Let’s see Intune user policy troubleshooting tips. The troubleshooting tips help you to resolve issues related to Intune User Based security policy deployments. I have already shared tips to fix Intune policy conflict issues and device-based policy troubleshooting tips.
I have deployed an Intune settings catalog Administrative template (ADMX) policy called Prevent changing theme (User). This settings catalog policy applies only to user profiles, not to devices. Hence, troubleshooting this type of policy is a bit different from device-based policy troubleshooting.
You can perform basic Intune user policy deployment troubleshooting from the MEM admin center portal. One example is given in the post How To Start Troubleshooting Intune Issues, which covers the server side. The next level of troubleshooting uses the MDM Diagnostics Tool to collect logs and information from the client side.
The following blog posts help you to understand the troubleshooting for device-based security policy deployments using Intune.
- Intune Security Baseline Microsoft Defender Policy Troubleshooting Tips
- Troubleshoot Microsoft Edge Security Policy Deployment Issues
Prevent Changing Theme (User)
Prevent Changing Theme (user) policy is already deployed to the Cloud PC. The setting that I have selected from Intune Settings Catalog policy is given below. This user-based policy setting deployed using Intune disables the theme gallery in the Personalization Control Panel.
I have used this policy to simulate and fix Intune user policy troubleshooting issues. You can apply this Intune troubleshooting process to any other policy as well.
- If you enable this setting, users cannot change or save a theme. Elements of a theme such as the desktop background, color, sounds, and screen saver can still be changed (unless policies are set to turn them off).
- If you disable or do not configure this setting, there is no effect.
Note: If you enable this setting but do not specify a theme using the “load a specific theme” setting, the theme defaults to whatever the user previously set or the system default.
- Administrative Templates – Control Panel > Personalization
- Enable the policy called Prevent Changing Theme (User)
You can check the following registry key path to understand where the Intune user-based security policy deployments will get registered. This registry path is different from the device-based Intune policy deployment.
- Device-Based Intune Policy Registry details -> Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge
But as mentioned above, you need to check a different registry path to confirm whether user policies have been deployed. So, troubleshooting user policy deployment with Intune is a bit different from troubleshooting device-based deployment.
- User Based Intune Policy Registry Details -> Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\S-1-5-21-2901188661-3025291148-348095268-1124\ADMX_ControlPanelDisplay
- CPL_Personalization_DisableThemeChange_ProviderSet = 1 -> You can see the registry key value is set to 1 when the Prevent Changing Theme (User) is enabled.
Once the Prevent Changing Theme (User) policy is enabled, you can see a warning on the Themes page of the Settings app. The warning says: Some of these settings are hidden or managed by your organization.
How to Troubleshoot Intune User Policies
To troubleshoot or simulate the troubleshooting experience of Intune user policies, I have changed the user policy setting (Prevent Changing Theme (User)) to DISABLED from enabled. You can refer to the following post if you want to know how to resolve the Intune policy conflict issues.
- Fix Intune Policy Conflict in Intune (at the bottom side of the post)
The Intune default policy sync period is 8 hours. To test the scenario immediately, I have initiated an Intune policy sync manually from Company Portal. Right-click on the company portal taskbar icon – Sync this device -> Sync this device to get access to corporate resources faster.
Intune User Policy Troubleshooting with Event Logs
After the above policy change and the manual sync from the client PC, it’s time to look at the event logs to understand whether the policy has reached the end-user device. Most of the time, the following event log entries confirm the policy assignment from the client side.
Event Log path for Intune logs -> Applications and Services -> Microsoft -> Windows -> DeviceManagement-Enterprise-Diagnostics-Provider -> Admin
Event ID 208
Intune or MDM core component troubleshooting for Windows devices is mainly based on event logs. Intune logs are helpful when you troubleshoot Intune Win32 application deployment issues. The event ID 208 means the Windows client is contacting Intune Service to check whether there is any new policy or not.
EVENT ID 208 – MDM Session: OMA-DM session started for EnrollmentID (D0892524-8DFC-D50E7CA19DBF) with server: (MS DM Server), Server version: (4.0), Client Version: (1.2), PushRouterOrigin: (0xB), UserAgentOrigin: (0x8), Initiator: (0x0), Mode: (0x2), SessionID: (0x87), Authentication Type: (0x1).
Event ID 814
Event ID 814 means the client received a new Intune security policy (with a string value) from the server side, in this case the one related to Prevent Changing Theme (User). The event IDs are the same for both user and device policy deployments.
EVENT ID 814 – MDM PolicyManager: Set policy string, Policy: (CPL_Personalization_DisableThemeChange), Area: (ADMX_ControlPanelDisplay), EnrollmentID requesting merge: (D0892524-8DFC-D50E7CA19DBF), Current User: (S-1-5-21-2901188661-3025291148-348095268-1124), String: (), Enrollment Type: (0x6), Scope: (0x1).
Intune User Policy Troubleshooting using Registry
From event ID 814, I got the indication that the policy changes have reached the Cloud PC. It’s now time to check whether the registry values have changed. It’s a bit tricky to find the registry value details for user-based security policy deployments using Intune and Windows MDM.
The user SID value is essential for finding the registry values related to a specific user-based policy. You need to note the user SID value from event ID 814. I have copied the SID -> S-1-5-21-2901188661-3025291148-348095268-1124 and searched for the user SID in the registry.
Most of the Intune User Policy settings are stored in the following registry path. The only difference will be the user SID folder. You need to replace the registry path with a specific user SID.
- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\Replace this with USER SID Value\ADMX_ControlPanelDisplay
- Sample Registry path from my lab -> Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\S-1-5-21-2901188661-3025291148-348095268-1124\ADMX_ControlPanelDisplay
- The registry value “CPL_Personalization_DisableThemeChange_ProviderSet” is changed from 1 to 2.
NOTE! – Another registry path with string value- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\D1E11663-BF69-4DD8-974A-BAD47E6EF433\default\S-1-5-21-2901188661-3025291148-348095268-1124\ADMX_ControlPanelDisplay
The above registry value changes confirm that the user policy change is already applied on the Cloud PC (Windows 10 and Windows 11). However, I was not able to see any changes on the Themes page in the settings app.
A restart or log-off was required for these changes to appear on the Themes page, as you can see in the screenshot below. The warning noted in the earlier section was removed.
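The event-log-to-registry check described above, as an added PowerShell example that is not part of the original post. The function names Get-PolicySidFromMessage and Get-IntuneUserPolicyState are hypothetical helpers, and the channel name assumes the standard DeviceManagement-Enterprise-Diagnostics-Provider Admin log.

```powershell
# Added example (not from the original post). Run elevated on the managed device.
$LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function Get-PolicySidFromMessage {
    param([string]$Message, [string]$Policy)
    # Event ID 814 text carries "Policy: (<name>)" and "Current User: (<SID>)".
    if ($Message -notmatch "Policy: \($([regex]::Escape($Policy))\)") { return $null }
    if ($Message -match 'Current User: \((S-1-[0-9-]+)\)') { return $Matches[1] }
    return $null   # policy matched but no user SID in the message
}

function Get-IntuneUserPolicyState {
    param(
        [string]$Policy = 'CPL_Personalization_DisableThemeChange',  # from this post
        [string]$Area   = 'ADMX_ControlPanelDisplay'                 # from this post
    )
    # Newest Event ID 814 that names the policy and a user SID.
    $hit = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 814 } -ErrorAction SilentlyContinue |
        Where-Object { Get-PolicySidFromMessage -Message $_.Message -Policy $Policy } |
        Select-Object -First 1
    if (-not $hit) {
        Write-Warning "No Event ID 814 for $Policy. Sync the device, then check again."
        return
    }
    $sid = Get-PolicySidFromMessage -Message $hit.Message -Policy $Policy
    $key = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\$sid\$Area"
    if (-not (Test-Path -Path $key)) {
        Write-Warning "Event 814 logged at $($hit.TimeCreated), but $key is missing."
        return
    }
    $name = "${Policy}_ProviderSet"
    [pscustomobject]@{
        EventTime   = $hit.TimeCreated
        UserSid     = $sid
        RegistryKey = $key
        # The post saw 1 with the policy enabled and 2 after setting it to Disabled.
        ProviderSet = (Get-ItemProperty -Path $key).$name
    }
}

# Parser check against the Event ID 814 text quoted in this post (shortened).
$sample = 'MDM PolicyManager: Set policy string, Policy: (CPL_Personalization_DisableThemeChange), ' +
          'Current User: (S-1-5-21-2901188661-3025291148-348095268-1124), Scope: (0x1).'
Get-PolicySidFromMessage -Message $sample -Policy 'CPL_Personalization_DisableThemeChange'

Get-IntuneUserPolicyState | Format-List
```

A warning instead of an object means either the 814 event has not been logged yet or the per-user key was never written, which tells you whether to look at the sync or at the policy assignment.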
Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about technologies like ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.…