Bulk enrolment inconsistencies


Hi guys,


Wondering if you could help, we're using a provisioning package to bulk enrolment Windows 11 endpoints into Azure AD and enrol into Intune, however, we've found the enrolment into Intune element to be rather inconsistent.


The devices ALWAYS join to Azure AD, however, it's rare that endpoints enrol into Intune. 


Here's a picture of the status: 



As you can see the top device was successful, other two, not. Same provisioning package, same USB, same models, same patch level.


  • I have ensured the MDM enrolment scope includes the package account that is created when the bulk token is created.
  • I have used the latest Windows Configuration Designer from the Windows 11 ADK (Not the store, as that had issues)
  • I have ensured that the AAD device join permissions include the package account.
  • I have also tried completely recreating the provisioning package
  • I have tried various USB's
  • I have checked enrolment failures report within intune and none are listed.
  • I have checked default enrolment restrictions and Windows MDM is allowed.


Any ideas?

2 Replies

Hi @Durrante, did you manage to solve this? Looks like you've did most of the troubleshooting already. Did you also have a look at the event logs? Perhaps there's a clue hidden in one of the device management and provisioning logs. You could start here:

  • Provisioning-Diagnostics-Provider Admin
  • Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider

Since most of the time enrollment will fail. Did you by any chance changed the default enrollment restriction policy? I assume you also reached out to support about this?

that event log : Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider shoud mention it .. when using deviceenroller.exe it is also mentioned there so I should expect something to pop up there