Introduction

This post aims to explain a standard procedure for investigating unexpected behavior or errors between Intune and an endpoint. That is, the IT admin configures something in the Intune admin portal and the device should apply the setting, but encounters issues. Things could go wrong with these contents:

  • Device configuration and compliance profiles
  • Endpoint security profiles
  • Scripts and Proactive remediation packages
  • Apps

(Additionally: Device join and enrollment, not covered here)

I have already written a post about Autopilot Troubleshooting. This post differs from it, since it focuses only on synchronization errors once the device is already enrolled in Intune. However, some contents may be applicable vice versa.


Analyzing issues

Prerequisites

  • Intune role that has at least read access to profiles and devices (Learn more)
  • Access to the device (optional because you can also request a log upload from the Intune portal)

Top sources

  • Intune portal - see applied profiles and apps to devices & users
  • Diagnostics and MDMDiagnostics - see all diagnostics data from the MDM channel
  • IntuneManagementExtension log files - IME is the component that is responsible for PowerShell scripts, apps and compliance state from Intune on the end device
  • Event viewer - most of the relevant events are displayed here, especially if you don't know where to look in particular
  • Registry - is always the last point to verify settings

Troubleshooting flow

For any conventional issues between Intune (admin perspective) and the Windows device (user perspective), I would proceed like this:

[Figure: troubleshooting process]

Intune portal

The Intune portal is key for an IT admin to check and understand the state of an end device. There are three main ways to analyze it:

  • From the content side (from a profile, app and so on), where you can see:
    • Device assignment status
    • User assignment status
    • Per-setting status
    Example:

[Screenshots: assignment status, settings catalog report]

ℹ️
Here I recommend checking the last check-in time, to see whether the newest changes to a content item have arrived on the device.
  • From the device perspective, where you can see all contents that were applied to the device
    Example:
    [Screenshot: device status]

  • The Troubleshooting + support section, where you can search for a user to see all of their devices and their content status
    Example:
    [Screenshot: Troubleshooting + support]

Diagnostics and MDMDiagnostics

Generally, if you are looking for a particular setting that may not be applied or doesn't work as expected, I recommend this method.

Open a cmd and type:

MDMDiagnosticsTool.exe -out c:\temp

[Screenshot: MDMDiagnosticsTool output folder]

Contents:

  • Export from the most relevant event viewer locations
  • MDMDiagReport (can also be generated from Windows Settings app>Access work or school, Info>Create report)
  • Verbose .xml file that contains all sync data

I usually go for the MDMDiagReport html file for troubleshooting.

Diagnostics

From the Intune portal you can select any device and Collect diagnostics. After a few minutes the diagnostics will be uploaded on the left side under Device diagnostics, where you can then download the package. The package contains most relevant data: (see all from the official docs)

  • Registry
  • Commands and outputs
  • Event viewer
  • Files

[Screenshot: Device diagnostics]

IntuneManagementExtension log

The Intune Management Extension log is mainly the place to find app install events, but also PowerShell script (also called management script) and Proactive Remediation (also called health script) events. The amount of entries can be quite overwhelming, so focus on the yellow and red marked events and investigate the entries before and after them.

C:\ProgramData\Microsoft\IntuneManagementExtension\Logs  
ℹ️
I recommend using CMTrace to open and view the log file.
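As an added example (not code from the original post), here is a small PowerShell parser for the CMTrace line format that the IME log files use, plus a helper that lists warnings and errors together with the entries around them, which is the "look before and after the yellow/red events" step done in code. The log lines are constructed samples and the app id is a placeholder; on a real device you feed in the log file from the path above.

```powershell
# Added example, not code from the original post: parse CMTrace-formatted
# IME log lines and surface warnings/errors with their surrounding entries.
# The lines below are constructed samples; APPID-PLACEHOLDER is not a real id.

$SampleLog = @'
<![LOG[[Win32App] Detection for app APPID-PLACEHOLDER returned: not installed]LOG]!><time="10:00:01.000+000" date="01-02-2024" component="IntuneManagementExtension" context="" type="1" thread="5" file="">
<![LOG[[Win32App] Starting installation of APPID-PLACEHOLDER]LOG]!><time="10:00:02.000+000" date="01-02-2024" component="IntuneManagementExtension" context="" type="1" thread="5" file="">
<![LOG[[Win32App] Installer exited with code 1603]LOG]!><time="10:00:40.000+000" date="01-02-2024" component="IntuneManagementExtension" context="" type="2" thread="5" file="">
<![LOG[[Win32App] Installation of APPID-PLACEHOLDER failed]LOG]!><time="10:00:41.000+000" date="01-02-2024" component="IntuneManagementExtension" context="" type="3" thread="5" file="">
<![LOG[[Win32App] Reporting app state to the service]LOG]!><time="10:00:42.000+000" date="01-02-2024" component="IntuneManagementExtension" context="" type="1" thread="5" file="">
'@

function ConvertFrom-CMTraceLog {
    param([string[]]$Lines)
    # type="1" is info, "2" warning, "3" error (the levels CMTrace colours yellow and red)
    $pattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)" date="(?<date>[^"]*)" component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)"'
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern)
        # entries that wrap over several physical lines are skipped by this simple parser
        if (-not $m.Success) { continue }
        $level = switch ($m.Groups['type'].Value) { '2' { 'Warning' } '3' { 'Error' } default { 'Info' } }
        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['comp'].Value
            Level     = $level
            Message   = $m.Groups['msg'].Value
        }
    }
}

function Find-IMELogProblems {
    param([object[]]$Entries, [int]$Context = 2)
    # Print every warning/error with $Context entries before and after it
    for ($i = 0; $i -lt $Entries.Count; $i++) {
        if ($Entries[$i].Level -eq 'Info') { continue }
        $from = [Math]::Max(0, $i - $Context)
        $to   = [Math]::Min($Entries.Count - 1, $i + $Context)
        "--- $($Entries[$i].Level) at $($Entries[$i].Date) $($Entries[$i].Time): $($Entries[$i].Message)"
        foreach ($e in $Entries[$from..$to]) { '    [{0,-7}] {1}' -f $e.Level, $e.Message }
    }
}

# Run against the constructed sample
$entries = @(ConvertFrom-CMTraceLog -Lines ($SampleLog -split "`r?`n"))
Find-IMELogProblems -Entries $entries -Context 1

# On a real device, read the current IME log instead:
# $entries = @(ConvertFrom-CMTraceLog -Lines (Get-Content 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'))
```

The parser deliberately keeps one entry per physical line; CMTrace viewers handle entries that wrap across lines, this helper does not, so use it to locate the problem area quickly and then open the file in CMTrace for the full detail.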

Event viewer

The event viewer is always a good spot to search for any data and events that occurred on the system. The Intune-related log shows device issues and verbose information about the management exchange between Intune/Azure AD and Windows.

Applications and Services Logs>Microsoft>Windows>DeviceManagement-Enterprise-Diagnostics-Provider

[Screenshot: Event viewer]

ℹ️
Filter the log for Critical, Error and Warning level to find relevant events faster.
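The same Critical/Error/Warning filter can be applied from PowerShell, which is handy when you collected logs from several devices or want to count repeated failures. This is an added example, not code from the original post; it queries the Admin channel of the provider named above with Get-WinEvent, and the 'Update' search term in the last line is just a placeholder for whatever setting you are chasing.

```powershell
# Added example, not code from the original post: pull Critical/Error/Warning
# events from the DeviceManagement-Enterprise-Diagnostics-Provider Admin log
# and group them by event id so repeated failures stand out.
function Get-IntuneMdmEvents {
    param(
        [int]$Hours = 24,
        [int[]]$Levels = @(1, 2, 3)   # 1 = Critical, 2 = Error, 3 = Warning
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level     = $Levels
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events"
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

$events = @(Get-IntuneMdmEvents -Hours 48)

# Most frequent event ids first, with one sample message each
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Sample'; e = { $_.Group[0].Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize -Wrap

# Narrow down to a specific setting or CSP name ('Update' is a placeholder)
$events | Where-Object { $_.Message -match 'Update' } |
    Format-List TimeCreated, Id, LevelDisplayName, Message
```

Event messages in this log usually carry the OMA-URI of the failing setting and a result code, so matching on the policy area name is the fastest way from a "not applied" report in the portal to the concrete event on the device.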

Registry

I asked ChatGPT for the registry paths that Intune has a relation to. It returned:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\user

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
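The first path listed above is where the MDM client writes the policies it has applied, one subkey per CSP area. As an added example (not from the original post), the helper below enumerates those values and looks a single policy up; the area and policy names in the usage lines are placeholders, not real CSP names, and the layout of the user scope is an assumption noted in the code.

```powershell
# Added example, not code from the original post: read the MDM policies that
# PolicyManager has applied and look one up by area/policy name.
function Get-AppliedMdmPolicy {
    param(
        # subkey under ...\PolicyManager\current; assumption: per-user policies may
        # live under a SID-named subkey rather than 'user', check with Get-ChildItem
        [string]$Scope  = 'device',
        [string]$Area   = '*',        # CSP area, i.e. the part after ./Device/Vendor/MSFT/Policy/Config/
        [string]$Policy = '*'
    )
    $root = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\$Scope"
    if (-not (Test-Path $root)) { Write-Warning "$root not found (device not MDM-enrolled?)"; return }
    # provider metadata that Get-ItemProperty adds to every object
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($areaKey in Get-ChildItem -Path $root | Where-Object PSChildName -like $Area) {
        $props = Get-ItemProperty -Path $areaKey.PSPath
        $names = $props.PSObject.Properties.Name |
            Where-Object { $_ -notin $meta -and $_ -notmatch '_(ProviderSet|WinningProvider)$' -and $_ -like $Policy }
        foreach ($n in $names) {
            [pscustomobject]@{
                Area            = $areaKey.PSChildName
                Policy          = $n
                Value           = $props.$n
                # companion value naming the enrollment/provider that set the policy
                # (assumption: present for policies delivered through an enrollment)
                WinningProvider = $props."${n}_WinningProvider"
            }
        }
    }
}

# Everything that is currently applied, then a single policy (placeholder names)
Get-AppliedMdmPolicy | Sort-Object Area, Policy | Format-Table -AutoSize
Get-AppliedMdmPolicy -Area 'AREA-PLACEHOLDER' -Policy 'POLICY-PLACEHOLDER'
```

Comparing the Value column with what the profile in the portal defines tells you whether the setting never reached the device (no value at all) or arrived but is being overridden by another source (value present, different WinningProvider).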

More information / field notes

  • Windows endpoints sync every 3 minutes for 15 minutes, then every 15 minutes for 2 hours (after enrollment), and then around every 8 hours (More information). This is implemented with a scheduled task:

[Screenshot: sync schedule scheduled task]

  • Every device must have an Intune MDM device certificate - Read more
  • Speedup / troubleshoot Proactive Remediation
  • If you are looking for Edge settings, open Edge and type edge://policy in the address bar to see the applied policies
  • At the log location of IntuneManagementExtension you can also find:
    • AgentExecutor - PowerShell or Proactive Remediation logs
    • ClientHealth - client and IME health evaluation
    • Retired IME logs - there are more log files that include the date in the name, these are retired
    • Sensor
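To see the sync cadence from the field notes above on an actual device, and to force a sync when you do not want to wait for the next interval, the following added example (not code from the original post) reads the enrollment client's scheduled tasks and their last/next run times. The task name 'PushLaunch' used to trigger a sync and the service name used to restart the IME are assumptions stated in the comments; run it in an elevated PowerShell.

```powershell
# Added example, not code from the original post: inspect the scheduled tasks
# that drive the MDM sync cadence, trigger a sync, and restart the IME service.

function Get-MdmSyncSchedule {
    # Each enrollment gets its own folder (GUID) under EnterpriseMgmt
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' | ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Enrollment  = ($_.TaskPath -split '\\')[-2]
            Task        = $_.TaskName
            State       = $_.State
            LastRunTime = $info.LastRunTime
            LastResult  = '0x{0:X}' -f $info.LastTaskResult   # 0x0 means the last sync session ran cleanly
            NextRunTime = $info.NextRunTime
        }
    }
}

function Start-MdmSync {
    # Assumption: the 'PushLaunch' task in the enrollment folder starts an MDM session immediately
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -TaskName 'PushLaunch' |
        Start-ScheduledTask
}

function Restart-IntuneManagementExtension {
    # Assumption: the service is named 'IntuneManagementExtension'; restarting it makes the
    # IME re-evaluate assigned PowerShell scripts and Proactive Remediation packages
    Restart-Service -Name 'IntuneManagementExtension' -Force
}

Get-MdmSyncSchedule | Sort-Object Enrollment, Task | Format-Table -AutoSize
# Start-MdmSync
# Restart-IntuneManagementExtension
```

A LastResult other than 0x0 on the sync tasks, or a NextRunTime in the past, is a quick indicator that the schedule itself is broken rather than a single profile; in that case the Event viewer and MDMDiagReport sections above are the next stop.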
