How to Fix Microsoft Intune Device Internal Service Error Code 0x80180006

Resolve the 0x80180006 error during Microsoft Intune device enrollment by troubleshooting MDM server exceptions, cleaning enrollment artifacts, and fixing configuration issues.

March 31, 2026 18 min
Difficulty: hard | Topic: intune | 8 steps | 18 min

What Causes Microsoft Intune Error Code 0x80180006?

Error code 0x80180006 represents an unhandled exception on the Microsoft Intune MDM server during device enrollment. This error typically manifests when Windows devices attempt to register with Intune but encounter server-side processing failures due to configuration mismatches, corrupted enrollment artifacts, or connectivity issues.

Why Does This Error Occur During Device Enrollment?

The 0x80180006 error stems from several root causes. Network connectivity problems, particularly on corporate WiFi networks that don't whitelist Intune endpoints, frequently trigger this exception. Expired or corrupted enrollment certificates from previous failed attempts create conflicts during the enrollment handshake. Incorrect Entra ID (Azure AD) MDM scope configurations, where the MDM user scope isn't set to "All" or WIP scope isn't set to "None," prevent proper enrollment authorization.

How Does This Error Impact Enterprise Device Management?

When devices can't enroll in Intune due to 0x80180006 errors, organizations lose critical management capabilities. Affected devices can't receive security policies, compliance settings, or application deployments. This creates security gaps and prevents IT administrators from maintaining consistent device configurations across their fleet. The error particularly impacts hybrid work environments where remote devices need Intune management for secure access to corporate resources.

This comprehensive troubleshooting guide walks you through systematic resolution steps, from basic connectivity verification to advanced registry cleanup and alternative enrollment methods. Each step includes verification commands to confirm successful remediation before proceeding to the next phase.

Implementation Guide

Full Procedure

01

Verify Intune Service Health and Basic Prerequisites

Start by confirming that Microsoft Intune services are operational and your environment meets basic requirements. This error often stems from service disruptions or environmental issues.

Navigate to the Microsoft 365 admin center at admin.microsoft.com and check service health:

# Open admin center in browser
Start-Process "https://admin.microsoft.com"
# Navigate to Health > Service health > Microsoft Intune

Verify these basic requirements on the affected device:

# Check Windows version (must be Pro or higher)
Get-ComputerInfo | Select-Object WindowsProductName, WindowsVersion

# Verify system time is correct
Get-Date
w32tm /query /status

# Test internet connectivity to Intune endpoints
Test-NetConnection -ComputerName "enrollment.manage.microsoft.com" -Port 443
Test-NetConnection -ComputerName "portal.manage.microsoft.com" -Port 443

Pro tip: Corporate WiFi often blocks Intune endpoints. Test enrollment on a mobile hotspot first to isolate network issues.

Verification: Confirm all connectivity tests return TcpTestSucceeded: True and service health shows no active incidents.

02

Update Company Portal App and Clear Cache

An outdated or corrupted Company Portal app frequently causes enrollment exceptions. Update to the latest version and clear any cached data.

Update Company Portal through Microsoft Store:

# Open Microsoft Store and update Company Portal
Start-Process "ms-windows-store://pdp/?productid=9WZDNCRFJ3PZ"

# Alternative: Use winget to update (Store product ID from the link above)
winget upgrade --id 9WZDNCRFJ3PZ --source msstore

If the app continues causing issues, perform a complete reinstall:

# Uninstall Company Portal (run as admin)
Get-AppxPackage -Name "Microsoft.CompanyPortal" | Remove-AppxPackage

# Clear app data folders
Remove-Item -Path "$env:LOCALAPPDATA\Packages\Microsoft.CompanyPortal_*" -Recurse -Force -ErrorAction SilentlyContinue

# Reinstall from Microsoft Store
Start-Process "ms-windows-store://pdp/?productid=9WZDNCRFJ3PZ"

Warning: Removing Company Portal will sign out the user from all work accounts. Document any saved credentials before proceeding.

Verification: Launch Company Portal and confirm it displays the latest interface without error messages. Check version in Settings > About.

03

Configure Entra ID MDM Enrollment Scopes

Incorrect MDM user scopes in Entra ID are a primary cause of 0x80180006 errors. The MDM scope must be set to "All" and WIP scope to "None" for proper enrollment.

Access Entra ID admin center and configure MDM settings:

# Open Entra ID admin center
Start-Process "https://entra.microsoft.com"
# Navigate to Mobility (MDM and WIP) > Microsoft Intune

Configure the following settings in the Entra ID portal:

  • MDM user scope: Set to "All"
  • MDM URLs: Use default values (auto-populated)
  • WIP user scope: Set to "None"
  • WIP URLs: Leave empty when WIP scope is None

You can also verify current settings using Microsoft Graph PowerShell:

# Install and connect to Microsoft Graph (the MDM/WIP scope policy is exposed through the beta endpoint)
Install-Module Microsoft.Graph.Beta.Identity.SignIns -Scope CurrentUser -Force
Connect-MgGraph -Scopes "Policy.Read.All"

# Check current MDM configuration
Get-MgBetaPolicyMobileDeviceManagementPolicy | Format-List

Pro tip: Changes to MDM scopes can take up to 15 minutes to propagate. Wait before attempting re-enrollment.

Verification: Confirm MDM user scope shows "All" and WIP user scope shows "None" in the Entra ID portal. The configuration should display "Microsoft Intune" as the MDM application.

04

Clean Existing Enrollment Certificates and Registry Entries

Corrupted enrollment certificates and registry entries from previous failed attempts must be removed before re-enrollment. This step requires administrative privileges.

Remove enrollment certificates using MMC:

# Open Certificate Manager
mmc.exe
# Add Certificates snap-in > Computer account > Local Computer
# Navigate to Personal > Certificates
# Delete any certificates issued by "Sc_Online_Issuing"

Clean enrollment-related registry entries:

# Run PowerShell as Administrator
# Remove enrollment registry keys
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\Enrollments" -Recurse -Force -ErrorAction SilentlyContinue
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\OnlineManagement" -Recurse -Force -ErrorAction SilentlyContinue
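# HKCR: is not a default PowerShell drive, so address the hive through the Registry:: provider path
Remove-Item -Path "Registry::HKEY_CLASSES_ROOT\Installer\Products\6985F0077D3EEB44AB6849B5D7913E95" -Recurse -Force -ErrorAction SilentlyContinue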

# Clear additional enrollment artifacts
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\MDM" -Recurse -Force -ErrorAction SilentlyContinue

Remove any existing work or school accounts:

# List current work accounts
dsregcmd /status

# If domain joined, unjoin (requires restart)
# Remove-Computer -UnjoinDomainCredential (Get-Credential) -Restart

# Remove Azure AD registration if present
dsregcmd /leave

Warning: Registry modifications can cause system instability. Create a system restore point before proceeding: Checkpoint-Computer -Description "Before Intune cleanup"

Verification: Run dsregcmd /status to confirm no existing enrollments. Check certificate store shows no Intune-related certificates.
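
Before running the deletions in this step, the same artifacts can be inventoried and backed up so the cleanup is reversible and leaves a record of what was removed. This is an added example, not part of the original guide; the function name and the backup folder C:\temp\intune-cleanup-backup are assumptions, while the key paths and the issuer string are the ones listed in this step.

```powershell
#Requires -RunAsAdministrator
# Added example: back up and inventory enrollment artifacts before deleting them.
# Backup-EnrollmentArtifacts and $BackupDir are illustrative names (assumptions).
function Backup-EnrollmentArtifacts {
    param([string]$BackupDir = "C:\temp\intune-cleanup-backup")

    New-Item -Path $BackupDir -ItemType Directory -Force | Out-Null

    # Registry keys this step removes, in reg.exe notation
    $keys = @(
        "HKLM\SOFTWARE\Microsoft\Enrollments",
        "HKLM\SOFTWARE\Microsoft\OnlineManagement",
        "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MDM"
    )
    foreach ($key in $keys) {
        # Only export keys that actually exist on this device
        if (Test-Path "Registry::$($key -replace '^HKLM', 'HKEY_LOCAL_MACHINE')") {
            $file = Join-Path $BackupDir (($key -replace '[\\:]', '_') + ".reg")
            reg.exe export $key $file /y | Out-Null
            [pscustomobject]@{ Type = "RegistryKey"; Item = $key; Backup = $file }
        }
    }

    # Certificates in the machine Personal store from the issuer named in this step.
    # Export-Certificate writes the public certificate only, not the private key.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "*Sc_Online_Issuing*" } |
        ForEach-Object {
            $file = Join-Path $BackupDir "$($_.Thumbprint).cer"
            Export-Certificate -Cert $_ -FilePath $file | Out-Null
            [pscustomobject]@{ Type = "Certificate"; Item = $_.Subject; Backup = $file }
        }
}

Backup-EnrollmentArtifacts | Format-Table -AutoSize
```

An empty result means none of the listed keys or certificates exist, so the cleanup in this step has nothing to remove.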

05

Temporarily Disable Windows Firewall for Testing

Windows Firewall can block MDM communication, causing enrollment exceptions. Temporarily disable it to test if firewall rules are the root cause.

Disable Windows Firewall on all profiles:

# Run as Administrator
# Disable Windows Firewall for all profiles
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

# Verify firewall status
Get-NetFirewallProfile | Select-Object Name, Enabled

Alternative method using netsh:

# Disable firewall using netsh (run as admin)
netsh advfirewall set allprofiles state off

# Check status
netsh advfirewall show allprofiles

If disabling firewall resolves the issue, create specific rules instead of leaving it disabled:

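# Create Intune firewall rules (after testing)
# -RemoteAddress takes IP addresses, not host names, so resolve each endpoint first (the IPs can change over time)
$enrollIps = (Resolve-DnsName "enrollment.manage.microsoft.com" -Type A | Where-Object { $_.IPAddress }).IPAddress
$portalIps = (Resolve-DnsName "portal.manage.microsoft.com" -Type A | Where-Object { $_.IPAddress }).IPAddress
New-NetFirewallRule -DisplayName "Intune Enrollment" -Direction Outbound -Protocol TCP -RemotePort 443 -RemoteAddress $enrollIps -Action Allow
New-NetFirewallRule -DisplayName "Intune Portal" -Direction Outbound -Protocol TCP -RemotePort 443 -RemoteAddress $portalIps -Action Allow

Pro tip: Document your original firewall state before disabling: Get-NetFirewallProfile | Export-Clixml -Path "C:\temp\firewall-backup.xml"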

Verification: Confirm all firewall profiles show Enabled: False. After testing, re-enable firewall: Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
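
The firewall test in this step can be wrapped so that each profile returns to its recorded state even if the test is interrupted, rather than relying on a manual re-enable. This is an added example, not part of the original guide; the function name is an assumption and the two endpoints are the ones tested in step 01.

```powershell
#Requires -RunAsAdministrator
# Added example: compare endpoint reachability with the firewall on and off,
# then restore every profile to its recorded state.
# Test-EnrollmentWithoutFirewall is an illustrative name (assumption).
function Test-EnrollmentWithoutFirewall {
    param(
        [string[]]$Endpoints = @("enrollment.manage.microsoft.com",
                                 "portal.manage.microsoft.com")
    )

    # Record the Enabled value of each profile before changing anything
    $original = Get-NetFirewallProfile | Select-Object Name, Enabled

    # Baseline with the firewall as currently configured
    $before = @(foreach ($e in $Endpoints) {
        Test-NetConnection -ComputerName $e -Port 443 -WarningAction SilentlyContinue
    })

    try {
        Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
        $after = @(foreach ($e in $Endpoints) {
            Test-NetConnection -ComputerName $e -Port 443 -WarningAction SilentlyContinue
        })
    }
    finally {
        # Runs even if a test throws or the session is interrupted with Ctrl+C
        foreach ($p in $original) {
            Set-NetFirewallProfile -Name $p.Name -Enabled $p.Enabled
        }
    }

    for ($i = 0; $i -lt $Endpoints.Count; $i++) {
        [pscustomobject]@{
            Endpoint    = $Endpoints[$i]
            FirewallOn  = $before[$i].TcpTestSucceeded
            FirewallOff = $after[$i].TcpTestSucceeded
        }
    }
}

Test-EnrollmentWithoutFirewall | Format-Table -AutoSize
# FirewallOn False / FirewallOff True -> a local firewall rule is blocking the endpoint
# False in both columns               -> the block is upstream (proxy, network filter)
```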

06

Attempt Alternative Enrollment Method

If standard Company Portal enrollment fails, use the alternative "Enroll only in device management" method through Windows Settings. This bypasses some Company Portal dependencies.

Access Windows Settings enrollment:

# Open Settings directly to the "Access work or school" page
Start-Process "ms-settings:workplace"

Follow this specific enrollment sequence:

  1. Click "Connect" or "Add work or school account"
  2. Select "Enroll only in device management"
  3. Enter your work email address
  4. Complete authentication
  5. Restart the device when prompted

After restart, register in Company Portal without full management:

# Open the Company Portal Store page after restart (launch the app from there)
Start-Process "ms-windows-store://pdp/?productid=9WZDNCRFJ3PZ"

# In Company Portal: Sign in but do NOT check
# "Allow my organization to manage this device"

Warning: "Enroll only in device management" provides limited MDM functionality. Full enrollment may still be required for complete policy application.

Verification: Check enrollment status with dsregcmd /status. Look for "AzureAdJoined: YES" and "DomainJoined: NO" indicating successful Azure AD registration.

07

Perform Full Re-enrollment and Verify Success

With cleanup complete and configurations corrected, attempt full enrollment through Company Portal. Monitor the process for any remaining errors.

Launch Company Portal and begin enrollment:

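# Clear any cached credentials whose target mentions MicrosoftAccount
# (capture the full target after "Target:" so leading spaces do not break the delete)
cmdkey /list | Select-String "Target:\s*(.*MicrosoftAccount.*)$" | ForEach-Object { cmdkey "/delete:$($_.Matches[0].Groups[1].Value.Trim())" }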

# Launch Company Portal
Start-Process "companyportal:"

# Alternative launch method
Start-Process "ms-windows-store://pdp/?productid=9WZDNCRFJ3PZ"

Monitor enrollment progress and capture detailed logs:

# Enable MDM diagnostic logging
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MDM\Diagnostics" /v MdmLogLevel /t REG_DWORD /d 4 /f

# Start enrollment monitoring
Get-WinEvent -LogName "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin" -MaxEvents 50 | Format-Table TimeCreated, LevelDisplayName, Message -Wrap

Check enrollment status during and after the process:

# Monitor enrollment status
dsregcmd /status

# Check MDM enrollment specifically
Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Enrollments" -ErrorAction SilentlyContinue

# Verify Intune management
Get-ScheduledTask | Where-Object {$_.TaskName -like "*Intune*" -or $_.TaskName -like "*MDM*"}

Pro tip: If enrollment stalls at a specific percentage, wait 10-15 minutes before canceling. Initial policy sync can take time on slower connections.

Verification: Successful enrollment shows "MDMEnrolled: YES" in dsregcmd output, Intune scheduled tasks are present, and Company Portal displays device compliance status without errors.

08

Analyze Event Logs and Implement Final Troubleshooting

If enrollment still fails, analyze Windows Event Logs for specific error details and implement advanced troubleshooting techniques.

Examine MDM-related event logs:

# Check Device Management logs
Get-WinEvent -LogName "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin" | Where-Object {$_.Id -eq 1006 -or $_.Id -eq 1007} | Format-List TimeCreated, Id, LevelDisplayName, Message

# Check Enrollment logs
Get-WinEvent -LogName "Microsoft-Windows-AAD/Operational" | Where-Object {$_.Message -like "*enrollment*"} | Select-Object TimeCreated, Id, Message

# Check for certificate errors (Get-WinEvent exposes the source as ProviderName)
Get-WinEvent -LogName "Application" | Where-Object {$_.ProviderName -eq "Microsoft-Windows-CertificateServicesClient-Lifecycle-System" -and $_.LevelDisplayName -eq "Error"}

Generate comprehensive diagnostic report:

# Create MDM diagnostic report
$OutputPath = "C:\temp\MDM-Diagnostics-$(Get-Date -Format 'yyyyMMdd-HHmmss').txt"
New-Item -Path "C:\temp" -ItemType Directory -Force

# Gather system information
@"
MDM Diagnostic Report - $(Get-Date)
=====================================

System Information:
$(Get-ComputerInfo | Select-Object WindowsProductName, WindowsVersion, TotalPhysicalMemory | Out-String)

DSRegCmd Status:
$(dsregcmd /status | Out-String)

Network Connectivity:
$(Test-NetConnection -ComputerName "enrollment.manage.microsoft.com" -Port 443 | Out-String)
$(Test-NetConnection -ComputerName "portal.manage.microsoft.com" -Port 443 | Out-String)

Enrollment Registry Keys:
$(Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Enrollments" -Recurse -ErrorAction SilentlyContinue | Out-String)

Recent MDM Events:
$(Get-WinEvent -LogName "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin" -MaxEvents 20 -ErrorAction SilentlyContinue | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap | Out-String)
"@ | Out-File -FilePath $OutputPath -Encoding UTF8

Write-Host "Diagnostic report saved to: $OutputPath"

Implement final troubleshooting steps:

# Reset Windows Update components (can affect enrollment)
Stop-Service wuauserv, cryptSvc, bits, msiserver -Force
Rename-Item "$env:SystemRoot\SoftwareDistribution" "SoftwareDistribution.old" -Force
Rename-Item "$env:SystemRoot\System32\catroot2" "catroot2.old" -Force
Start-Service wuauserv, cryptSvc, bits, msiserver

# Clear DNS cache
Clear-DnsClientCache

# Reset network stack
netsh winsock reset
netsh int ip reset

Warning: If all troubleshooting steps fail, the issue may require Microsoft Support intervention. Prepare the diagnostic report and error screenshots for support ticket submission.

Verification: Review the diagnostic report for patterns. Successful resolution shows clean event logs, proper registry entries, and successful test connections to Intune endpoints.
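
To find patterns in the Device Management log without reading every entry, the failures that mention the error code can be grouped by event ID. This is an added example, not part of the original guide; the function name and the 24-hour default window are assumptions, and the log name is the one used in this step.

```powershell
# Added example: summarise recent enrollment failures that mention the error code.
# Find-EnrollmentError and the 24-hour default window are assumptions.
function Find-EnrollmentError {
    param(
        [string]$ErrorCode = "0x80180006",
        [int]$Hours = 24
    )

    $filter = @{
        LogName   = "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
        Level     = 1, 2, 3   # Critical, Error, Warning
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # FilterHashtable filters inside the event log service, which is far faster
    # than piping the whole log through Where-Object
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # Keep only events whose rendered message contains the error code
    $hits = @($events | Where-Object { $_.Message -match [regex]::Escape($ErrorCode) })

    # One row per event ID: how often it fired, when, and a sample message line
    $hits | Group-Object Id | ForEach-Object {
        $sorted = @($_.Group | Sort-Object TimeCreated)
        [pscustomobject]@{
            EventId   = $_.Name
            Count     = $_.Count
            FirstSeen = $sorted[0].TimeCreated
            LastSeen  = $sorted[-1].TimeCreated
            Sample    = ($sorted[-1].Message -split "`r?`n")[0]
        }
    }
}

Find-EnrollmentError | Format-List
```

The summary rows can be attached to the diagnostic report alongside the raw event table when opening a support ticket.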

Frequently Asked Questions

What does Microsoft Intune error code 0x80180006 mean exactly?

Error code 0x80180006 indicates an unhandled exception occurred on the Microsoft Intune MDM server during device enrollment. This server-side error typically results from configuration mismatches, network connectivity issues, corrupted enrollment certificates, or incorrect Entra ID MDM scope settings. The error prevents Windows devices from successfully registering with Intune for mobile device management.

Why does 0x80180006 error occur on corporate WiFi networks?

Corporate WiFi networks often block or restrict access to Microsoft Intune endpoints required for device enrollment. Firewalls, proxy servers, and content filtering systems may prevent communication with domains like enrollment.manage.microsoft.com and portal.manage.microsoft.com. This network blocking triggers the 0x80180006 exception when the enrollment process cannot complete the server handshake. Testing enrollment on a mobile hotspot often resolves this issue temporarily.

How do I clean corrupted Intune enrollment certificates causing 0x80180006?

Open Certificate Manager (mmc.exe), add the Certificates snap-in for Computer account, and navigate to Personal > Certificates. Delete any certificates issued by 'Sc_Online_Issuing' which are remnants from failed Intune enrollments. Additionally, clean registry entries at HKLM\SOFTWARE\Microsoft\Enrollments and HKLM\SOFTWARE\Microsoft\OnlineManagement using PowerShell Remove-Item commands. This removes corrupted enrollment artifacts that cause server exceptions.

What Entra ID MDM scope settings prevent 0x80180006 errors?

In the Entra ID admin center, navigate to Mobility (MDM and WIP) > Microsoft Intune and configure MDM user scope to 'All' and WIP user scope to 'None'. Incorrect scope settings where MDM is limited to specific groups or WIP is enabled can cause enrollment authorization failures resulting in 0x80180006 errors. These configuration changes can take up to 15 minutes to propagate across Microsoft's infrastructure.

When should I contact Microsoft Support for 0x80180006 errors?

Contact Microsoft Support when systematic troubleshooting including network testing, certificate cleanup, registry cleaning, MDM scope configuration, and alternative enrollment methods all fail to resolve the error. Prepare a comprehensive diagnostic report including dsregcmd output, Event Viewer logs from DeviceManagement-Enterprise-Diagnostics-Provider, network connectivity test results, and screenshots of the error. Persistent 0x80180006 errors after following all troubleshooting steps may indicate backend service issues requiring Microsoft intervention.
