Troubleshoot policies and configuration profiles in Microsoft Intune - Intune (2024)


This article provides troubleshooting guidance for common issues related to policies and configuration profiles in Microsoft Intune, including instructions on how to use the built-in Intune troubleshooting feature.

Use the built-in Troubleshoot pane

You can use the built-in troubleshooting feature to review different compliance and configuration statuses.

  1. In the Microsoft Intune admin center, select Troubleshooting + support > Troubleshoot.


  2. Choose Select user > select the user having an issue > Select.

  3. Confirm that Intune license shows the green check:


    Helpful links:

    • Assign licenses so users can enroll devices
    • Add users to Intune
  4. Under Devices, find the device having an issue. Review the different columns:

    • Managed: For a device to receive compliance or configuration policies, this property must show MDM or EAS/MDM.

      • If Managed isn't set to MDM or EAS/MDM, then the device isn't enrolled. It doesn't receive compliance or configuration policies until it's enrolled.

      • App protection policies (mobile application management) don't require devices to be enrolled. For more information, see create and assign app protection policies.

    • Microsoft Entra join Type: Should be set to Workplace or AzureAD.

      • If this column is Not Registered, there may be an issue with enrollment. Typically, unenrolling and re-enrolling the device resolves this state.
    • Intune compliant: Should be Yes. If No is shown, there may be an issue with compliance policies, or the device isn't connecting to the Intune service. For example, the device may be turned off, or may not have a network connection. Eventually, the device becomes non-compliant, possibly after 30 days.

      For more information, see get started with device compliance policies.

    • Microsoft Entra compliant: Should be Yes. If No is shown, there may be an issue with compliance policies, or the device isn't connecting to the Intune service. For example, the device may be turned off, or may not have a network connection. Eventually, the device becomes non-compliant, possibly after 30 days.

      For more information, see get started with device compliance policies.

    • Last check in: Should be a recent time and date. By default, Intune devices check in every 8 hours and the Last check-in value also updates every 8 hours in the Intune portal.

      • If Last check in is more than 24 hours ago, there may be an issue with the device. A device that can't check in can't receive your policies from Intune.

      • To force check-in:

        • On the Android device, open the Company Portal app > Devices > Choose the device from list > Check Device Settings.
        • On the iOS/iPadOS device, open the Company portal app > Devices > Choose the device from list > Check Settings.
        • On a Windows device, open Settings > Accounts > Access Work or School > Select the account or MDM enrollment > Info > Sync.
    • Select the device to see policy-specific information.

      Device Compliance shows the states of compliance policies assigned to the device.

      Device Configuration shows the states of configuration policies assigned to the device.

      If the expected policies aren't shown under Device Compliance or Device Configuration, then the policies aren't targeted correctly. Open the policy, and assign the policy to this user or device.

      Policy states:

      • Not Applicable: This policy isn't supported on this platform. For example, iOS/iPadOS policies don't work on Android. Samsung KNOX policies don't work on Windows devices.
      • Conflict: There's an existing setting on the device that Intune can't override. Or, you deployed two policies with the same setting using different values.
      • Pending: The device hasn't checked into Intune to get the policy. Or, the device received the policy but hasn't reported the status to Intune.
      • Errors: Look up errors and possible resolutions at Troubleshoot company resource access problems.
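
The column checks in step 4 can be applied to many devices at once. The following is an added example, not part of the original article or a Microsoft tool: it triages a constructed device list using the expected values stated above. The CSV layout, column names, and device names are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows. Column names mirror the Troubleshoot pane columns
# described above; they are an assumption, not a documented export schema.
SAMPLE_CSV = """\
Device,Managed,Join type,Intune compliant,Entra compliant,Last check in
LAPTOP-01,MDM,AzureAD,Yes,Yes,2024-05-01T09:30:00Z
PHONE-02,EAS/MDM,Workplace,No,No,2024-04-02T08:00:00Z
TABLET-03,None,Not Registered,No,No,
LAPTOP-04,MDM,AzureAD,Yes,Yes,2024-04-29T07:00:00Z
"""

ENROLLED = {"MDM", "EAS/MDM"}        # values that mean the device is enrolled
JOINED = {"Workplace", "AzureAD"}    # expected Microsoft Entra join types
STALE_AFTER = timedelta(hours=24)    # check-in age that suggests a device problem


def triage_row(row, now):
    """Apply the step 4 column checks to one device row and return findings."""
    if row["Managed"] not in ENROLLED:
        # An unenrolled device gets no policy, so the other columns can wait.
        return [f"not enrolled: Managed is {row['Managed']!r}"]
    findings = []
    if row["Join type"] not in JOINED:
        findings.append(f"join type is {row['Join type']!r}; consider re-enrolling")
    for col in ("Intune compliant", "Entra compliant"):
        if row[col] != "Yes":
            findings.append(f"{col} is {row[col]!r}")
    raw = (row["Last check in"] or "").strip()
    if not raw:
        findings.append("no check-in recorded")
    else:
        age = now - datetime.fromisoformat(raw.replace("Z", "+00:00"))
        if age > STALE_AFTER:
            findings.append(f"last check-in {age.days}d {age.seconds // 3600}h ago; force a sync")
    return findings


def triage(csv_text, now):
    """Map each device name to its list of findings (empty list means healthy)."""
    return {r["Device"]: triage_row(r, now) for r in csv.DictReader(io.StringIO(csv_text))}


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed "now" for the sample
    for device, findings in triage(SAMPLE_CSV, now).items():
        print(device, "OK" if not findings else "; ".join(findings))
```

The enrollment check runs first because a device that isn't enrolled receives no compliance or configuration policies, which makes its other columns uninformative.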

Check tenant status

Check the Tenant Status and confirm the subscription is Active. You can also view details for active incidents and advisories that may impact your policy or profile deployment.

Confirm a configuration profile is correctly applied

  1. Sign in to the Microsoft Intune admin center.

  2. Select Devices > All devices > select the device > Device configuration.

    Every device lists its profiles. Each profile has a Status. The status applies when all of the assigned profiles, including hardware and OS restrictions and requirements, are considered together. Possible statuses include:

    • Conforms: The device received the profile and reports to Intune that it conforms to the setting.

    • Not applicable: The profile setting isn't applicable. For example, email settings for iOS/iPadOS devices don't apply to an Android device.

    • Pending: The profile is sent to the device, but the device hasn't reported the status to Intune. For example, encryption on Android requires the user to enable encryption, and might show as pending.

For more information, see Monitor device profiles in Microsoft Intune.

Saving of Access Rules to Exchange has Failed

Issue: You receive the alert Saving of Access Rules to Exchange has Failed in the admin console.

If you create policies in the Exchange On-Premises Policy workspace (Admin console), but are using Microsoft 365, then the configured policy settings aren't enforced by Intune. In the alert, note the policy source. Under the Exchange On-premises Policy workspace, delete the legacy rules. The legacy rules are Global Exchange rules within Intune for on-premises Exchange, and aren't relevant to Microsoft 365. Then, create a new policy for Microsoft 365.

For more help, see Troubleshoot the Intune on-premises Exchange connector.

Can't change security policies for enrolled devices

Windows 10 devices may not remove security policies when you unassign the policy (stop deployment). You may need to leave the policy assigned, and then change the security settings back to the default values.

Depending on the device platform, if you want to change the policy to a less secure value, you may need to reset the security policies.

For example, in Windows 8.1, on the desktop, swipe in from the right to open the Charms bar. Choose Settings > Control Panel > User Accounts. On the left, select the Reset Security Policies link, and choose Reset Policies.

Other platforms, such as Android, and iOS/iPadOS may need to be retired and re-enrolled to apply a less restrictive policy.


FAQs

How to troubleshoot Intune policies?

Use the built-in Troubleshoot pane
  1. In the Microsoft Intune admin center, select Troubleshooting + support > Troubleshoot.
  2. Choose Select user > select the user having an issue > Select.
  3. Confirm that Intune license shows the green check: Helpful links: ...
  4. Under Devices, find the device having an issue.
Dec 5, 2023

How do I check my Intune configuration profile?

In Intune, select Devices > All Devices > select an existing device in the list. An end user can get the device name from their Company Portal app. Select Device configuration. All configuration policies that apply to the device are listed.

How do I troubleshoot devices in Intune?

Sign in to Microsoft Intune admin center. Select Troubleshooting + support > Troubleshoot. Find and select a User by entering a display name or email. If the user has multiple devices, filter by Device.

How do I check my Intune policy?

View existing policies
  1. Sign in to the Microsoft Intune admin center.
  2. Select Devices > Configuration > Policies tab.

How often do Intune configuration profiles run?

New or modified Configuration Profiles apply relatively quickly to Intune managed Windows devices. Unchanged Configuration Profiles, however, are only reapplied/checked once every 8 hours.

What are configuration profiles in Intune?

Intune configuration profiles are the way to transition these security controls to the cloud. To give you an idea of the kind of configuration profiles you can create, see Apply features and settings on your devices using device profiles in Microsoft Intune.

How to assign configuration profile in Intune?

Assign a policy to users or groups
  1. Sign in to the Microsoft Intune admin center.
  2. Select Devices > Configuration. ...
  3. Select the profile you want to assign > Properties > Assignments > Edit: ...
  4. Under Included groups or Excluded groups, choose Add groups to select one or more Microsoft Entra groups. ...
  5. Select Review + Save.
Mar 20, 2024

What is configuration profile in MDM?

Configuration profiles automate the configuration of settings, accounts, restrictions and credentials. These files can be created by an MDM solution or Apple Configurator for Mac, or they can be created manually.

What are configuration profiles?

Configuration profiles are intended for managing the settings or configurations of different device features in a remote and centralized way. Each configuration profile defines a range of settings concerning a specific feature. Each device can have multiple configuration profiles assigned to it.

How do I use Intune device diagnostics?

To use the Collect diagnostics action:
  1. Sign in to the Microsoft Intune admin center.
  2. Navigate to Devices > Windows > select a supported device.
  3. On the device's Overview page, select … > ...
  4. To see the status of the action, select Device diagnostics monitor.
Apr 22, 2024

How do I reset my Intune settings?

To reset a device to its original, out-of-box settings:
  1. Open the Company Portal app on any enrolled device and sign in with your work or school account.
  2. Select DEVICES.
  3. Select the device you want to reset.
  4. Next to Rename, select the ellipses button > Factory reset.
  5. Select Reset to start wiping the device.
Nov 22, 2023

What are the challenges of Intune?

One of the primary challenges with Intune deployment is compatibility issues. This can include compatibility with the hardware, operating system, or software used by the organization. Organizations may not have the required expertise or resources to manage the deployment and configuration of Intune.

Where can I manage Intune policies?

In order to configure policies and profiles on devices, you need to assign policies and profiles to security groups and then manage Intune devices through security groups. To include or exclude groups to an assigned policy or profile: Navigate to Endpoints > Policy Management.

Where to find Intune policies in registry?

If Intune successfully deploys the Windows Update ring policies to the target device, those settings appear in the Registry Editor under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Update.

How does Intune policy work?

Intune, on the other hand, does policy computation in the cloud before a device checks in. It pulls together all the Policy objects and the Policy settings within them, along with group targeting configuration, to build a device's Effective policy — a document of all the stuff that needs to apply at the next check-in time.

How do I refresh Intune policies?

Sync Intune Policies from Company Portal App

Click Start and launch the Company Portal app. Click on Settings and select Sync to synchronize your device with the latest updates from MS Intune. The Company Portal app initiates the sync. It takes a while to synchronize the latest Intune policies.

How will you resolve the issue related to Intune company portal?

Company Portal Temporarily Unavailable

Cause: The Company Portal app on the device is out of date or corrupted. Solution: Remove the Intune Company Portal app from the device. On the device, open the browser, browse to https://portal.manage.microsoft.com, and try a user login.

Where are the Intune error logs?

Intune log file location is C:\ProgramData\Microsoft\IntuneManagementExtension\Logs.

Article information

Author: Aron Pacocha
