Troubleshoot app deployment issues in Windows SE
The following table lists common app deployment issues on Windows 11 SE, and options to resolve them:
Problem | Potential solution |
---|---|
App hasn't installed |
|
App has problems when running | It's possible the app is trying to execute a blocked binary Check the AppLocker and CodeIntegrity logs in Event Viewer to see if any executables related to the app are being blocked. If so, you'll need to write a supplemental policy to support the app. |
My supplemental policy hasn't deployed |
AppLocker policy validation
To query AppLocker policies and validate that they're configured correctly, follow these steps:
- Open the Local Security Policy mmc console (
secpol.msc
) - Select Security Settings > Application Control Policies
- Right-click AppLocker and select Export Policy…
- For the policy that sets the Intune Management Extension as a Managed installer, MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE should be nested under a RuleCollection section of Type ManagedInstaller
- For any policies you added to set other executables you want to be managed installers, look for the rules you defined nested under a RuleCollection section of Type ManagedInstaller
AppLocker service
To verify that the AppLocker service is running, follow these steps:
- Open the Services mmc console (
services.msc
) - Verify that the service Application Identity has a status of Running
AppLocker event log validation
- Open the Event Viewer on a target device
- Expand Applications and Services > Microsoft > Windows > AppLocker > MSI and Script
- Check for error events with code 8040, and reference Understanding Application Control event IDs
Intune Management Extension
- Collect diagnostics from a Windows device
- Logs can be collected from
%programdata%\Microsoft\IntuneManagementExtension\Logs