Understand the troubleshooting workflow in Microsoft Intune


When you manage a fleet of devices across platforms, you'll hit cases where a policy fails to apply, an app won't install, or a device falls out of compliance. Without a structured approach, diagnosing these issues in Microsoft Intune wastes time.

A systematic troubleshooting workflow helps you isolate the root cause, determine whether the issue is service-side or client-side, and apply the correct remediation.

Here is the recommended phase-by-phase workflow for investigating device and policy issues in Microsoft Intune.

Phase 1: Information gathering and scoping

Before changing any policies or asking the user to reset their device, you must define the exact scope of the problem.

  1. Identify the user and device: Get the exact User Principal Name (UPN) and the specific device name or hardware ID. Users often have multiple enrolled devices. You need to know exactly which one is failing.
  2. Define the expected vs. actual behavior: What should be happening (e.g., "The VPN profile should install silently") versus what is actually happening (e.g., "The VPN profile says 'Error' in the console and the user cannot connect").
  3. Determine the scope: Is this affecting a single user, a specific department, a specific hardware model, or the entire organization?

Tip

If it affects everyone, it is likely a backend service issue or a globally assigned policy error. If it affects one person, it is likely a local device state or specific group membership issue.
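The same scoping can be done from Microsoft Graph PowerShell instead of the console. The block below is an added example, not code from this module: it lists every device enrolled for the UPN (so you can pin down which one is failing), flags devices that haven't synced in 30 days, and then compares the failing device's compliance state with other devices of the same model to decide between "one device" and "whole fleet" scope. It assumes the Microsoft.Graph.Users and Microsoft.Graph.DeviceManagement modules are installed and that you can consent to DeviceManagementManagedDevices.Read.All; the UPN and device name are placeholders.

```powershell
# Added example, not code from the Intune module. Scopes an issue with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph.Users and Microsoft.Graph.DeviceManagement modules are installed;
# $Upn and $DeviceName are placeholders you replace with the values gathered in Phase 1.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

$Upn        = 'jdoe@contoso.example'   # placeholder UPN
$DeviceName = 'DESKTOP-FINANCE12'       # placeholder device name
$StaleAfter = (Get-Date).AddDays(-30)   # same 30-day check-in threshold the portal uses

# Step 1: every managed device enrolled for this user, so you know exactly which one is failing.
$userDevices = Get-MgUserManagedDevice -UserId $Upn -All
$userDevices |
    Select-Object DeviceName, Id, AzureAdDeviceId, SerialNumber, OperatingSystem, Model,
                  ComplianceState, LastSyncDateTime,
                  @{ n = 'Stale'; e = { $_.LastSyncDateTime -lt $StaleAfter } } |
    Format-Table -AutoSize

$failing = $userDevices | Where-Object DeviceName -eq $DeviceName
if (-not $failing) { throw "No managed device named '$DeviceName' is enrolled for $Upn." }

# Step 3: scope. Compare the failing device with every other device of the same model.
# Filtering is client-side; on a large tenant narrow the query (for example by OS) before -All.
$sameModel = Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.Model -eq $failing.Model -and $_.Id -ne $failing.Id }

$summary = $sameModel | Group-Object ComplianceState | Select-Object Name, Count
$summary | Format-Table -AutoSize

# Reading the result: if the other devices of this model are compliant and only $failing is not,
# suspect local device state or this user's group membership (Phases 3 and 5).
# If most of the model is noncompliant, suspect the policy or the service (Phases 2 and 4).
"{0} other {1} devices: {2}" -f $sameModel.Count, $failing.Model,
    (($summary | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', ')
```

Record the Id, AzureAdDeviceId and SerialNumber columns for the failing device at this point; Phase 6 asks for them in the support ticket.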

Copilot device comparison

If Copilot is active in your tenant, use a device comparison prompt to compare a working device with the failing device.

The prompt looks like: "Compare this device to Desktop01"

The result shows the devices' similarities and differences. A possible result looks like this:

Root Cause:

The key difference is TPM status. DESKTOP-FINANCE05 has TPM enabled, allowing BitLocker to activate. DESKTOP-FINANCE12's TPM is disabled, preventing BitLocker encryption.

Recommendation:

Enable TPM on DESKTOP-FINANCE12's firmware (BIOS/UEFI) to match DESKTOP-FINANCE05's configuration.

Treat the stated root cause as a hypothesis: confirm it against the device's actual state (here, the TPM status reported by Windows, for example in tpm.msc or Get-Tpm) before changing firmware settings or closing the case.

Phase 2: Check Intune service health

Never spend hours troubleshooting a local device if the cloud service itself is experiencing an outage.

  1. Navigate to Tenant administration > Tenant status in the Intune admin center.
  2. Check for any active Service Incidents or Advisories that match the symptoms you are investigating (e.g., delays in policy delivery or enrollment failures).
  3. If there is an active incident, halt local troubleshooting and wait for Microsoft to resolve the cloud infrastructure issue.

Phase 3: Use the Intune Troubleshooting portal

If the service is healthy, use Intune's built-in, user-centric diagnostic hub.

  1. In the admin center, go to Troubleshooting + support > Troubleshoot.
  2. Click Select user and enter the affected user's UPN.
  3. Analyze the dashboard:
    • Account status: Verify their Intune license is active.
    • Group memberships: Ensure they are actually a member of the Microsoft Entra ID group targeted by your failing policy.
    • Device status: Confirm the device record is active and compliant, and note the last check-in time. A device that hasn't synced in 30 days is stale and won't receive new policy until it checks in again.
    • Enrollment failures: Look for recent blocks caused by enrollment restrictions.

Phase 4: Investigate policy and app deployment status

If the user account and device look healthy in the Troubleshooting portal, drill down into the specific payload that is failing.

  1. Navigate to Devices > All devices and select the affected endpoint.
  2. Select Device configuration or Managed apps from the left menu.
  3. Locate the specific policy or app that is failing.
  4. Click on the item to view the exact Error Code or status.
    • Look for Conflicts: A "Conflict" state means you deployed two profiles with contradictory settings to the same device. Intune applies neither setting until you resolve the overlap.

Phase 5: Client-side log analysis

If the Intune console shows the policy was sent successfully, but the device is still not behaving correctly, the issue is on the local endpoint. The client might be failing to process the command.

  • For Windows: Instruct the user to manually sync the device (Settings > Accounts > Access work or school > select the account > Info > Sync). If it still fails, use the Collect diagnostics remote action on the device in the admin center, or pull the local MDM client log in Event Viewer under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin; its error events carry the result code the client received for the failing setting.
  • For iOS/Android: Ask the user to open the Intune Company Portal app and use the Send logs feature to generate a diagnostic report.
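For a Windows endpoint, the collection can be scripted rather than clicked through. The block below is an added example, not code from this module: it triggers an MDM check-in from the scheduled task the enrollment client registers, exports the errors and warnings from the DeviceManagement-Enterprise-Diagnostics-Provider Admin log, pulls out the hex result codes you will need for a ticket, and packages a full client-side bundle with the built-in MdmDiagnosticsTool. It assumes an elevated PowerShell session on the affected device and a placeholder output folder.

```powershell
# Added example, not code from the Intune module. Run in an elevated PowerShell
# session on the affected Windows device. $OutDir is a placeholder.
$OutDir = 'C:\Temp\IntuneDiag'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Step 1: force an MDM sync without walking the user through Settings.
# The enrollment client registers "Schedule #3 created by enrollment client"
# under \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\; starting it triggers a check-in.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
    Where-Object TaskName -like 'Schedule #3*' |
    Start-ScheduledTask
Start-Sleep -Seconds 60   # let the sync run and write its events

# Step 2: errors and warnings the MDM client logged in the last 24 hours.
$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Level     = 2, 3                          # 2 = Error, 3 = Warning
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$events |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Export-Csv -Path (Join-Path $OutDir 'mdm-admin-events.csv') -NoTypeInformation

# Step 3: the hex result codes (for example 0x80070002) are what Phase 6 asks you to put in the ticket.
$codes = foreach ($e in $events) {
    if ($e.Message -match '0x[0-9A-Fa-f]{8}') { $Matches[0] }
}
$codes | Group-Object | Sort-Object Count -Descending |
    Select-Object @{ n = 'ResultCode'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Step 4: full client-side bundle (enrollment, provisioning, Autopilot areas) as a .cab,
# produced by the built-in MdmDiagnosticsTool; attach it to the ticket alongside Collect diagnostics output.
MdmDiagnosticsTool.exe -area 'DeviceEnrollment;DeviceProvisioning;Autopilot' `
    -cab (Join-Path $OutDir 'mdm-diag.cab')
```

If the task in step 1 is not found, the device is not MDM-enrolled at all, which moves the investigation back to the enrollment failures view in Phase 3.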

Phase 6: Remediation or escalation

Based on the evidence you gathered in the previous phases, take action:

  • Remediate: Fix the conflicting policy, adjust the Microsoft Entra ID group membership, or remove the stale device record.
  • Escalate: If client logs indicate a severe OS-level failure, or if you suspect a bug in the Intune service, use the Help and support node to open a formal ticket with Microsoft Support. Include the exact UPN, Device ID, and error codes you gathered in Phase 1 and Phase 4.

Copilot scenarios for the help desk

If Copilot is active in your tenant, your help desk can resolve common troubleshooting scenarios faster.

Each scenario lists the user's reported issue, the investigation prompt to give Copilot, what Copilot reveals, and the resolution.

  • User issue: "I can't access company email"
    Investigation prompt: "Why is this device noncompliant?"
    What Copilot reveals: Device blocked by Conditional Access due to a password policy violation
    Resolution: Guide the user to reset their password to meet the 12-character requirement
  • User issue: "My apps won't install"
    Investigation prompt: "Why didn't [App Name] install?"
    What Copilot reveals: Insufficient disk space (4 GB required, 1.2 GB available)
    Resolution: Run a Disk Cleanup script, move files to OneDrive, retry the installation
  • User issue: "Device shows as noncompliant"
    Investigation prompt: "Compare this device to [working device]"
    What Copilot reveals: TPM disabled in firmware while the working device has TPM enabled
    Resolution: Enable TPM in the BIOS/UEFI settings
  • User issue: "Can't find devices needing updates"
    Investigation prompt: "Show me devices that haven't checked in to Intune in 30 days"
    What Copilot reveals: List of stale devices with last check-in dates
    Resolution: Contact the users to reconnect their devices to the network

Beyond natural-language prompts, Intune also includes Security Copilot agents that automate specific operational tasks. You can access them in the Microsoft Intune admin center under Agents, and using them requires a Security Copilot license.

Intune agents:

  • Change Review Agent: Evaluates Multi Admin Approval requests for PowerShell scripts and recommends actions (for example, approve or reject).
  • Device Offboarding Agent: Identifies stale or misaligned devices across Intune and Microsoft Entra ID and provides actionable offboarding recommendations.
  • Policy Configuration Agent: Converts plain-language requirements and benchmarks into recommended Intune settings, and can help create policies.
  • Vulnerability Remediation Agent: Uses Microsoft Defender vulnerability signals to help prioritize remediation work.

Best practices for using Copilot in Intune

  • Start with Copilot for initial triage. Get a device summary before you dig into detailed logs and reports, which can save 15-20 minutes per troubleshooting session.
  • Ask for remediation steps. Don't just ask "What's wrong?" Ask "How do I fix this?" to get actionable guidance with specific commands or configuration changes.
  • Use device comparison for isolation problems. When one device fails while similar devices work, compare configurations to identify the difference causing the issue.