There is a special kind of ticket that haunts anyone who manages devices.
It looks harmless:
“My phone says it is not compliant but nothing changed.”
“Company Portal keeps failing the check.”
“I did what it told me to do and it still says I am out of compliance.”
You fix it once, then again, then again, and at some point you start to feel like you are chasing a ghost.
Underneath all of that is usually the same story:
- Old management profile
- Stale token
- Intune and the device disagreeing about reality
This post is about that “cursed token” pattern, how I think about it now, and how to turn the fix into something that does not eat your entire morning every time it pops up.
Step 1: What The User Sees vs What Is Actually Happening
From the user’s side, the error message is usually useless.
- “Your device is not compliant.”
- “Could not obtain the final profile.”
- “Something went wrong, try again.”
They did not change anything. They did not uninstall anything. As far as they are concerned, the device just woke up one day and decided to be difficult.
From Intune’s side, it is more like:
- “I think you are still on the old profile.”
- “The token I have for you is expired or wrong.”
- “The device did not complete the last step of enrollment correctly.”
Intune lives on trust relationships:
- There is a profile installed on the device
- There is a token or cert that proves who the device is
- There are policies that say what “healthy” looks like
If any of those get out of sync, you get “non compliant” even if the actual hardware is fine.
Once you understand that, the standard “nuke and pave” flow stops feeling like a weird superstition and starts looking like what it really is.
You are not just deleting an app. You are resetting the trust.
Step 2: The Standard “Reset The Trust” Fix
The core idea is always the same:
- Remove the broken relationship
- Reboot so the device forgets the old state
- Re enroll clean under the current policies
For example, on an iPhone:
- Delete the Company Portal app
  - Long press the app
  - Tap “Remove App”
  - Confirm deletion
- Remove the management profile
  - Go to Settings
  - General
  - VPN & Device Management or Profiles
  - Tap the company management profile
  - Remove or delete the profile
- Restart the phone
  - Power off completely
  - Turn it back on
- Reinstall Company Portal
  - Go to the App Store
  - Download Microsoft Intune Company Portal
  - Sign in with work email and password
- Re enroll
  - Follow the prompts in Company Portal
  - Allow it to install the new management profile
  - Complete the device compliance check
On a Mac, the shape is the same:
- Remove Company Portal
- Remove the management profile from System Settings → Privacy & Security → Profiles
- Reboot
- Reinstall Company Portal and go through enrollment again
On paper, that looks like a lot of steps for “just make the error go away.”
In reality, it is:
- Throw away the old token
- Throw away the old profile
- Ask Intune to issue a fresh identity and re evaluate
You are basically telling both sides, “forget whatever you think you know about this device, here is the current truth.”
Step 3: Write It Once So You Stop Re Explaining It
The first time you walk someone through that flow in Teams or on a call, fine.
The fifth time, you realize you are saying the same sentences over and over.
The fix is simple:
- Turn your troubleshooting steps into a reusable asset
- Make it easy to send, easy to follow, and easy to update
I like to build three versions:
- A user facing KB article
  - Clean headings
  - Screenshots if possible
  - Separate sections for iPhone, iPad, Mac, Windows
  - Language like “this will not wipe your personal data, it just resets the work profile”
- A canned response for tickets
  - “Hey, this is a common issue with the Company Portal holding on to an old token. Here is the sequence that usually clears it up…”
  - Paste the short version of the steps
  - Link to the full KB for visuals
- A one page internal runbook
  - Root cause in one paragraph
  - Steps in order
  - Any edge cases or “if this does not work, try this” notes
Now instead of rewriting the same instructions, you are clicking one macro or dropping one link.
You look like you magically know what to do, even though you just wrote it down once and reused it.
Step 4: Treat It As A Pattern, Not A Random Error
After you fix enough of these, you start to see patterns.
Questions worth asking yourself:
- Does this happen mostly on new devices, or ones that have been around for years?
- Do you see it more after big policy changes, or randomly?
- Is it tied to a specific platform version (iOS, macOS, Windows build)?
That tells you where the real problem lives:
- Maybe your profile or conditional access changes are bumping into old devices that were never re enrolled
- Maybe you are rolling out new compliance rules without enough communication
- Maybe your environment is carrying a lot of stale records for devices that are actually gone
The fix on the single device is helpful.
The fix on the system is what makes your life quiet down.
Examples of system level improvements:
- Clean up old devices in Intune that have not checked in for months
- Standardize enrollment instructions so users are less likely to half complete the process
- Set a policy that major changes to compliance rules include a “here is how to re enroll if needed” note
- Build a small reporting view for “devices that are enrolled but non compliant” and review it regularly
The goal is not “never see this error again,” because that is not real. The goal is “when this happens, we know exactly what to do and why.”
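An added example, not from the original post: a minimal version of that reporting view in Python, which separates stale records (cleanup candidates) from devices that are checking in but non compliant (candidates for the reset flow) and counts the latter by platform. It assumes device records exported from Microsoft Graph using the managedDevice field names; the sample records, the 90 day and two year thresholds, and the function names are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real devices). Field names follow the
# Microsoft Graph managedDevice resource.
SAMPLE_DEVICES = [
    {"deviceName": "IPHONE-A", "operatingSystem": "iOS", "osVersion": "17.5",
     "complianceState": "noncompliant", "enrolledDateTime": "2021-03-02T10:00:00Z",
     "lastSyncDateTime": "2025-05-30T08:15:00Z"},
    {"deviceName": "IPHONE-B", "operatingSystem": "iOS", "osVersion": "17.4",
     "complianceState": "noncompliant", "enrolledDateTime": "2025-04-10T09:00:00Z",
     "lastSyncDateTime": "2025-05-31T12:00:00Z"},
    {"deviceName": "MAC-C", "operatingSystem": "macOS", "osVersion": "14.5",
     "complianceState": "compliant", "enrolledDateTime": "2023-01-01T09:00:00Z",
     "lastSyncDateTime": "2025-05-31T07:30:00Z"},
    {"deviceName": "WIN-D", "operatingSystem": "Windows", "osVersion": "10.0.19045",
     "complianceState": "noncompliant", "enrolledDateTime": "2020-06-01T09:00:00Z",
     "lastSyncDateTime": "2024-11-15T16:45:00Z"},
    {"deviceName": "MAC-E", "operatingSystem": "macOS", "osVersion": "13.6",
     "complianceState": "compliant", "enrolledDateTime": "2022-02-01T09:00:00Z",
     "lastSyncDateTime": "2025-01-05T10:00:00Z"},
]
STALE_AFTER = timedelta(days=90)     # assumption: no check-in for 90 days = likely gone
LONG_ENROLLED = timedelta(days=730)  # assumption: enrolled 2+ years ago = "old" device

def parse_ts(value):
    """Parse a Graph-style UTC timestamp such as 2025-05-30T08:15:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage(devices, now):
    """Separate stale records from devices that are active but non compliant."""
    report = {"stale": [], "reenroll": [], "long_enrolled": [], "by_platform": Counter()}
    for d in devices:
        if now - parse_ts(d["lastSyncDateTime"]) > STALE_AFTER:
            report["stale"].append(d["deviceName"])      # cleanup candidate
            continue
        if d["complianceState"] != "noncompliant":
            continue
        report["reenroll"].append(d["deviceName"])       # candidate for the reset flow
        if now - parse_ts(d["enrolledDateTime"]) > LONG_ENROLLED:
            report["long_enrolled"].append(d["deviceName"])
        major = d["osVersion"].split(".")[0]
        report["by_platform"][(d["operatingSystem"], major)] += 1
    return report

if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    for key, value in triage(SAMPLE_DEVICES, now).items():
        print(key, value)
```

Stale records are checked first so that a device that is long gone does not inflate the non compliant count for its platform.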
Step 5: Make Device Management Feel Less Like Punishment
The other side of this is user experience.
If every interaction with Company Portal feels like:
- Surprise error
- Confusing instructions
- Threats about access being revoked
People will do the bare minimum to make it go away.
You can’t fix Microsoft’s copy, but you can wrap the experience in something that feels less hostile.
A few simple things that help:
- When you send instructions, explain what is happening in human terms
  - “Right now your phone and our management system are out of sync. These steps reset that relationship so it can check in cleanly.”
- Reassure them about what is not happening
  - “This does not wipe your personal photos or apps. It only affects the work profile and settings.”
- Give a clear finish line
  - “When you are done, open Company Portal, tap ‘Check status,’ and you should see a green check that says Compliant.”
- Offer a safety net
  - “If anything looks off or you see a different error, screenshot it and ping me. We can hop on a quick call if needed.”
You are still enforcing security. You are just doing it in a way that does not make people feel like they broke something by existing.
Step 6: Use AI To Help You Explain It Better, Not Just Faster
Same trick as the other blogs: after you have seen this issue a couple of times, you can have AI help you sharpen your explanation.
Example prompt:
I manage devices with Intune and see this recurring pattern:
- User’s iPhone shows as non compliant in Company Portal
- Error mentions not being able to obtain the final profile or similar
- Fix is always: delete Company Portal, remove management profile, reboot, reinstall, re enroll
Explain to me:
- What is happening at the token / profile / trust level
- How I should describe this to a non technical user in 2 to 3 sentences
- Any long term design improvements that could reduce how often this happens
You already know the fix. What you are stealing from AI is better language and clearer mental models.
Use that to:
- Improve your KB articles
- Tighten your canned ticket responses
- Sound five years more senior when you explain it to leadership
Closing This Out
The “cursed token” kind of ticket is never going to disappear.
Devices will always drift. Profiles will always get out of sync. People will always skip one step in a wizard and then forget about it.
But you get to choose how it lives in your world.
It can be:
- A random, frustrating error you dread seeing
- Or a well understood pattern with a known fix, a clean KB article, and a 30 second macro
The first version keeps you in permanent fire drill mode.
The second version makes you look like the calm person who has already solved this problem.
Same error. Same systems. Same devices.
The difference is whether you treat it like a curse, or like just another pattern you have learned how to handle.