Intune Win32 App Issues Troubleshooting Client-Side Process Flow

Let’s learn about Intune Win32 App Issues Troubleshooting Client-Side Process flow from this blog post. You can look at the Level 3 deep dive troubleshooting Intune Management Extension (IME) Level 3 Troubleshooting Guide.

In my previous post, part 1, we created the Intune Win32 app and deployed it as “available” for users. In this post, we will dive deep into intune client-side events. Intune Win32 app troubleshooting details are explained in this post.

How to deploy. EXE applications via Intune? The same Intune Win32 app packaging and installation method can be used for installation. EXE applications via Intune.

Do you see any similarities between the Intune Win32 app and SCCM troubleshooting? If so, that is not coincident 🙂 Intune Win32 app code is very similar to the SCCM application model. Hence in many scenarios, you will see many similarities.

Patch My PC

[Related TopicIntune Win32 App Deployment using Modern Management]

Flow Behind Processing Win32 App

The processing of a Win32 app from Intune to the device can be listed in a sequence of steps. Here is the lifecycle of a Win32 app at the client end. You can Understand the flow behind deployment, delivery, and processing of a Win32 application through Intune.

Intune Win32 App Issues Troubleshooting Client-Side Process Flow 1
Flow Behind Processing Win32 App Credit – Microsoft

Intune Win32 Application – Client-Side Events

I tried to explain to you the Intune Win32 app deployment process flow. You need to understand the process flow to perform Intune Win32 app troubleshooting.

User Requested legacy apps.

We initiated the application installation from the company portal. Once initiated, the application will start downloading and installing.

Adaptiva

As Anoop explained, Intune Win32 App Troubleshooting starts with the deployments checks or Intune troubleshooting.

Intune Win32 App Issues Troubleshooting Client-Side Process Flow
Intune Win32 App Issues Troubleshooting Client-Side Process Flow 1

Intune Management Extension

The Intune management extension is the client-side component to manage the MDM Intune Win 32 application deployment.

Below are the 3 Intune Management Extension Agent working folders. We will go through the purpose of these folders in detail.

Location of logs C:\ProgramData\Microsoft\IntuneManagementExtension\Logs

[Related TopicIntune Win32 App Deployment using Modern Management]

  • Incoming
  • Staging
  • Staged
Intune Win32 App Troubleshooting Intune Win32 App Issues Troubleshooting Client-Side Process Flow
Intune Win32 App Issues Troubleshooting Client-Side Process Flow 2

Logs – Intune Win32 App Troubleshooting

For troubleshooting Intune client-side events, you can refer below 3 logs

  • IntuneManagementExtension.log : Tracks the Intune Management extension component events
  • AgentExecuter : Track any PowerShell execution events
  • ClientHealth.log:  Track client-health related events
Intune Win32 App Troubleshooting Intune Win32 App Issues Troubleshooting Client-Side Process Flow
Intune Win32 App Issues Troubleshooting Client-Side Process Flow 3

Detection Rules Evaluation – Intune Win32 App Troubleshooting

Detection rules are again used in SCCM application model deployments, and Intune win32 uses similar detection rules 🙂

  • Detection rules processed
  • WMI query is used to detect the application installation status.

[Win32App] ProcessDetectionRules starts query: select * from Win32_Product where IdentifyingNumber='{AC76BA86-7AD7-1033-7B44-AC0F074E4100}’ or IdentifyingNumber=’AC76BA86-7AD7-1033-7B44-AC0F074E4100′ [Win32App] Checked ProductCode {AC76BA86-7AD7-1033-7B44-AC0F074E4100}, Cannot find, applicationDetected: False [Win32App] Completed detectionManager SideCarProductCodeDetectionManager, applicationDetectedByCurrentRule: False

Intune Win32 App Troubleshooting
Intune Win32 App Issues Troubleshooting Client-Side Process Flow 4

Check Applicability – Intune Win32 App Troubleshooting

Once the app “Detection rule” evaluation is completed, the next step is “Check Applicability.” Checks were performed against the rules we configured before.

  • [Win32App] applicationRequirementMetadata RequiredOSArchitecture: 2, client Is64BitOperatingSystem: True, applicability: Applicable.
  • [Win32App] applicationRequirementMetadata expected version: 10.0.14393, client version: 10.0.17763, applicability: Applicable.
  • [Win32App] applicationRequirementMetadata RequiredFreespace: 250.00, availableFreeSpaceInMB: 10,925.00 on Drive C:\, applicability: Applicable
  • [Win32App] applicationRequirementMetadata RequiredTotalPhysicalMemory: 250.00, totalPhysicalMemoryInMB: 1,024.00, applicability: Applicable.
Intune Win32 App Troubleshooting
Intune Win32 App Issues Troubleshooting Client-Side Process Flow 5

After “Check applicability” completes, the next stage is to process Content Download.

Content Download – Intune Win32 App Troubleshooting

Package Content is missing in the cache hence content started to download.

[Related TopicIntune Win32 App Deployment using Modern Management]

Content cache miss for app id 86995d21-f2ed-4e2c-a88e-1ef5f65d02e3,start downloading…

Intune Win32 App Issues Troubleshooting Client-Side Process Flow 2
Intune Win32 App Issues Troubleshooting Client-Side Process Flow 6

The Intune CDN URL is used to download the file if you suspect any download issue due to network proxy. You can copy the URL and paste the download into your browser to troubleshoot.

https://swdc01.manage.microsoft.com/5d3c257f-df2e-4885-b9b3-01dd9713d655/ 081e6fbd-2594-44f6-9f5b-f3532d7652da/ad87f066-4d0e-4d05-b495-73ad17490b12.intunewin.bin

Content is downloaded initially to the folder “Incoming.”

The encrypted file downloads first to the folder “Incoming.” This is a temporary download folder for further processing. The extension of the file will be in bin format.

Intune Win32 App Issues Troubleshooting Client-Side Process Flow
Intune Win32 App Issues Troubleshooting Client-Side Process Flow 7

“Incoming” folder to “Staging folder.”

The download file moves from the “Incoming” folder to the “Staging folder.” In Staging Folder, the downloaded file will be in Zip format.

C:\Program Files (x86)\Microsoft Intune Management Extension\Content\ Staging\86995d21-f2ed-4e2c-a88e-1ef5f65_1\86995d21-f2ed-4e2c-a88e-1ef5f65_1.zip

Hash verification and Decryption

Hash value checked to ensure downloaded content is consistent. Decryption starts after hash verification.

  • [Win32App] Starts verifying the encrypted hash
  • [Win32App] hmac validation is passed.
  • [Win32App] file hash validation pass, starts decrypting
  • [Win32App] Decryption is done successfully.
  • [Win32App] CDN mode, content is decrypted.
Intune Win32 App Issues Troubleshooting Client-Side Process Flow 3
Intune Win32 App Issues Troubleshooting Client-Side Process Flow 8

Unzipping Stage

In this stage downloaded package in zip format gets uncompressed. Content gets extracted from the “Staging” folder to the “Staged” folder.

Unzipping file on session 2 from C:\Program Files (x86)\Microsoft Intune Management Extension\Content\Staging\86995d21-f2ed-4e2c-a88e-1ef5f65d02e3_1 \86995d21-f2ed-4e2c-a88e-1ef5f65d02e3_1.zip to C:\Program Files (x86)\ Microsoft Intune Management Extension\Content\Staged\86995d21-f2ed-4e2c-a88e-1ef5f65d02e3_1

Intune Win32 App Issues Troubleshooting Client-Side Process Flow 4
Intune Win32 App Issues Troubleshooting Client-Side Process Flow
Intune Win32 App Issues Troubleshooting Client-Side Process Flow 9

Clean up Staging content

Once unzip completes, then temporary content in the staging folder is removed.

Cleaning up staging content C:\Program Files (x86)\Microsoft Intune Management Extension\Content\Staging\86995d21-f2ed-4e2c-a88e-1ef5f65d02e3_1

Intune Win32 App Issues Troubleshooting Client-Side Process Flow 5
Intune Win32 App Issues Troubleshooting Client-Side Process Flow 10

Started application installation

This stage is the installation stage. So you can jump to this stage if you have no issues with content download etc. Intune Win32 App Troubleshooting.

  • The installation directory is set.
  • We launched the Intune application installation in a machine context.
  • While troubleshooting, you can note the process id to track.
  • The installation process is completed.
  • [Win32App] SetCurrentDirectory: C:\Program Files (x86)\Microsoft Intune Management Extension\Content\Staged\86995d21-f2ed-4e2c-a88e-1ef5f65d02e3_1
  • [Win32App] Launch Win32AppInstaller in machine session
  • [Win32App] lastWin32Error 0 after CreateProcess
  • [Win32App] Create installer process successfully.
  • [Win32App] process id = 6256
  • [Win32App] Installer process timeout milliseconds: 3600000.
  • [Win32App] Installation is done, collecting result
Intune Win32 App Issues Troubleshooting Client-Side Process Flow
Intune Win32 App Issues Troubleshooting Client-Side Process Flow 11

Detection Rules after Application Installation

Post application installation, Intune client evaluates application detection rules in the computer. In our example, detection Logic is MSI product code. WMI query is used to detect the MSI product code.

[Related TopicIntune Win32 App Deployment using Modern Management]

query: select * from Win32_Product where IdentifyingNumber='{AC76BA86-7AD7-1033-7B44-AC0F074E4100}’ or IdentifyingNumber=’AC76BA86-7AD7-1033-7B44-AC0F074E4100′ [Win32App] Checked ProductCode {AC76BA86-7AD7-1033-7B44-AC0F074E4100}, Found it. sideCarProductCodeDetectionMetadata.ProductVersionOperator is 0 applicationDetected: True [Win32App] detectionManager SideCarProductCodeDetectionManager got applicationDetectedByCurrentRule: True as system

Intune Win32 App Issues Troubleshooting Client-Side Process Flow
Intune Win32 App Troubleshooting Client-Side Process Flow 12

Compliance State Message -Intune Win32 App Issues Troubleshooting Client-Side Process Flow

State messages are processed as shown below. These state messages are being delivered to Intune as part of Intune Win32 App Troubleshooting.

Intune Win32 App Troubleshooting
Intune Win32 App Troubleshooting Client-Side Process Flow 13

The compliance information was sent from Windows 10 client to Intune cloud. As seen below, you can see state message results posted by the client to Intune cloud service.

After this, you can see the application installation status from Intune console.

Successfully get the token Add Token with length 1654 into WebRequest Add MdmDeviceCertificate F70D046494CEF0F625365320CDC47DE8E635865B into WebRequest SendWebRequest, client-request-id: d98c8975-3c54-4d0c-ad79-582cecb2f927, Method: PUT Current proxy is https://fef.msuc01.manage.microsoft.com/SideCar/StatelessSideCarGatewayService/SideCarGatewaySessions(’04d64f55-0c99-4cb8-bd09-d7e71dfdefcf’)%3Fapi-version=1.1 Sending network request… [Win32App] Results are successfully sent. [Win32App] Got result with session id 04d64f55-0c99-4cb8-bd09-d7e71dfdefcf. RequestContentType: Acknowledge

Intune Win32 App Issues Troubleshooting Client-Side Process Flow
Intune Win32 App Issues Troubleshooting Client-Side Process Flow 14

After successful application installation, the Toast message is displayed to the user.

Intune Win32 App Issues Troubleshooting Client-Side Process Flow
Intune Win32 App Troubleshooting Client-Side Process Flow 15

End-User Experience of Intune Win32 App Deployment

Microsoft Intune Software Distribution is completed.

Intune Win32 App Troubleshooting
Intune Win32 App Troubleshooting Client-Side Process Flow 16

Resource:

Author

Vimal has more than ten years of experience in SCCM device management solutions. His main focus is on Device Management technologies like Microsoft Intune, ConfigMgr (SCCM), OS Deployment, and Patch Management. He writes about the technologies like SCCM, Windows 10, Microsoft Intune, and MDT.

44 thoughts on “Intune Win32 App Issues Troubleshooting Client-Side Process Flow”

  1. This is a great article. A lot of stuff I could have used the first time around!

    What log viewer is that?? It’s so hard to read the logs in notepad.

    Reply
  2. Hi,

    I am new to Intune and having used SCCM prior. I don’t see these folders on my Windows 10 desktops. The systems are enrolled and have policies pushed to it as well as having the iSpring MSI package I created to test that.

    Is your client configuration different?

    Reply
  3. The only traces that I can see that Intune is apparently working is the msinstaller in Event Viewer showing the directory c:\windows\system32\config\systemprofile\appdata\local\mdm\ but it is empty after the software installs.

    I tried typing that directory in just in case, it’s really hidden but it is not there.

    Under the specific system from the console, I can see for the Win32 apps say Waiting for Install status and it shows it’s online from the current check-in. Nothing from Event Viewer to indicate this downloaded to even run on the system.

    I was able to deploy Office 365 and so far the other msi I created for testing just having issues with Win32.

    Reply
    • I think there should be a Intune Win32 agent service running on your machine. And the following folder is created ? C:\Program Files(x86)\Microsoft Intune Management Extension
      What are the OS requirements you have given when you create Intune Win32 package from Intune portal? Have you given the correct Windows version?

      Reply
      • I am rebuilding the package, the minimum version is 1607 and the systems are on Pro 1803 or higher. The OS architecture is 64 bit, before it was 32 and 64 selected? To have both selected is to pick one or the other?

        We’ll see how it goes this time.

  4. easy to trouble shoot when nothing goes wrong 🙂

    I get this in the log, trying to move a 4gb package, so i can upgrade windows to 1809 with intune app.
    Its the mediacreation tool iso file repackaged.
    I even removed some file from the package because i couldnt unzip by hand. Im still thinking its something like that, but it unzips neatly manually.

    Reply
      • WTF ?
        It left out all my error details ?
        I hate troubleshooting 😉 No thats not true, I hate troubleshoot when the errors makes no sense..

        When intune is trying to do the final unpack the 3rd in the deploy process I get this error

        },”ErrorDetails”:”System.UnauthorizedAccessException: Access to the path \u0027C:\\Program Files (x86)\\Microsoft Intune Management Extension\\Content\\Staging\\0a056f5d-237c-44f9-af64-3fe847bbf67d_1\\0a056f5d-237c-44f9-af64-3fe847bbf67d_1.zip\u0027 is denied.\r\n at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)\

        I can unzip the package fine by hand, to the same folder even. So it shouldnt be a deep path issue.
        When the portal does give an error its say “Error unzipping the downloaded content, 0x87d30067, which in the only other post i can find, it looks like a path to deep issue.

  5. And the fun goes on.
    I have an app, around 1.1 GB in size.
    It downloads fine to the content incoming folder.
    In the final extraction to the c:\windows\imecache folder, only one folder and around 15mb of data is present. and naturally the installation fails.
    I have tried to download and decrypt the package using this
    https://www.scconfigmgr.com/2019/01/18/how-to-decode-intune-win32-app-packages/
    And all files are present, with the correct folders and all.

    The intune logs dont indicate that the final extraction failed.

    I have excluded the C:\windows\imecache from windows defender.

    Anybody have any idea whats going on here ??

    Reply
      • Yes i did. Nothing
        from The intunemanagementextention.log
        Decryption is done successfully.]LOG]!>
        content is decrypted and verified successfully.]LOG]!>
        Downloaded file size 1,140,824,299.00]LOG]!>
        Downloaded file time 0.00]LOG]!>
        Start unzipping.]LOG]!>
        Unzipping file on session 0 from C:\Program Files (x86)\Microsoft Intune Management Extension\Content\Staging\217258ac-1eca-4175-a774-d60baa8ee4cd_2\217258ac-1eca-4175-a774-d60baa8ee4cd_2.zip to C:\WINDOWS\IMECache\217258ac-1eca-4175-a774-d60baa8ee4cd_2]LOG]!>

        ===Step=== ExecuteWithRetry]LOG]!>
        ExecuteWithRetry Parsing InstallEx…]LOG]!>
        ===Step=== Execute retry 0]LOG]!>

        SetCurrentDirectory: C:\WINDOWS\IMECache\217258ac-1eca-4175-a774-d60baa8ee4cd_2]LOG]!>
        Launch Win32AppInstaller in machine session]LOG]!>

        And when i look in the C:\WINDOWS\IMECache\217258ac-1eca-4175-a774-d60baa8ee4cd_2
        only a handfull of files and 30 mb data

    • Hi Kenneth – Please share more details about the error you are seeing? Did application started installation and later failed ?
      What error are you seeing in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs

      Reply
      • Only error in the intune log was of a failed installation.
        Which makes sense, since the setup.exe I was trying to run didn’t exist in the c:\windows\imecache folder.

        The Application should have been 1+ GB ,but it only extracted around 20mb of data.

  6. I worked around my issue.
    I wrapped the files in a zip archive, and create an install.cmd which calls a ps script to unzip the archive and run the install. and that looks likes its working.

    Seems like intune, sometimes, dont like alot of files / big packages

    Reply
      • I had the same issue (hence why landing here via google). In my case, one of the app filenames had an apostrophe in the filename (‘). It wouldn’t zip via the GUI either. The intunewinapputil packaged it up without complaint, but it seems unzipping client side is handled dirfferently.

        Fortunately my target devices had 7-zip so did something similar to Kenneth. 7-zipd the content, then created and install.bat file which un-7-zipped the wrapped it up with the intunewinapputil

        “C:\Program Files\7-Zip\7z.exe” x Flop1.7z -oUnZ -aoa
        Cd UnZ
        Installapp.exe
        cd ..
        rd /S /Q UnZ

      • I think even if you don’t have 7zip files present in the machine, can’t you use the following method ?
        Create a INSTALL.CMD
        MD C:\RegFile
        Copy “%~dp0*.exe” C:\RegFile /Y
        Copy “%~dp0*.msi” C:\RegFile /Y
        PUSHD C:\RegFile
        Region.msi
        @echo 2.0>C:\RegFile\RegVer2.0.txt
        Del C:\RegFile\*.exe
        Del C:\RegFile\*.msi

  7. Hi Anoop,

    We have a similar issue to Kenneth, We have been deploying an app using Win32 packager, this was working since last November. Now it is not working anymore.
    I can see the in the log it is executing the install.cmd and changing to c:\windows\imecache\.. but the folder is empty.
    This started at the beginning of March.

    Reply
  8. Hi Anoop,

    thanks for the great post.
    In our case, the deployment does not go over the detection phase since it will always run into an timeout and won’t start downloading.
    Did you saw something like that before?

    Looks like:
    query: select * from Win32_Product where IdentifyingNumber='{B850B42F-249D-4C94-8536-B08205EB5C77}’ or IdentifyingNumber=’B850B42F-249D-4C94-8536-B08205EB5C77′

    [Win32App] Exception occurs when ProcessDetectionRules [{“DetectionType”:1,”DetectionText”:”{\”ProductCode\”:\”{B850B42F-249D-4C94-8536-B08205EB5C77}\”,\”ProductVersion\”:null,\”ProductVersionOperator\”:0}”}], the Exception is System.Management.ManagementException: Zeitüberschreitung (german for timeout)
    bei System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
    bei System.Management.ManagementObjectCollection.ManagementObjectEnumerator.MoveNext()
    bei Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.WMIHelper.CheckProductCodeExistsFromWMI(String productCode)
    bei Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.SideCarProductCodeDetectionManager.Detect(SideCarDetectionRuleMetadata sideCarDetectionRuleMetadata)
    bei Microsoft.Management.Clients.IntuneManagementExtension.Win32AppPlugIn.DetectionHelper.ProcessDetectionRules(SideCarApplicationClientPolicy appPolicy, Int32 sessionId)

    I really cnnot get behind this WMI query timeout since the same detection mehtod is working on SCCM.
    Any idea would me much appreaciated.

    Greetings

    Reply
      • Thanks for your help. Seems like it is a WMI-related problem indeed. I tried getting values from Win32_Product with the WMI Explorer and monitored the eventlog WMI-Activity and there I got Error 0x80041003 which translates into Access Denied. So I tried other users e.g. the local administrator with the same result. I could dive into setting up a whitelist for remote WMI queries but in this case I do not even know what to whitelist. Is it possible that some of the newer Defender features like Exploit guard etc are the reason for that?

      • Edit: It just took ages to read the Win32_Product.. around 1 hour? I will try to get around thoose insane query time and report back if I found something. No wonder the Intune-detection phase is canceling the query every time.

  9. Hi Anoop,

    First i push win32 intune apps to a group compose of user account and it works fine but if I push the same package to a device group it does not work. I check the client apps>package>overview monitor> device and user status are empty. I check the manageapps for the specific device member of the said group the apps is not even listed in it. Does Intune support deployment of win32 intune apps to a device group?

    Reply
  10. Hi Anoop,

    I tried to push win32 intune apps to a group compose of user account and it works fine but if I push the same package to a device group it does not work. I check the client apps>package>overview monitor> device and user status are empty. I check the manageapps for the specific device member of the said group the apps is not even listed in it. Does Intune support deployment of win32 intune apps to a device group?

    Reply
  11. Hi Anoop,

    Please ignore my comments. I realized there are multiple record of the same device in AAD due to i have reverted the VM several times. I cleaned up some and retain only the latest one then i rea-dd it in device group then it works.

    Reply
  12. Another great post but I’m hitting a wall troubleshooting. I have an app that requires a “response” file. Basically it’s a text file that records your selection during the GUI install so the app can be installed silently. I have everything I need but I’m having a hard time understanding how I tell Intune to access the response.txt in the Install command. Is it:

    setup.exe -f C:\temp\folder\response.txt -i silent (This is the absolute path from the packaging machine)(I doubt this would work)

    setup.exe -f folder\response.txt -i silent (This would be the relative path)

    setup -f %~dp0response.txt -i silent (A find from our friend Peter V)

    Or do I place the response.txt on the local machine using another script and then call it.

    I’ve tried them all and not sure what would be correct but in any even I get an error during the create installer process. Any ideas what Error code = 2 is?

    Reply
    • Example of the command i normally use in batch file if i have multiple folders: msiexec /i “%~dp0XXXXXX\yyyyyy\zzzz.msi” TRANSFORMS=”%~dp0aaaaaaa.Mst” /l*v “%Windir%\Logs\bbbbbbbbbbb.log” /qn

      However Looks like you are trying to read the response file and install the application..I would suggest
      1, Keep the response file in the current folder where setup.exe is present.
      2, add a command in the batch file to copy response file locally ( example system 32 path)
      3, next command in the batch file is to trigger installation referring the response file in system 32 path

      Reply
  13. Hi I have install Line-Of Business application “BoxDrive” using MSI,
    the application is installed successfully in client however it’s showing error in Intune portal.

    App installation failed
    10/6/2019 8:38:53 AM
    Hide details
    Error code: 0x87D1041C
    The application was not detected after installation completed successfully
    it seem related to Return success code is not exist, however i can’t find anywhere to add that return code.
    any idea how to fix this?
    Thanks
    Dimand

    Reply
  14. Hello Guys,
    I’m getting an 0x80070001 error on some, not all, devices.

    Background.
    The Client App workload was switched for the target devices post targeting the devices from Intune with the Win32 App deployment.

    On the devices that fail, Microsoft Intune Management Extension has installed and can be seen in C:\Program Files (x86). However the C:\ProgramData\Microsoft\IntuneManagementExtensions doesn’t exist!?

    Any thoughts most welcome…KR, Graham

    Reply
    • Hello Neeraj – This works for me. Check the following commands are part of INSTALL.CM
      MD C:\RegFile
      Copy “%~dp0*.reg” C:\RegFile /Y
      Copy “%~dp0*.ps1” C:\RegFile /Y
      PUSHD C:\RegFile
      PowerShell -NoProfile -ExecutionPolicy Bypass -File C:\RegFile\Region.ps1
      @echo 2.0>C:\RegFile\RegVer2.0.txt
      Del C:\RegFile\*.reg
      Del C:\RegFile\*.ps1

      Reply
  15. Do you know how often Intune does “Check applicability” for Required apps? If a user uninstalls a Required Win32 App, how long before Intune checks and redeploys the application?

    Reply
  16. Quick Question.
    Scenario:
    * Intune Autopilot
    * ESP set to install one app
    * Deployment Profile sets user as “Standard”
    * Microsoft Company Portal and few other apps get installed during provisioning

    Question:
    How does Intune allow a non-admin “Standard” user to install apps. Even though they don’t have admin rights they can bypass UAC and are able to install apps. I would love articles or detailed instructions.

    Much appreciated

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.