Share via

Troubleshoot app deployment issues in Windows SE

Important

Support for Windows 11 SE will end in October 2026

Microsoft will not release a feature update after Windows 11 SE, version 24H2. Support for Windows 11 SE—including software updates, technical assistance, and security fixes—will end in October 2026. While your device will continue to work, we recommend transitioning to a device that supports another edition of Windows 11 to ensure continued support and security.

The following table lists common app deployment issues on Windows 11 SE, and options to resolve them:

Problem Potential solution
App hasn't installed
  • Check the type of app:
    • Win32 apps should be able to install with no problem
    • UWP LOB apps apps aren't supported
  • It's possible the app is trying to execute a blocked binary. Check the AppLocker and CodeIntegrity logs in the Event Viewer and verify if any executables related to the app are blocked. If so, you'll need to write a supplemental policy to support the app
  • Check the Intune Management Extension logs to see if there was an attempt to install your app
    		•
    App has problems when running It's possible the app is trying to execute a blocked binary
    Check the AppLocker and CodeIntegrity logs in Event Viewer to see if any executables related to the app are being blocked. If so, you'll need to write a supplemental policy to support the app.
    My supplemental policy hasn't deployed
  • Your XML policy is malformed. Double-check to see if all markup is tagged correctly
  • Check that your policy is correctly applied
    		•

    AppLocker policy validation

    To query AppLocker policies and validate that they're configured correctly, follow these steps:

    1. Open the Local Security Policy mmc console (secpol.msc)
    2. Select Security Settings > Application Control Policies
    3. Right-click AppLocker and select Export Policy… Screenshot of the export of the AppLocker policies from the Local Security Policy mmc console.
    4. For the policy that sets the Intune Management Extension as a Managed installer, MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE should be nested under a RuleCollection section of Type ManagedInstaller Screenshot of the xml file generated by the get-applockerpolicy PowerShell cmdlet.
    5. For any policies you added to set other executables you want to be managed installers, look for the rules you defined nested under a RuleCollection section of Type ManagedInstaller

    AppLocker service

    To verify that the AppLocker service is running, follow these steps:

    1. Open the Services mmc console (services.msc)
    2. Verify that the service Application Identity has a status of Running

    AppLocker event log validation

    1. Open the Event Viewer on a target device
    2. Expand Applications and Services > Microsoft > Windows > AppLocker > MSI and Script
    3. Check for error events with code 8040, and reference Understanding Application Control event IDs

    Intune Management Extension