, go to Settings > Accounts > Access work or school on the device, select the MDM account, and click Disconnect.
Yes. Intune enrollment requires HTTPS access to several Microsoft service endpoints, including enrollment.manage.microsoft.com and login.microsoftonline.com. If your firewall or proxy blocks these URLs, enrollment fails with error 0x80192ee2 or a generic network connectivity error.
Verify that the required endpoints are allowlisted in your network configuration.
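An added PowerShell check (not from the article) for the two endpoints the answer names: DNS resolution, a TCP connection on port 443, the WinHTTP proxy the enrollment client would use, and the issuer of the certificate actually presented on the connection. The last item is how you notice a TLS-inspecting proxy sitting between the device and Microsoft, which can fail enrollment even when a plain port test passes. Reading the issuer requires accepting whatever certificate is presented, so that callback is diagnostic only and must not be reused for real traffic.

```powershell
# Added example (not from the original article): reachability and TLS-path check for the
# enrollment endpoints named in the FAQ.

$Endpoints = 'enrollment.manage.microsoft.com', 'login.microsoftonline.com'

function Test-EnrollmentEndpoint {
    param([Parameter(Mandatory)][string[]]$HostName)
    foreach ($h in $HostName) {
        $dns = Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue
        $tcp = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host     = $h
            Resolves = [bool]$dns
            Address  = ($dns | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
            Tcp443   = $tcp.TcpTestSucceeded
        }
    }
}

function Get-TlsIssuer {
    # Diagnostic only: the validation callback accepts any certificate so its issuer can be read.
    # An issuer that is your corporate inspection CA rather than a public CA means a proxy is
    # terminating TLS in front of the device.
    param([Parameter(Mandatory)][string]$HostName)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, 443)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host     = $HostName
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
        }
    } finally {
        $client.Dispose()
    }
}

Test-EnrollmentEndpoint -HostName $Endpoints | Format-Table -AutoSize
$Endpoints | ForEach-Object { Get-TlsIssuer -HostName $_ } | Format-List
# Enrollment traffic follows the machine-wide WinHTTP proxy; show it so a misdirected proxy is visible.
netsh.exe winhttp show proxy
```

A failed Tcp443 with a configured WinHTTP proxy usually means the proxy, not the firewall, is the thing to allowlist; a successful connection whose Issuer is an internal CA means the endpoint needs a TLS inspection bypass as well.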