Troubleshooting in an Intune environment can be challenging, as it is often unclear where to find the right logs and information. In this blog post, I will guide you through a troubleshooting process, providing useful tips for each component. While not a deep dive, these handy tips and tricks will help set you on the right path.
Service health and message Center.
Let’s start from the beginning. If one day, enrollment suddenly stops working without any apparent changes, it’s always wise to check the Service health and message Center.
- Open https://intune.microsoft.com
- Go to Tenant Administration and open Service health and message Center
Autopilot Enrollment
When the Autopilot installation fails, you’ll encounter a prominent error on the screen. In many cases, you can identify the step in the ESP (Enrollment Status Page) where the installation failed, but not always the specific reason. From experience, most issues arise during the installation of applications and the execution of PowerShell scripts. Applications usually prompt an error message on the screen, although it may not provide details about which application failed and the reason behind the failure. While PowerShell scripts are executed in the ESP, there is no visible feedback.
The easiest step to take in the event of a failed installation is to run the ‘Get-AutopilotDiagnostics‘ script. Follow these steps:
- Open the command prompt during OOBE by pressing Shift + F10 on the relevant workstation
- Launch PowerShell with the command ‘powershell.exe‘
- Execute the following commands and login with sufficient privileges, such as a global administrator
Set-executionpolicy bypass
Install-script Get-AutopilotDiagnosticsGet-AutopilotDiagnostics -Online
You will now receive a comprehensive overview of everything that occurred during the Autopilot installation, including a timeline. In this display, you can see in more detail what went wrong. However, PowerShell scripts are not visible in this interface.
As I mentioned earlier, issues often arise in practice with applications or Powershell-scripts. The application may fail to install or be detected. It is crucial to test application packages before adding them to Intune. On my downloads page, you will find a link IntuneWinApp Run in Sandbox to a helpful GitHub repository. With that script, it is possible to test a packaged application directly in a Windows Sandbox.
When a PowerShell script fails during installation, it’s not easily apparent, as this information is not readily visible in the Autopilot diagnostics logging. Delving into the logs is necessary to identify the issue. In the Client-Side Logging section, I will explain which logs are particularly useful for troubleshooting.
Application Logging
While the application itself doesn’t generate logs, and Intune provides feedback only on the success or failure of the installation, there are various logs available to monitor background downloads and installations. However, the behavior and installation errors of each application differ. I recommend enabling advanced logging for each application in its installation parameters. Now, the question arises: what would be a convenient location to store these logs?
We can simplify this. It’s possible to collect log files through the Intune portal (more details to follow). The workstation then creates a zip file from the $env:ProgramData\Microsoft\IntuneManagementExtension\Logs\ folder. Therefore, it is advisable to route all logging to this location. This way, remote access becomes straightforward, eliminating the need to take control of the workstation (remotely).
Clientside Logging
The logging on the workstation is located in various places. You can find some information in the registry, the Event Viewer, or files on the local disk. The easiest option is to run MDMDiagnosticsTool.exe on a workstation. This tool gathers all information, making it an easy and effective way to collect data.
Multiple areas can be requested. Check the tool documentation to identify them. In this example, I’m retrieving data for all available areas. Let’s run the tool on a workstation and see what happens.
MDMDiagnosticsTool.exe -area Autopilot;DeviceEnrollment;DeviceProvisioning;Tpm -cab c:\temp\Logs.cab
By filling in all available areas, we’ve generated a large number of logs. To manage this, you can use the ‘-area’ parameter for more specific results. By the way, here’s a fun fact: I have a script that installs fonts, and its logging is saved in the $env:ProgramData\Microsoft\IntuneManagementExtension\Logs\ folder. As you can see, this logging is now also being collected with the MDMDiagnosticstools (fonts-install.log).
The log files that I use the most are;
| IntuneManagementExtension.log | Is the primary log, encompassing all agent check-ins, requests, and policy processing details |
| AgentExecutor.log | Provides details about task execution, status updates and error messages |
| Microsoft-Windows-ModernDeployment-Diagnostics-Provider.evtx | EventLog provides information about the deployment process |
| Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider.evtx | EventLog provides information about the Autopilot deployment process |
The log files can be challenging to read in a simple text editor. Personally, I always use CMTrace for log file analysis. I’ve kept this tool from my SCCM days. You can find a link to CMTrace on my downloads page.
Intune Logging
Within Intune, there are various options for troubleshooting, like the report section where you can generate a report for a specific component.
But you can also search for the respective device and Collect diagnostics
The log files can be downloaded within a few minutes under Device diagnostics
In the download, you will find all log files
In the folder ‘(64) FoldersFiles ProgramData_Microsoft_IntuneManagementExtension_Logs‘, you will find the logs I mentioned above.
I hope you can make further progress with these helpful tips and tricks.
Thank you for taking the time to read my blog. Kindly share it with others if you find it helpful!