Common issues and troubleshooting

Some of the common issues and resolutions that you may encounter with policies and profiles with Intune relate to profile conflicts and Azure AD enrollment.

When two profile settings are applied to the same device, the most restrictive value will be applied. Any settings that are the same in each policy are applied as configured.

If a policy is deployed to a device and is active when a second policy is deployed, then the first policy takes precedence, and it will stay applied. Any conflicting settings are set to the most restrictive values.

You may also consider how different types of policy interact with each other:

• Compliance policy settings have precedence over configuration profile settings.
• If a compliance policy includes the same setting found in another compliance policy, then the most restrictive compliance policy setting will be applied.
• If a configuration policy setting conflicts with a setting in another configuration policy, the conflict will be displayed in Intune. You will need to manually resolve the conflict.

If you configure custom policies, you should know that Intune doesn’t evaluate the payload of a custom Open Mobile Alliance Uniform Resource Identifier (OMA-URI) policy. Intune will deliver the policy without reference to other policies, and this can cause potential conflicts.

You should confirm that the configured settings within a custom policy don’t conflict with compliance, configuration, or other custom policies. For example, if iOS custom policy settings conflict, then the settings are applied randomly.

If Intune policies are not being applied to a specific device, or PowerShell scripts deployed by Intune are not being run, you may need to troubleshoot the client. You should first perform a full reboot of the device by holding down the Shift key and then selecting Shutdown from Start. After powering on the device, the Intune client built into Windows 10 should check whether any changes or new policies are available.

You should allow devices time after rebooting to sync to Intune and receive any changes. Sometimes, the sync can take several minutes to complete, so you may need to be patient. The refresh cycle for device configuration policies can be found in Table 2-8.

Devices won’t receive the policy if the device is not auto-enrolled in Azure AD. To confirm that a device is auto-enrolled, follow these steps:

1. On the client device, open the Settings app.
2. Click Accounts.
3. Under Accounts, click Access work or school.
4. Select the joined account and click Info.
5. Under Advanced Diagnostic Report, select Create report.
6. The MDMDiagReport will be exported to the following location: C:\Users\Public\Documents\MDMdiagnostics.
7. Open the MDMDiagReport in a web browser and locate the Enrolled configuration sources and target resources section.
8. If you cannot find the MDMDeviceWithAAD property, then the device is not auto-enrolled and will need to be enrolled to receive policies.

You can also use the troubleshooting portal of the Microsoft Endpoint Manager admin center to help users at your company to view user information and user enrollment issues, as shown in Figure 2-9.

Figure 2-9 Troubleshoot Intune user issues

Intune can report the following data:

• User status
• Assignments
• Compliance issues
• Device not responding
• Device not getting VPN or WiFi settings
• App installation failure

To access the portal to allow you to troubleshoot user issues in Intune, follow these steps:

9. Sign into the troubleshooting and support area for your tenant at https://aka.ms/intunetroubleshooting as a help desk operator.
10. Review the user information shown in the Troubleshooting + support pane, as described in Table 2-9.

TABLE 2-9 Troubleshoot user enrollment