Export (0) Print
Expand All
2 out of 2 rated this helpful - Rate this topic

Troubleshooting Windows Intune Policy

Updated: December 17, 2012

Applies To: Windows Intune

As a first step when troubleshooting problems with Windows Intune Policy, review Policy Status section, which is found in the Policy workspace on the Policy Overview page in the Windows Intune administrator console.

The following are possible causes and solutions to the Unable to apply policies error in Windows Intune.

Possible causes

  • Transient conditions

  • Corrupted Windows Management Instrumentation (WMI)

  • Missing or corrupted WMI classes

  • Corrupted Microsoft Online Management Policy Agent or provider installation

To resolve this issue

  1. Wait for several enactment cycles to finish, and then determine whether the problem persists. If the problem occurred because of transient conditions, it is resolved, and no additional action is required.

  2. If the problem persists, contact Microsoft Support.

The following are possible causes and solutions to the Unable to report results of policy processing error in Windows Intune.

noteNote
You may also have Unable to update policies alerts from the same computer.

Possible causes

  • High volume of conflicting policies for the same settings

  • Windows Update Agent is not working

  • Transient conditions

To resolve this issue

  1. Investigate whether you have seven or more conflicting policies configured to manage the same setting for the same computer. If you do, reduce the number of conflicting policies, and wait for the next enactment cycle to finish.

  2. If the problem persists, check whether the Windows Update Agent is functioning. If it is not functioning, resolve the issue with the agent, and then wait for several enactment cycles to finish. If the problem is resolved, no additional action is required.

  3. If the problem persists, contact Microsoft Support.

The following are possible causes and solutions for the Unable to update policies error in Windows Intune.

noteNote
You may also have Unable to report results of policy processing alerts from the same computer.

Possible causes

  • Windows Update Agent is not working

  • Transient conditions

To resolve this issue

  1. Check whether the Windows Update agent is receiving updates. If it is not receiving updates, resolve the issue with the agent, and then wait for several enactment cycles to finish. If the problem is resolved, no additional action is required.

  2. If the problem persists, contact Microsoft Support.

The following are possible causes and solutions to the Unable to apply one or more policy settings error in Windows Intune.

Possible causes

  • Transient conditions

  • Corrupted Microsoft Online Management Policy Agent or provider installation

  • Missing or corrupted Windows Management Instrumentation (WMI) classes

  • Corrupted WMI

To resolve this issue

  1. Wait for several enactment cycles to finish, and then determine whether the problem persists. If the problem was because of transient conditions, it is resolved, and no additional action is required.

  2. If the problem persists, contact Microsoft Support.

Following are possible causes and solutions to the Policy setting error in Windows Intune.

Possible causes

  • Transient conditions

  • Corrupted Policy Agent or provider installation

  • Missing or corrupted Windows Management Instrumentation (WMI) classes

  • Corrupted WMI

To resolve this issue

  1. Wait for several enactment cycles to finish, and then determine whether the problem persists. If the problem was because of transient conditions, it is resolved, and no additional action is required.

  2. If the problem persists, contact Microsoft Support.

The following are possible causes and solutions to the A policy is not being enacted or refreshed by some computers error in Windows Intune.

  • Cause: The policy is not deployed to computers.

    Solution: For each policy, in the Windows Intune administrator console, click Manage Deployment, and then select groups of computers to which you will deploy the policy.

  • Cause: Some computers to which the policy should be deployed are not part of any group to which the policy is deployed.

    Solution: Determine which groups the computers are in and either deploy the policy to groups that include those computers or add those computers to a group to which the policy is deployed.

    • If you are unsure which computers are in a particular group, in the Groups workspace in the Windows Intune administrator console, click the name of the group, and then click Devices. View the list of computers in the group.

    • If you are unsure which groups include a particular computer, in the Groups workspace, click All Devices, and then select a computer. In the details pane, view the Group Membership information.

    • To add a computer to a group, in the Groups workspace, click All Devices, select the computer, and then click Add to Group.

    • To change the groups to which a policy is deployed, in the Policy workspace, select the policy, and then click Manage Deployment.

  • Cause: Transient conditions are affecting some computers.

    Solution: In the Windows Intune administrator console, review the Policy category in the Alerts workspace. If transient conditions are causing policy to fail, there are alerts that indicate policy failures. Policy will be automatically enacted and refreshed during the next policy enactment cycle, correcting policy failures that are due to transient conditions. If the alerts are repeated for more than two consecutive days, transient conditions are not the cause of the policy failures.

  • Cause: Policy is not being downloaded to the computer because of a problem with Windows Update or the Windows Intune Update Agent.

    Solution: Determine whether updates are reaching computers. In the Windows Intune administrator console, review the Alerts workspace for alerts in the Updates and Policy alert categories, and then view the information about each alert.

  • Cause: The Block all incoming connections policy setting for Windows Firewall is enabled and the computer is running Windows Vista® with no service packs installed.

    Solution: Either install the update associated with article 971800 in the Microsoft Knowledge Base, or, in the Windows Intune administrator console, disable the Block all incoming connections setting.

  • Cause: A mismatch between a policy template in the Windows Intune administrator console and the infrastructure on the computer is causing the policy to fail. This might occur if WMI class definitions are changed, corrupted, or missing.

    Solution: Contact Windows Intune Support.

  • Cause: The policy is not deployed to computers.

    Solution: For each policy, in the Windows Intune administrator console, click Manage Deployment, and then select groups of computers to which you will deploy the policy.

  • Cause: Some computers to which the policy should be deployed are not part of any group to which the policy is deployed.

    Solution: Determine which groups the computers are in and either deploy the policy to groups that include those computers or add those computers to a group to which the policy is deployed.

    • If you are unsure which computers are in a particular group, in the Groups workspace in the Windows Intune administrator console, click the name of the group, and then click Devices. View the list of computers in the group.

    • If you are unsure which groups include a particular computer, in the Groups workspace, click All Devices, and then select a computer. In the details pane, view the Group Membership information.

    • To add a computer to a group, in the Groups workspace, click All Devices, select the computer, and then click Add to Group.

    • To change the groups to which a policy is deployed, in the Policy workspace, select the policy, and then click Manage Deployment.

  • Cause: Transient conditions are affecting some computers.

    Solution: In the Windows Intune administrator console, review the Policy category in the Alerts workspace. If transient conditions are causing policy to fail, there are alerts that indicate policy failures. Policy will be automatically enacted and refreshed during the next policy enactment cycle, correcting policy failures that are due to transient conditions. If the alerts are repeated for more than two consecutive days, transient conditions are not the cause of the policy failures.

  • Cause: Policy is not being downloaded to the computer because of a problem with Windows Update or the Windows Intune Update Agent.

    Solution: Determine whether updates are reaching computers. In the Windows Intune administrator console, review the Alerts workspace for alerts in the Updates and Policy alert categories, and then view the information about each alert.

  • Cause: The Block all incoming connections policy setting for Windows Firewall is enabled in the Windows Intune administrator console and the computer is running Windows Vista® with no service packs installed.

    Solution: Either install the update associated with article 971800 in the Microsoft Knowledge Base, or, in the Windows Intune administrator console, disable the Block all incoming connections setting.

  • Cause: A mismatch between a policy template in the Windows Intune administrator console and the infrastructure on the computer is causing the policy to fail. This may occur if WMI class definitions are changed, corrupted, or missing.

    Solution: Visit the Get Support website.

The following are possible causes and solutions to the A policy did not configure a setting as expected error in Windows Intune.

  • Cause: More than one policy is configured to manage the same setting on a computer.

    Solution: When a setting is configured in two policies that are both deployed to the same computer, only the value from the winning policy is applied.

    • If a computer is a member of two groups, and one policy is deployed to one group, while the other policy is deployed to another group, the policy associated with the deepest group in the group tree structure wins. You can view the group tree structure in the Groups workspace.

    • If both policies are deployed to the same group, or if both groups are at the same depth in the group tree structure, the setting from the policy with the most recent Last Modified Time wins.

  • Cause: Group Policy settings are overriding Windows Intune policy settings.

    Solution: If Windows Intune and Group Policy are configured to manage the same setting on the same computer, the Group Policy setting overrides the Windows Intune policy setting. We recommend that you configure a particular setting by using only Windows Intune or only Group Policy. For more information about how to use Windows Intune and Group Policy in the same environment, see Planning Around Group Policy When Using Windows Intune.

  • Other causes and solutions: See A Policy is Not Being Enacted or Refreshed by Some Computers

If the solutions that are described in this topic do not resolve the issue, visit the website Get Support.

  • Cause: When more than one mobile device security policy is configured to manage the same setting on a mobile device, Windows Intune will display a policy conflict alert.

    Solution:

    • View additional information regarding the policy conflict, click the policy conflict alert and then expand the setting to display the policies that are conflicting, policy names, and target groups the policies are deployed to.

    • To resolve policy conflicts modify the conflicting setting in one of the policies, or modify the groups to which the policies are deployed.

For information about how mobile device security policies are applied, see How Windows Intune Policies are Applied.

For information about how to edit a policy, see Editing a Windows Intune Policy

After you enable mobile device management through Exchange ActiveSync for a user, the user’s mobile device security policy settings should only be configured in the Windows Intune administrator console. Windows Intune will save mobile device security policy to the Exchange server and apply it to the user’s mailbox. If an Exchange administrator modifies the user’s mailbox policy, a policy processing error alert will be generated.

Solution: Redeploy the Windows Intune mobile device security policy that was deployed to the user. When a policy is redeployed, Windows Intune will recalculate and save the mobile device security policy to Exchange and apply it to the user’s mailbox. Complete the following steps to redeploy Windows Intune mobile device security policies.

  • Edit the mobile device security policy that was deployed to the user in question.

  • Select the policy setting that you want to change and note the value of the policy setting.

  • Change the value of the applicable policy setting without saving the policy. Then, change the policy setting to its previous value and click Save Policy.

For more information about how Windows Intune mobile device security policies are applied, see How Windows Intune Policies are Applied.

For information about how to edit a policy, see Editing a Windows Intune Policy.

The following table lists the Windows Intune mobile device security policy error codes, possible causes, and suggested resolutions.

 

Error Code Possible Problem Suggested Resolution

0xA2CE0101

Exchange ActiveSync policy or mailbox was expected and was not found on the Exchange server.

Redeploy your Windows Intune mobile device security policies.

0xA2CE0102

Potential issue with Exchange server.

Ensure that your Exchange server is properly functioning.

 
Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.