Troubleshooting Windows 10 Application Management
Windows 10 introduces several new configuration service providers (CSPs) to push out universal applications (Store and Non-Store) and desktop applications (MSIs). Workspace ONE UEM supports integration with the Business Store Portal or the Microsoft Store for Business. This allows administrators to push public Store applications to devices without having end users sign in to the Microsoft Store. However, if you only want the Workspace ONE app, install Workspace ONE Intelligent Hub, which auto-downloads and installs the Workspace ONE app. Finally, Workspace ONE UEM supports not only MSIs (like most of our MDM competitors) but also MST, MSP, EXE, and ZIP files through Software Distribution.
This exercise gives a high-level overview of how to troubleshoot each of these options.
1. Troubleshoot MSI Apps Using EnterpriseDesktopAppManagement CSP
Workspace ONE UEM deploys MSI agents, clients, and apps using the EnterpriseDesktopAppManagement CSP when using a Workspace ONE Standard license or when software distribution is not enabled. This method is used to push the Workspace ONE UEM Intelligent Hub (for native enrollment), the software distribution client, and the Adaptiva client. In this section, you will learn how to troubleshoot these MSI apps.
1.1. Check Registry Key Status Codes
If your apps fail to install or take too long to install, first check the registry. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement and expand the MSI folder. The MSI folder contains keys (GUIDs) for every application sent down from Workspace ONE UEM. In this example, Workspace ONE UEM installed Google Chrome on the device successfully.
Make sure that there are no entries in the MSI folder before enrolling. If a GUID (ProductVersion key) matches a folder that already exists, the installation fails because the application is treated as already installed. This occurs only during a broken un-enrollment. The ProductVersion or the GUID folder name matches the Build Version GUID in the Workspace ONE UEM console. To find this build version, click Edit on the application and see the build version.
Note the following information:
- CommandLine: The command line arguments being sent down by Workspace ONE UEM. By default, /quiet is always sent, to perform a silent install.
- CurrentDownloadURL: The device services/content delivery network (CDN) URL that the device is using to download the application. To verify that the application successfully uploaded to the console, manually copy and paste the URL into the browser and the application should download.
- DownloadLocation: The file path where applications are downloaded.
- LastError: Error code for failures. If you see a code, you will also see a new entry called ErrorDescription with details.
- Status: Code of the current status.
The following table describes status codes for errors 10 to 120.
| Status | Description |
|---|---|
| 20 | Download in Progress |
| 50 | Install in Progress |
| 80 | Uninstall in Progress |
| 120 | Sideloading is not Enabled |
Note: The most common error is status code 30 (download failed). If you get a status of 30, then ensure that:
- If using a CDN, the user is not blocking access to (users with restricted networks should not use CDN)
- Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) URLs are accessible because by default, devices must verify the validity of the SSL certificate.
Finally, check the BITS log in Event Viewer for details as these applications are downloaded using BITS.
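The registry check in this section can be scripted. The following PowerShell is an added example, not part of the original page or of Workspace ONE UEM; it assumes each application key sits directly under a key named MSI somewhere below the root given above, and it labels only the status codes this page names.

```powershell
# Added example (not VMware code). Reads the values described in section 1.1.
# Assumption: app keys sit directly under a key named MSI below this root,
# so the search recurses from the root instead of hard-coding the full path.
$Root = 'HKLM:\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement'

# Only the status codes this page names; any other value is left unlabelled.
$StatusText = @{
    20  = 'Download in Progress'
    30  = 'Download failed'
    50  = 'Install in Progress'
    80  = 'Uninstall in Progress'
    120 = 'Sideloading is not Enabled'
}

function Get-MsiCspStatus {
    param([string]$Path = $Root)
    Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '\\MSI\\[^\\]+$' } |
        ForEach-Object {
            $v      = Get-ItemProperty -LiteralPath $_.PSPath
            $status = [int]$v.Status
            $uri    = $null
            $isUrl  = [uri]::TryCreate([string]$v.CurrentDownloadURL, [System.UriKind]::Absolute, [ref]$uri)
            [pscustomobject]@{
                Guid             = $_.PSChildName
                Status           = $status
                StatusText       = $StatusText[$status]
                LastError        = $v.LastError
                ErrorDescription = $v.ErrorDescription
                CommandLine      = $v.CommandLine
                # Host the device must reach to download the package
                DownloadHost     = if ($isUrl) { $uri.Host }
            }
        }
}

# Run before enrolling: every row returned is a leftover entry to clean up.
# Run after a failed push: the rows show where each application stopped.
$apps = @(Get-MsiCspStatus)
$apps | Format-List

# Status 30: verify CDN access and CRL/OCSP reachability for these hosts.
$apps | Where-Object Status -eq 30 | Select-Object Guid, DownloadHost, LastError
```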
1.2. Check MSI Installer Logs
You can find detailed, application-specific logs in C:\Windows\Temp. Another troubleshooting step is to manually install the MSI to verify if it is successful. If successful, attempt to install using the command prompt with the /quiet argument. For example,
2. Troubleshoot Software Distribution
Workspace ONE UEM supports deploying any type of desktop (Win32) application using software distribution; however, this is the most difficult feature to troubleshoot. This section contains best practices and useful information for troubleshooting software distribution.
2.1. Application Failure Checklist
The following list describes items to check if your application fails during software distribution.
- Check the Troubleshooting logs for the device within the Workspace ONE UEM Console under Devices > List View > [Select target Device] > More > Troubleshooting.
- Deployment attempts and results are logged here, so check the logs and locate any events related to deploying/installing the application.
- On the target device, run regedit (click the Windows button > search regedit) and review the registries under HKEY_LOCAL_MACHINE > SOFTWARE > AirWatchMDM > AppDeploymentAgent.
- Check the Queue path and the S-1-5-18/S-1-X-X path for any processes. If any are listed, check the LastDeploymentLog and LastStatusCode for more details.
- In Explorer, navigate to %programdata%/AirWatchMDM/AppDeploymentCache/. Find the folder with the App Manifest ID and open it.
- Ensure that the app folder (should be named the same as the app uploaded to the Workspace ONE UEM Console) is present and that the contents are extracted.
- If the app did not download, you can attempt to re-push the application from Console or restart the Task Schedulers.
- Open Windows Task Scheduler and navigate to Task Scheduler Library > VMware > AirWatch.
- Select both tasks (Install Validation Task and Software Distribution Queue Task), right-click and select End. Then select both tasks, right-click and select Start.
- Back in Regedit, delete all the paths under the AppDeploymentAgent path in HKEY_LOCAL_MACHINE > SOFTWARE > AirWatchMDM.
- Send the Install command to the device again from the Workspace ONE UEM Console by navigating to Devices > List View > [Select Target Device] > Apps > Select App > Install.
Note: For more details, see Software Distribution Troubleshooting Tips.
2.2. MSI versus EXE/ZIP Apps
The following list contains important information about MSI, ZIP, and EXE apps.
- MSI applications update the install status immediately after completion; ZIPs and EXEs require an application list sample to process
- MSI apps do not require any additional configurations from the admin; ZIPs and EXEs require uninstall command, install command, and detection criteria to be added
- ZIP and EXE uploads use autogenerated information
- ZIPs must contain either an EXE or MSI file
- Folder name(s) for ZIPs must be included in the installation path, if applicable
Important: When using registry criteria, registry hive must be in shortened format, for example, HKLM rather than
Scripts are supported for Install, Uninstall, and Detection. The following lists examples for each type:
powershell -executionpolicy bypass -file file.ps1
cmd /C file.vbs
cmd /C file.js
2.4. Check Troubleshooting Logs Status Messages
The following list describes status messages in the console Troubleshooting logs.
- Install command ready for device: The install command has queued for the device, but the device has not yet checked into Workspace ONE UEM and consumed the command.
- Install command dispatched: The device has checked into Workspace ONE UEM and consumed the command. At this point, the registry should have entries in the AppManifests, ContentManifests, and Queue folders for this application.
- Installed: The application has finished installing on the device and the detection criteria provided successfully confirms the installation status.
- User installed: Detection criterion was fulfilled before Workspace ONE UEM-driven deployment began, indicating that the application was externally installed. As a result, it is reported as installed but unmanaged.
- Failed: Some part of the process (download, requirement evaluation, dependencies, install, detection, and so on) was unsuccessful. Note that if installation was successful but detection failed, the client will rollback the installation of the application using the provided uninstall command.
- MDM removed: Application has successfully uninstalled following the initiation of the application removal through Workspace ONE UEM.
2.5. Check Device Registry Logs
Check the following locations on the device for troubleshooting information.
Note: For improved readability, you can copy and paste the registry data into a text editor for logs or XML editor for manifests.
- AppManifests contains information regarding all of the settings selected in the console. For example, Deployment Options, Install and Uninstall Commands, Supported Architecture, Version, and so on.
- ContentManifests contains details about where the device can download the software, such as Device Services URL, CDN URL, and P2P Content ID.
- Queue/S-1-5-X folders contain the install status and logs for each application, where S-1-5-18 contains apps being pushed to the device and S-1-5-21-X contains apps being pushed to the user context.
- Includes InstallCount value:
  - 0: The application is not installed and is not actively being deployed.
  - 1: The application is installed, or installation is being attempted. If a dependency application, the dependency is installed and only one package depends on it.
  - 0x8000001: The application (or dependency application) is externally installed, and assume management is not applied.
  - 2+: The dependency is installed and has x applications dependent on it, for example, if InstallCount for a dependency is 3, it is installed and three individual application packages depend on it.
Note: If the application is pushed and only the ContentManifest is populated, it indicates the InstallApp command logged an error in the database.
Two of the most useful troubleshooting features are contained within the
- The DeploymentLog entry contains the log of the current deployment, including any error codes and a description of the last error, if applicable
- The StatusCode entry is a mapping to which part of the process the client is currently performing (for example, download, dependency evaluation, installation, and so on)
The following list details StatusCode entries.
- 0x000: Deployment operation queued
- 0x100: First detection in progress
- 0x101: First detection failed
- 0x102: First detection successful
- 0x200: Check reference count in progress
- 0x201: Check reference count failed
- 0x202: Check reference count successful
- 0x300: Requirements evaluation in progress
- 0x301: Requirements evaluation failed
- 0x302: Requirements evaluation successful
- 0x400: Dependency deployment in progress
- 0x401: Dependency failed
- 0x402: Dependency successful
- 0x500: Sanitize cache in progress
- 0x501: Sanitize cache failed
- 0x502: Sanitize cache successful
- 0x600: Pending network connectivity
- 0x601: Download in progress
- 0x602: Pending download retry
- 0x603: Download content failed
- 0x604: Download content successful
- 0x700: Transform cache in progress (decompressing zip packages)
- 0x701: Transform cache failed
- 0x702: Transform cache successful
- 0x800: Pending user session
- 0x801: Install in progress
- 0x802: Pending deployment retry
- 0x803: Deployment failed
- 0x804: Deployment successful
- 0x805: Pending reboot
- 0x900: Final detection evaluation in progress
- 0x901: Final detection failed
- 0x902: Final detection successful
- 0xC0000000: Deployment operation suspended
- 0xC0000602: Deployment suspended — pending download retry
- 0xC0000802: Deployment suspended — pending install retry
- 0x40000000: Deployment operation failed
- 0x40000603: Deployment failed — download failed
- 0x40000803: Deployment failed — installation failed
- 0x80000000: Deployment operation succeeded
- 0x80000402: Application is externally installed
- 0x80000902: Deployment succeeded — final detection passed
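The StatusCode list above can be turned into a decoder. The following PowerShell is an added example, not part of the original page or of Workspace ONE UEM. It assumes, from the pattern in the list, that the top two bits of the value carry the outcome and the low 12 bits the step, that the value is stored as a DWORD, and that the value name is LastStatusCode as given in section 2.1.

```powershell
# Added example, not VMware code: decode a StatusCode using the list above.
# Assumption inferred from that list: the top two bits are the outcome
# (0x4... failed, 0x8... succeeded, 0xC... suspended), the low 12 bits the step.
$Steps = @{
    0x000 = 'Deployment operation queued'
    0x100 = 'First detection in progress'; 0x101 = 'First detection failed'; 0x102 = 'First detection successful'
    0x200 = 'Check reference count in progress'; 0x201 = 'Check reference count failed'; 0x202 = 'Check reference count successful'
    0x300 = 'Requirements evaluation in progress'; 0x301 = 'Requirements evaluation failed'; 0x302 = 'Requirements evaluation successful'
    0x400 = 'Dependency deployment in progress'; 0x401 = 'Dependency failed'; 0x402 = 'Dependency successful'
    0x500 = 'Sanitize cache in progress'; 0x501 = 'Sanitize cache failed'; 0x502 = 'Sanitize cache successful'
    0x600 = 'Pending network connectivity'; 0x601 = 'Download in progress'; 0x602 = 'Pending download retry'
    0x603 = 'Download content failed'; 0x604 = 'Download content successful'
    0x700 = 'Transform cache in progress'; 0x701 = 'Transform cache failed'; 0x702 = 'Transform cache successful'
    0x800 = 'Pending user session'; 0x801 = 'Install in progress'; 0x802 = 'Pending deployment retry'
    0x803 = 'Deployment failed'; 0x804 = 'Deployment successful'; 0x805 = 'Pending reboot'
    0x900 = 'Final detection evaluation in progress'; 0x901 = 'Final detection failed'; 0x902 = 'Final detection successful'
}
$Outcomes = @{ 0 = 'no outcome flag set'; 1 = 'failed'; 2 = 'succeeded'; 3 = 'suspended' }

function ConvertFrom-DeploymentStatusCode {
    param([Parameter(Mandatory)] $Code)
    $u       = [int64]$Code -band 4294967295   # treat signed and unsigned DWORDs alike
    $outcome = [int]($u -shr 30)
    $step    = [int]($u -band 0xFFF)
    $text    = $Steps[$step]
    # The page gives 0x80000402 its own meaning, so it is special-cased.
    if ($outcome -eq 2 -and $step -eq 0x402) { $text = 'Application is externally installed' }
    [pscustomobject]@{
        Code    = '0x{0:X8}' -f $u
        Outcome = $Outcomes[$outcome]
        Step    = if ($text) { $text } else { 'not in the page list' }
    }
}

# Constructed sample values taken from the list above
0x601, 0x40000603, 0xC0000802, 0x80000402 | ForEach-Object { ConvertFrom-DeploymentStatusCode $_ }

# Live values: every key under Queue that carries a LastStatusCode
$Queue = 'HKLM:\SOFTWARE\AirWatchMDM\AppDeploymentAgent\Queue'
Get-ChildItem -Path $Queue -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $key = $_.Name
    $v   = Get-ItemProperty -LiteralPath $_.PSPath
    if ($null -ne $v.LastStatusCode) {
        ConvertFrom-DeploymentStatusCode $v.LastStatusCode | Add-Member -NotePropertyName Key -NotePropertyValue $key -PassThru
    }
}
```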
3. Application Sideloading
Sideloading activation keys were a requirement for Windows 8.1; however, this is no longer the case in Windows 10. When you sideload an app, you deploy a signed application package to a device. You maintain the signing, hosting, and deployment of these applications.
In Windows 10, sideloading is different than in earlier versions of Windows:
- You can unlock a device for sideloading using a restrictions profile or manually through Settings.
- License keys are not required
- Devices do not have to be joined to a domain
3.1. Enable Sideloading Using Restrictions Profile
In the Workspace ONE UEM console, you can use the restrictions profile to allow or disable sideloading applications on the device. Developer Unlock is required if you are using PowerShell commands to sideload applications.
3.2. Enable Sideloading Manually
On the device, you can enable Sideloading through Settings > Updates & Security. Set the level above Store Apps; either Sideload apps or Developer mode will work.
4. Modern Applications
Workspace ONE UEM also deploys modern applications using the Workspace ONE UEM Console. When deploying internal applications, many issues can occur. This section helps you to troubleshoot these applications.
4.1. Registry Key and Event Viewer Logs
The most efficient troubleshooting step for modern applications is to use the logging in Event Viewer. The registry reports an error only if the install failed. However, if the application never installed, you already know it failed. Therefore, check Event Viewer and if you do not understand the error, search for the error in Google and report this information back to the QE team (JIRA QE ESC) or the application developer.
Event Viewer Location:
5. Check Web Clips
Similar to the other registry locations, you can view the progress and status of all the web clips sent down to the device.
For a list of status codes and descriptions, see the table in Registry Key — Status.