Usage guide: Intune client continuity

The Intune client continuity library pack enables EUC teams to:

  • Identify common Intune client issues

  • Automatically apply fixes for the most common Intune client issues

  • Report, through an ITSM ticket, the cases where automatic fixes were not available or did not help

Library pack uses

Jump to Use cases on this page to see relevant scenario applications.

Use the library pack content for the following purposes.

Visibility

The Intune client continuity workflow is the starting point for this library pack. This automated workflow performs checks and self-healing actions to ensure Intune client compliance, resolving common issues and creating ITSM tickets for unresolved ones, allowing support teams to focus on more critical problems.

Use cases

This section describes the key part of this workflow, which identifies the health of the Intune client's key components, applies the remediation to bring the client to a working state, and then verifies its synchronization and compliance status.

Check Intune enrollment and compliance

  1. The device's Intune enrollment state is checked directly through a Graph API connection.

  2. If the device is not enrolled, then the workflow terminates.

  3. If the device is enrolled correctly, the workflow checks the status of Intune client synchronization with a Get Intune synchronization status remote action.

  1. If the synchronization status is healthy, the workflow checks the device's Intune compliance status.

  2. If compliant, the workflow terminates.

  3. If not compliant, the workflow will next force the Intune client to sync policies. This is covered in Step 10 here.

Intune synchronization troubleshooting

  1. If the synchronization status is not healthy, the remote action 'Get Intune device status' is run on the device.

  2. The first check is whether the IME service is detected.

  3. If not, a diagnostics check is made on the device and an ITSM ticket is logged; this is explained here.

  4. If detected, the next check is whether the IME service is running.

  1. If the IME service is not running, the remote action 'Configure IME service' is run on the device, and the workflow moves to step 9.

  2. If the IME service is running, the workflow checks whether an MDM certificate is present on the device.

  3. If not present, a diagnostics check is made on the device and an ITSM ticket is logged; this is explained here.

  4. If an MDM certificate is present, the certificate's validity is checked.

  5. If the MDM certificate is not valid, a diagnostics check is made on the device and an ITSM ticket is logged; this is explained here.

  6. If the certificate is valid, the Intune DmWapPushService is restarted using the 'Restart Intune service' remote action.

  7. The next step is to force the Intune client to sync policies, using the remote action 'Invoke Intune policy sync'.

  8. The workflow will now pause for 5 minutes to allow the synchronization process to complete.

The last section of the workflow repeats the synchronization and diagnostic checks already performed to confirm that the self-help process has completed successfully.
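
The on-device checks in the troubleshooting steps above (IME service detected, IME service running, MDM certificate present and valid) can be reproduced read-only for manual triage. This is an added example, not the library pack's remote action code; the service name `IntuneManagementExtension`, the issuer string `Microsoft Intune MDM Device CA`, the `LocalMachine\My` store location and the function name are assumptions not stated on this page, and "valid" is taken here to mean only that the current date is inside the certificate's validity window.

```powershell
# Added example: read-only triage that follows the workflow's check order.
# Assumed values (not from this page): IME service name, MDM issuer string,
# certificate store location. "Valid" = within NotBefore/NotAfter only.
function Get-IntuneClientTriage {
    [CmdletBinding()]
    param(
        [string]$ImeServiceName = 'IntuneManagementExtension',
        [string]$MdmIssuerMatch = '*Microsoft Intune MDM Device CA*'
    )
    $r = [ordered]@{
        ImeDetected    = $false
        ImeRunning     = $false
        MdmCertPresent = $false
        MdmCertValid   = $false
        MdmCertExpires = $null
        NextStep       = $null
    }
    # Check 1: is the IME service installed at all?
    $svc = Get-Service -Name $ImeServiceName -ErrorAction SilentlyContinue
    if (-not $svc) {
        $r.NextStep = 'Diagnostics + ITSM ticket (IME service not detected)'
        return [pscustomobject]$r
    }
    $r.ImeDetected = $true
    # Check 2: is it running? If not, the workflow configures the service.
    $r.ImeRunning = ($svc.Status -eq 'Running')
    if (-not $r.ImeRunning) {
        $r.NextStep = 'Configure IME service'
        return [pscustomobject]$r
    }
    # Check 3: is an MDM device certificate present in the machine store?
    $certs = @(Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like $MdmIssuerMatch } |
        Sort-Object NotAfter -Descending)
    if ($certs.Count -eq 0) {
        $r.NextStep = 'Diagnostics + ITSM ticket (no MDM certificate)'
        return [pscustomobject]$r
    }
    $r.MdmCertPresent = $true
    # Check 4: is the newest matching certificate inside its validity window?
    $now = Get-Date
    $cert = $certs[0]
    $r.MdmCertExpires = $cert.NotAfter
    $r.MdmCertValid = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
    if ($r.MdmCertValid) { $r.NextStep = 'Restart Intune service, then policy sync' }
    else { $r.NextStep = 'Diagnostics + ITSM ticket (MDM certificate not valid)' }
    [pscustomobject]$r
}

Get-IntuneClientTriage | Format-List
```

The function changes nothing on the device; `NextStep` names the branch the workflow would take for the observed state.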

Create diagnostics reports for devices with synchronization issues

  1. If the synchronization process is still failing, the remote action 'Execute Intune diagnostics script' is run to collect diagnostics data.

  2. This is then written to an ITSM ticket.

Create diagnostics reports for non-compliant devices

  1. If the device is now synchronized with Intune, it is checked to ensure compliance with Intune policies.

  2. If the device is non-compliant, the remote action 'Execute Intune diagnostics script' is run to collect diagnostics data.

  3. This is then written to an ITSM ticket.

Check Intune enrollment on macOS devices

This branch of the workflow is dedicated to macOS devices and is triggered only when the device platform check confirms macOS. Its purpose is to renew Intune enrollment, force a policy synchronization, and determine the device’s compliance state.

  1. Check Device Platform: The workflow identifies if the endpoint is macOS. If the device is not macOS, this branch is skipped.

  2. Check Intune Enrollment: The workflow verifies if the macOS device is enrolled in Intune. Not Enrolled: the workflow ends for this device. Enrolled: proceed to the next step.

  3. Trigger Remote Action: Intune Policy Sync & Profile Refresh (macOS): This Remote Action renews the macOS device's Intune enrollment and forces policy and profile synchronization with Intune.

  4. Wait 5 Minutes for Synchronization: The workflow delays 5 minutes to allow Intune to complete the enrollment refresh and policy sync.

  5. Check Intune Enrollment Status: The workflow checks whether the device has successfully renewed its Intune enrollment. Renewed: continue to compliance verification. Not Renewed: the device is reported as an exception (an ITSM ticket is created).

  6. Check Device Compliance State: For devices with successful enrollment renewal, the workflow checks their Intune compliance status. Compliant: end state (success). Non-compliant: the device is reported via ITSM ticket for follow-up.

  7. ITSM Ticket Creation (if required): When a device fails to renew enrollment or remains non-compliant, the workflow automatically creates an ITSM ticket and reports the device details and logs for support team investigation.

