AMA: Troubleshoot device issues with Intune
Event details
Looking to improve the troubleshooting experience within Intune? Have questions on accessing ServiceNow incidents in the admin console? Curious how to use advanced analytics to drill down into reports for tailored insights, or how to use built-in Remote Help to securely aid end users and remediate issues? Join this Ask Microsoft Anything (AMA) event to get your questions answered by our product and engineering teams.
Post your questions in the Comments below. We'll have experts responding in the live stream and others in chat.
This AMA is part of Tech Community Live: Microsoft Intune edition. Visit https://aka.ms/TCL/Intune for the full agenda.
104 Comments
- AlAnderson (Copper Contributor): I thought of another ask for Autopilot troubleshooting...actually Intune in general. When diagnostic logs are gathered (manually OR automatically in response to an Autopilot failure), allow us to configure additional locations for gathering log files, reg keys, etc. We log EVERYTHING as we've learned how valuable information is when something breaks. We log all our app installs, config scripts, etc. to a common location and it would be nice to capture those items in addition to what the native process gathers.
- Gang (Occasional Reader): Can you help with deploying files to AAD joined PC using Intune? I'm able to use PS script and Win32 app to deploy files to directory like C:\, but it fails to deploy to C:\Windows. Not sure if it's write permission related?
- TWinc1925 (Brass Contributor): I have a device that is AD joined (Intune) but not autopiloted. We used to be able to manage it but now we can't manage (greyed out) no MDM anymore but shows recent activity. Does this log of activity get reported where in ms-graph and does it capture the IP address (real world) and then how we can get the IP/location of this device that shows activity?
- Char_Cheesman (Bronze Contributor)
Thanks for joining us for this AMA of today’s Tech Community Live: Microsoft Intune edition! Up next: AMA - Powerful Apple device management with Intune.
In addition to the questions posted on this page, we also answer questions posted in reply to the event on LinkedIn and Twitter. Here are the questions we answered today:
- From LinkedIn -- Why can't we deploy MSI packages for particular devices instead of user IDs? - answered at 07:05
- From LinkedIn -- Is there any way to get detailed information about MAM protection Unmanaged BYOD devices? Currently only sign in logs and app protection reports are there, which is not detailed. - answered at 17:55
- From LinkedIn -- We have integrated ServiceNow with Intune using Out of box. How do I perform a selective wipe of MAM unmanaged devices from ServiceNow or graph API? - answered at 23:10
- From LinkedIn -- Some of the configuration profiles provide zero feedback in terms of errors. Failed SCEP provisioning is one section, regardless of platform. Ideas on how to troubleshoot? - answered at 43:55
- AlAnderson (Copper Contributor): An ask I would have for Autopilot failures is a simple and concise message stating that "Autopilot failed while attempting to do THIS". Coming from the ConfigMan world of TS imaging, we got spoiled by those specific error messages. Most of our failures are due to one of our applications failing for one reason or another. With remote users, this makes troubleshooting difficult and time consuming. We can talk the user through digging into the UI which usually leads to an ambiguous error OR we have to wait for the diagnostic files to upload and then dig through them. Couple that with our strict security requirements and our ESP policy preventing users from getting to the desktop without specific apps, and I'm left with a completely unproductive user. Aside from anomalies, if an app is bad, all of our Autopilot deployments will fail. We also use some automation to update apps, so we're not always aware that an app changes which adds to our troubleshooting time. The next level above this would be to send Intune admins an email that an Autopilot run failed while attempting to do/install X.
- Hung_Dang
Microsoft
Thanks for the feedback, Alan. We fully acknowledge the level of troubleshooting capability for Autopilot device deployment issues is subpar, for both the end user and the IT admin. We're definitely working on it to incorporate feedback like yours, but keep the feedback coming in the meantime. Have a great day!
- englewoodranger7 (Copper Contributor): I'm a newbie to Intune and have a device enrollment question. When enrolling devices, specifically desktops and laptops, via Settings > Accounts > Access work or school, I receive either of the following messages: 1. Your device is already connected to your organization. 2. “We couldn’t sign you in. If this error persists, contact your system administrator and provide error code CAA60007.” Correlation ID: da887d7a-6929-4803-a686-ad182114e61f. 3. And recently, Your account has reached the maximum device limit for connecting to your work or school (0x80180013). 4. When successfully enrolling the device, it will either connect to the Microsoft Work or school account, or “Connected to University MDM” account. I assume enrolling in the University MDM is correct. However, it doesn't give me the option to choose one or the other. How do I select the correct enrollment? Am I enrolling devices correctly? Or is there another method to enroll a group of devices?
- Hung_Dang
Microsoft
When enrolling through the Windows Settings app, there are multiple types of enrollments you can do (e.g., Workplace Join, full MS Entra joining + MDM enrollment, domain join). These result in different methods and levels of enrollment, and your company should provide guidance on which option they require for your device. After that, you just enter in your company creds, and things should result in what your company expects. Hope this helps, Jeff. Have a great day!
- jamie112193 (Brass Contributor): 1. I would check your device restrictions in Intune. 2. If you are already signed into and connected the device to your org, I would think you need either GPO or Configuration Manager (SCCM) to kick off the device enrollment.
- Jamie_Ansell (Brass Contributor): It feels as though Intune is lacking real-time troubleshooting tools. Diagnostics logs Intune can gather are mostly Windows/Intune oriented and sometimes (we are an education organisation) we will need to scan a room full of devices to see what is wrong and sometimes take an action on them (e.g., an incorrect reg key, drop a file on a device) in a matter of minutes in order that a class or an exam can run...for example. The Windows Defender firewall domain profile doesn't quite fit around the AAD device on-premise scenario, and unattended remote access to shared devices seems to be lacking in the current toolset.
- Raj_Gill (Copper Contributor): What is the best way to troubleshoot during the ESP stage for AutoPilot? We are finding some of the logs are not clear as to what has failed.
- Hung_Dang
Microsoft
This is a big topic. We have a troubleshooting series (sample article https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-troubleshooting-unexpected-reboots-during-new-pc/ba-p/3896960) that may help, too. Often the page's UX itself is a great start to troubleshoot, since it states which resources (e.g., apps, certs, etc.) failed to install. Also, see if the Diagnostics page on the device (press Windows+D) can help, too. Hope this helps, Rajveer. Have a great day!
- HeyHey16K (Iron Contributor): We run the Get-AutopilotESPStatus script from a CMD prompt 🙂
- Matt_Chamberlain (Occasional Reader): We are using Autopilot combined with Enterprise Status Page to prevent users accessing their desktop prior to completion. We have a number of apps that we need to deploy and have found that ESP does not pick up a lot of them. The apps are all Win32 apps. The logs do not show any entries like failed/errored etc. for the apps not picked up. They are all packaged the same. We have had to revert to deploying only a couple of specific apps that work through ESP, and then creating a set of dependency apps to install the rest when the user gets to their desktop. Is there a way of identifying why ESP is not picking up apps and deploying them?
- HeyHey16K (Iron Contributor): Are they all set to "required" deployment, assigned to the right group and the same package type, e.g. Win32 v LOB etc.? When we first deployed Autopilot we had a mix of package type and they conflicted, so converted them all to Win32.
- Matt_Chamberlain (Occasional Reader): Yes, we have made sure they are all Win32 apps and all set to required.
- jamie112193 (Brass Contributor): We are finding machine records in Intune disappear. We don't use device cleanup rules and it doesn't seem to matter Windows or Mac. When this happens the machine gets conditional access blocked for compliance. We need to delete Azure record and enroll in Intune again. I believe this is happening due to the Defender for Endpoint integration and trying to reenroll devices? Intune logs do not show any person deleting the record. Where can I find logs to help troubleshoot?
- Char_Cheesman (Bronze Contributor)
Thanks for participating in today's AMA: Troubleshoot device issues with Intune! For reference, the panel covered this topic at 45:55.