Manage app deployment failures using logs and troubleshooting tools

When an app shows a Failed status in your deployment reports, the next step is to find out why. A status indicator tells you something is wrong, but it doesn't tell you what. To resolve failures efficiently, you need to dig deeper using Intune's built-in troubleshooting tools, client-side logs, and diagnostic features.

This unit walks you through the tools available to diagnose app deployment failures and the steps to take when you need to resolve them.

Use the Troubleshoot + support pane

The Troubleshoot + support pane in the Microsoft Intune admin center is your starting point when a user reports that an app hasn't installed. It lets you investigate app status for a specific user and device without searching through broad deployment reports.

To access troubleshooting details for a specific user:

  1. Sign in to the Microsoft Intune admin center.
  2. Select Troubleshoot + support.
  3. Search for the user by name or email address and select the user.
  4. Search for the exact device to narrow the results down to that device.
  5. In the Summary, select the number of failed apps in the Applications section.

This overview gives you a first indication of which applications failed to install on this device. When you select the device, you're redirected to the device details page. When you select the application, you're redirected to that application's User install status view.

Tip

You can access the Troubleshoot + support pane directly at https://aka.ms/intunetroubleshooting to speed up help desk workflows.

If the app failed on a required assignment, you can trigger a manual sync from the device details pane to retry installation immediately, rather than waiting for the device's next scheduled check-in.

Collect and review Win32 app logs

For Win32 apps, the most detailed failure information lives in log files on the managed Windows device itself. The Intune Management Extension (IME) generates these logs as it processes app installations, and they contain step-by-step records of what the agent attempted and where it failed.

Log files are stored at the following path on the client device:

C:\ProgramData\Microsoft\IntuneManagementExtension\Logs

The key log files you'll use for app troubleshooting are:

| Log file | What it records |
|---|---|
| IntuneManagementExtension.log | Agent check-ins, policy requests, processing, and reporting |
| AppWorkload.log | App check-ins, installations, applicability checks, and detection results |
| AppActionProcessor.log | Detection and applicability rule evaluation details |
| AgentExecutor.log | PowerShell script execution during app install |

The most useful file for diagnosing installation failures is AppWorkload.log. It records every step of the installation process, including the exit code returned by the installer. When an installation fails, this log shows you exactly where the process stopped.

Use a log viewer to read log files

Log files from the IME are easier to analyze with a dedicated log viewer. You can use CMTrace or Support Center Log Viewer, also called OneTrace, to read IME log files. CMTrace remains useful for highlighting errors and warnings in timestamped logs. OneTrace is part of the Support Center toolset and adds a tabbed view, which helps when you compare AppWorkload.log with IntuneManagementExtension.log during complex app deployment troubleshooting.

Use the Configuration Manager tools documentation to find the available log viewers, including CMTrace and Support Center Log Viewer. After you open the relevant log file, search for the app name or the string "failed" to locate the relevant entries.
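
The same search can be scripted when you want one time-ordered view across AppWorkload.log and IntuneManagementExtension.log. The following PowerShell is an added example, not part of the original unit or of Microsoft's tooling; it assumes the CMTrace-style entry layout that these log viewers read, and the function names and sample lines are constructed for illustration.

```powershell
# Added example. Assumes CMTrace-style entries:
# <![LOG[message]LOG]!><time="HH:mm:ss.fffffff" date="M-d-yyyy" component="..." ... type="1|2|3" ...>
$LogDir   = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'
$Pattern  = '(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>\d+:\d+:\d+)[^"]*" date="(?<date>[\d-]+)" component="(?<comp>[^"]*)"[^>]*?type="(?<type>\d)"'
$Severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

function ConvertFrom-CMTraceText {
    # Parses raw log text; (?s) lets a message span several lines.
    param([string]$Text, [string]$Source)
    foreach ($m in [regex]::Matches($Text, $Pattern)) {
        $stamp = '{0} {1}' -f $m.Groups['date'].Value, $m.Groups['time'].Value
        [pscustomobject]@{
            Time      = [datetime]::ParseExact($stamp, 'M-d-yyyy H:m:s', [cultureinfo]::InvariantCulture)
            Source    = $Source
            Component = $m.Groups['comp'].Value
            Severity  = $Severity[$m.Groups['type'].Value]
            Message   = $m.Groups['msg'].Value.Trim()
        }
    }
}

function Get-ImeFailureTimeline {
    # Merges both logs into one time-ordered list of warnings, errors, "failed" hits and app-name hits.
    param([string]$AppName, [string]$Path = $LogDir)
    $entries = foreach ($file in 'AppWorkload.log', 'IntuneManagementExtension.log') {
        $full = Join-Path $Path $file
        if (Test-Path $full) { ConvertFrom-CMTraceText -Text (Get-Content $full -Raw) -Source $file }
    }
    $entries | Where-Object {
        $_.Severity -ne 'Info' -or $_.Message -match 'failed' -or
        ($AppName -and $_.Message -match [regex]::Escape($AppName))
    } | Sort-Object Time
}

# Constructed sample lines (not real IME output) so the parser can be tried offline.
$sample = @'
<![LOG[Constructed entry: starting install of Contoso Reader]LOG]!><time="09:14:02.1234567" date="3-14-2024" component="AppWorkload" context="" type="1" thread="5" file="">
<![LOG[Constructed entry: install of Contoso Reader failed,
installer exit code 1603]LOG]!><time="09:14:40.7654321" date="3-14-2024" component="AppWorkload" context="" type="3" thread="5" file="">
'@
ConvertFrom-CMTraceText -Text $sample -Source 'sample' | Where-Object Severity -eq 'Error' | Format-List

# On a managed device, or against a folder of collected logs:
# Get-ImeFailureTimeline -AppName 'Contoso Reader' | Format-Table Time, Source, Severity, Message -Wrap
```

Pass -Path to point the function at logs downloaded through Collect diagnostics instead of the live log folder.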

Important

If your antimalware solution is configured to scan all file system activity, exclude the following directories to prevent it from interfering with app installation:

  • C:\Program Files (x86)\Microsoft Intune Management Extension\Content (x64 devices)
  • C:\windows\IMECache (all devices)

Active scanning of these locations can cause installations to fail unpredictably.

Collect logs through the Intune admin center

For Win32 apps, you can also collect logs directly from the admin center without accessing the device locally. In the Device details pane you can select Collect diagnostics. Intune sends a request to the IME on the device, which packages the relevant logs and uploads them to the admin center where you can download and review them.

This approach is useful when the device is remote or when you're working with a help desk team that doesn't have direct device access.

Run self-help diagnostics

The Microsoft 365 admin center includes automated diagnostic tools that can identify common configuration issues causing app deployment failures. These diagnostics are especially useful when a deployment that should work doesn't, and you're not sure whether the issue is with the device, the user, or the Intune configuration.

Interpret error codes

When an app installation fails, Intune records an error code in the deployment report and the Troubleshoot pane. Understanding the most common error codes helps you resolve failures faster.

Some frequently encountered error codes include:

| Error code | Meaning | Common resolution |
|---|---|---|
| 0x87D1041C | App installed successfully but is no longer detected | The user may have uninstalled the app. Required apps reinstall automatically on the next sync. |
| 0x8000FFFF | Unexpected error during installation | Review client logs for more detail; the root cause varies. |
| 0x80073CFF | Sideloading not enabled on the device | Verify the device is domain-joined or has the AllowAllTrustedApps policy enabled. |
| 0xC7D14FB5 (Android) | App failed to install; root cause undetermined | Check whether the APK is valid and that Google Play Protect isn't blocking the installation. |
| 0x87D13B64 (iOS) | App installation failed | Collect iOS console logs for detailed error information. |

For a complete reference of error codes across platforms, see the Intune app installation error reference.

Resolve common failure scenarios

After identifying the cause of a failure, the resolution path depends on the specific issue:

  • App not reaching the device at all: Verify the user is in the assignment group, the assignment isn't filtered out by an assignment filter, and the device has checked in with Intune recently. For Windows BYOD devices, confirm the user has added a work account to the device.

  • Installation exits with a non-zero code: Review AppWorkload.log for the exit code returned by the installer. Cross-reference the exit code with the application vendor's documentation, because exit codes are application-specific. You may need to adjust installation command-line arguments.

  • Detection rule not matching after install: The app may have installed, but the detection rule doesn't match. Review the detection rule configuration and test it against a device where the app is installed. A common mistake is referencing the wrong registry key or file path in the detection rule.

  • App pending indefinitely: The device may be offline or the IME may not be installed. For Win32 apps, the IME installs automatically when the first Win32 app or PowerShell script is assigned to the device. Verify the device has connected to Intune at least once after the assignment was created.
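
For the detection rule scenario above, you can check on a device where the app is installed what a registry or file rule would actually find. The following PowerShell is an added example, not part of the original unit; the key, value name and file path are hypothetical placeholders. It goes slightly beyond the text by reading the registry through both the 64-bit and the 32-bit view, because a key written by a 32-bit installer is redirected and won't be found at the same path in the 64-bit view.

```powershell
# Added example. The key, value name and file path passed in below are hypothetical placeholders.
function Test-RegistryDetection {
    # Reads the same HKLM subkey through the 64-bit and the 32-bit registry view.
    param([string]$SubKey, [string]$ValueName)
    foreach ($view in [Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        $key  = $base.OpenSubKey($SubKey)
        [pscustomobject]@{
            View      = $view
            KeyExists = $null -ne $key
            Value     = if ($key) { $key.GetValue($ValueName) } else { $null }
        }
        if ($key) { $key.Dispose() }
        $base.Dispose()
    }
}

function Test-FileDetection {
    # Reports whether the file exists and, for executables, the version a rule would compare against.
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path    = $Path
        Exists  = $null -ne $item
        Version = if ($item) { $item.VersionInfo.FileVersion } else { $null }
    }
}

Test-RegistryDetection -SubKey 'SOFTWARE\Contoso\Reader' -ValueName 'Version' | Format-Table
Test-FileDetection -Path 'C:\Program Files\Contoso\Reader\reader.exe' | Format-List
```

If the key shows up only under the Registry32 view, compare that with how the detection rule in the app's configuration is set to treat 32-bit apps on 64-bit clients.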

A consistent troubleshooting approach, starting with the admin center, moving to client logs when needed, and using diagnostics to catch configuration issues, helps you resolve app failures systematically. The combination of error codes, log files, and Intune's built-in tools gives you most of what you need to get apps installing reliably across your managed device fleet.