Want to master troubleshooting with Intune and Windows 10?

Posted by

So I heard from colleagues and customers when running Windows 10 and Microsoft Intune it is hard to know when things apply, and if it is possible to push the limits during testing phase. Basic troubleshooting steps

I will with this post guide you thru some simple steps to make you, as an impatient IT Pro, run your tests with Intune and Windows 10 start faster, and some simple troubleshooting steps.

First Microsoft Intune and Windows 10 have to parts that you need to know about here. The first part is the Windows 10 built-in MDM functionality and the other part is the Intune Management Extension.

Windows 10 built-in MDM

This handles all policies (CSPs) and app installations, such as Microsoft Store and MSI installations.

Synchronizations/Check-in intervals are

  • When a policy or app is deployed, Intune will try to notify the Windows 10 device to check-in within 5 minutes, if the first try fails it will try additional 3 times
  • After enrollment: Every 3 minutes for 30 minutes, and then every 8 hours
  • Every 8 hours the device will check in to make sure it is up to date
  • You can also trigger the sync from Settings or Company Portal

Find the Sync button in Company Portal or in Settings > Accounts > Access work or school, hit your enrolled work or school, hit Info and then the Sync button

Intune-Info-Button Intune-Sync-Button

Logs can be found in various places

  • Misc Event Logs for Intune and Azure AD
    • \Microsoft\Windows\Workplace Join
    • \Microsoft\Windows\AAD
    • \Microsoft\Windows\DeviceManagement-Enterprise-Diagnostics-Provider
    • \Microsoft\Windows\SettingsSync | SettingsSync-Azure | SettingsSync-OneDrive
    • \Microsoft\Windows\EnterpriseMgmt
  • Diagnostic logs
    • In Settings > Accounts > Access work or school, press “Export your management log files”
  • Company Portal
  • MDM log files
    • %WinDir%\System32\Config\SystemProfile\AppData\Local\mdm
  • MSI Deployments, assigned to Devices
    • HKLM\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement\S-0-0-00-0000000000-00000000000-00000000000-0000000000-00\MSI\
      Registry device assigned app
    • If MSI logging is enabled: %WinDir%\temp\<MSIProductID>.msi.log
  • MSI Deployments, assigned to Users
    • HKLM\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement\<User SID>\MSI\
      2018-01-11 110505
    • If MSI logging is enabled: %Temp%\<MSIProductID>.msi.log

You can use this PowerShell command to see what the application

Get-WmiObject -Class Win32_Product -Filter “IdentifyingNumber ='{0C453F4B-C388-49D5-B4CC-8926713B9EEB}'”
2018-01-11 113939.png

Regarding application deployments, look at Status and LastError in the registry and use the conversion table below

70 Successfully installed/uninstalled
10 Initialized
20 DownloadInProgress
25 PendingDownloadRetry
30 DownloadFailed
40 DownloadCompleted
48 PendingUserSession
50 EnforcementInProgress
55 PendingEnforcementRetry
60 EnforcementFailed
70 EnforcementCompleted


Intune Management Extension

In contrary with the built-in MDM feature above this is an Intune feature that cannot be utilized by 3rd party MDM providers. When the computer is joined into Azure AD and enrolled into Intune the Intune Management Extension will automatically be installed by an MSI. Therefore this is handled a bit different.

The Extension will synchronize with Intune once every hour, and if you need to start your PowerShell script immediately you can either wait an hour or restart the Microsoft Intune Extension Service either from

  • the MMC console, Services
    2018-01-11 111010
  • PowerShell
    • Restart-Service IntuneManagementExtension
  • Command Prompt
    • Net Stop IntuneManagementExtension && Net Start IntuneManagementExtension

When a new script is deployed this is the sequence

  • Script will be downloaded to the folder %ProgramFiles(x86)%\Microsoft Intune Extension\Policies\Scripts
  • The script will run and store the results in %ProgramFiles(x86)%\Microsoft Intune Extension\Policies\Results
  • When the script has run the above files will be cleaned up, so you will not find the scripts in a cache when run. You will find the whole content of the script in the log file described below
  • For each user it will store information in the registry, if you need to rerun a script for a user, remove the registry item for the script ID
    • HKLM\Software\Microsoft\IntuneManagementExtension\<User AAD ID>\<Script ID>
      2018-01-11 112828

Please note the requirements for executing PowerShell script:

  • Size must be equal or smaller than 10 Kb (ASCII) or 5 Kb (Unicode)
  • Can be assigned to users or groups where users are a member of (not devices)
  • Will execute either within the user context or System (SID: S-1-5-18) context

Every one and a while the Intune Management Extension will do a self healing process, this is managed by a Scheduled Task

2018-01-11 114242

Log files can be found in %ProgramData%\Microsoft\IntuneManagementExtension\logs

  • AgentExecutor.log
    • Information about the script execution
  • ClientHealth.log
    • Client health
  • IntuneManagementExtension.log
    • Information about check-in, downloading scripts etc.

Don’t forget the Azure Portal monitoring functionality

  1. In the Azure Portal enter Intune blade
  2. Choose Device configuration, choose Manage and PowerShell scripts
  3. On the PowerShell blade, select the script, choose Monitor, and one of the following reports: Device status or User Status



Manage Settings and features on your devices with Microsoft Intune policies (Check-in intervals)


One comment

Leave a comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.