Today a short blog post about an issue we had with downloading and installing applications using the Company Portal app on our Windows devices. I hope that, in case you have the same problem, this post saves you some time in troubleshooting and solving the problem, as the fix turned out to be very simple.
We recently faced an issue installing applications deployed with Microsoft Intune. The application installation status in the Company Portal app was stuck with a Download pending status which never finished.
At first, we thought this was a short interruption of services on the Microsoft side, or an issue specific to the country that reported it. But as it lasted longer, we started troubleshooting the problem.
We checked the AppWorkload.log and IntuneManagementExtension.log files on the local devices themselves to start the investigation.
After some investigation of the IntuneManagementExtension.log, we noticed a lot of failed token messages:
Failed to get AAD token. len = 242 using client id fc0f3af4-6835-4174-b806-f7db311fd2f3 and resource id 26a4ae64-5862-427f-a9b0-044e62572a4f, errorCode = 3399614465
And messages related to the requirement of multi-factor authentication (MFA):
AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access ‘00000003-0000-0000-c000-000000000000’. Trace ID: 9cffb4b7-bdc7-497f-9e67-372728931300 Correlation ID: 4d28a93b-70a7-42d1-836a-ebf09380bf2e
The mentioned ID 00000003-0000-0000-c000-000000000000 was immediately recognized as the Microsoft Graph application, which can be found under Enterprise Applications in Azure.
Therefore, we looked at the sign-ins in Entra of several users and noticed lots of failure and interrupted messages for the application Microsoft Intune Windows Agent under User sign-ins (non-interactive).
The IDs in the IME log corresponded to the resource ID in the sign-in failure events.
The one related to Microsoft Graph showed that the user needs to perform multi-factor authentication, as was also shown in the IME log.
User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others.
And the other sign-in failure showed an Application is disabled message. But it didn’t show the AppIdentifier or AppName in the error message.
When we checked related sign-in events from the previous days, they showed that the MFA requirement was satisfied by a claim in the token, for both sign-in events.
Do we really have an application disabled that could cause this issue?
ID fc0f3af4-6835-4174-b806-f7db311fd2f3 was shown in the IME log, related to the AAD token failure, and we can see it’s the ID of the Microsoft Intune Windows Agent application as shown in the sign-in events.
When we searched for the ID in Azure under Enterprise Applications, no application was shown, but it does appear when we search on the name (and its ID corresponds to what we found earlier in the log and sign-ins).
I checked a few other Azure tenants and I can’t find the same application under Enterprise Applications, although I do see in the sign-in events it is being used.
And indeed, the application is disabled, and users cannot access it.
In the audit logs of the application, we can see the AccountEnabled value was recently changed from True to False.
Directly after we re-enabled this application, our clients started downloading applications again!
We saw in the IME logs that AAD tokens were refreshed, and the sign-ins also confirmed the issue was resolved.
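As an added example (not code from the original post), the following PowerShell ties the troubleshooting steps together: it scans the local IntuneManagementExtension.log for the failed-token entries quoted above, then looks up the service principal behind each client id with the Microsoft Graph PowerShell SDK and reports its AccountEnabled value, re-enabling it only when the hypothetical -Fix switch is supplied. The default log path, the regex and the Graph scope are assumptions.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph.Applications module.
param(
    # Assumed default location of the IME log on a managed Windows device.
    [string]$LogPath = "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log",
    # Hypothetical switch: without it the script only reports, it changes nothing.
    [switch]$Fix
)

# 1. Extract client id, resource id and error code from "Failed to get AAD token" entries.
#    The pattern follows the message text shown in the post.
$pattern = 'Failed to get AAD token.*client id (?<client>[0-9a-f-]{36}) and resource id (?<resource>[0-9a-f-]{36}), errorCode = (?<code>\d+)'
$failures = Select-String -Path $LogPath -Pattern $pattern -AllMatches -ErrorAction Stop |
    ForEach-Object { $_.Matches } |
    ForEach-Object {
        [pscustomobject]@{
            ClientId   = $_.Groups['client'].Value
            ResourceId = $_.Groups['resource'].Value
            ErrorCode  = $_.Groups['code'].Value
        }
    }

if (-not $failures) { Write-Host "No failed AAD token entries in $LogPath"; return }

# Summarise how often each client/resource/error combination occurs.
$failures | Group-Object ClientId, ResourceId, ErrorCode |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Check whether the enterprise app (service principal) for each client id is enabled.
#    Application.Read.All is enough for reporting; ReadWrite is only needed with -Fix.
Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome
foreach ($clientId in ($failures.ClientId | Sort-Object -Unique)) {
    $sp = Get-MgServicePrincipal -Filter "appId eq '$clientId'"
    if (-not $sp) {
        # As the post notes, some tenants do not list this app under Enterprise Applications at all.
        Write-Warning "No service principal found for appId $clientId in this tenant"
        continue
    }
    '{0} ({1}): AccountEnabled = {2}' -f $sp.DisplayName, $clientId, $sp.AccountEnabled
    if (-not $sp.AccountEnabled -and $Fix) {
        Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled $true
        Write-Host "Re-enabled $($sp.DisplayName); watch the IME log for refreshed tokens"
    }
}
```

Run it read-only first on an affected device; the Entra audit log for the service principal will show who or what changed AccountEnabled, as described above.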
During troubleshooting, we opened a support case with Microsoft, so we hope to get clarification on what disabled this application. And if this is a more common issue, they will prevent it from happening again. But in the meantime, if you face this issue, you now know how to solve it easily.
4 Comments
Hello,
What if Microsoft Intune Windows agent is not available on Enterprise apps?
Thanks for this. Always good to learn about new ways to troubleshoot problems like this.
I had a look in my tenant and can’t see the Microsoft Intune Windows Agent enterprise app either. I wonder if it’s some kind of custom / alternative method that’s been used in this one(?)
We did not make any customizations on this. It seems the app was just recently created. The app was disabled by Microsoft Online Services.
When checking other tenants on the sign-ins, I also see the app is being used, but the app isn’t found under Enterprise Applications in these tenants.
Thanks for this, we also experienced the exact same symptom and we diagnosed it exactly as you have done, just a few months ago. It also affects Autopilot deployments too if any apps in the deployment are assigned to users. We also found that the app would randomly change the Sign In back to “No” so we’ve been flipping it back manually every so often (we still need to report it to Microsoft). It hasn’t done it for a few weeks now, so I am wondering if you heard back from Microsoft at all about this? Thank you.