So I heard from colleagues and customers when running Windows 10 and Microsoft Intune it is hard to know when things apply, and if it is possible to push the limits during testing phase. Basic troubleshooting steps
I will with this post guide you thru some simple steps to make you, as an impatient IT Pro, run your tests with Intune and Windows 10 start faster, and some simple troubleshooting steps.
First Microsoft Intune and Windows 10 have to parts that you need to know about here. The first part is the Windows 10 built-in MDM functionality and the other part is the Intune Management Extension.
Windows 10 built-in MDM
This handles all policies (CSPs) and app installations, such as Microsoft Store and MSI installations.
Synchronizations/Check-in intervals are
- When a policy or app is deployed, Intune will try to notify the Windows 10 device to check-in within 5 minutes, if the first try fails it will try additional 3 times
- After enrollment: Every 3 minutes for 30 minutes, and then every 8 hours
- Every 8 hours the device will check in to make sure it is up to date
- You can also trigger the sync from Settings or Company Portal
Find the Sync button in Company Portal or in Settings > Accounts > Access work or school, hit your enrolled work or school, hit Info and then the Sync button
Logs can be found in various places
- Misc Event Logs for Intune and Azure AD
- \Microsoft\Windows\Workplace Join
- \Microsoft\Windows\AAD
- \Microsoft\Windows\DeviceManagement-Enterprise-Diagnostics-Provider
- \Microsoft\Windows\SettingsSync | SettingsSync-Azure | SettingsSync-OneDrive
- \Microsoft\Windows\EnterpriseMgmt
- Diagnostic logs
- In Settings > Accounts > Access work or school, press “Export your management log files”
- Company Portal
- MDM log files
- %WinDir%\System32\Config\SystemProfile\AppData\Local\mdm
- MSI Deployments, assigned to Devices
- HKLM\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement\S-0-0-00-0000000000-00000000000-00000000000-0000000000-00\MSI\
- If MSI logging is enabled: %WinDir%\temp\<MSIProductID>.msi.log
- HKLM\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement\S-0-0-00-0000000000-00000000000-00000000000-0000000000-00\MSI\
- MSI Deployments, assigned to Users
- HKLM\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement\<User SID>\MSI\
- If MSI logging is enabled: %Temp%\<MSIProductID>.msi.log
- HKLM\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement\<User SID>\MSI\
You can use this PowerShell command to see what the application
Get-WmiObject -Class Win32_Product -Filter “IdentifyingNumber ='{0C453F4B-C388-49D5-B4CC-8926713B9EEB}’”
Regarding application deployments, look at Status and LastError in the registry and use the conversion table below
| 70 | Successfully installed/uninstalled |
| 10 | Initialized |
| 20 | DownloadInProgress |
| 25 | PendingDownloadRetry |
| 30 | DownloadFailed |
| 40 | DownloadCompleted |
| 48 | PendingUserSession |
| 50 | EnforcementInProgress |
| 55 | PendingEnforcementRetry |
| 60 | EnforcementFailed |
| 70 | EnforcementCompleted |
Intune Management Extension
In contrary with the built-in MDM feature above this is an Intune feature that cannot be utilized by 3rd party MDM providers. When the computer is joined into Azure AD and enrolled into Intune the Intune Management Extension will automatically be installed by an MSI. Therefore this is handled a bit different.
The Extension will synchronize with Intune once every hour, and if you need to start your PowerShell script immediately you can either wait an hour or restart the Microsoft Intune Extension Service either from
- the MMC console, Services
- PowerShell
- Restart-Service IntuneManagementExtension
- Command Prompt
- Net Stop IntuneManagementExtension && Net Start IntuneManagementExtension
When a new script is deployed this is the sequence
- Script will be downloaded to the folder %ProgramFiles(x86)%\Microsoft Intune Extension\Policies\Scripts
- The script will run and store the results in %ProgramFiles(x86)%\Microsoft Intune Extension\Policies\Results
- When the script has run the above files will be cleaned up, so you will not find the scripts in a cache when run. You will find the whole content of the script in the log file described below
- For each user it will store information in the registry, if you need to rerun a script for a user, remove the registry item for the script ID
- HKLM\Software\Microsoft\IntuneManagementExtension\<User AAD ID>\<Script ID>
- HKLM\Software\Microsoft\IntuneManagementExtension\<User AAD ID>\<Script ID>
Please note the requirements for executing PowerShell script:
- Size must be equal or smaller than 10 Kb (ASCII) or 5 Kb (Unicode)
- Can be assigned to users or groups where users are a member of (not devices)
- Will execute either within the user context or System (SID: S-1-5-18) context
Every one and a while the Intune Management Extension will do a self healing process, this is managed by a Scheduled Task
Log files can be found in %ProgramData%\Microsoft\IntuneManagementExtension\logs
- AgentExecutor.log
- Information about the script execution
- ClientHealth.log
- Client health
- IntuneManagementExtension.log
- Information about check-in, downloading scripts etc.
Don’t forget the Azure Portal monitoring functionality
- In the Azure Portal enter Intune blade
- Choose Device configuration, choose Manage and PowerShell scripts
- On the PowerShell blade, select the script, choose Monitor, and one of the following reports: Device status or User Status
References
Manage Settings and features on your devices with Microsoft Intune policies (Check-in intervals)
DeployWindows 
Leave a comment