
Guide: Troubleshooting Device Enrollment Failures with Logs

by Andrew Gono, IT Technical Writer

Key points:

  • Use dsregcmd /status to check Entra Join, MDM URL presence, and enrollment status.
  • Monitor Event Viewer logs (User Device Registration, DeviceManagement-Enterprise-Diagnostics-Provider) for enrollment errors and event IDs.
  • Leverage PowerShell and Graph API to confirm device registration and Intune management status.
  • Inspect registry keys under HKLM\SOFTWARE\Microsoft\Enrollments for join and enrollment artifacts.
  • Review Group Policy settings to ensure automatic MDM enrollment is properly configured.
  • Common root causes: missing Intune licenses, GPO misconfigurations, Entra Join issues, firewall blocks, duplicate device entries.
  • Remediation options include removing stale records, resetting devices, or manually rejoining Entra Join.
  • Automating diagnostics, monitoring, and remediation improves enrollment reliability at scale.

Endpoint configuration errors can significantly delay your onboarding process, making Intune device enrollment troubleshooting essential. Diagnostic logs, which are among Intune’s built-in tools, are valuable for tracking important processes and assessing the health of the device being enrolled.

This article explains how to diagnose and resolve Intune device enrollment issues for Intune MDM, Autopilot, Hybrid Entra Join, and more.

Microsoft Intune device enrollment troubleshooting guide

Keep your goals, scope, and operational capacity in mind before debugging Intune device enrollment issues.

📌 Prerequisites:

  • Windows 10/11 Pro, Enterprise, or Education
  • Entra Join or a hybrid Entra Join environment
  • Intune license assigned to the target user
  • Access to Microsoft cloud endpoints
  • Administrator privileges
  • Microsoft Entra Connect (for hybrid scenarios)

📌 Recommended deployment strategies:

  • How to use dsregcmd to check Entra Join and MDM state
  • How to check logs in Event Viewer
  • How to check enrollment and registration data via PowerShell
  • How to check for enrollment artifacts via Registry Editor
  • How to validate Group Policy settings for auto-enrollment


How to use dsregcmd to check Entra Join and MDM state

📌 Use Cases: Check a device’s Entra Join status on a lightweight command shell after provisioning.

  1. Press Win + R, type cmd, and press Ctrl + Shift + Enter.
  2. Run the following command to analyze device join status:

dsregcmd /status

  3. Key fields to check:
    1. AzureAdJoined
      1. YES: The device is joined.
      2. NO: Microsoft Entra ID registration hasn’t been completed yet.
    2. DeviceAuthStatus 
      1. SUCCESS: The device was authenticated by Entra Join.
      2. FAILED/UNKNOWN: Authentication issues due to certificate issues, incorrect time settings, connection difficulties, and more.
        1. Explore Microsoft’s official documentation on device health checks to find out more.
    3. TenantDetails 
      1. Correct tenant ID: Your device is joined to your organization (also known as “the tenant”).
      2. Incorrect or missing tenant ID: The device is joined to the wrong tenant or is currently waiting to be joined, blocking Intune policies.
    4. MDMUrl
      1. URL present: Your device is configured to enroll in Intune.
      2. Blank or incorrect URL: The device isn’t set up for MDM enrollment or is experiencing auto-enrollment issues and licensing problems.
    5. DMEnrollment and MDMEnrollmentStatus
      1. YES/SUCCESS: The device is enrolled in Intune and can receive policies you deploy.
      2. NO/FAILED: Enrollment failed due to licensing problems, misconfigured policies, or enrollment restrictions.
    6. Device State, User State, and Diagnostic Data
      1. Complete values: Your enrolled endpoint works as expected.
      2. Incomplete/invalid values: Misconfigured user/device settings leading to partial joins and sync issues.
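
The field checks above can be scripted so the same verdict is produced on every device. This is an added example, not code from the original guide or from NinjaOne; the function names and the `-ExpectedTenantId` parameter are hypothetical, and the sample output is constructed with a blank MdmUrl to model the auto-enrollment failure case.

```powershell
# Added example: parse `dsregcmd /status` text and flag the fields this guide checks.
function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = @{}   # hashtable keys are case-insensitive, so MdmUrl and MDMUrl match
    foreach ($line in $Lines) {
        # Split on the first colon only: values such as MdmUrl contain colons.
        if ($line -match '^\s*([^:|+]+?)\s*:\s*(.*)$') {
            $fields[$Matches[1]] = $Matches[2].Trim()
        }
    }
    $fields
}

function Test-EnrollmentReadiness {
    param([Parameter(Mandatory)][AllowEmptyCollection()][hashtable]$Status, [string]$ExpectedTenantId)
    $findings = [System.Collections.Generic.List[string]]::new()
    if ($Status['AzureAdJoined'] -ne 'YES') {
        $findings.Add('AzureAdJoined is not YES: Entra registration has not completed.')
    }
    if ($Status['DeviceAuthStatus'] -ne 'SUCCESS') {
        $findings.Add('DeviceAuthStatus is not SUCCESS: check certificates, time settings and connectivity.')
    }
    if (-not $Status['TenantId']) {
        $findings.Add('TenantId is missing: the device is still waiting to be joined.')
    } elseif ($ExpectedTenantId -and $Status['TenantId'] -ne $ExpectedTenantId) {
        $findings.Add("TenantId $($Status['TenantId']) is not the expected tenant.")
    }
    $mdm = $null
    $isUrl = [uri]::TryCreate([string]$Status['MdmUrl'], [System.UriKind]::Absolute, [ref]$mdm)
    if (-not $isUrl -or $mdm.Scheme -ne 'https') {
        $findings.Add('MdmUrl is blank or not an HTTPS URL: the device is not set up for MDM enrollment.')
    }
    [pscustomobject]@{ Ready = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample output (not captured from a real device). For a live check use:
#   $lines = dsregcmd /status
$lines = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          DeviceAuthStatus : SUCCESS
                  TenantId : 11111111-2222-3333-4444-555555555555
                    MdmUrl :
'@ -split '\r?\n'

Test-EnrollmentReadiness -Status (ConvertFrom-DsregStatus -Lines $lines) | Format-List
```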

How to check logs in Event Viewer

📌 Use Cases: Check for codes that correspond with your device’s current enrollment status.

  1. Press Win + R, type eventvwr.msc, and press Ctrl + Shift + Enter.
  2. Navigate to:

Applications and Services Logs > Microsoft > Windows > User Device Registration

  3. Navigate to:

Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider

  4. Right-click on the specific log folder and select View > Show Analytic and Debug Logs for detailed diagnostics logs.
    1. Click on the event log that matches your enrollment attempt’s timestamp and check for error codes.
  5. Read the Event ID column for IDs related to enrollment.

| Event ID | Log folder | What it means |
| --- | --- | --- |
| 204 | User Device Registration | Join request started |
| 304 | User Device Registration | Join was successful |
| 305 | User Device Registration | Join attempt failed |
| 201 | DeviceManagement-Enterprise-Diagnostics-Provider | MDM enrollment was attempted |
| 301 | DeviceManagement-Enterprise-Diagnostics-Provider | MDM enrollment successful |
| 404, 500, 600 | DeviceManagement-Enterprise-Diagnostics-Provider | Enrollment error |
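
To see where an enrollment attempt stopped without clicking through Event Viewer, the events can be labelled and reduced to the last state of each stage. This is an added example, not code from the original guide; the event IDs and meanings come from the table above, the function names are hypothetical, the `/Admin` channel names are the ones these two log folders use when addressed from PowerShell, and the sample records are constructed.

```powershell
# Added example: label enrollment events with the meanings from this guide's table
# and report the last recorded state of the Entra join and MDM enrollment stages.
$udr = 'Microsoft-Windows-User Device Registration/Admin'
$dm  = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$EventMeaning = @{
    $udr = @{ 204 = 'Join request started'; 304 = 'Join was successful'; 305 = 'Join attempt failed' }
    $dm  = @{ 201 = 'MDM enrollment was attempted'; 301 = 'MDM enrollment successful'
              404 = 'Enrollment error'; 500 = 'Enrollment error'; 600 = 'Enrollment error' }
}

function Get-EnrollmentTimeline {
    param([Parameter(Mandatory)][object[]]$Events)
    $Events |
        Where-Object { $EventMeaning[$_.LogName] -and $EventMeaning[$_.LogName].ContainsKey([int]$_.Id) } |
        Sort-Object TimeCreated |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Stage       = if ($_.LogName -eq $udr) { 'EntraJoin' } else { 'MdmEnrollment' }
                Id          = $_.Id
                Meaning     = $EventMeaning[$_.LogName][[int]$_.Id]
            }
        }
}

function Get-EnrollmentOutcome {
    param([Parameter(Mandatory)][object[]]$Timeline)
    # The most recent event in each stage shows where the flow currently stands.
    $Timeline | Group-Object Stage | ForEach-Object {
        $last = $_.Group | Sort-Object TimeCreated | Select-Object -Last 1
        [pscustomobject]@{ Stage = $_.Name; LastEventId = $last.Id; State = $last.Meaning; At = $last.TimeCreated }
    }
}

# Constructed sample records (not from a real device). For live data use instead:
#   $events = $udr, $dm | ForEach-Object {
#       Get-WinEvent -FilterHashtable @{ LogName = $_; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue }
$t = Get-Date '2025-01-15T09:00:00'
$events = @(
    [pscustomobject]@{ TimeCreated = $t;                LogName = $udr; Id = 204 }
    [pscustomobject]@{ TimeCreated = $t.AddSeconds(4);  LogName = $udr; Id = 305 }
    [pscustomobject]@{ TimeCreated = $t.AddSeconds(60); LogName = $udr; Id = 204 }
    [pscustomobject]@{ TimeCreated = $t.AddSeconds(66); LogName = $udr; Id = 304 }
    [pscustomobject]@{ TimeCreated = $t.AddSeconds(90); LogName = $dm;  Id = 201 }
    [pscustomobject]@{ TimeCreated = $t.AddSeconds(95); LogName = $dm;  Id = 404 }
    [pscustomobject]@{ TimeCreated = $t.AddSeconds(96); LogName = $dm;  Id = 1000 }  # unrelated ID, ignored
)
Get-EnrollmentOutcome -Timeline (Get-EnrollmentTimeline -Events $events) | Format-Table -AutoSize
```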

How to verify enrollment and registration status via PowerShell

📌 Use Cases: Confirm if a device is network-joined or is experiencing registration problems.

📌 Prerequisites: Microsoft Graph API or Entra Join module for registration check.

  1. Press Win + R, type powershell, and press Ctrl + Shift + Enter.
  2. Run the following for your device’s MDM details and workplace join status:

Get-WmiObject -Namespace root\cimv2\mdm\dmmap -Class MDM_DevDetail_Ext01

  3. Check if the device is registered in Entra Join:

Get-AzureADDevice -SearchString "<DeviceName>"

Replace <DeviceName> with the device’s computer name.

    1. Open PowerShell.
    2. Run this command to output your device’s name:

$env:COMPUTERNAME

  4. Run these commands sequentially to confirm if the device is enrolled and managed by Microsoft Intune.

Connect-MSGraph

Get-IntuneManagedDevice | Where-Object {$_.DeviceName -eq "<DeviceName>"}

Replace <DeviceName> with the device’s computer name.

    1. Open PowerShell.
    2. Run this command to output your device’s name:

$env:COMPUTERNAME

How to check for enrollment artifacts via Registry Editor

⚠️ Warning: Editing the registry can cause system issues. Create a backup before proceeding.

📌 Use Cases: Inspect devices for proof of enrollment.

  1. Press Win + R, type regedit, and press Ctrl + Shift + Enter.
  2. Check registry keys to validate if enrollment or policy settings were applied locally.
    1. Autopilot/MDM Enrollment keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\

      1. If this key stores enrollment data, the device has been enrolled in Intune/an MDM.
    2. AAD Join artifacts:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CloudDomainJoin

      1. If this key stores Entra Join information (e.g., join status, tenant ID), the device is Entra-joined or Entra hybrid-joined.
    3. Windows Health Monitoring and MDM diagnostics:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\

      1. If this key contains implemented MDM policies and sync timestamps, your directives were pushed to this device via Intune.

How to validate Group Policy settings for auto-enrollment

📌 Use Cases: Ensure devices auto-enroll into Intune properly.

📌 Prerequisites: Hybrid Entra environment.

  1. On a domain controller/server, press Win + R, type gpmc.msc, and press Ctrl + Shift + Enter.
  2. Navigate to:

Computer Configuration > Policies > Administrative Templates > Windows Components > MDM

  3. Scroll down and double-click Enable automatic MDM enrollment using default Entra Join credentials.
  4. Click Enable.
  5. Under Options, select Device Credential.
  6. Click Apply, then OK.
  7. Force a policy update:

gpupdate /force

  8. Use Resultant Set of Policy (RSOP) or run the following to confirm your changes:

gpresult /h report.html 

⚠️ Things to look out for

Intune device enrollment troubleshooting involves low-level settings, so even slight mistakes can disrupt operations.

Common causes of enrollment failure

| Risks | Potential Consequences | Reversals |
| --- | --- | --- |
| Clearing event logs | Lost diagnostic data and possible misdiagnosis | Redo the process to create another copy of the error logs. |
| No valid license | MDM enrollment fails | Assign an Intune/AADP license. |
| Entra Join not completed | “AzureAdJoined: NO” | Manually join the device via Settings or CMD. |
| Hybrid Join SCP misconfig | Event ID 304 or 305 | Validate SCP using ADSI Edit. |
| GPO not applied | Auto-enrollment not triggered | Check GPO scope and security filtering with gpresult /h report.html. |
| Proxy/firewall blocks | dsregcmd hangs or fails | Allow required endpoints. |
| Device already registered | Enrollment fails with error code (e.g., 8018000a) | Remove the duplicate device from Entra Join and try again. |
| Misconfigured GPO (wrong scope/credential type) | Auto-enrollment can’t initiate | Revert GPO changes; force update with gpupdate /force; verify correct changes with gpresult. |


Troubleshooting Intune endpoint errors with dsregcmd

Here are the most common roadblocks IT pros encounter during Intune device enrollment troubleshooting:

Remove failed enrollment remnants

If your enrollment is being blocked, delete outdated records in your registry under HKLM\SOFTWARE\Microsoft\Enrollments and remove stale certificates via Microsoft Management Console.

Intune MDM certificates become obsolete after one year or when the device doesn’t connect to Intune 40 days before expiry and drops out.

💡 Note: Deleting registry entries carries considerable risk. Only remove unnecessary certificates and document modifications appropriately.
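
Before deleting anything under the Enrollments key, it helps to record what is there and export a backup, which also covers the registry inspection described in the Registry Editor section. This is an added example, not code from the original guide; the function names are hypothetical, and the `JoinInfo` subkey and the value names read here (ProviderID, UPN, EnrollmentState, TenantId, UserEmail) are assumptions about what is commonly present, so missing values simply come back empty. It only reads the registry and writes a `.reg` export.

```powershell
# Added example: read-only inventory of enrollment artifacts plus a backup of the
# Enrollments key before any cleanup. Run from an elevated PowerShell session.
function Get-EnrollmentArtifact {
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    # Per-enrollment subkeys are GUID-named; other subkeys under this key are skipped.
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                EnrollmentKey   = $_.PSChildName
                ProviderID      = $p.ProviderID        # assumed value name
                UPN             = $p.UPN               # assumed value name
                EnrollmentState = $p.EnrollmentState   # assumed value name
            }
        }
}

function Get-EntraJoinInfo {
    # JoinInfo is assumed to sit under the CloudDomainJoin key named in this guide.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{ JoinKey = $_.PSChildName; TenantId = $p.TenantId; UserEmail = $p.UserEmail }
    }
}

function Backup-EnrollmentKey {
    param([string]$Directory = $env:TEMP)
    $file = Join-Path $Directory ('Enrollments-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Enrollments' $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
    $file
}

$backup      = Backup-EnrollmentKey
$enrollments = @(Get-EnrollmentArtifact)
$joins       = @(Get-EntraJoinInfo)

"Backup written to $backup"
"MDM enrollment keys: $($enrollments.Count); Entra join records: $($joins.Count)"
$enrollments | Format-Table -AutoSize
$joins       | Format-Table -AutoSize
```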

Wipe Workplace Join records

If you’re unable to enroll a BYOD device, it’s likely due to its existing Microsoft Entra ID record and/or local key, which makes the system view your device as already registered. To resolve this:

  1. Remove the Workplace Join record.
    1. Run dsregcmd /leave with admin rights.
    2. Go to Settings > Accounts > Access work or school, and disconnect the account.
  2. Delete stale objects in Microsoft Entra ID.

💡 Warning: Deleting Intune-managed devices on Entra results in the loss of access to company resources, affecting other services like Autopilot, Conditional Access, Hybrid Join, and more.

  3. Reboot the system, then attempt to rejoin your device.

Rejoin manually

If auto-enrollment fails, do the following to manually join your device:

  • Navigate to Settings > Accounts > Access work or school and connect the device, or
  • Run dsregcmd /join with elevated permissions

Use Autopilot Reset (if enabled) for full reinitialization

If your devices need to be reconfigured for Intune enrollment, use Autopilot Reset to give them a fresh start while keeping their enrollment status and important data intact.

Device Cap Reached

This common error occurs when a user has registered the maximum number of devices allowed by policy. By default, Microsoft Entra caps devices at 5 per user. Any new device enrollment attempts fail until you remove old or unused devices, raise the device quota in the Entra admin center, or reassign devices to stay within compliance.

Restart the User Device Registration Service

Devices are registered on Microsoft Entra ID through the User Device Registration Service (UDRS), which can be refreshed for better functionality. To do this, run the following:

Restart-Service -Name "UserDeviceRegistration"

Use this when a device experiences an indefinitely pending registration status or can’t produce a Primary Refresh Token (PRT).

NinjaOne services

| NinjaOne service | What it is | How does it resolve enrollment issues |
| --- | --- | --- |
| Automated scripts | At-scale deployment of PowerShell and/or CMD. | Automates the search for failed Entra Join joins, lost MDM settings, and failed enrollments. |
| Remote monitoring and system alerts | A feature that monitors performance and enrollment status. | Real-time alerts when compliance drift or enrollment failure occurs. |
| Custom scripting | A tool that remotely analyzes join status (dsregcmd /status). | Centralized diagnostics remove the need for on-premises action. |
| Device tagging | Further control over the way you label endpoints (e.g., join type, domain, enrollment type). | Added organization options can help prioritize which devices to troubleshoot. |
| Reporting and dashboards | Visualization of enrollment trends and compliance shifts over time. | Identifies patterns across your fleet and enhances system reports. |

Streamline Intune device enrollment with custom scripting

Intune device enrollment troubleshooting requires several advanced tools. From checking event logs to removing any residue from previous MDMs, these methods use elevated permissions to modify important device settings. As such, you should always keep a backup for data integrity and possible redos.

Simplify IT management with automated solutions that empower MSPs and in-house sysadmins to control every process through a single pane of glass.


FAQs

Open the Intune Admin Center and go to Devices > Monitor > Enrollment failures.

dsregcmd is an integrated Windows command that determines if a device is registered and joined on Microsoft Entra (formerly Azure AD).

Open an elevated Command Prompt and run dsregcmd /status. MDMURL shouldn’t be blank, and MDMEnrollmentStatus should be successful.

Windows updates or patches can disrupt enrollment due to changes in security settings, registry structure, or certificate stores. Check for broken MDM registration keys under HKLM\SOFTWARE\Microsoft\Enrollments, re-run dsregcmd /status, and review Event Viewer logs post-update to verify that Entra Join and MDM URLs are still intact.

If a user or device lacks the necessary Intune or Entra Join P1/P2 license, auto-enrollment into an MDM platform will fail, even if all other configurations appear correct. Assigning the proper license often resolves the enrollment block, which can be validated via DMEnrollment or MDMEnrollmentStatus as described above.

Yes, as firewall or proxy settings sometimes block outbound URLs required for Entra Join or Intune enrollment. This causes dsregcmd to hang or fail. Verify that essential endpoints are allowed, and test dsregcmd connectivity. You can also try to manually whitelist endpoints for enrollment.

Once old enrollment registry keys and certificates are removed and the device is rebooted, you can reattempt device enrollment. However, in some cases, an Autopilot Reset or manual dsregcmd /join may be necessary to reinitialize the Entra Join and MDM enrollment flows.
