Intune enrolment errors are frustrating because the error codes are rarely self-explanatory. This guide covers the most common ones you will hit when enrolling Windows devices, what actually causes them, and exactly how to fix each one.
MDM enrolment is blocked by an enrolment restriction policy
The device platform or OS version is blocked by an Intune Enrolment Restriction, or the device is a personal device and BYOD enrolment is disabled.
Fix: Go to Devices → Enrolment → Enrolment restrictions. Check the Default restriction and any group-targeted restrictions. Confirm that Windows (MDM) is set to Allow, and that the minimum and maximum OS version values are not blocking the device. If the device is personal, check whether the restriction allows personally owned devices.
0x80180026 - Terms of use not accepted
The user has not accepted the MDM terms of use
If you have configured a Terms of Use policy in Entra ID or Intune, the user must accept it before enrolment can complete.
Fix: Ask the user to sign in to myapps.microsoft.com or the Company Portal and accept any pending terms. Alternatively, check Entra Admin Centre → Protection → Conditional Access → Terms of use and verify the policy is configured correctly. If you don't intend to use Terms of Use, check whether one was accidentally created.
0x80070774 - Certificate error
A certificate required for enrolment could not be found or is invalid
This usually occurs when the device clock is significantly wrong, the device cannot reach the certificate revocation list (CRL), or the root CA certificate is not trusted.
Fix: First check the device clock - even a few minutes of drift can cause certificate validation failures. Run w32tm /resync /force in an admin command prompt. If the clock is correct, check that the device has internet access and can reach Microsoft enrolment endpoints.
w32tm /resync /force
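The two checks from the fix above (clock drift, then reachability over HTTPS) can be scripted before retrying enrolment. This is an added example, not part of the original guide; the time source, the 120-second threshold and the endpoint list are assumptions to adjust for your tenant and network.

```powershell
# Added example. Time source, drift threshold and endpoint list are assumptions.
$TimeSource      = 'time.windows.com'
$MaxDriftSeconds = 120
$Endpoints       = 'enrollment.manage.microsoft.com',
                   'login.microsoftonline.com',
                   'enterpriseregistration.windows.net'

function Get-ClockOffsetSeconds {
    param([string]$Source)
    # With /dataonly, w32tm prints one line per sample, e.g. "12:00:01, +00.0023456s".
    # Failed samples print "error: 0x..." instead and are skipped by the regex.
    $output  = & w32tm.exe /stripchart /computer:$Source /samples:3 /dataonly 2>&1
    $offsets = @(foreach ($line in $output) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    })
    # Count the samples explicitly: an offset of exactly 0 must not read as "no data".
    if ($offsets.Count -eq 0) { return $null }
    return $offsets[-1]
}

$offset = Get-ClockOffsetSeconds -Source $TimeSource
if ($null -eq $offset) {
    Write-Warning "No time samples from $TimeSource; outbound NTP (UDP 123) may be blocked."
} elseif ([math]::Abs($offset) -gt $MaxDriftSeconds) {
    Write-Warning ("Clock is off by {0:N1}s; run w32tm /resync /force." -f $offset)
} else {
    Write-Output ("Clock offset {0:N3}s is within tolerance." -f $offset)
}

# A TCP connect on 443 only shows that the path is open; it does not validate
# the certificate chain or CRL access.
foreach ($endpoint in $Endpoints) {
    $reachable = Test-NetConnection -ComputerName $endpoint -Port 443 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Endpoint = $endpoint; Tcp443Reachable = $reachable }
}
```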
0x80180003 - Device limit reached
The user has reached their device enrolment limit
By default Intune allows each user to enrol up to 5 devices. If the user has 5 devices already enrolled (including old devices they no longer use), new enrolment is blocked.
Fix: Go to Devices → Enrolment → Device limit restrictions and either increase the limit or create a group-targeted restriction with a higher limit for this user. Alternatively, delete old unused device records from Devices → All devices. For Autopilot deployments, device-assigned profiles are not subject to per-user limits.
0x8018000b - MDM policy conflict
An MDM policy conflicts with an existing Group Policy Object
The device is domain-joined and an existing GPO is preventing or conflicting with Intune MDM enrolment. Common when migrating from on-prem management to Intune.
Fix: On the device, run gpresult /h C:\report.html and open the report to find conflicting policies. For co-managed devices (both SCCM and Intune), check the co-management workload settings. The cleanest resolution is to enable MDM wins over GPO via the MDM Wins Over GP setting in the Settings Catalog.
0x80180018 - Licence not assigned
The user does not have a valid Intune licence
Intune requires a licence assigned to the user. Microsoft 365 Business Premium, E3, and E5 include Intune. EMS E3 and standalone Intune licences also work.
Fix: Go to Microsoft 365 Admin Centre → Users → Active users → [User] → Licences and assign a licence that includes Intune. Licence assignment can take up to 30 minutes to propagate. Alternatively check Entra Admin Centre → Users → [User] → Licences.
Device shows as already enrolled
If a device was previously enrolled (perhaps as a personal device or under a different tenant) and you are trying to enrol it fresh, Intune may reject it.
To check: go to Settings → Accounts → Access work or school. If there is an existing connection, disconnect it before re-enrolling.
If the device has a stale Autopilot record, delete it from Devices → Windows → Windows Autopilot devices before attempting re-enrolment.
Resetting a device for fresh enrolment
If a device has a persistent enrolment problem and you need a clean start, running dsregcmd /leave in an admin prompt removes the existing Azure AD join. Then re-join via Settings → Access work or school.
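Before running dsregcmd /leave, it helps to confirm what the device is actually joined or registered to. The script below is an added example, not part of the original guide: it parses dsregcmd /status output and reports which of the situations described in this guide applies. The sample output is constructed and abridged, and $ExpectedTenant is a hypothetical value standing in for the tenant you are enrolling into.

```powershell
# Added example. $sample is constructed, abridged output so the script runs anywhere;
# on a real device replace the two lines after the here-string with: $lines = dsregcmd /status
$sample = @'
| Device State |
             AzureAdJoined : YES
              DomainJoined : NO
| Tenant Details |
                TenantName : Old Tenant Ltd
| User State |
           WorkplaceJoined : NO
'@
$lines          = $sample -split '\r?\n'
$ExpectedTenant = 'Contoso Ltd'   # hypothetical: the tenant you are enrolling into

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Data lines look like "   AzureAdJoined : YES"; section banners do not match.
        if ($line -match '^\s*(\w+)\s+:\s+(.*\S)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-EnrolmentBlockers {
    param([hashtable]$State, [string]$ExpectedTenant)
    if ($State['AzureAdJoined'] -eq 'YES' -and $State['TenantName'] -ne $ExpectedTenant) {
        "Joined to another tenant ('$($State['TenantName'])'): run dsregcmd /leave, then re-join."
    }
    if ($State['WorkplaceJoined'] -eq 'YES') {
        'Work account registered: disconnect it under Settings > Accounts > Access work or school.'
    }
    if ($State['DomainJoined'] -eq 'YES') {
        'Domain-joined: review gpresult /h output for GPO conflicts before enrolling.'
    }
}

$state    = ConvertFrom-DsregStatus -Lines $lines
$blockers = @(Get-EnrolmentBlockers -State $state -ExpectedTenant $ExpectedTenant)
if ($blockers.Count -eq 0) {
    'No existing join or registration found.'
} else {
    $blockers
}
```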
Common Autopilot errors
Device not showing in Autopilot device list after hash upload
Wait at least 15 minutes after CSV import. If it still does not appear, check the import status under Devices → Windows Autopilot → Devices → Import status. A duplicate serial number or incorrectly formatted CSV are common causes.
Autopilot profile not assigned to the device
Check that the device is in the Entra dynamic device group used for Autopilot profile assignment. Dynamic groups can take up to 24 hours to update membership. You can manually add the device to a static group to speed up testing.
Enrolment Status Page stuck at one step
Run the Autopilot diagnostics script on the device:
This generates a colour-coded report showing exactly which policy or app is blocking the ESP.