Support tip: A guide for MEM admin center in-console support and tips for opening support tickets
Published Apr 15 2020 02:59 PM 8,550 Views

By Mihai Lucian Androne | Support Escalation Engineer & Rob Lane | Sr. Service Engineer - Microsoft Endpoint Manager

Help us help you! Whenever you are contacting Microsoft support, either through the initial query in console or as a follow-up support ticket, it’s important to add in a few key details of your request. The information you share can often immediately surface content or diagnostics to help you. Or, by adding in additional data, we will be able to offer you the best support experience from the first moment you reach us. This post shares best practices.


Initial Query

Where do you start? Login to Microsoft Endpoint Manager, head to the Troubleshooting + support blade, then select Help and support. When you land on the Help and support blade, you will be prompted to select a management type with three choices. Pick the correct one as that helps us route any case you create to the appropriate support team. For this article we’ve focused on Intune management.




Once you’ve made your choice you’ll be presented with the Need help? dialog, and an empty text box. We are looking for a brief description of your issue – just a few words – based on which we try to provide you some instant guidance. Within this field, be as specific as possible and mention only the key words for your issue like the platform and the unexpected behavior. Also include any explicit error code or error messages as relevant.




Based on this initial query string you type, we will share articles, documentation, relevant Message Center and Service Health Dashboard posts, and troubleshooters (if available) for the topic you are contacting us about. Do look at the content – it may well be relevant to your issue.


We may also trigger a diagnostic to run against your tenant. Some diagnostics require no input while others may prompt you for the UPN of an affected user. These user diagnostics are great at picking up common issues, so they are worth the extra few moments it takes to run them!


“Need Help” Query Examples


Let's see some other examples on how we could describe possible issues to surface the most relevant content:


Query: Android LOB application installation fails 0xC7D24FBA

Query: On-Demand VPN for iOS not working

Query: Windows not compliant due to BitLocker


Contact Support Tips

If the articles that we shared as a result of initial query in the step above did not help you resolve the issue, move forward and select Contact support. You will be able to add a more detailed description of the issue and as needed add attachments.


Below are some examples of the more detailed descriptions which might be associated with the initial query you typed in. We use the initial query as the title.


Title: Android LOB application installation fails 0xC7D24FBA

Description: For our Galaxy S8 devices running Android 9, users are unable to install our LOB application. Users are trying to install the app manually via Company Portal; however, they see a "failed" error after pressing install while in the portal “0xC7D24FBA”is presented. Devices are enrolled as Android Enterprise with Work Profile. When the application was sideloaded by our developers and it was installed fine, thus I am expecting it to work via Intune as well.

Title: On-Demand VPN for iOS not working

Description: We have deployed an on-demand VPN configuration profile called “ACOD VPN” to our iPad’s. However, the IPSEC vpn connection is not triggered when the end user tries to access one of our domains (

Title: Windows not compliant due to BitLocker

Description:  Windows 10 1903 device are reporting Not Compliant due to due to BitLocker not being enabled. I checked locally on the device and BitLocker has been enabled, however device is still Not Compliant. This is affecting multiple users including a test user




This description data is very useful for our support team as it represents the starting point for us in troubleshooting the issue that you are facing. Be sure to provide a valid phone number and email so we can contact you back. 


Let me add couple tips on how to make the most out of the Contact support blade:

  • If the problem is with a specific device type, start by adding the information about your device - #deviceModel & #operatingSystemVersion - where you encounter the issue. Then explain the behavior you are encountering versus the behavior you were expecting to happen.
  • Attach a screenshot that will illustrate the issue or even better, can you record the behavior?
  • If the issue you are facing is part of a more complex scenario, it would be very useful if you can describe the context of you issue. If we understand what your end goal is, what you are trying to achieve, we can advise you and share best practices for your implementation.

Additional Data Requests

Even with a solid description, sometimes we may need additional information to resolve the issue. Below you’ll find additional details about the most commonly requested data and where you can find it and attach it to your support incident. These common elements include:

  • TimeStamp
  • DeviceId
  • UserPrincipalname
  • Device OS and Version
  • TenantID or DomainName
  • PolicyID or PolicyName
  • DeviceLogs


This data is crucial for troubleshooting. Knowing the exact timestamp of the issue will help us review a smaller set of data, thus it will considerably reduce the overall troubleshooting time.


Tip 1: Note the time zone for your issue TimeStamp. We do our best to ensure the support agent that works with you has comparable business hours, but sometimes there may be a few hours difference.


Tip 2: Contact us as soon as possible after the issue occurred. We retain data for 30 days so, if the issue happened more than 30 days ago, we may not have the backend trace data.


If at all possible, please include the day and approximate time (hour & minute) at which the issue occurred. If you are able to reproduce the issue at will, note down the specific time. Also let us know what timezone the user of affected device was working in. These are all useful data points.



  • IntuneDeviceId - unique identifier for any device that enrolled into Intune. It is the most useful piece of data when you are troubleshooting an enrolled device.
  • AzureADDeviceId - unique identifier for a device that registered (WPJ) with Azure AD. From the Intune point of view, this data is not mandatory as you have the IntuneDeviceId, but there are times when having both is useful. There are scenarios when IntuneDeviceId = AzureAdDeviceId.

How to find the Intune/AzureAdDeviceId? Navigate to Intune -> Devices -> All Devices blade and choose your impacted device. Then, under Hardware Tab -> here you will find both Intune & AzureAD deviceId.

The UPN is used by Azure AD to allow users to sign-in thus, in order to enroll a device to Intune on behalf of a user, you will need to use the UPN. The UserPrincipalName attribute value is the Azure AD username for the user accounts.

How do you find UPN? Navigate to Intune -> Users -> All Users -> *search for the user* -> User Name column = UPN

There are thousands of device models out there. Each model has different hardware thus different features will be enabled within the OS. Knowing the model of the affected device will help us narrow down the issue and see if the behavior happens only on some specific models. Also, we can try to do a repro if we own such device – our agents have access to many of the more popular models.

How do you find the device model? Depending on the operating system, this information can be placed in different location:


  • Android - Navigate to device settings -> access "About phone" menu. The information about device model should be presented to you along with device serial number and IMEI.
  • iOS - Navigate to device settings -> General -> access "About" menu. The information about device model should be presented to you along with device serial number and IMEI.
  • Windows - For Windows devices, the model is not as relevant, as usually the most important hardware related information is the TMP which is used for scenarios like BitLocker, Autopilot, etc.
  • macOS - Click on the Apple icon in the top left corner -> Choose "About this Mac". You'll see an overview of your Mac, including its model.


Each operating system has its own particularities in terms of features and MDM capabilities. Furthermore, as technology develops each OS will get new features as new versions ship.

How do you find the OS Version? Depending on OS version and device model, this information can be found in different places. However, I will mention below where this information is generally available for each platform:


  • Android - Navigate to device settings -> access "About phone" menu -> access "Software information" menu. Here you will find the "Android version" and other software related information like build number which is also useful for deeper investigation.
  • Windows 10 - Navigate to device settings -> access "System" menu -> access "About" menu. Here you will find the Version, Build and Edition details. All these details are needed for troubleshooting Windows OS issues.
  • iOS - Navigate to device settings -> General -> access "About" menu. Here you will find the "Software version" and build number if you tap on the "Software version".
  • macOS - Click on the Apple icon in the top left corner -> Choose "About this Mac". You'll see an overview of your Mac, including its operating system version.


A serial number is a unique identifier assigned to your device by the vendor. Once a device is enrolled, serial number is pulled along with the hardware inventory and we are able to uniquely identify your device. At the same time, serial numbers are used for specific corporate enrollment scenarios like DEP or Autopilot or used to record your corporate devices.

How do you find the Serial Number? Well, each vendor has its own way of doing it, so I won't be able to cover all scenarios. However, from the OS side, you should be able to find it here:

  • iOS - Navigate to Settings -> General -> access "About" menu. Serial Number should be reported there.
  • Android - Navigate to Settings -> Navigate to device settings -> access "About phone" menu. Serial Number should be reported there.
  • Windows 10 - Open CMD and run the following command "wmic bios get serialnumber."
    Also, if the device is imported to your autopilot device list, you can find the serial number in the admin center.
  • macOS - Click on the Apple icon in the top left corner -> Choose "About this Mac". You'll see an overview of your Mac, including its serial number.


Represents the unique identifier for your tenant. How do you find the TenantId? Navigate to the Azure Active Directory blade -> Properties -> Directory ID.

Unique identifier for any policy that was created within Intune: Configuration, Compliance, Applications, App Protection Policy, etc. Knowing the name of the policy is good but not as accurate as the id. Policies can be renamed and at the same time, the policy name can be duplicated while the id will be always unique.

Where do you find the PolicyId? For the following policy types, the unique identifier can be found within the URL of the page, once you opened that specific policy/application. After selecting the blade that contains the policy type that you are interested in, choose the policy/app. Once opened, the URL of the portal will hold the unique id:

  • Security Baselines - URL will contain an intentId, the unique identifier for these policies
  • Applications - URL will contain an appId, the unique identifier for these policies
  • App protection policies - URL will contain an id, the unique identifier for these policies
  • App configuration policies - URL will contain an appConfigPolicyId, the unique identifier for these policies
  • Roles - URL will contain a roleId, the unique identifier for these policies
  • Software updates - URL will contain a configurationId, the unique identifier for these policies
  • Autopilot profile - URL will contain an apProfileId, the unique identifier for these policies
  • DEP Profile - URL will contain a depProfileId, the unique identifier for these policies

For Device configurations & Device compliance policies, finding the unique identifier is not always completely straight forward. Share the policy name with us and we can find the correct unique identifier.

Depending on each platform, there are different methods to gather the MDM logs generated by your device. These logs are very useful when we need to track down issues that are not very obvious and required deeper investigation.

  • iOS
    • For Company portal logs, follow this article:
    • Edge logs are used to diagnose issues with Intune App Protection Policies. They can also be used to check the settings that were applied on your apps. To gather logs, install Edge and enter "about:intunehelp" in the navigation bar and Get Started to upload logs.

For more information – see How to create an Intune MAM diagnostic report on iOS devices


  • Windows 10
    • MDM Diagnostics - these are complex logs and they contain a lot of information from different Windows components that are being used in MDM scenarios.
      • If you enroll your device via OOBE/Autopilot scenario, I recommend this tutorial to gather the MDM Diagnostics.
      • Note 1: "MDMDiagnosticsTool.exe -area Autopilot -cab c:\" - This gathers logs related to Windows Autopilot, OOBE, ESP, MDM, Azure AD, etc. On top of that the hardware details, like the hash you uploaded in the Intune portal, will be gathered.  If you need additional TPM diagnostics, you can add the TPM area to you command. Usually White Glove or Self deployment are the scenarios when you need them.
      • Note 2: "MDMDiagnosticsTool.exe -area Autopilot;TPM -cab c:\" - If you passed the OOBE and ESP phase and you reached your desktop, you can still run the above commands to gather same logs. Be sure you run the command as Administrator to gather all information.
      • Note 3: Another more UI friendly way to export the MDM Diagnostics is by going to -  Settings -> Accounts -> Access work or school - Here you will see a couple related settings. One of them is called "Export your management log files". Click on that option, then on the window that pops up, click export. If feedback hub application appears, just close it. Logs will be located in: "C:\Users\Public\Documents\MDMDiagnostics"
    • Intune Management Extension logs - these logs are gathered when you run the MDM Diagnostics logs. However, if you want to check them manually, you can find them in the following location: C:\ProgramData\Microsoft\IntuneManagementExtension\Logs
    • Company Portal - To gather the logs, open the app, navigate to Help & support menu then click on "Get help" button. Logs will be uploaded to Microsoft and a window containing the incident ID will be opened. You can share the ID with the Microsoft support in order to collect the logs.


We’ve shared a lot of data in this article and hope you’ve found it useful! Let us know if you have any additional questions regarding support tickets.



Version history
Last update:
‎Dec 19 2023 01:30 PM
Updated by: