Windows 10 MDM issues and troubleshooting are pretty new for SCCM admins like me! So what is the importance of Windows 10 MDM? When you are using Intune or SCCM + Intune hybrid to manage Windows 10 machines then all the management policies are deployed through MDM channel. Will these MDM management policies replace group policies? Well, that is another discussion all together. For example, an Intune policy is deployed to a Windows 10 machine but it’s not getting applied on Windows machine then how do we start troubleshooting? First of all we need to understand Windows 10 management architecture. Following is the high-level architecture diagram for Windows 10 management. Windows 10 MDM issues troubleshooting will be easy if we understand this high-level architecture.
There could be many ways to troubleshoot Windows 10 MDM issues while using Microsoft Intune to deploy policies to those devices. In this post, I’m going to share the 3 easy ways to start the MDM troubleshooting. Yes, it’s different from SCCM/ConfigMgr client way of troubleshooting as there is no log files for MDM client. MDM client is in build with Windows 10 operating system and events logs are the best place to start the troubleshooting of Windows 10 MDM issues. The 3rd way mentioned in this post is the very easy for me and IT Pros to understand and start Windows 10 MDM troubleshooting. I have created a video to explain the troubleshooting tips as you can see above.
Event Logs :- Microsoft->Windows->DeviceManagement-> Enterprise-Diagnostics-Provider/Admin
Event logs in Window 10 machines are the best place to start troubleshooting for MDM related issues. As you can see in the below screen capture, you could be able to see where to go in events logs (Microsoft->Windows->DeviceManagement->Enterprise-Diagnostics-Provider/Admin) to see the details of the MDM and Device Management related issues. When the machine is Workplace Joined or AAD joined then all the events related to Intune/SCCM policies are recorded in “this” event log section. AAD event logs are also very useful in this windows 10 MDM issues and you can checkout the following location for AAD related event logs “Microsoft-Windows-AAD/ Operational“. The event logs are the best place to start the Windows 10 MDM issues troubleshooting. You will get the detailed status of Intune or SCCM hybrid policies from event logs. Each entry in those event logs will tell you whether the deployed policies are reached and applied on that machine or not. There is also way to export the MDM log files to the folder “C:\Users\Public\Documents\MDMDiagnostics” from Windows 10 settings – connect to work or school page.
WMI Explorer way of checking whether the policy settings are applied or not :-
WMI Explorer is the best tool to check the MDM policies to confirm whether those settings are applied on windows 10 system or not. As you can see in the following screen capture, this is the way to check whether MDM policy are correctly applied to a Windows 10 machine. I have deployed Windows Defender policy from Intune to this Windows 10 machine, you can use WMI explorer to find out whether these policies are applied on the machine or not. Again, when you start troubleshooting the best place to start with is event logs. We can also check this via WBEMTEST but we may need to start WBEMTEST from system context to see the policy details. WMI Explorer is the best place to check and confirm whether the MDM policies (from Intune or SCCM) has been applied to a machine.
Registry way of checking Windows 10 MDM Policy settings :-
The 3rd and easiest way to check whether the MDM policies are applied to a Windows 10 machine is registry key. Following is the registry location where you can find MDM policy settings which you want to check for MDM policy settings on Windows 10 machine is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers In this below screen capture, you can see the Windows Defender settings which I applied to Windows 10 machines through Intune policies. Only caveat of this method is we need to find out a way to decode each provider GUID (CLSID Key?) related to MDM policies. Following are some of the extracts from my Windows 10 machine:-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\18dcffd4-37d6-4bc6-87e0-4266fdbb8e49 - Power Policy Settings Buttons HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\1e05dd5d-a022-46c5-963c-b20de341170f - Power Policy Controls Energy HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\23cb517f-5073-4e96-a202-7fe6122a2271 - Power Policy Settings Disaplay HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\2648BF76-DA4B-409A-BFFA-6AF111C298A5 - ? HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\268c43e1-aa2b-4036-86ef-8cda98a0c2fe - ? Power Policy Settings PCI Express HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\2AB668F3-6D58-4030-9967-0E5358B1B78B - Microsoft Intune MDM Policy Settings - Account, Bitlocker, Connectivity, Data Protection, Defender, Device Lock, Experience, Network Isolation, Security, System, update and WiFi HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\C8DC8AF6-2A7D-4195-BA77-0A4DAC2C05A4 - Microsoft Intune/SCCM MDM policy settings - Browser, Camera, Connectivity, Device Lock, Security, Systems and Wifi
All credits to Janani Vasudevan for Architecture diagram here
Download WMI Explorer here
Windows 10 MDM and the MDM Bridge WMI Provider by Peter van der Woude here
Diagnose MDM failures in Windows 10 here, Getting Resultant Settings (aka GPResult for MDM) here and How to start troubleshooting for Intune and MDM here