How to Start Troubleshooting Intune Policy Deployment Issues


Most of us know how to start troubleshooting with the Intune Silverlight console. Intune troubleshooting has become easier after the migration to the Azure portal. Whenever you face an issue with Intune, it’s recommended to start with the “Microsoft Intune – Help and support” page in the Azure portal. In this post, we will see how to start troubleshooting Intune policy deployment issues from the Intune (new Azure) portal. More details are in the video experience here.

How to Check the status of Intune service?

When you have a major issue with Intune managed devices, the first place to look is the current status of Intune and other dependent services. You can check that from the Azure portal: Intune blade – Microsoft Intune – Help and support tab.

Under the Help and support tab there is a link to check the status of Intune and other services for your tenant. The link “Intune service status – See the current status of the service” is the place where you can get the status.

When everything is OK on the cloud service side, the status will show as “Microsoft Intune Service is healthy”. From the Help and support tab you can also check whether your Intune subscription is still active.

How to start troubleshooting Intune Policy Deployment?

As explained above, when an issue has a major impact on all Intune managed devices or users, first make sure that the tenant health is OK. Once you are sure that there is no issue on the Intune service side for your tenant, it’s time to proceed with policy assignment and other detailed troubleshooting. When the issue is NOT impacting all devices or users, it’s better to start directly with this second stage of Intune troubleshooting.

Troubleshoot is a tab in the Intune blade of the Azure portal. Select one of the users who is having issues with application or policy deployment. For example, a user who is not getting the application assigned to an AAD group, or a user who is not getting the compliance or configuration policies assigned.

I selected Anoop Nair as the user. All the details of this user are available in the Troubleshoot tab. This helps the Intune admin confirm whether all the applications and policies are targeted to the correct AAD groups. You can check and confirm the following for the user:

  • Does the user have a valid Intune license or not
  • Is the user part of correct AAD group or not
  • Is the Device compliant or not
  • Status of Company Data Removal/wipe from a device

The Troubleshoot tab of the Intune blade also shows the principal name and email ID of the selected user. All the other details available in the Intune troubleshooting blade are:

  • Whether an Intune license is assigned to the user
  • Whether the devices are compliant
  • Whether apps are in a compliant state
  • Azure AD group membership for the user
  • Mobile apps assignment to the user
  • Compliance policies deployed or assigned to the user
  • App protection status for the devices
  • Configuration profile deployment status for the user
  • List of the devices for that user and status of the devices

As you can see in the video tutorial here and in the screenshot below, there are some red icons. Those red icons could indicate potential issues with application or policy deployments. I could see problems with the Android device of Anoop. App protection status is not looking good for the Android device. The Intune troubleshoot blade provides a useful report that “31 apps noncompliant”.

There are three assignment categories in the Intune troubleshooting blade. Each category gives you the details of the user’s assignments. If some assignments are missing, we need to look at the AAD groups those policies are targeted to.

  • Mobile Apps
  • Compliance Policies
  • Configuration Profiles

The above information is important when you start Intune troubleshooting from the Azure portal. From the Troubleshoot tab we can go directly into the details of each of the policies assigned to that user. More detailed troubleshooting can be done by looking at the device properties and hardware information of the device.

For example, you have started a company data wipe action for a device, but the user can still access corporate mail from the device. The Intune admin can search for the user directly from the Intune troubleshooting blade and get all the device details of that user. Once the device is identified, you can check the following details of the device.

Device name, Managed by, Azure AD join type, Ownership, Intune compliant, Azure AD compliant, OS, OS version and Last check in.

Last check-in details are important in this device retirement or company data wipe troubleshooting scenario. The last check-in details tell you when the device was last in touch with the Intune service. You can also check the status of the Company Data Removal action and the factory reset details and status from the Intune troubleshooting blade.
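The check-in comparison described above, as an added PowerShell example (not from the original post). The device rows are constructed; the `WipeRequested` column, the function names and the 14-day threshold are hypothetical, and the script assumes a wipe action reaches the device only at its next check-in.

```powershell
# Constructed sample rows using columns the Troubleshoot blade shows.
# WipeRequested is a hypothetical extra column: when the admin started the
# company data wipe (blank when no wipe was requested).
$devices = @'
DeviceName,OS,IntuneCompliant,LastCheckIn,WipeRequested
ANDROID-01,Android,No,2018-03-01T08:15:00Z,2018-03-04T10:00:00Z
IPHONE-02,iOS,Yes,2018-03-05T09:30:00Z,2018-03-04T10:00:00Z
WIN10-03,Windows,Yes,2018-02-01T12:00:00Z,
'@ | ConvertFrom-Csv

# Parse a timestamp and normalise it to UTC so comparisons ignore local time.
function ConvertTo-UtcTime([string] $Text) {
    [datetime]::Parse($Text, [cultureinfo]::InvariantCulture,
        [Globalization.DateTimeStyles]::AdjustToUniversal)
}

function Get-WipeTriage {
    param(
        [Parameter(Mandatory)] $Device,
        [Parameter(Mandatory)] [datetime] $NowUtc,
        [int] $StaleDays = 14   # assumed threshold, adjust for your tenant
    )
    $last = ConvertTo-UtcTime $Device.LastCheckIn
    $age  = [math]::Floor(($NowUtc - $last).TotalDays)
    if ($Device.WipeRequested) {
        # Assumption: the action is delivered at the next device check-in.
        if ($last -lt (ConvertTo-UtcTime $Device.WipeRequested)) {
            $finding = 'No check-in since the wipe request: action not delivered yet'
        } else {
            $finding = 'Checked in after the wipe request: review the action status'
        }
    } elseif ($age -gt $StaleDays) {
        $finding = "No check-in for $age days: status shown may be outdated"
    } else {
        $finding = 'Recent check-in'
    }
    [pscustomobject]@{
        DeviceName       = $Device.DeviceName
        DaysSinceCheckIn = $age
        Finding          = $finding
    }
}

$now = ConvertTo-UtcTime '2018-03-06T00:00:00Z'   # constructed "current" time
$devices | ForEach-Object { Get-WipeTriage -Device $_ -NowUtc $now } |
    Format-Table -AutoSize
```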

The Intune Troubleshooting blade is a one-stop shop for all the troubleshooting activities related to Intune device management, compliance policies, configuration profile deployments, etc.

How to raise a free Intune support case for Intune Issues?

Microsoft provides an option to raise a support case for Intune issues from the Azure portal – Intune blade – Help and support tab itself. The “Create a support request” link in that tab is for raising a free support case. In most scenarios, you won’t get charged for raising this type of Intune support case. The charges for this type of support case are directly linked to your Intune subscription contract.

There is also an option to raise an Intune support case with a Microsoft Premier contract. I would recommend using Premier contract support for Intune issues which are of high impact and if you need immediate help.

Severity options are important while raising an Intune support case. The severity should be selected as per the impact of the issue. The response time will also vary depending on the severity of the issue. There are three categories, as you can see below:

  • C – Minimal Impact – An issue which is impacting only a couple of users or devices, etc.
  • B – Moderate Impact – Issues which can become critical in a couple of days if they are not resolved ASAP.
  • A – Critical Impact – High-priority issues which are impacting a whole lot of users.

