About an year ago, Microsoft announced Windows (Win32) app deployment using Intune, since then it has been improving with new additions/features.
Intune standalone allows greater Win32 app management capabilities. While it is possible for cloud-connected customers to use Configuration Manager for Win32 app management, Intune-only customers will have greater management capabilities for their Win32 line-of-business (LOB) apps.
For more information about Win32 App management, please read https://docs.microsoft.com/en-us/intune/apps/apps-win32-app-management
A few days ago, I was troubleshooting an issue on the autopilot device for win32 apps and some of the apps will not install for various reasons.
On windows, if app install is not working, it is always challenging and we always tend to look at the logs or event viewer or registry, to start troubleshooting.
For win32 app troubleshooting, there are logs or registry that will help you to provide more information about the issue.
In this blog post, we will see the logs, event viewer and status values for application state, Compliance State Message and Enforcement State Message in the Intune Management Extension registry.
Win32 apps log location:
Win32 Agent logs on the client machine are located at “C:\ProgramData\Microsoft\IntuneManagementExtension\Logs”.
IntuneManagementExtension.log—>This is the main client log file, it contains all the agent check-in, compliance status, enforcement status, policy request, policy processing, and reporting activities.
_IntuneManagementExtension.log—> Historical log file, it contains all the agent check-in, compliance status, enforcement status, policy request, policy processing, and reporting activities.
AgentExecutor.log—> This log file is updated to track Powershell script execution details.
ClientHealth.log—>This log file is updated to track sidecar agent-client health activities.
Content download folders:
On X64 client machines:
C:\Program Files (x86)\Microsoft Intune Management Extension\Content
On X86 client machines:
C:\Program Files\Microsoft Intune Management Extension\Content
It is recommended to exclude the above directories from anti-malware scanning.
Win32 apps Registry location:
For any win32 app that gets deployed on a device, there is a registry location that stores the information about the app with its deployment status.
The registry location for win32 apps: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps\
In the registry key, you will see multiple SID’s either for device or user. For device, it will be all 0000 and rest will be user Object IDs.
These Object ID’s that you see in the registry key which do not contain 000000 are user object IDs coming from Azure Active directory.
You can use Powershell or graph API to find the user based on object ID.
Under the user or device, you can see multiple ID’s and these are the win32 apps deployed by Intune.
Each Application ID contains 2 registry keys.
ComplianceStateMessage—>This consists of Applicability, ComplianceState , DesiredState, ErrorCode
When you deploy an application, it contains several return codes and these codes are stored in registry with integer values.
If you open the IntuneManagementExtension.log, you will see the application status with applicability, compliance state, desired state error code, etc. but there is no meaningful description.
I have listed the values for application states that are stored in the Intune Management Extension registry.
This should help you to identify the status of the deployed application.
|3||Conflict (Not applicable for app deployment)|
|1003||Received command to install|
|2000||Enforcement action is in progress|
|2007||App enforcement will be attempted once all dependent apps have been installed|
|2008||App has been installed but is not usable until device has rebooted|
|2009||App has been downloaded but no installation has been attempted|
|3000||Enforcement action aborted due to requirements not being met|
|4000||Enforcement action could not be completed due to unknown reason|
|5000||Enforcement action failed due to error. Error code needs to be checked to determine detailed status|
|5003||Client was unable to download app content.|
|5999||Enforcement action failed due to error, will retry immediately.|
|6000||Enforcement action has not been attempted. No reason given.|
|6001||App install is blocked because one or more of the app's dependencies failed to install.|
|6002||App install is blocked on the machine due to a pending hard reboot.|
|6003||App install is blocked because one or more of the app's dependencies have requirements which are not met.|
|6004||App is a dependency of another application and is configured to not automatically install.|
|6005||App install is blocked because one or more of the app's dependencies are configured to not automatically install.’|
If there are any failed win32 apps and you want to reinitiate the installation, you can simply restart the win32 IME (Microsoft Intune Management Extension) service and monitor the logs.
I hope you find this information useful for troubleshooting intune win32 apps deployment.
Troubleshoot app installation issues https://docs.microsoft.com/en-us/intune/apps/troubleshoot-app-install
Troubleshooting MSI App deployments in Microsoft Intune https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Troubleshooting-MSI-App-deployments-in-Microsoft/ba-p/359125