Troubleshooting Intune policies and apps
Introduction
This post aims to explain a standard procedure for investigating unexpected behavior or errors between Intune and an endpoint. This means: the IT admin configures something in the Intune admin portal, the device should apply the setting, but something goes wrong along the way. Issues can arise with any of these content types:
- Device configuration and compliance profiles
- Endpoint security profiles
- Scripts and Proactive remediation packages
- Apps
(Additionally: Device join and enrollment, not covered here)
In the past I already wrote a post about Autopilot Troubleshooting. This post differs from it, since it focuses only on synchronization errors when the device is already enrolled in Intune. However, some of the contents may be applicable vice versa.
Analyzing issues
Prerequisites
- Intune role that has at least read access to profiles and devices (Learn more)
- Access to the device (optional because you can also request a log upload from the Intune portal)
Top sources
- Intune portal - see applied profiles and apps to devices & users
- Diagnostics and MDMDiagnostics - see all diagnostics data from the MDM channel
- IntuneManagementExtension log files - IME is the component that is responsible for PowerShell scripts, apps and compliance state from Intune on the end device
- Event viewer - most of the relevant events are displayed here, especially if you don't know where to look in particular
- Registry - is always the last point to verify settings
Troubleshooting flow
For any conventional issues between Intune (admin perspective) and the Windows device (user perspective), I would proceed like this:
Intune portal
The Intune portal is key for an IT admin to check and understand the states on the end device. There are three main ways of analysis:
- From the content side (from a profile, app and so on), from here you can see:
- Device assignment status
- User assignment status
- Per settings status
Example
- From the device perspective, here you can see all contents which were applied to the device
Example
- Troubleshooting + support section, where you can search by a user to see all of their devices and their content status
Example
Diagnostics and MDMDiagnostics
Generally, if you are looking for a particular setting that may not be applied or doesn't work as expected, I would recommend this method.
Open a cmd and type:
MDMDiagnosticsTool.exe -out c:\temp
Contents:
- Export from the most relevant event viewer locations
- MDMDiagReport (can also be generated from Windows Settings app>Access work or school, Info>Create report)
- Verbose .xml file that contains all sync data
I usually go for the MDMDiagReport html file for troubleshooting.
Diagnostics
From the Intune portal you can select any device and choose Collect diagnostics. After a few minutes the diagnostics will be uploaded and shown on the left side under Device diagnostics, where you can then download the package. The package contains the most relevant data (see the full list in the official docs):
- Registry
- Commands and outputs
- Event viewer
- Files
IntuneManagementExtension log
The Intune Management Extension (IME) log is the place to find mainly app install events, but also PowerShell (management scripts) and Proactive Remediation (health script) events. The amount of entries can be quite overwhelming, so focus on the yellow (warning) and red (error) marked events and investigate the entries before and after them.
C:\ProgramData\Microsoft\IntuneManagementExtension\Logs
Event viewer
The event viewer is always a good spot to search for any data and events that occurred on the system. The Intune-related log shows device issues and verbose information about the management traffic between Intune/Azure AD and Windows.
Applications and Services Logs>Microsoft>Windows>DeviceManagement-Enterprise-Diagnostics-Provider
Registry
The most relevant paths include:
Applications and Services Logs > Microsoft > Windows
- Devicemanagement-Enterprise-Diagnostics-Provider
- Moderndeployment-Diagnostics-Provider
- Provisioning-Diagnostics-Provider
- Aad-Operational
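As an added example that is not part of the original post, the following PowerShell script strings the collection steps above together on an already-enrolled device: it runs the MDMDiagnosticsTool export, filters the IME logs for the warning and error entries the log viewer marks yellow and red, and pulls errors and warnings from the DeviceManagement-Enterprise-Diagnostics-Provider event log. The output folder, the 24-hour window, the parameter names and the CMTrace-style log-line pattern it parses (`type="2"` warning, `type="3"` error) are assumptions of this example.

```powershell
# Added example (not the original post's code). Run in an elevated PowerShell session.
# Paths are the ones named in the post; output folder and time window are assumptions.
param(
    [string]$OutDir = 'C:\temp\IntuneTriage',
    [int]$Hours = 24
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$since = (Get-Date).AddHours(-$Hours)

# 1) MDM diagnostics package (contains MDMDiagReport.html and the verbose sync XML)
& "$env:SystemRoot\System32\MDMDiagnosticsTool.exe" -out $OutDir

# 2) IME logs: keep only CMTrace lines of type 2 (warning) or 3 (error)
#    Line format (assumed): <![LOG[message]LOG]!><time="hh:mm:ss" date="M-d-yyyy" ... type="N" ...>
$imeLogs = Join-Path 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs' '*.log'
$hits = Get-ChildItem $imeLogs |
    Where-Object LastWriteTime -ge $since |
    Select-String -Pattern 'type="[23]"' |
    ForEach-Object {
        if ($_.Line -match '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"') {
            [pscustomobject]@{
                File    = $_.Filename
                Date    = $Matches.date
                Time    = $Matches.time
                Message = $Matches.msg
            }
        }
    }
$hits | Export-Csv (Join-Path $OutDir 'IME-warnings-errors.csv') -NoTypeInformation

# 3) Event viewer: errors (level 2) and warnings (level 3) from the MDM admin channel
$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
Get-WinEvent -FilterHashtable @{ LogName = $logName; Level = 2, 3; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Export-Csv (Join-Path $OutDir 'DeviceManagement-events.csv') -NoTypeInformation

Write-Host "Triage output written to $OutDir"
```

Open the two CSV files next to MDMDiagReport.html and look at the entries immediately before and after each flagged line, as described above.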
More information / field notes
- Windows endpoints sync every 3 minutes for 15 minutes, then every 15 minutes for 2 hours (after enrollment), and then around every 8 hours, More information - this is driven by a scheduled task:
- Every device must have an Intune MDM device certificate - Read more
- Speedup / troubleshoot Proactive Remediation
- If you are looking for Edge settings, open Edge and type edge://policy in the address bar to see the applied policies
- At the log location of IntuneManagementExtension you can also find:
- AgentExecutor - PowerShell or Proactive Remediation logs
- ClientHealth - client and IME health evaluation
- Retired IME logs - there are more log files that include the date in the name; these are the retired (rolled-over) copies
- Sensor