Let’s learn about Intune Win32 App Issues Troubleshooting Client-Side Process flow from this blog post. You can also look at the Level 3 deep-dive troubleshooting Intune Management Extension (IME) Level 3 Troubleshooting Guide.
In my previous post, part 1, we created the Intune Win32 app and deployed it as “available” for users. This post will explore Intune client-side events and explain Intune Win32 app troubleshooting details.
How to deploy. EXE applications via Intune? The same Intune Win32 app packaging and installation method can be used for installation. EXE applications via Intune.
Do you see any similarities between the Intune Win32 app and SCCM troubleshooting? If so, that is not coincident 🙂 Intune Win32 app code is very similar to the SCCM application model. Hence in many scenarios, you will see many similarities.
[Related Topic – Intune Win32 App Deployment using Modern Management]
Intune Win32 App Issues Troubleshooting Client-Side Process Flow
Flow Behind Processing Win32 App: a sequence of steps can be listed for processing a Win32 app from Intune to the device. Here is the lifecycle of a Win32 app at the client end. You can Understand the flow behind the deployment, delivery, and processing of a Win32 application through Intune.
Intune Win32 Application – Client-Side Events
I tried to explain the Intune Win32 app deployment process flow to you. You need to understand the process flow to perform Intune Win32 app troubleshooting.
User Requested Legacy Apps.
We initiated the application installation from the company portal. Once initiated, the application will start downloading and installing. As Anoop explained, Intune Win32 App Troubleshooting starts with the deployment checks or Intune troubleshooting.
Intune Management Extension
The Intune management extension is the client-side component to manage the MDM Intune Win 32 application deployment. Below are the 3 Intune Management Extension Agent working folders. We will discuss their purpose in detail.
Location of logs C:\ProgramData\Microsoft\IntuneManagementExtension\Logs
- Incoming
- Staging
- Staged
[Related Topic – Intune Win32 App Deployment using Modern Management]
Logs – Intune Win32 App Troubleshooting
For troubleshooting Intune client-side events, you can refer to 3 logs.
- IntuneManagementExtension.log: Tracks the Intune Management extension component events
- AgentExecuter: Track any PowerShell execution events
- ClientHealth.log: Track client-health-related events
Detection Rules Evaluation – Intune Win32 App Troubleshooting
Detection rules are again used in SCCM application model deployments, and Intune win32 uses similar detection rules 🙂
- Detection rules processed
- A WMI query is used to detect the application’s installation status.
[Win32App] ProcessDetectionRules starts query: select * from Win32_Product where IdentifyingNumber='{AC76BA86-7AD7-1033-7B44-AC0F074E4100}’ or IdentifyingNumber=’AC76BA86-7AD7-1033-7B44-AC0F074E4100′ [Win32App] Checked ProductCode {AC76BA86-7AD7-1033-7B44-AC0F074E4100}, Cannot find, applicationDetected: False [Win32App] Completed detectionManager SideCarProductCodeDetectionManager, applicationDetectedByCurrentRule: False
Check Applicability – Intune Win32 App Troubleshooting
Once the app “Detection rule” evaluation is completed, the next step is “Check Applicability.” Checks were performed against the rules we configured before.
- [Win32App] applicationRequirementMetadata RequiredOSArchitecture: 2, client Is64BitOperatingSystem: True, applicability: Applicable.
- [Win32App] applicationRequirementMetadata expected version: 10.0.14393, client version: 10.0.17763, applicability: Applicable.
- [Win32App] applicationRequirementMetadata RequiredFreespace: 250.00, availableFreeSpaceInMB: 10,925.00 on Drive C:\, applicability: Applicable
- [Win32App] applicationRequirementMetadata RequiredTotalPhysicalMemory: 250.00, totalPhysicalMemoryInMB: 1,024.00, applicability: Applicable.
Content Download – Intune Win32 App Troubleshooting
After “Check applicability” is completed, the next stage is to process Content Download. Package Content is missing in the cache; hence, content started to download.
[Related Topic – Intune Win32 App Deployment using Modern Management]
Content cache miss for app id 86995d21-f2ed-4e2c-a88e-1ef5f65d02e3, start downloading…
The Intune CDN URL is used to download the file if you suspect any download issue due to network proxy. You can copy the URL and paste the download into your browser to troubleshoot.
https://swdc01.manage.microsoft.com/5d3c257f-df2e-4885-b9b3-01dd9713d655/ 081e6fbd-2594-44f6-9f5b-f3532d7652da/ad87f066-4d0e-4d05-b495-73ad17490b12.intunewin.bin
Content is downloaded initially to the folder “Incoming.”
The encrypted file downloads first to the folder “Incoming.” This is a temporary download folder for further processing. The file’s extension is in bin format.
“Incoming” Folder to “Staging Folder.”
The download file moves from the “Incoming” folder to the “Staging folder.” In the Staging Folder, the downloaded file will be in Zip format.
C:\Program Files (x86)\Microsoft Intune Management Extension\Content\ Staging\86995d21-f2ed-4e2c-a88e-1ef5f65_1\86995d21-f2ed-4e2c-a88e-1ef5f65_1.zip
Hash verification and Decryption
Hash value was checked to ensure that downloaded content was consistent. Decryption starts after hash verification.
- [Win32App] Starts verifying the encrypted hash
- [Win32App] hmac validation is passed.
- [Win32App] file hash validation pass, starts decrypting
- [Win32App] Decryption is done successfully.
- [Win32App] CDN mode, content is decrypted.
Unzipping Stage
In this stage, the downloaded package in zip format is uncompressed. The content is extracted from the “Staging” folder to the “Staged” folder.
Unzipping file on session 2 from C:\Program Files (x86)\Microsoft Intune Management Extension\Content\Staging\86995d21-f2ed-4e2c-a88e-1ef5f65d02e3_1 \86995d21-f2ed-4e2c-a88e-1ef5f65d02e3_1.zip to C:\Program Files (x86)\ Microsoft Intune Management Extension\Content\Staged\86995d21-f2ed-4e2c-a88e-1ef5f65d02e3_1
Clean up Staging Content
Once unzip is complete, temporary content in the staging folder will be removed.
Cleaning up staging content C:\Program Files (x86)\Microsoft Intune Management Extension\Content\Staging\86995d21-f2ed-4e2c-a88e-1ef5f65d02e3_1
Started Application Installation
This is the installation stage. If you have no issues with content download, etc., you can jump to this stage. Intune Win32 App Troubleshooting.
- The installation directory is set.
- We launched the Intune application installation in a machine context.
- While troubleshooting, you can note the process id to track.
- The installation process is completed...
- [Win32App] SetCurrentDirectory: C:\Program Files (x86)\Microsoft Intune Management Extension\Content\Staged\86995d21-f2ed-4e2c-a88e-1ef5f65d02e3_1
- [Win32App] Launch Win32AppInstaller in machine session
- [Win32App] lastWin32Error 0 after CreateProcess
- [Win32App] Create installer process successfully.
- [Win32App] process id = 6256
- [Win32App] Installer process timeout milliseconds: 3600000.
- [Win32App] Installation is done, collecting result
Detection Rules After Application Installation
Post-application installation, the Intune client evaluates application detection rules on the computer. In our example, detection Logic is the MSI product code, which is detected using a WMI query.
[Related Topic – Intune Win32 App Deployment using Modern Management]
query: select * from Win32_Product where IdentifyingNumber='{AC76BA86-7AD7-1033-7B44-AC0F074E4100}’ or IdentifyingNumber=’AC76BA86-7AD7-1033-7B44-AC0F074E4100′ [Win32App] Checked ProductCode {AC76BA86-7AD7-1033-7B44-AC0F074E4100}, Found it. sideCarProductCodeDetectionMetadata.ProductVersionOperator is 0 application detected: True [Win32App] detection manager SideCarProductCodeDetectionManager got applicationDetectedByCurrentRule: True as system
Compliance State Message -Intune Win32 App Issues Troubleshooting Client-Side Process Flow
State messages are processed as shown below. They are delivered to Intune as part of Intune Win32 App Troubleshooting.
The compliance information was sent to the Intune cloud from the Windows 10 client. Below, you can see state message results posted by the client to Intune cloud service.
After this, you can see the application installation status from the Intune console.
Successfully get the token Add Token with length 1654 into WebRequest Add MdmDeviceCertificate F70D046494CEF0F625365320CDC47DE8E635865B into WebRequest SendWebRequest, client-request-id: d98c8975-3c54-4d0c-ad79-582cecb2f927, Method: PUT Current proxy is https://fef.msuc01.manage.microsoft.com/SideCar/StatelessSideCarGatewayService/SideCarGatewaySessions(’04d64f55-0c99-4cb8-bd09-d7e71dfdefcf’)%3Fapi-version=1.1 Sending network request… [Win32App] Results are successfully sent. [Win32App] Got result with session id 04d64f55-0c99-4cb8-bd09-d7e71dfdefcf. RequestContentType: Acknowledge
After successful application installation, the Toast message is displayed to the user.
End-User Experience of Intune Win32 App Deployment
Microsoft Intune Software Distribution is completed.
Please follow us on the HTMD Community and visit our website HTMD Forum, if you like our content. Suggest improvements, if any, and we love to know which topic you want us to explore next.
Resource:
- Intune Troubleshooting – https://www.anoopcnair.com/configuration-profile-settings-view/
- How to deploy. EXE applications via Intune?
This is a great article. A lot of stuff I could have used the first time around!
What log viewer is that?? It’s so hard to read the logs in notepad.
It’s surprising that you don’t know that log viewer 🙂 Checkout the following post to get more details about log viewer https://www.anoopcnair.com/sccm-logs-files/
Thanks! I just never got deep into SCCM…intentionally so 🙂
Hi,
I am new to Intune and having used SCCM prior. I don’t see these folders on my Windows 10 desktops. The systems are enrolled and have policies pushed to it as well as having the iSpring MSI package I created to test that.
Is your client configuration different?
Hi, what type of deployment are you using in Intune? This folders are applicable only if you deploy Intune win 32 packaged apps as mentioned in the blog post https://www.anoopcnair.com/intune-win32-app-deployment/
I am trying to push out some .exes using the Win32 app I packaged. I packaged the .exe using the tool and uploaded it.
I created the assignments the same way to the MSI packages but the EXE packages doesn’t seem to deploy.
So you don’t have any logs in the following location :- C:\ProgramData\Microsoft\IntuneManagementExtension\Logs …What is it showing in Intune console https://howtomanagedevices.com/intune/239/intune-troubleshooting/
The only traces that I can see that Intune is apparently working is the msinstaller in Event Viewer showing the directory c:\windows\system32\config\systemprofile\appdata\local\mdm\ but it is empty after the software installs.
I tried typing that directory in just in case, it’s really hidden but it is not there.
Under the specific system from the console, I can see for the Win32 apps say Waiting for Install status and it shows it’s online from the current check-in. Nothing from Event Viewer to indicate this downloaded to even run on the system.
I was able to deploy Office 365 and so far the other msi I created for testing just having issues with Win32.
I think there should be a Intune Win32 agent service running on your machine. And the following folder is created ? C:\Program Files(x86)\Microsoft Intune Management Extension
What are the OS requirements you have given when you create Intune Win32 package from Intune portal? Have you given the correct Windows version?
I am rebuilding the package, the minimum version is 1607 and the systems are on Pro 1803 or higher. The OS architecture is 64 bit, before it was 32 and 64 selected? To have both selected is to pick one or the other?
We’ll see how it goes this time.
easy to trouble shoot when nothing goes wrong 🙂
I get this in the log, trying to move a 4gb package, so i can upgrade windows to 1809 with intune app.
Its the mediacreation tool iso file repackaged.
I even removed some file from the package because i couldnt unzip by hand. Im still thinking its something like that, but it unzips neatly manually.
Yes exactly and you can learn a lot from real troubleshooting
WTF ?
It left out all my error details ?
I hate troubleshooting 😉 No thats not true, I hate troubleshoot when the errors makes no sense..
When intune is trying to do the final unpack the 3rd in the deploy process I get this error
},”ErrorDetails”:”System.UnauthorizedAccessException: Access to the path \u0027C:\\Program Files (x86)\\Microsoft Intune Management Extension\\Content\\Staging\\0a056f5d-237c-44f9-af64-3fe847bbf67d_1\\0a056f5d-237c-44f9-af64-3fe847bbf67d_1.zip\u0027 is denied.\r\n at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)\
I can unzip the package fine by hand, to the same folder even. So it shouldnt be a deep path issue.
When the portal does give an error its say “Error unzipping the downloaded content, 0x87d30067, which in the only other post i can find, it looks like a path to deep issue.
And the fun goes on.
I have an app, around 1.1 GB in size.
It downloads fine to the content incoming folder.
In the final extraction to the c:\windows\imecache folder, only one folder and around 15mb of data is present. and naturally the installation fails.
I have tried to download and decrypt the package using this
https://www.scconfigmgr.com/2019/01/18/how-to-decode-intune-win32-app-packages/
And all files are present, with the correct folders and all.
The intune logs dont indicate that the final extraction failed.
I have excluded the C:\windows\imecache from windows defender.
Anybody have any idea whats going on here ??
Did you check the following logs ? IntuneManagementExtension.log, AgentExecuter.Log,
ClientHealth.log to have more details on extraction issue?
Yes i did. Nothing
from The intunemanagementextention.log
Decryption is done successfully.]LOG]!>
content is decrypted and verified successfully.]LOG]!>
Downloaded file size 1,140,824,299.00]LOG]!>
Downloaded file time 0.00]LOG]!>
Start unzipping.]LOG]!>
Unzipping file on session 0 from C:\Program Files (x86)\Microsoft Intune Management Extension\Content\Staging\217258ac-1eca-4175-a774-d60baa8ee4cd_2\217258ac-1eca-4175-a774-d60baa8ee4cd_2.zip to C:\WINDOWS\IMECache\217258ac-1eca-4175-a774-d60baa8ee4cd_2]LOG]!>
===Step=== ExecuteWithRetry]LOG]!>
ExecuteWithRetry Parsing InstallEx…]LOG]!>
===Step=== Execute retry 0]LOG]!>
SetCurrentDirectory: C:\WINDOWS\IMECache\217258ac-1eca-4175-a774-d60baa8ee4cd_2]LOG]!>
Launch Win32AppInstaller in machine session]LOG]!>
And when i look in the C:\WINDOWS\IMECache\217258ac-1eca-4175-a774-d60baa8ee4cd_2
only a handfull of files and 30 mb data
Hi Kenneth – Please share more details about the error you are seeing? Did application started installation and later failed ?
What error are you seeing in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs
Only error in the intune log was of a failed installation.
Which makes sense, since the setup.exe I was trying to run didn’t exist in the c:\windows\imecache folder.
The Application should have been 1+ GB ,but it only extracted around 20mb of data.
I worked around my issue.
I wrapped the files in a zip archive, and create an install.cmd which calls a ps script to unzip the archive and run the install. and that looks likes its working.
Seems like intune, sometimes, dont like alot of files / big packages
I’m trying to check with fellow MVPs and Intune PG whether there is any known issue or not. I’ll keep you posted if I hear back something.
I had the same issue (hence why landing here via google). In my case, one of the app filenames had an apostrophe in the filename (‘). It wouldn’t zip via the GUI either. The intunewinapputil packaged it up without complaint, but it seems unzipping client side is handled dirfferently.
Fortunately my target devices had 7-zip so did something similar to Kenneth. 7-zipd the content, then created and install.bat file which un-7-zipped the wrapped it up with the intunewinapputil
“C:\Program Files\7-Zip\7z.exe” x Flop1.7z -oUnZ -aoa
Cd UnZ
Installapp.exe
cd ..
rd /S /Q UnZ
I think even if you don’t have 7zip files present in the machine, can’t you use the following method ?
Create a INSTALL.CMD
MD C:\RegFile
Copy “%~dp0*.exe” C:\RegFile /Y
Copy “%~dp0*.msi” C:\RegFile /Y
PUSHD C:\RegFile
Region.msi
@echo 2.0>C:\RegFile\RegVer2.0.txt
Del C:\RegFile\*.exe
Del C:\RegFile\*.msi
cool thanks 🙂 Be interesting to hear if anybody has seen similar 🙂
Hello Kenneth,
Can you please help me out.. I am facing similar issue
Hi Anoop,
We have a similar issue to Kenneth, We have been deploying an app using Win32 packager, this was working since last November. Now it is not working anymore.
I can see the in the log it is executing the install.cmd and changing to c:\windows\imecache\.. but the folder is empty.
This started at the beginning of March.
Hi Anoop,
thanks for the great post.
In our case, the deployment does not go over the detection phase since it will always run into an timeout and won’t start downloading.
Did you saw something like that before?
Looks like:
query: select * from Win32_Product where IdentifyingNumber='{B850B42F-249D-4C94-8536-B08205EB5C77}’ or IdentifyingNumber=’B850B42F-249D-4C94-8536-B08205EB5C77′
[Win32App] Exception occurs when ProcessDetectionRules [{“DetectionType”:1,”DetectionText”:”{\”ProductCode\”:\”{B850B42F-249D-4C94-8536-B08205EB5C77}\”,\”ProductVersion\”:null,\”ProductVersionOperator\”:0}”}], the Exception is System.Management.ManagementException: Zeitüberschreitung (german for timeout)
bei System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
bei System.Management.ManagementObjectCollection.ManagementObjectEnumerator.MoveNext()
bei Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.WMIHelper.CheckProductCodeExistsFromWMI(String productCode)
bei Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.SideCarProductCodeDetectionManager.Detect(SideCarDetectionRuleMetadata sideCarDetectionRuleMetadata)
bei Microsoft.Management.Clients.IntuneManagementExtension.Win32AppPlugIn.DetectionHelper.ProcessDetectionRules(SideCarApplicationClientPolicy appPolicy, Int32 sessionId)
I really cnnot get behind this WMI query timeout since the same detection mehtod is working on SCCM.
Any idea would me much appreaciated.
Greetings
Hi Eric – Are you able to use WMI Explorer and find out the values Win32_Product WMI class? Any error in the event logs ..worth checking that as well?
Thanks for your help. Seems like it is a WMI-related problem indeed. I tried getting values from Win32_Product with the WMI Explorer and monitored the eventlog WMI-Activity and there I got Error 0x80041003 which translates into Access Denied. So I tried other users e.g. the local administrator with the same result. I could dive into setting up a whitelist for remote WMI queries but in this case I do not even know what to whitelist. Is it possible that some of the newer Defender features like Exploit guard etc are the reason for that?
Edit: It just took ages to read the Win32_Product.. around 1 hour? I will try to get around thoose insane query time and report back if I found something. No wonder the Intune-detection phase is canceling the query every time.
Hi Anoop,
First i push win32 intune apps to a group compose of user account and it works fine but if I push the same package to a device group it does not work. I check the client apps>package>overview monitor> device and user status are empty. I check the manageapps for the specific device member of the said group the apps is not even listed in it. Does Intune support deployment of win32 intune apps to a device group?
Hi Anoop,
I tried to push win32 intune apps to a group compose of user account and it works fine but if I push the same package to a device group it does not work. I check the client apps>package>overview monitor> device and user status are empty. I check the manageapps for the specific device member of the said group the apps is not even listed in it. Does Intune support deployment of win32 intune apps to a device group?
I tested this few months back and it worked. Are you still facing the issue ?
Hi Anoop,
Please ignore my comments. I realized there are multiple record of the same device in AAD due to i have reverted the VM several times. I cleaned up some and retain only the latest one then i rea-dd it in device group then it works.
Another great post but I’m hitting a wall troubleshooting. I have an app that requires a “response” file. Basically it’s a text file that records your selection during the GUI install so the app can be installed silently. I have everything I need but I’m having a hard time understanding how I tell Intune to access the response.txt in the Install command. Is it:
setup.exe -f C:\temp\folder\response.txt -i silent (This is the absolute path from the packaging machine)(I doubt this would work)
setup.exe -f folder\response.txt -i silent (This would be the relative path)
setup -f %~dp0response.txt -i silent (A find from our friend Peter V)
Or do I place the response.txt on the local machine using another script and then call it.
I’ve tried them all and not sure what would be correct but in any even I get an error during the create installer process. Any ideas what Error code = 2 is?
Example of the command i normally use in batch file if i have multiple folders: msiexec /i “%~dp0XXXXXX\yyyyyy\zzzz.msi” TRANSFORMS=”%~dp0aaaaaaa.Mst” /l*v “%Windir%\Logs\bbbbbbbbbbb.log” /qn
However Looks like you are trying to read the response file and install the application..I would suggest
1, Keep the response file in the current folder where setup.exe is present.
2, add a command in the batch file to copy response file locally ( example system 32 path)
3, next command in the batch file is to trigger installation referring the response file in system 32 path
Hi I have install Line-Of Business application “BoxDrive” using MSI,
the application is installed successfully in client however it’s showing error in Intune portal.
App installation failed
10/6/2019 8:38:53 AM
Hide details
Error code: 0x87D1041C
The application was not detected after installation completed successfully
it seem related to Return success code is not exist, however i can’t find anywhere to add that return code.
any idea how to fix this?
Thanks
Dimand
consider using intune Win32 app management for more control. you can customize return code based on requirement.
Hello Guys,
I’m getting an 0x80070001 error on some, not all, devices.
Background.
The Client App workload was switched for the target devices post targeting the devices from Intune with the Win32 App deployment.
On the devices that fail, Microsoft Intune Management Extension has installed and can be seen in C:\Program Files (x86). However the C:\ProgramData\Microsoft\IntuneManagementExtensions doesn’t exist!?
Any thoughts most welcome…KR, Graham
Does this help? Intune Win32 App Deployment Challenges System32 Vs Syswow64 https://www.anoopcnair.com/intune-win32-app-deploy-system32-vs-syswow64/
Hello Kenneth,
Can you please help me out.. I am facing similar issue
Hello Neeraj – This works for me. Check the following commands are part of INSTALL.CM
MD C:\RegFile
Copy “%~dp0*.reg” C:\RegFile /Y
Copy “%~dp0*.ps1” C:\RegFile /Y
PUSHD C:\RegFile
PowerShell -NoProfile -ExecutionPolicy Bypass -File C:\RegFile\Region.ps1
@echo 2.0>C:\RegFile\RegVer2.0.txt
Del C:\RegFile\*.reg
Del C:\RegFile\*.ps1
Do you know how often Intune does “Check applicability” for Required apps? If a user uninstalls a Required Win32 App, how long before Intune checks and redeploys the application?
Quick Question.
Scenario:
* Intune Autopilot
* ESP set to install one app
* Deployment Profile sets user as “Standard”
* Microsoft Company Portal and few other apps get installed during provisioning
Question:
How does Intune allow a non-admin “Standard” user to install apps. Even though they don’t have admin rights they can bypass UAC and are able to install apps. I would love articles or detailed instructions.
Much appreciated
I have only Policies folder in Program Files (x86)\Microsoft Intune Management Extension.