iOS/iPadOS 15 devices enrolled with User Enrollment are unable to successfully update to iOS 16
Published Sep 08 2022 04:37 PM

As highlighted in the "Microsoft simplifies Endpoint Manager enrollment for Apple updates" post, we’ve been preparing for the iOS 16/iPadOS 16 release by testing each beta release. We recently discovered an issue in Apple’s User Enrollment process. Both Intune and Apple are working on updates, but in the interim, if you enroll devices with User Enrollment, you’ll want to understand the background and options as iOS/iPadOS 16 releases.


Impacted devices are:

  • Enrolled with User Enrollment, and on iOS 15 or iPadOS 15.
  • Enrolled into Intune with User Enrollment between September 16, 2021 (Intune’s 2109 service release) and the August (2208) Intune releases. You can see the device enrollment date in the Microsoft Endpoint Manager admin center reporting by going to Devices > iOS/iPadOS and, on the overview page, checking the Enrollment date column. If you’re looking on an actual iOS device, you can see the enrollment date under Settings > General > VPN & Device management > Management Profile, then look at when the Device Identity Certificate expires. If it’s between September 2022 and September 2023, the device is likely impacted, as most customers use a one-year certificate.


If we believe you have devices that meet the criteria above, we have also posted Service Health Dashboard post IT428176 on your dashboard. It's closed now because Intune's changes are complete; we're just waiting for Apple's iOS/iPadOS release with the fix.


The user experience:

  • If the device updates from iOS/iPadOS 15 to iOS/iPadOS 16, the user will be presented with a “new MDM payload does not match the old payload” error. At the device level, the enrolled devices are not able to update their management profile. When management profiles are not updated, the device could lose compliance, which, depending on your policies, may block access to company resources.


Immediate mitigation:

  • A device can be un-enrolled and re-enrolled which will apply a new management profile and the new OS. We're working on a mitigation where you don’t need to take this step.


Work underway for mitigation:

  • Intune is releasing a fix which will be completely rolled out to the entire Intune environment by September 18 (completed and devices are remediating); and
  • Apple is working on an update to iOS/iPadOS 16; however, we don’t know if it’ll release with 16 or with 16.x (an upcoming release). We have tested with the beta version, have heard from Apple that it's in iOS/iPadOS 16.1, and believe it resolves the issue, but we are still pending the app release to confirm.


Once both fixes are complete, users will not receive the update error and can easily update to iOS 16/iPadOS 16.


Blog post updated

  • 9/19 with mitigation timeline updates.
  • 9/16 with mitigation timeline updates.


We will keep this post updated as we have additional information and as fixes are released. If you have questions, reply to this post or reach out to @IntuneSuppTeam on Twitter.

Last update: Sep 19 2022 02:07 PM