Intune Management Extension Level 3 Troubleshooting Guide Intune win32 App


Hi I’m Joymalya Basu Roy, currently associated with a reputed MNC in the position of UEM Consultant. I’m an ex-MSFT and my primary technical domain relates to the cloud MDM and MAM solution from Microsoft – Microsoft Intune.


In my first post, I’m going to do a deep dive into the Intune Management Extension (IME, aka the sidecar agent) and try to relate the errors we most often encounter with Win32 deployments (Intune application model) to the app processing phases within IME.

Introduction

When we deploy a Win32 app, it most likely comes back with one error or another on some devices, even though it reports success for the majority of the deployment group. In this post I will be talking about the errors that I have encountered with Intune Win32 app deployments.

Also, you will learn how to relate those errors to the phase of the IME app processing cycle with the help of the IME log, IntuneManagementExtension.log, available at ProgramData\Microsoft\IntuneManagementExtension\Logs.

  • (0x80070004)
  • (0x8007026B)
  • Access is denied. (0x80070005)
  • Error downloading content. (0x87D30067)
  • Error unzipping downloaded content. (0x87D30065)
  • Failed to retrieve content information. (0x87D30065)
  • The application was not detected after installation completed successfully. (0x87D1041C)
  • The content delivery network used for downloading application content timed out. (0x87D3006A)
  • The system cannot find the file specified. (0x80070002)
  • The unmonitored process is in progress, however it may timeout. (0x87D300C9)
  • The user logged off while the app policy was being processed. (0x87D300CD)
  • Unknown (0x87D30000)

However, the above error list is not exhaustive and there is a good chance that you will see a different error. The aim is to help you relate each error to the phase it comes from and determine the cause.

Intune Management Extension win32 app Processing Phases

Intune Management Extension Win32 App Processing Phases are explained in the following list and diagram.

  • Polling Phase Start
  • Retrieve Content Metadata
  • Pre-Install Detection
  • Applicability
  • Extended Requirements
  • Download
  • Integrity Check and Unzip
  • Installation
  • Post-Install Detection
  • Set Compliance
  • Report Status
  • Polling Phase

The Intune Management Extension (IME), aka the SideCar agent, handles a Win32 app deployment in the phases shown above, and the process is cyclic in nature.

A Win32 app deployment is considered Success if IME completes the entire cycle of phases for that app processing.

There is already an excellent blog post by Vimal Das explaining how to trace the IME log as part of troubleshooting, and I would encourage you to read that first if you are not yet acquainted with it.

Pre-knowledge: Behind .intunewin app package

Let’s find out how to convert MSI packages to IntuneWin packages. More details are available in “How To Make IntuneWin Package Conversion Easy?”.

IntuneWin Package Creation – Intune Management Extension (IME)
  • You need to have your executable file, the installer and uninstaller scripts in a folder which is provided to the tool as Source Folder
  • You next specify the executable file
  • You then specify the Output path

What does the IntuneWinAppUtil tool do?

  • Creates a folder named IntuneWinPackage in the specified Output folder.
  • Compresses the contents of the specified Source folder to create a .intunewin file and encrypts it using the SHA256 algorithm.
  • Creates a subfolder named Contents under the IntuneWinPackage folder to store the compressed and encrypted file (.intunewin).
  • Stores the encryption info in a Detection.xml file, which is created in another subfolder of the IntuneWinPackage folder named Metadata.
  • Compresses the IntuneWinPackage folder as a whole to create the final outcome, a .intunewin package.
IntuneWin Package – Intune Management Extension (IME)

NOTE – Do you want to learn more about Intune Application package model? How to create Intune Application Model? More details – Intune Application Model Deployment Guide.

Intune Win32 App Deployment Background

As we create the application in Intune, what happens in background? You can see the high-level steps below:

  • The .intunewin app package gets uploaded to the Azure Storage account of the tenant
  • Intune decompresses the package to retrieve the Detection.xml from the Metadata folder of the IntuneWinPackage as obtained
  • The actual app content which is present as an encrypted .intunewin within the Contents folder is submitted to the CDN
  • The decryption info (as retrieved from Detection.xml) is tagged to the app

When a request for the app comes in (in the case of an Available deployment), or when it is deployed as Required, the download URL of the encrypted .intunewin is delivered to the end device. Intune also sends the decryption info down to the IME so the client can decrypt and unzip the contents.

GET CONTENT INFO FROM SERVICE, RET =
{
  "DOWNLOADURL": "LINK TO CDN",
  "DECRYPTINFO":
}

If you would want to retrieve the source contents from a win32 app package uploaded to Intune, you can check a great blog on the same here by Oliver Kieselbach.

IME SideCar Client Side Background Process

Let’s get started. The working flow of IME, in a nutshell, is given below.

  • SideCar agent initializes.
  • Discovers the Intune endpoint https://fef.msuc##.manage.microsoft.com/SideCar/StatelessSideCarGatewayService
  • Fetches an AAD token by impersonating the logged-in user account.
  • Starts the application polling to query available/required Win32 apps.
  • SideCar agent gets the application policy (detection/applicability/extended requirement check details).
  • SideCar checks if the queried application has any dependencies declared.
  • After the dependency check, if the app is standalone, SideCar will start running the Detection Logic:
    • For MSI product code based detection, SideCar will run a WMI query against the MSI product code defined.
    • For Path based detection, SideCar will traverse the PATH as defined to check for presence.
    • For Registry based detection, SideCar will check the specified reg_path for the presence of the reg_key and its value.
    • For a custom script based detection, SideCar ExecManager will trigger the script and determine the result based on the exit status of the script.
  • Only if the initial detection is determined as False will SideCar check the applicability and extended requirements.
  • If all parameters are satisfied, SideCar will proceed with the download of the package. A corresponding BITS job will be created in Download Manager for it.
  • Once the download job is complete, it will check the package integrity and decrypt the package using the encryption info provided in the content response.
  • IME (sidecar) ExecManager creates the installer process in the Machine/User session based on the app deployment context.
  • After execution of the installer process, IME runs the Detection rules once more to confirm installation.
  • Based on the post-install detection result, IME sets the compliance state and creates the app report to be sent to the service.
  • The report is sent and saved locally to cache, ending the app polling phase.

Detection Method – Win32 App (SideCar agent)

For each Win32 app detected by the SideCar (IME) agent, it relies on the EnterpriseDesktopAppManagement CSP for delivery of the app package and execution on the end device.

As such, some useful information can be tracked from the following registry key: HKLM\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement\<SID>\<MSI-ProductCode>

IntuneWin Package Registry – Intune Management Extension (IME)

Status Codes – Intune Win32 SideCar Agent / Intune Management Extension (IME)

The important information provided here is:

EnforcementRetryCount: The number of times the download and installation operation will be retried before the installation is marked as failed.

EnforcementRetryIndex: The current retry number.

Value = Status

  • 10 = Initialized
  • 20 = Download In Progress
  • 25 = Pending Download Retry
  • 30 = Download Failed
  • 40 = Download Completed
  • 48 = Pending User Session
  • 50 = Enforcement In Progress
  • 55 = Pending Enforcement Retry
  • 60 = Enforcement Failed
  • 70 = Enforcement Completed

As can be seen, the SideCar agent has a pre-defined maximum of 3 attempts: if the app install fails due to a download error, timeout or any other issue on the 1st attempt, it will re-attempt the same 2 more times, after which the Status will be set to 60 – Enforcement Failed.

Once it is marked as failed, GRS (Global Re-evaluation Scheme) kicks in and waits for 24 hours before resetting the retry index counter. Thus if a Required app fails in all 3 attempts, IME waits until GRS resets the retry counter before processing the app again.

If the application is successfully installed, a registry entry gets created under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps\{SID}\{App GUID}

 Intune Management Extension (IME)  - Win32Apps SID
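As an added example (my own, not part of the original post), the following PowerShell reads the enforcement state and the installed-app keys described above and decodes the Status values with the table given here. Function names are my own; the EnterpriseDesktopAppManagement keys are searched recursively because the exact key depth below <SID> is not relied upon.

```powershell
# Added example, not from the original post. Status table is the one given in the post above.
$StatusNames = @{
    10 = 'Initialized';             20 = 'Download In Progress';    25 = 'Pending Download Retry'
    30 = 'Download Failed';         40 = 'Download Completed';      48 = 'Pending User Session'
    50 = 'Enforcement In Progress'; 55 = 'Pending Enforcement Retry'
    60 = 'Enforcement Failed';      70 = 'Enforcement Completed'
}

function Get-IMEEnforcementState {
    # Walks HKLM\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement\<SID>\...\<ProductCode> and
    # reports Status, EnforcementRetryIndex and EnforcementRetryCount for every app key found.
    $root = 'HKLM:\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement'
    if (-not (Test-Path $root)) { return }

    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValueNames() -contains 'Status' } |
        ForEach-Object {
            $status = [int]$_.GetValue('Status')
            $name   = $StatusNames[$status]
            if (-not $name) { $name = 'Undocumented' }

            # The SID is the first path element below the root; the key name is the product code.
            $marker   = 'EnterpriseDesktopAppManagement\'
            $relative = $_.Name.Substring($_.Name.IndexOf($marker) + $marker.Length)

            [pscustomobject]@{
                Sid              = $relative.Split('\')[0]
                ProductCode      = $_.PSChildName
                Status           = $status
                StatusName       = $name
                RetryIndex       = $_.GetValue('EnforcementRetryIndex')
                RetryCount       = $_.GetValue('EnforcementRetryCount')
                # 60 means all retries were used; GRS resets the counter after 24 h (see text above).
                RetriesExhausted = ($status -eq 60)
            }
        }
}

function Get-IMEInstalledWin32Apps {
    # Lists the {SID}\{App GUID} keys that IME writes after a successful install.
    $root = 'HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps'
    if (-not (Test-Path $root)) { return }
    Get-ChildItem -Path $root | Where-Object { $_.PSChildName -like 'S-1-*' } | ForEach-Object {
        $sid = $_.PSChildName
        # Keep only GUID-named subkeys; anything else under the SID is not an app entry.
        Get-ChildItem -Path $_.PSPath | Where-Object { $_.PSChildName -match '[0-9A-Fa-f]{8}-' } |
            ForEach-Object { [pscustomobject]@{ Sid = $sid; AppId = $_.PSChildName } }
    }
}

Get-IMEEnforcementState   | Format-Table -AutoSize
Get-IMEInstalledWin32Apps | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the affected device; a Status of 60 with RetryIndex equal to RetryCount is the state the text describes as waiting on GRS.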

With the above overview, let’s now have a look inside each phase in which IME handles the Win32 application.

IME Win32 SideCar Agent Polling Phase Start

In order for IME to work, it needs to get the token. It fetches the same by querying the current logged on user profile.


With the AAD token, IME then proceeds to the next phase, where it reaches out to the service to get the application policies made available to the user/device.

As you can understand, the most common error in this phase occurs when IME is unable to get the token. In such a case, you can expect to see a log entry like the one below.


Or, if you have AAD joined the device after the OOBE setup from Settings, unless you switch user and log in with your AAD account, you would expect to get this:


Retrieve App Metadata

Once IME has got the token, it checks the current proxy and sends a network request to the service to fetch the Win32 apps (policies).


The result as received is used by IME to get the detection methods, applicability checks and requirements checks as configured for this app.

The error that can occur in this phase is due to network connectivity, resulting in Failed to retrieve content information (0x87D30065).

Pre-Install Detection Check

Detection can be based on Registry path, Product code or File Path, as configured while creating the app in the Intune portal.

Intune Management Extension (IME) - Detection Rule

It can be a custom script as well where the IME will trigger the script and the detection result will be based on the exit status of the script.

Intune Management Extension (IME) - Detection Rules

Errors in this phase are caused by improper detection logic, which will cause IME to skip further processing of the app. A sample error in the log looks like this:


Applicability Check

Intune Management Extension (IME) - Applicability Check

This is when IME processes the settings as specified in the app policy to check if the system meets the requirements.


The error that can occur here is when IME fails to query the requirements, which can be due to generic system issues.

Intune Management Extension (IME) - Exception Timed out

In such cases, it might report back with the error Unknown (0x87D30000). The other common errors you can get are:

  • Device architecture (e.g. x86/amd64) is not applicable for the application.
  • OS version on the target device is less than the configured minimum.

Extended Requirements Check

Intune Management Extension (IME) - Requirements Check

If any additional requirements have been specified for the app, IME checks if the system satisfies them.


Errors in this phase depend on whether IME encounters a System Exception while querying the specified rules or, if a custom script is used for the purpose, on the exit code of the script.


The most common error in this phase would be RegistryRequirementNotMet. In both the Applicability check and the Extended Requirement check, if the specified requirement is not met, you can expect a log entry like this:

Intune Management Extension (IME) - Win32

Download Phase

This is the phase where IME downloads the app package (.intunewin) from the Intune CDN to the device. The download is done to the path C:\Program Files (x86)\Microsoft Intune Management Extension\Content\Incoming.

 Intune Management Extension (IME) - Content info from Intune

Errors in this phase are usually due to the network and the dependency on the BITS service, which handles the download job as created, resulting in errors including but not limited to:

  • Unknown (0x87D30000) – the error which is reported when the last step is defined as success but the current step has no defined output
  • Incorrect function (0x80070001) – generally related to invalid tasks
  • The unmonitored process is in progress, however it may timeout. (0x87D300C9)
  • Error downloading content. (0x87D30068)
  • The content delivery network used for downloading application content timed out. (0x87D3006A)
  • The physical resources of this disk have been exhausted (0x8007013A)

Integrity Check and Unzip the package

After download, the file is moved to the path C:\Program Files (x86)\Microsoft Intune Management Extension\Content\Staging\, where the IME checks the integrity of the downloaded application package.

Intune Management Extension (IME) - Integrity Check

At this point, you can encounter the error The system cannot find the file specified. (0x80070002), which happens due to AV. It is recommended to exclude the locations used by IME from AV monitoring, as it may interfere with the process.

After a successful integrity check and decryption, the file (this is the .intunewin file present within the Contents subfolder of the IntuneWinPackage folder) is unzipped to the location C:\Windows\IMECache\.

Errors that can occur during this phase are:

  • Error unzipping downloaded content. (0x87D30067)
  • The physical resources of this disk have been exhausted (0x8007013A)
  • Incorrect function (0x80070001)
  • Unknown (0x87D30000)

Installation Phase

IME starts the execution and sets the retry count (there is a total of 3 retries with a 5 minute interval).

Flow for app in User Context

If the app is in User Context, IME creates the installer process by fetching an elevated token for the current user. Not very common, but if IME fails to get an elevated token for the user, it can result in Access is denied. (0x80070005).

 Intune Management Extension (IME) - Access is Denied

If a change in session, such as a log-off, is detected before IME can create the installer process, it will cause an error like the one below, resulting in The user logged off while the app policy was being processed. (0x87D300CD).

Intune Management Extension (IME) - Error code 2

Flow for app in Device Context

Intune Management Extension (IME) - Unable to get error code

You can safely ignore that StatusService warning.

The installer process created by IME has a predefined timeout of 60 mins. If the process fails to install the application within this time, which may be due to system activity (high CPU utilization), this results in:

  • Unknown (0x87D30000)
  • The unmonitored process is in progress, however it may timeout. (0x87D300C9)

In general, the errors that can occur in this phase are directly related to the application and are usually thrown via the IPExitCode or LastHResult. For example, if the installation is triggered via a script, then the IPExitCode will define Success or Error.

Intune Management Extension (IME) - IPExitCode

This is where you will mostly see the undefined errors thrown by LastHResult, like these:

  • (0x80070004)
  • (0x8007EA61)
  • (0x8007EA68)

If the installer process fails, IME has a retry check of 3: it tries 3 times to get the app installed if it encounters any failure during a processing cycle. The retry interval is 5 mins from the last failure. However, for each retry, IME starts from the beginning of the app processing phases, so the detection, applicability and extended requirements will be checked again. When it comes to the download phase, it will not initiate a download again but will find the app package in the cache itself. This is because the contents of the C:\Windows\IMECache\ folder are cleaned up only after a successful install. At this point, you are most likely to encounter the error The system cannot find the file specified. (0x80070002), which happens due to AV.

Post-Install Detection Phase

This is the phase where IME triggers the detection manager to execute the detection rules once more to confirm the app install status. Even if the installation has actually completed, a detection rule that is not capable of checking the right place will result in IME reporting it as a failure.

Intune Management Extension (IME) - Post Install Detection

Errors in this phase are again caused by improper detection logic:

Intune Management Extension (IME) - Improper Detection Logic

A change in session at this stage will cause IME to report back as The application was not detected after installation completed successfully (0x87D1041C).
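Both the Pre-Install Detection and the Post-Install Detection phases above fail on improper detection logic, so here is an added example (my own, not from the post) of a custom detection script written the way IME evaluates it: IME counts the app as detected only when the script exits 0 and writes to STDOUT, while exit 0 with no output or a non-zero exit means not detected. The product name, version and path are constructed placeholders.

```powershell
# Added example, not from the original post. DisplayName, version and path are placeholders.
$ExpectedDisplayName = 'Contoso Agent'                                        # placeholder
$MinimumVersion      = [version]'2.4.0.0'                                     # placeholder
$ExePath             = Join-Path $env:ProgramFiles 'Contoso\Agent\agent.exe'  # placeholder

function Test-AppInstalled {
    param([string]$DisplayName, [version]$MinVersion, [string]$Path)

    # 1. Look in both the native and the WOW6432Node Uninstall hives. IME runs detection
    #    scripts in a 32-bit PowerShell unless "Run script as 64-bit process" was selected,
    #    so a one-hive lookup is a classic source of "not detected" after a good install.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    $entries = foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
            Where-Object { $_.DisplayName -eq $DisplayName }
    }
    if (-not $entries) { return $false }

    # 2. Version gate: an older build must not count as detected, or Pre-Install Detection
    #    returns True and the upgrade is skipped.
    $ver = $null
    $raw = [string]($entries | Select-Object -First 1).DisplayVersion
    if (-not [version]::TryParse($raw, [ref]$ver)) { return $false }
    if ($ver -lt $MinVersion) { return $false }

    # 3. The binary must really be on disk: a stale Uninstall entry left by a failed or
    #    partial install would otherwise satisfy Post-Install Detection.
    return [bool](Test-Path -LiteralPath $Path)
}

try {
    if (Test-AppInstalled -DisplayName $ExpectedDisplayName -MinVersion $MinimumVersion -Path $ExePath) {
        Write-Output "Detected $ExpectedDisplayName >= $MinimumVersion"   # STDOUT + exit 0 = detected
        exit 0
    }
    exit 1   # nothing on STDOUT, non-zero exit = not detected; IME proceeds to applicability/install
}
catch {
    # An exception must not leak a partial STDOUT line together with exit 0; fail closed instead.
    exit 1
}
```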

Set Compliance State

This is the phase where IME sets the compliance for the app policy as based on the outcome of Installation phase and Post-Install Detection phase results, cleans the contents from IMECache folder and creates the app report.

Intune Management Extension (IME) - Set Compliance State

Same as above, if a change in session is detected, it will result in The application was not detected after installation completed successfully (0x87D1041C). If the install succeeds but the post-install detection result is false, it will still report an error as below.

Intune Management Extension (IME) - Application was not detected

Report Status to Service

The last phase of app processing where IME sends the result to the service and saves the results locally.

Intune Management Extension (IME) - Report Status to Service

IME can fail to send the report and save it for the reasons below:

  • Network connectivity issue
  • User logs off before IME can send the final app results or any Session change detected
  • System goes to sleep due to inactivity

all of which point to the same error, The application was not detected after installation completed successfully (0x87D1041C).

In cases where the IME client itself faces some error, it might cause Client error occurred (0x87D300CA)

Intune Management Extension (IME) - Client Error

and requires evaluation of ClientHealth.log from C:\ProgramData\Microsoft\IntuneManagementExtension\Logs.

The Client Health evaluation is performed every 8 hours.

Since in the Available app flow the application is not enforced by Intune but depends on the user, IME does not re-evaluate the app status again if it fails in the 1st instance. In the case of the Required app flow, IME will continue to re-evaluate each app result in each cycle.

As such, even if the application was installed but, due to any of the issues mentioned, was reported as “The application was not detected after installation completed successfully (0x87D1041C)”, IME won’t re-evaluate to correct it in the subsequent sync cycles.

But for a required application, even if it was reported as an error (unless the error is related to the package itself), there is a good chance that it will be corrected in the subsequent sync cycles.
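To tie the phases and error codes of this post together, here is an added PowerShell example (my own, not from the post) that parses IntuneManagementExtension.log, which is written in CMTrace format, extracts every HRESULT and tags it with the phase(s) this post associates it with. The sample log records are constructed to show the format and are not real IME output; the phase table is a transcription of the sections above.

```powershell
# Added example, not from the original post. $PhaseByCode mirrors the phase sections above;
# a code the post lists under several phases is mapped to all of them.
$PhaseByCode = @{
    '0x87D30065' = 'Retrieve Content Metadata'
    '0x87D30000' = 'Applicability | Download | Integrity Check and Unzip | Installation'
    '0x80070001' = 'Download | Integrity Check and Unzip'
    '0x8007013A' = 'Download | Integrity Check and Unzip'
    '0x87D30068' = 'Download'
    '0x87D3006A' = 'Download'
    '0x87D300C9' = 'Download | Installation (timeout)'
    '0x87D30067' = 'Integrity Check and Unzip'
    '0x80070002' = 'Integrity Check and Unzip, or retry from IMECache (AV interference)'
    '0x80070005' = 'Installation, user context (elevated token)'
    '0x87D300CD' = 'Installation (session change)'
    '0x87D1041C' = 'Post-Install Detection | Set Compliance | Report Status'
    '0x87D300CA' = 'Report Status (client error, see ClientHealth.log)'
}

function ConvertFrom-CMTraceLine {
    param([string]$Line)
    # One CMTrace record: <![LOG[message]LOG]!><time="..." date="..." component="..." type="N" ...>
    # type 1 = info, 2 = warning, 3 = error.
    $m = [regex]::Match($Line,
        '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)".*?type="(?<type>\d)"')
    if (-not $m.Success) { return $null }
    [pscustomobject]@{
        Date = $m.Groups['date'].Value; Time = $m.Groups['time'].Value
        Type = [int]$m.Groups['type'].Value; Message = $m.Groups['msg'].Value
    }
}

function Get-IMEPhaseErrors {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $rec = ConvertFrom-CMTraceLine -Line $line
        if (-not $rec) { continue }
        # A message can carry more than one HRESULT; normalise to the 0x + upper-case form used as keys.
        $codes = [regex]::Matches($rec.Message, '0x[0-9A-Fa-f]{8}') | ForEach-Object { '0x' + $_.Value.Substring(2).ToUpper() }
        foreach ($code in $codes) {
            $phase = $PhaseByCode[$code]
            if (-not $phase) { $phase = 'not covered in the post' }
            [pscustomobject]@{
                Date = $rec.Date; Time = $rec.Time; Type = $rec.Type
                Code = $code; Phase = $phase; Message = $rec.Message
            }
        }
    }
}

# Constructed sample records (format only; the wording is illustrative, not real IME text).
$SampleLog = @(
    '<![LOG[[Win32App] Failed to retrieve content information, hr=0x87D30065]LOG]!><time="09:01:02.1230000" date="03-10-2021" component="IntuneManagementExtension" context="" type="3" thread="7" file="">'
    '<![LOG[[Win32App] Download job failed with 0x87D3006A]LOG]!><time="09:06:40.0000000" date="03-10-2021" component="IntuneManagementExtension" context="" type="3" thread="7" file="">'
    '<![LOG[[Win32App] Post-install detection returned false, reporting 0x87D1041C]LOG]!><time="09:45:00.0000000" date="03-10-2021" component="IntuneManagementExtension" context="" type="2" thread="9" file="">'
)

$logPath = Join-Path $env:ProgramData 'Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'
$lines   = if (Test-Path $logPath) { Get-Content -LiteralPath $logPath } else { $SampleLog }
Get-IMEPhaseErrors -Lines $lines | Where-Object Type -ge 2 | Format-Table Time, Code, Phase, Message -AutoSize
```

On a device without the log the script falls back to the constructed sample, so the output shape can be checked before pointing it at real data.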

