Step 1: Verify Configuration
✅ Licenses & Permissions
- Ensure the enrolling user has a valid Intune license.
- Confirm auto-enrollment is enabled for users in:
Microsoft Entra ID > MDM/MAM > Microsoft Intune (set MDM scope = All, MAM scope = None).
✅ Device Requirements
- Windows 10/11, version 1709+.
- Hybrid Azure AD Joined: Run dsregcmd /status and verify that the output shows:
AzureAdJoined : YES
DomainJoined : YES
AzureAdPrt : YES
✅ Group Policy Settings
- Verify GPO is applied:
Computer Config > Policies > Admin Templates > Windows Components > MDM
→ Enable “Automatic MDM enrollment using default Microsoft Entra credentials”.
✅ Microsoft Entra & Intune Settings
- Entra ID: Allow “Users may join devices to Azure AD” (set to All).
- Intune: Ensure Windows enrollment is allowed under Enrollment Restrictions.
Step 2: Check Logs
🔍 Event Viewer
- Navigate to:
Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin
- Event ID 75: Auto-enrollment succeeded.
- Event ID 76: Auto-enrollment failed (e.g., error 0x8018002b).
🔍 Task Scheduler
- Check task:
Task Scheduler > Microsoft > Windows > EnterpriseMgmt
- Event ID 102: Task completed (success/failure).
- Event ID 107: Task triggered.
- Event ID 7016: Conflict with another MDM (error 2149056522).
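The Step 1 and Step 2 checks above can be collected in one run on the client. The following is an added example, not a script from the original guide; the GPO registry path and the EnterpriseMgmt task name are assumed from Windows defaults.

```powershell
# Added example (not from the original guide): gather the Step 1-2 checks on one device.
# Run in an elevated PowerShell session on the hybrid-joined Windows 10/11 client.

function Get-AutoEnrollmentStatus {
    # Step 1: the three dsregcmd /status values the guide requires to be YES.
    $dsreg = dsregcmd /status
    $join = [ordered]@{}
    foreach ($key in 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt') {
        $m = $dsreg | Select-String -Pattern "^\s*$key\s*:\s*(\S+)" | Select-Object -First 1
        $join[$key] = if ($m) { $m.Matches[0].Groups[1].Value } else { 'NOT FOUND' }
    }

    # Step 1: registry values written by the "Automatic MDM enrollment" GPO
    # (assumed path and value name; AutoEnrollMDM = 1 means the policy is applied).
    $gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $gpo = Get-ItemProperty -Path $gpoKey -ErrorAction SilentlyContinue

    # Step 2: most recent auto-enrollment result, 75 = succeeded, 76 = failed.
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostic-Provider/Admin'
    $last = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 75, 76 } -MaxEvents 1 -ErrorAction SilentlyContinue

    # Step 2: the EnterpriseMgmt scheduled task that performs enrollment (default name assumed).
    $task = Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' -and
                       $_.TaskName -like 'Schedule created by enrollment client*' } |
        Select-Object -First 1
    $taskInfo = if ($task) { $task | Get-ScheduledTaskInfo } else { $null }

    [pscustomobject]@{
        AzureAdJoined    = $join.AzureAdJoined
        DomainJoined     = $join.DomainJoined
        AzureAdPrt       = $join.AzureAdPrt
        GpoAutoEnrollMDM = if ($gpo) { $gpo.AutoEnrollMDM } else { 'not set' }
        LastEnrollEvent  = if ($last) { "$($last.Id) at $($last.TimeCreated)" } else { 'none logged' }
        LastEnrollError  = if ($last -and $last.Id -eq 76) { $last.Message } else { $null }
        EnrollTaskFound  = [bool]$task
        TaskLastRun      = if ($taskInfo) { $taskInfo.LastRunTime } else { $null }
        TaskLastResult   = if ($taskInfo) { '0x{0:X8}' -f $taskInfo.LastTaskResult } else { $null }
    }
}

$status = Get-AutoEnrollmentStatus
$status | Format-List

# Flag the Step 1 preconditions that are not met before looking at Step 3 fixes.
foreach ($key in 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt') {
    if ($status.$key -ne 'YES') { Write-Warning "$key is '$($status.$key)', expected YES" }
}
if ($status.GpoAutoEnrollMDM -ne 1) { Write-Warning 'Auto-enrollment GPO not applied; run gpupdate /force and re-check' }
```

A LastEnrollEvent of 76 with a non-zero TaskLastResult points to the Step 3 list; a missing task with the GPO applied usually means the policy has not yet triggered enrollment on this device.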
Step 3: Troubleshoot Failures
🚨 Common Issues & Fixes
- MDM Conflict:
- Unenroll the device from other MDM providers.
- Group Policy Not Applied:
- Run gpupdate /force and verify GPO replication.
- SCP Misconfiguration:
- Ensure Service Connection Point (SCP) is published via Microsoft Entra Connect.
- Classic Agent Enrollment:
- Remove the legacy Intune PC agent (causes error 0x80180026).
Pro Tips
- Force Retry: Restart the device or manually trigger the scheduled task.
- Conditional Access: Bypass MFA prompts during enrollment via Entra ID Conditional Access policies.
- Logs: Use Intune Enrollment Diagnostics for deeper analysis.