Windows 365 Provisioning Failure Due to Intune Policy Conflict
Overview
During Windows 365 provisioning, the affected users' Cloud PCs failed at the enrollment stage and remained in the Provisioning failed state. Investigation showed that conflicting Intune policy assignments were applying incompatible enrollment and compliance settings to the same user scope.
Problem Statement
Cloud PC provisioning failed consistently during enrollment, preventing users from receiving their Windows 365 desktop despite valid licensing and successful policy targeting.
Symptoms Observed
- Cloud PC status switched from Provisioning to Provisioning failed in under 15 minutes.
- Enrollment errors appeared in Endpoint Manager and Windows 365 provisioning diagnostics.
- The same user failed repeatedly even after reprovisioning attempts.
- Device object creation succeeded, but post-enrollment policy processing failed.
Conflicting Policy IDs Identified
The tenant had two policy sets applied to overlapping groups. The following IDs were identified as conflicting during troubleshooting:
- Configuration Profile (Endpoint Security Baseline): 9e4f56be-6a5b-4d34-9b0c-12f0a5d1f801
- Configuration Profile (Cloud PC Enrollment Controls): 5b2d91a1-2ef0-47f2-a1b0-9478cb0ac4d6
- Compliance Policy (Strict Legacy Template): d3f7bf19-cc9e-4820-8bd7-c605f8a9e213
The overlap created contradictory requirements during enrollment, causing the provisioning sequence to abort.
Troubleshooting Flow
- Validated user licensing and Windows 365 provisioning policy assignment.
- Collected provisioning diagnostics from Windows 365 admin center.
- Correlated enrollment failures with Intune device configuration and compliance assignments.
- Compared policy target groups and identified assignment overlap in dynamic user groups.
- Excluded pilot users from the legacy compliance baseline and retested provisioning.
Final Policy Redesign
- Created a dedicated Windows 365 enrollment group with explicit include assignments.
- Moved legacy baseline policies to a separate scope with explicit exclusions for Cloud PC users.
- Consolidated duplicate configuration settings into one approved Cloud PC baseline profile.
- Documented assignment ownership and added change control for Intune policy updates.
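The group-overlap comparison from the troubleshooting flow and the exclusion step of the redesign, as an added example that is not part of the original write-up: it computes each policy's effective user scope from Graph-style assignment targets and lists the users reached by more than one policy. The policy IDs are the ones listed above; the group names, memberships and which group each policy targets are constructed assumptions.

```python
from itertools import combinations

INCLUDE = "#microsoft.graph.groupAssignmentTarget"
EXCLUDE = "#microsoft.graph.exclusionGroupAssignmentTarget"

# Constructed sample data: group names and memberships are assumptions.
GROUP_MEMBERS = {
    "grp-all-staff-dynamic": {"alice", "bob", "carol"},
    "grp-w365-users-dynamic": {"bob", "carol"},
}

def target(kind, group):
    # Same shape as one item of a Graph ".../assignments" response.
    return {"target": {"@odata.type": kind, "groupId": group}}

# Policy IDs from this page; the group each one targets is an assumption.
ASSIGNMENTS = {
    "9e4f56be-6a5b-4d34-9b0c-12f0a5d1f801": [target(INCLUDE, "grp-all-staff-dynamic")],
    "5b2d91a1-2ef0-47f2-a1b0-9478cb0ac4d6": [target(INCLUDE, "grp-w365-users-dynamic")],
    "d3f7bf19-cc9e-4820-8bd7-c605f8a9e213": [target(INCLUDE, "grp-all-staff-dynamic")],
}

def effective_scope(assignments, members):
    """Users a policy applies to: included groups minus excluded groups."""
    included, excluded = set(), set()
    for a in assignments:
        kind, group = a["target"]["@odata.type"], a["target"].get("groupId")
        if kind == INCLUDE:
            included.update(members.get(group, set()))
        elif kind == EXCLUDE:
            excluded.update(members.get(group, set()))
        else:  # e.g. "all users" targets need tenant data this sketch lacks
            raise ValueError(f"unsupported assignment target: {kind}")
    return included - excluded

def overlaps(policy_assignments, members):
    """Map each pair of policy IDs to the users both policies reach."""
    scopes = {pid: effective_scope(a, members) for pid, a in policy_assignments.items()}
    pairs = combinations(sorted(scopes), 2)
    return {(a, b): scopes[a] & scopes[b] for a, b in pairs if scopes[a] & scopes[b]}

def with_exclusion(policy_assignments, policy_id, group):
    """Copy of the assignments where policy_id also excludes the given group."""
    fixed = dict(policy_assignments)
    fixed[policy_id] = fixed[policy_id] + [target(EXCLUDE, group)]
    return fixed

if __name__ == "__main__":
    for pair, users in overlaps(ASSIGNMENTS, GROUP_MEMBERS).items():
        print(pair, sorted(users))
```

Running `overlaps` again on the output of `with_exclusion` shows whether an exclusion actually removed Cloud PC users from a legacy policy's scope before the change is made in the tenant.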
Result
- Provisioning success rate improved from 42% to 100% for the affected group.
- No enrollment-stage failures observed in the next two deployment cycles.
- Reprovisioning was no longer required for policy-related enrollment issues.
Key Takeaway
In Windows 365 environments, policy assignment design is as important as policy content. Separating Cloud PC enrollment scopes from legacy endpoint baselines prevents conflicting controls and stabilizes provisioning.