Troubleshooting Intune Issues on Windows 10 / Windows 11

This post will brief you about the options available to validate policy deployment from Intune and collect the logs for diagnostics.

How to Validate Intune Policies Status

The “Access to work or school” page in Windows 10 settings contains useful information about Intune policies. This can be the first place to quickly check if required policies have been applied to the device. As you can see in the below screenshot, the Policies section lists all policies currently managed by an organization. Similarly, the Application section lists all applications that are currently managed by an organization.

If you do not see the expected policies/applications applied then you can check the Sync status on the same page. You can force sync as well from here.

You can also generate a diagnostics report in HTML format using the “Create report” button (see the above screenshot). Here are the complete steps.

• Go to Settings > Access Work and School
• Select Tenant <Tenant>’s Azure AD > and click on Info
• Scroll down to the bottom and click on Create report

The report will be saved to:

C:\Users\Public\Public Documents\MDMDiagnostics\MDMDiagReport.html

Generate detailed diagnostics report

The detailed MDM diagnostics report can also generated from the “Access work or school” page. You can find the Export your management log files link under “Related settings”. If the window is maximized then you can find this option at the top right side of the screen.

The report will be generated to a cab file (MDMDiagReport.cab) in C:\Users\Public\Documents\MDMDiagnostics folder.

Collect diagnostics log from Intune Admin Center

The diagnostics logs can be collected from the Endpoint Manager Admin Center by the below steps. These logs include MDM, MECM Client, Autopilot, Registry keys, Event viewers logs, networking, and other important logs useful for troubleshooting.

• Go to Devices and select Device
• From the Overview menu select “Collect diagnostics”.
• Click Yes on the confirmation prompt

The log collection process will take some time. You can monitor the status from Devices | <Device Name> | Device diagnostics (preview). Once the log collection process is completed, you will see an option to download the logs.

The log files will be organized in different folders named as numbers (1,2,3….) which contain the details mentioned above.

The “result.xml” file in the root folder will have details of the information collected by the diagnostics tool. Please check Microsoft documentation to know more about the data collected by the diagnostics tool.

Intune Management Extension

The Intune management extension supplements the in-box Windows 10 MDM features. It allows Microsoft Intune to run the PowerShell scripts on Windows 10 devices.

The IME runs as a service called “Microsoft Intune Management Extension”. The service name is IntuneManagementExtension.

IME logs are located in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs folder. You can use CMTrace.exe to view these logs.

• AgentExecutor
• ClientHealth
• IntuneManagementExtension

The full content of the script is logged in the IntuneManagementExtension log which can be useful in troubleshooting.

Related Posts

• Win32 App Deployment failed with error code 0x80070643
• Win32 App Deployment Failed with Error 0x87D1041C
• Win32 App Deployment failed with error 0x87D300C9
• Win32 App failed with error code 0x80070653
• That account info didn’t work – error when disconnecting Windows 10 / 11 Work or School account
• Intune – Windows 10 MDM- Basic troubleshooting
• Deploying Microsoft 365 Apps Stuck in Downloading in Company Portal
• Windows 10 / 11 Operating System Build Versions
• MDM Enroll: Device Credential, Failed (Unknown Win32 Error code : 0xcaa9001f
• Microsoft Endpoint Manager: Error Code Reference
• Intune Bulk Enrollment with Provisional Package failed Error 0xCAA2000C
• How to Fix Intune Win32 App Deployment Error 0x87D30006