Case Study

Windows 365 Provisioning Failure Due to Intune Policy Conflict

A Windows 365 enrollment failure caused by overlapping Intune policy assignments, with the fix centered on separating Cloud PC enrollment scopes from legacy baselines.

Windows 365 Intune Endpoint Management Provisioning Published Mar 2026

Overview

During Windows 365 provisioning, affected users failed at the enrollment stage and Cloud PCs remained in Provisioning failed. Investigation showed conflicting Intune policy assignments applying incompatible enrollment and compliance settings to the same user scope.

Problem Statement

Cloud PC provisioning failed consistently during enrollment, preventing users from receiving their Windows 365 desktop despite valid licensing and successful policy targeting.

Symptoms

  • Cloud PC status switched from Provisioning to Provisioning failed in under 15 minutes.
  • Enrollment errors appeared in Endpoint Manager and Windows 365 provisioning diagnostics.
  • The same user failed repeatedly even after reprovisioning attempts.
  • Device object creation succeeded, but post-enrollment policy processing failed.

Environment

Component Value Why it mattered
Endpoint Windows 365 Cloud PC The failure occurred during Cloud PC enrollment and provisioning.
Management plane Intune + Windows 365 admin center Used to inspect policy assignments and provisioning diagnostics.
Recovery method Policy redesign and scope separation Removed the conflicting assignment overlap.

Root Cause

The tenant had overlapping Intune assignments that pushed incompatible enrollment and compliance requirements to the same users during provisioning.

Investigation Process

  1. Validated user licensing and Windows 365 provisioning policy assignment.
  2. Collected provisioning diagnostics from Windows 365 admin center.
  3. Correlated enrollment failures with Intune device configuration and compliance assignments.
  4. Compared policy target groups and identified assignment overlap in dynamic user groups.
  5. Excluded pilot users from the legacy compliance baseline and retested provisioning.

Troubleshooting Flow

  • Configuration Profile (Endpoint Security Baseline): 9e4f56be-6a5b-4d34-9b0c-12f0a5d1f801
  • Configuration Profile (Cloud PC Enrollment Controls): 5b2d91a1-2ef0-47f2-a1b0-9478cb0ac4d6
  • Compliance Policy (Strict Legacy Template): d3f7bf19-cc9e-4820-8bd7-c605f8a9e213

These overlapping policies created contradictory requirements during enrollment, causing the provisioning sequence to abort.

Solution

  • Created a dedicated Windows 365 enrollment group with explicit include assignments.
  • Moved legacy baseline policies to a separate scope with explicit exclusions for Cloud PC users.
  • Consolidated duplicate configuration settings into one approved Cloud PC baseline profile.
  • Documented assignment ownership and added change control for Intune policy updates.

Validation

  • Provisioning success rate improved from 42% to 100% for the affected group.
  • No enrollment-stage failures were observed in the next two deployment cycles.
  • Reprovisioning was no longer required for policy-related enrollment issues.

Lessons Learned

Tip

Policy assignment design is as important as policy content. Separate Cloud PC enrollment scopes from legacy endpoint baselines.

Key Takeaways

Separating Windows 365 enrollment scopes from legacy endpoint baselines prevents conflicting controls and stabilizes provisioning.

References

Windows 365 provisioning diagnostics Intune assignment troubleshooting guidance