troubleshoot.md

title	description	ms.date	ms.topic	appliesto
Troubleshoot app deployment issues in Windows SE	Troubleshoot common issues when deploying apps to Windows SE devices.	04/10/2024	tutorial	✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>

Troubleshoot app deployment issues in Windows SE

The following table lists common app deployment issues on Windows 11 SE, and options to resolve them:

Problem	Potential solution
App hasn't installed	Check the type of app: Win32 apps should be able to install with no problem UWP LOB apps apps aren't supported It's possible the app is trying to execute a blocked binary. Check the AppLocker and CodeIntegrity logs in the Event Viewer and verify if any executables related to the app are blocked. If so, you'll need to write a supplemental policy to support the app Check the Intune Management Extension logs to see if there was an attempt to install your app
App has problems when running	It's possible the app is trying to execute a blocked binary Check the AppLocker and CodeIntegrity logs in Event Viewer to see if any executables related to the app are being blocked. If so, you'll need to write a supplemental policy to support the app.
My supplemental policy hasn't deployed	Your XML policy is malformed. Double-check to see if all markup is tagged correctly Check that your policy is correctly applied

AppLocker policy validation

To query AppLocker policies and validate that they're configured correctly, follow these steps:

1. Open the Local Security Policy mmc console (secpol.msc)
2. Select Security Settings > Application Control Policies
3. Right-click AppLocker and select Export Policy… :::image type="content" source="images/applocker-export-policy.png" alt-text="Screenshot of the export of the AppLocker policies from the Local Security Policy mmc console." lightbox="images/applocker-export-policy.png" border="false":::
4. For the policy that sets the Intune Management Extension as a Managed installer, MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE should be nested under a RuleCollection section of Type ManagedInstaller :::image type="content" source="images/applocker-policy-validation.png" alt-text="Screenshot of the xml file generated by the get-applockerpolicy PowerShell cmdlet." lightbox="images/applocker-policy-validation.png":::
5. For any policies you added to set other executables you want to be managed installers, look for the rules you defined nested under a RuleCollection section of Type ManagedInstaller

AppLocker service

To verify that the AppLocker service is running, follow these steps:

1. Open the Services mmc console (services.msc)
2. Verify that the service Application Identity has a status of Running

AppLocker event log validation

1. Open the Event Viewer on a target device
2. Expand Applications and Services > Microsoft > Windows > AppLocker > MSI and Script
3. Check for error events with code 8040, and reference Understanding Application Control event IDs

Intune Management Extension

• Collect diagnostics from a Windows device
• Logs can be collected from %programdata%\Microsoft\IntuneManagementExtension\Logs