Intune compliance / enrolment failure

Indicators

• Autopilot deployment hung at 'Account setup' or 'Device preparation'
• Devices showing non-compliant in Intune for ambiguous reason
• Conditional Access blocking access tied to compliance
• MDM enrolment error 80180014, 80180023, etc.

Likely causes

• Hardware hash not registered correctly for Autopilot
• Intune licence not assigned to enrolling user
• Compliance policy thresholds set too aggressive
• Time skew on the device breaking initial token exchange
• TPM not ready / BitLocker conflict during Autopilot OOBE

Diagnostic steps

1. On device: dsregcmd /status — confirm Entra-joined, Domain-joined, Workplace-joined states and tenant ID
2. Event Viewer: Applications and Services Logs → Microsoft → Windows → DeviceManagement-Enterprise-Diagnostics-Provider
3. Intune portal: Devices → check enrolment status / failure reason for the specific device
4. For Autopilot: review device hash registration and assigned profile
5. For compliance: review the specific failing setting in the compliance policy + device's reported value
6. Confirm user has Intune licence (P1/P2 or M365 BP/E3 with Intune)

Resolution path

• Determine layer — licence, enrolment, compliance, Autopilot
• Validate device prerequisites (TPM, time, network)
• Repair the specific layer (re-register hash, fix policy, assign licence)
• Re-enrol or re-trigger sync

Prevention

• Pre-flight checklist for new devices (licence, hash, group)
• Compliance policy graded — start permissive, tighten quarterly
• Autopilot profile audit before bulk rollouts
• Standardised device imaging baseline

Tools

• Intune portal (intune.microsoft.com)
• dsregcmd /status
• Event Viewer DeviceManagement-Enterprise-Diagnostics
• MDM Diagnostics report (Settings → Accounts → Access work or school → Export logs)
• PowerShell — Get-AutopilotDevice, Get-IntuneManagedDevice (Microsoft Graph)

References

• Microsoft Learn — Troubleshoot Intune enrolment
• Microsoft Learn — Autopilot troubleshooting