Microsoft Intune administrators are hitting a frustrating wall: a "Remediation failed" status accompanied by the opaque error code 0x87d1fde8. This single code signals that a configuration profile or compliance policy didn’t fully apply—but the root cause could be anything from a simple edition mismatch to a malformed OMA-URI. Taming it demands more than random restarts; it requires a structured, evidence-driven approach that zeroes in on the real culprit. This guide distills Microsoft documentation, community war stories, and proven diagnostic techniques into a repeatable workflow, so you can move from bewildered to fixed.
The error at a glance
In the Intune admin center, the error appears as State: Error, with State details: -2016281112 (Remediation failed) and the hexadecimal code 0x87d1fde8. It strikes across all profile types—Wi‑Fi, Managed Browser, device restrictions, compliance policies, even custom OMA‑URI profiles. Often the settings seem to land on the device, yet the portal still waves a red flag. That discrepancy is a crucial clue: sometimes the error is purely cosmetic, a reporting ghost that vanishes after the next check‑in. Other times it’s a genuine application failure that leaves the device partially or wholly unmanaged.
Why 0x87d1fde8 happens: the five usual suspects
A generic error like this can’t be solved with a one‑line fix because it’s a catch‑all for several distinct failure modes. Pinpointing which one is at play is the first step toward resolution.
1. Windows edition or build incompatibility
Many CSPs (Configuration Service Providers) and policy settings demand Windows Pro, Enterprise, or Education, or a minimum build number. A policy that references a CSP absent on a Windows Home device—or an older build—will never remediate. Community troubleshooting logs repeatedly show edition/build mismatches as the top cause, especially when administrators push enterprise‑grade policies to accidentally enrolled consumer devices.
2. CSP or OMA‑URI path errors
Custom OMA‑URI entries are picky about syntax. A single wrong character in the path, an outdated property name from a platform update, or a payload that doesn’t match the expected data type provokes a failure. Microsoft’s own documentation has documented cases where changing a CSP path in a newer release caused older profiles to start throwing 0x87d1fde8, even if the underlying functionality remained intact for a while.
3. Conflicting profiles and assignment chaos
Two profiles that fight over the same setting—one enabling a feature, another disabling it—create a tug‑of‑war that ends in remediation failure. Misassignment is equally dangerous: a policy scoped to the wrong user group, a mistyped device group, or scope tags that restrict visibility can make Intune believe a deployment failed simply because the profile never reached its intended target.
4. Licensing limits and feature gates
Some features, notably Endpoint Analytics and proactive remediations, require Enterprise SKUs or specific add‑on licenses. When Intune automatically creates data collection policies for these services, non‑Enterprise devices (like Windows Pro) may receive them and immediately report 0x87d1fde8. Admins have discovered this the hard way after a pilot rollout of Endpoint Analytics suddenly flooded their console with errors.
5. Transient service bugs and UI lag
Microsoft acknowledges that for Managed Browser policies the 0x87d1fde8 can be a console‑side mirage: the policy works, but the portal takes an extra sync cycle to reflect success. These known issues often disappear on their own, but they erode trust in the reporting dashboard until recognized.
The pre‑flight checklist: start here before you dig
Before opening Event Viewer or running diagnostic tools, run through three quick validation steps. They resolve a surprising number of cases and save hours of log‑diving.
- Confirm Windows edition and build. On the target device, open Settings > System > About. Cross‑reference with Microsoft’s CSP documentation. If the device runs Home but the profile demands Enterprise‑only CSPs, exclude it from the assignment or upgrade the edition.
- Audit assignments and scope tags. In the Endpoint Manager admin center, check whether the profile is assigned to the correct user or device group. Toggle the assignment if needed—sometimes simply removing and re‑adding the group clears stale backend caches.
- Spot‑check the device manually. Open the setting (e.g., a Wi‑Fi network in Control Panel) and verify it exists. If it’s there but Intune still barks, you’re likely dealing with a reporting mismatch, not a configuration gap. That distinction guides your next step.
The step‑by‑step remediation workflow
When the quick checks don’t suffice, follow this ordered sequence, escalating from light‑touch fixes to forensic deep dives.
Step 1: Verify OS compatibility
This is the 80/20 fix. Use PowerShell on the device (Get-ComputerInfo | Select WindowsEditionId, WindowsVersion) or the System app to grab the exact edition and build. If the profile includes CSPs like PolicyManager or WindowsAI that require Enterprise, either recreate the profile to exclude those nodes or deploy it only to eligible devices. For Windows Home fleets that accidentally ended up in Intune, consider a provisioning package to upgrade them before applying complex policies.
Step 2: Simplify the profile
Navigate to Devices > Configuration profiles in Intune, open the offending profile, and strip it down:
- Remove any settings that are not critical.
- Delete custom OMA‑URI entries and rebuild them via the Settings Catalog if possible—the Catalog automatically handles CSP mapping and reduces syntax errors.
- Look for duplicate settings from another profile; even if the values are the same, overlapping profiles sometimes confuse the MDM stack.
Reducing the profile to its essentials often isolates the problematic node. Once it succeeds, add settings back one at a time and sync between each addition to identify the culprit.
Step 3: Reassign and retarget
Temporarily create a test group containing a single known‑good device. Assign the profile exclusively to that group, then force a sync. If the error clears, the original assignment was faulty. Common pitfalls include:
- Using a user group when the CSP requires device‑based targeting (or vice versa).
- Scope tags that hide the device from the admin’s view even though the backend still tries to process the policy.
- Nested group memberships that Intune doesn’t fully resolve in time for the first application.
Step 4: Force a full device sync
On the Windows device, go to Settings > Accounts > Access work or school, click the connected account, then Info > Sync. This initiates a fresh MDM session. Immediately after the sync completes, restart the device. After reboot, wait 5‑10 minutes and refresh the Intune portal. If the error vanishes, you’re dealing with either a transient reporting lag or a check‑in timing issue—Microsoft explicitly documents this for Managed Browser profiles.
Step 5: Collect and interpret the diagnostic bundle
When the error persists, it’s log‑time. Gather the Intune diagnostic package using one of these methods:
- Run mdmdiagnosticstool.exe from an elevated command prompt. Add parameters like -area DeviceEnrollment;DeviceProvisioning;DeviceManagement -zip C:\IntuneDiag.zip to capture all relevant areas.
- Use the built‑in Settings > Accounts > Access work or school > Export your management log files (available on Windows 10 20H2 and later).
- Or launch the Intune remote diagnostics from the admin center if the device is online.
Unzip the output and focus on MDMDiagReport.html. This single file provides a timeline of every MDM session, CSP application attempt, and the resulting error codes. Simultaneously, open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement‑Enterprise‑Diagnostics‑Provider > Admin. Here, DMClient logs spell out exactly why a CSP was rejected.
Step 6: Decode log patterns
With the logs in hand, look for these telltale signatures:
- CSP not found / Not supported: An entry like The policy CSP path ./Device/Vendor/MSFT/SomeCSP is not supported on this SKU confirms an edition or build mismatch.
- Policy conflict: Two entries targeting the same OMA‑URI node with different EnforcementMode or payload values indicate a conflict. The conflicting profile GUID will be logged; search for it in the admin center to find the other profile.
- OMA‑URI parse error: Messages containing "invalid character" or "unexpected string" point to a formatting mistake—often a missing hex prefix for Wi‑Fi passwords or an XML encoding slip in a SyncML payload.
Match the log timestamps with the sync times in the MDMDiagReport to correlate errors with specific policy deliveries.
Step 7: Recreate or repackage the profile
If logs confirm a CSP path error or a syntax glitch, don’t just tweak the existing profile—rebuild it:
- For settings available in the Settings Catalog, use that UI. It insulates you from CSP path changes and automatically validates payloads.
- For custom OMA‑URI entries, cross‑reference the latest CSP documentation from Microsoft. Pay special attention to any notes about deprecated nodes or new data type requirements.
- When recreating Wi‑Fi profiles, ensure the SSID and password are correctly encoded: hex prefixes, proper nesting of <WLANProfile> XML, and correct namespace declarations. Community guides often share validated payloads for common scenarios.
After recreation, deploy to a test device before rolling out broadly.
Step 8: Untangle licensing knots
If the error correlates with an Endpoint Analytics or proactive remediation policy, check the device’s licensing status. Windows Pro devices without the necessary add‑on licenses will refuse these policies. Solutions:
- Exclude non‑Enterprise devices from the policy assignment.
- Upgrade the device’s Windows edition or assign an appropriate Intune license.
- Disable the automatic creation of Endpoint Analytics data collection policies if you’re not using the service—some tenants find these policies propagate by default.
Advanced tools and techniques
When the standard workflow hits a wall, these deeper probes often break through.
dsregcmd /status for identity health
A device that isn’t properly joined to Microsoft Entra (formerly Azure AD) can’t reliably receive policies. Run dsregcmd /status from an elevated command prompt and verify:
- AzureAdJoined : YES
- DeviceCertificateValidity : VALID
- DeviceId and Thumbprint fields populated.
If the join state is NO or the certificate has expired, fix the device registration before troubleshooting Intune errors. Sometimes a dsregcmd /leave followed by a fresh join clears identity‑related MDM blocks.
MDMDiagReport.html deep dive
The generated HTML report breaks down every provisioning step. Look for the section “Configuration Sources”—it lists all applied policies and their state. A status of 0x8600001B (NotApplicable) might be expected for edition‑restricted CSPs, but 0x87d1fde8 always signals an error. Click through to the detailed section to see the exact CSP URI and the server response. This often surfaces backend errors that the admin console doesn’t expose, such as an internal service timeout or a throttling response.
When settings stick but Intune disagrees
If the device clearly has the policy applied (you can see the setting in the UI) but Intune still reports 0x87d1fde8, the root cause is almost always a reporting discrepancy. Check:
- The DMClient log for entries right after the last sync—look for EnforcementMode differences. Another policy may have silently overridden the setting after the initial success.
- Microsoft’s known issues list for Managed Browser and Edge policies. In some documented cases, the error disappears on the next natural sync and never returns.
In such cases, document the finding and monitor. Avoid the temptation to rip out a functioning policy; instead, flag it for review during the next configuration audit.
Preventive hygiene: stop 0x87d1fde8 before it starts
Stable Intune environments share a few habits that dramatically lower the odds of remediation failures.
- Prefer the Settings Catalog. It abstracts away CSP paths and updates automatically when Microsoft refreshes backend configurations. If a setting isn’t in the Catalog, double‑check the CSP documentation before venturing into custom OMA‑URI.
- Maintain an OS edition/feature map. Keep a simple spreadsheet that lists which CSPs and settings require Enterprise, which minimum build they need, and which are safe for Pro. Gate policy assignments with Azure AD dynamic groups (e.g.,
device.deviceOSType -eq "Windows" -and device.deviceOSVersion -startsWith "10.0.1904"). - Test with a canary group. Before broad deployment, push every profile to a small set of devices that mirror your production mix—different editions, builds, and join types. Let them simmer for 24 hours and check the portal for any remediation errors.
- Monitor CSP deprecations. Subscribe to Microsoft’s “What’s new in Microsoft Intune” blog and the CSP release notes. When a CSP node is marked as deprecated, recreate affected profiles before the change breaks them.
Real‑world case studies
Nothing brings the guidance together like seeing it in action.
The Managed Browser mirage
A mid‑size organization deployed a Managed Browser allowlist that included microsoft.com. Immediately, dozens of devices lit up with 0x87d1fde8. The IT team began rebuilding the profile, but after a device reboot, the errors vanished on their own. Microsoft later confirmed this was a known console glitch—the policy had been working all along. Lesson: always verify device functionality before treating a portal error as a real failure.
The Endpoint Analytics licensing surprise
An admin enabled Endpoint Analytics for a tenant with mostly Windows 10 Pro devices. Within hours, the dashboard was flooded with 0x87d1fde8 for an automatically created “Data Collection” policy. Digging into the CSP requirements revealed that several collection nodes required Enterprise. The fix was to create an exclusion group for Pro devices, instantly silencing the storm. This case highlights how feature activation can silently generate policies that exceed device capabilities.
Wi‑Fi OMA‑URI encoding headache
A school district pushed a custom Wi‑Fi profile via OMA‑URI. Many devices showed the network, but the Intune portal stubbornly reported remediation failed. The DMClient logs revealed a payload parsing error on the SSID field. The SSID contained a space, and the payload was missing the required hex encoding prefix. Once the admin wrapped the SSID in hex and adjusted the payload, all devices transitioned to successful status. Precision in payload formatting is non‑negotiable.
Escalation and when to call Microsoft
Not every 0x87d1fde8 can be solved in‑house. Escalate to Microsoft Support when:
- The MDMDiagReport shows a backend service error (e.g., HTTP 500 from the Intune service) that persists across profile recreations.
- You’ve ruled out all five root causes and the error follows the device across re‑enrollments.
- Microsoft’s known issues list confirms a service bug with no workaround.
When opening a case, attach the zipped diagnostic bundle, the date/time of failed syncs, and the affected device IDs. This arms the support engineer with everything they need to bypass tier‑1 scripts.
The bottom line
Error 0x87d1fde8 is a shapeshifter, but it always leaves fingerprints. Device edition, CSP syntax, profile conflict, licensing, or a transient bug—the cause is buried in the symptoms. A methodical scan of compatibility, assignments, and logs, followed by targeted profile hygiene, resolves the overwhelming majority of cases. By embedding the preventive practices above into your operational routine, you can cut remediation failures down to a trickle and spend less time staring at error codes, more time driving value from your modern management investment.