Troubleshoot device configuration and policy application issues

When you deploy device configuration profiles and compliance policies across your organization, you expect them to apply automatically to managed devices. Yet sometimes policies don't apply as expected. A device might show a conflicting setting, remain in a pending state, or fail outright. Without a systematic troubleshooting approach, diagnosing these issues becomes time-consuming and frustrating.

To troubleshoot policy application, you first need visibility into how your policies are performing across your devices. Intune displays policy status at multiple levels: deployment overview, per-device status, and per-setting details.

Start by checking the overall deployment status of a configuration or compliance policy. In the Intune admin center, navigate to Devices > Configuration profiles or Devices > Compliance policies, then select the policy you want to investigate. The policy details page shows:

  • Success: The policy applied to the device without issues
  • Error: The policy encountered a problem during application
  • Pending: The device hasn't yet communicated with Intune to receive the policy
  • Not applicable: The policy targets a different platform (for example, an iOS policy on a Windows device)
  • Conflict: The device received conflicting settings from multiple policies

Understanding these status values is critical. A device in "pending" status might simply need more time to sync, while "error" status indicates a problem requiring investigation.

Identify specific device and policy problems

Once you find a policy with failures or errors, drill down to the per-device level. Select the policy, then choose Device status or User status (depending on whether you assigned the policy to devices or users). This view shows which specific devices or users are affected and their individual status.

For greater detail, select a specific device to see per-setting status. This tells you exactly which configuration settings within the policy failed to apply. Perhaps the encryption setting applied successfully but the password requirement failed. This level of granularity helps you narrow your investigation.

You can also check from the device perspective. In the Intune admin center, go to Devices > All devices, select a device, then view Configuration and Compliance to see all policies assigned to that device and their application status. This view helps you spot conflicts where the same setting is configured differently in multiple policies.

Use Intune's built-in troubleshooting tools

Intune includes dedicated troubleshooting tools in the Troubleshooting + Support blade. This feature helps you diagnose configuration and enrollment issues without manually reviewing logs.

The Troubleshooting + Support tool allows you to:

  • Look up a specific user or device
  • View sign-in events and device compliance status
  • Check enrollment status and device join type
  • Inspect policy assignments and identify why a policy didn't assign to a device
  • Review recent sync and compliance check history

This tool consolidates information that would otherwise require checking multiple pages, making diagnosis faster and more reliable.

Understand common causes of policy failures

Most policy application failures stem from a handful of common root causes. Knowing these helps you investigate systematically:

Incorrect group assignment: The policy is targeted to a user or device group, but the device's user or the device itself doesn't belong to that group. Verify group membership and check whether dynamic group rules are evaluating the device correctly.

Filter logic issues: If you used assignment filters to refine policy scope, a filter rule might be excluding your device. Review the filter conditions and ensure they match the device's attributes.

Device not enrolled or not compliant: Some policies, particularly compliance policies, require the device to meet base enrollment and compliance requirements first. A device that hasn't checked in recently or remains non-compliant might not be eligible to receive certain policies.

Licensing issues: Some advanced policies or features require specific Intune or Microsoft 365 licensing. Verify that the user's or device's subscription includes the necessary license.

Device connectivity or sync delays: A device that's offline or hasn't synced with Intune recently won't receive policy updates immediately. Pending status often resolves after the next sync cycle.

Conflicting policy settings: When multiple policies assign conflicting values for the same setting, Intune doesn't know which to apply. Identify and remove the conflict by editing one of the policies or reassigning them to different groups.

Apply a troubleshooting workflow

When a policy isn't applying as expected, follow this systematic workflow:

  1. Verify assignment: Check that the policy is assigned to the correct group. View the policy's assignment settings and confirm the user or device belongs to that group. If you used filters, review the filter conditions.

  2. Check device eligibility: Go to the device's details page and verify it's enrolled, compliant (if required), and holds the necessary license. Ensure the device platform matches the policy's target platform.

  3. Review status reports: Check the policy's per-device and per-setting status reports. Look for error messages or specific setting failures that reveal the problem.

  4. Run device sync: Request a manual sync on the device. The device might have pending status simply because it hasn't checked in recently. A sync often resolves the issue.

  5. Use the Troubleshooting tool: If the issue persists, use the Troubleshooting + Support blade to get a detailed view of the device's enrollment, compliance, and policy assignment status. Look for error codes or messages.

  6. Check for conflicts: If the policy is assigned but specific settings didn't apply, review other policies assigned to the same device. Identify any settings that conflict or overlap.

  7. Resolve the root cause: Based on your findings, take action: adjust the group assignment, refine filters, remove conflicting policies, or update the device's compliance status.

Tip

When troubleshooting intermittent issues, check the device's last sync time. Devices in low-connectivity environments might have stale policy status. Requesting a manual sync often resolves pending or error states that are simply waiting for the next communication cycle.
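The triage order from the workflow above can also be applied in bulk to exported status data. The following Python sketch is an added example, not Microsoft code or an Intune API: the record layout, policy names, device names, and the 7-day stale-sync threshold are all assumptions constructed for illustration. It flags platform mismatches, decides whether a pending device needs a manual sync, and names the settings that two assigned policies set to different values.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data. Field names and the 7-day threshold are assumptions
# for this example, not an Intune export schema or an Intune default.
NOW = datetime(2024, 5, 20, 12, 0, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=7)

POLICIES = {
    "Win-Encryption": {"platform": "Windows",
                       "settings": {"RequireEncryption": True, "MinPasswordLength": 8}},
    "Win-Kiosk": {"platform": "Windows", "settings": {"MinPasswordLength": 12}},
    "iOS-Restrictions": {"platform": "iOS", "settings": {"BlockCamera": True}},
}
DEVICES = [
    {"name": "LAPTOP-01", "platform": "Windows", "last_sync": NOW - timedelta(days=12),
     "status": {"Win-Encryption": "Pending"}},
    {"name": "LAPTOP-02", "platform": "Windows", "last_sync": NOW - timedelta(hours=3),
     "status": {"Win-Encryption": "Conflict", "Win-Kiosk": "Conflict",
                "iOS-Restrictions": "Not applicable"}},
]

def find_conflicts(policy_names):
    """Map each setting to {policy: value} when assigned policies disagree on it."""
    seen = {}
    for name in policy_names:
        for setting, value in POLICIES[name]["settings"].items():
            seen.setdefault(setting, {})[name] = value
    return {s: v for s, v in seen.items() if len(set(v.values())) > 1}

def triage(device):
    """Return (subject, next step) pairs following the workflow order."""
    findings, applicable = [], []
    stale = NOW - device["last_sync"] > STALE_AFTER
    for policy, status in device["status"].items():
        if status == "Not applicable":
            if POLICIES[policy]["platform"] != device["platform"]:
                findings.append((policy, "platform mismatch: review assignment or filter"))
            continue
        applicable.append(policy)
        if status == "Pending":
            findings.append((policy, "request manual sync" if stale else "wait for next sync"))
        elif status == "Error":
            findings.append((policy, "review per-setting status for the failing setting"))
    for setting, values in sorted(find_conflicts(applicable).items()):
        detail = ", ".join(f"{p}={v}" for p, v in sorted(values.items()))
        findings.append((setting, f"conflicting values: {detail}"))
    return findings

if __name__ == "__main__":
    for device in DEVICES:
        for subject, step in triage(device):
            print(f"{device['name']}: {subject}: {step}")
```
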

By combining these monitoring, diagnostic, and troubleshooting techniques, you can quickly identify and resolve policy application issues, keeping your device fleet properly configured and compliant.