Device Shows Compliant but Apps Won’t Install in Intune

Intune & Endpoint Fixes / Leave a Comment

Problem

A device shows as Compliant in Microsoft Intune, but applications:

  • Never install
  • Sit in “Pending” or do nothing
  • Don’t appear in Company Portal
  • Or show no error at all

From an admin perspective, this is confusing — compliance suggests the device is healthy, yet app deployment is clearly broken.

This article walks through the real reasons this happens in production and how to troubleshoot them in the correct order.

Important Concept: Compliance ≠ App Readiness

Intune compliance only confirms that:

  • Required security settings are met
  • The device reports successfully to Intune

It does not guarantee that:

  • The Intune Management Extension is working
  • Win32 apps can install
  • Defender or ASR rules are not blocking installers
  • App assignments are correctly scoped

You must troubleshoot app deployment separately.

Step-by-Step Troubleshooting (In the Right Order)

Step 1: Confirm Intune Management Extension Is Installed

Win32 applications will not install without the Intune Management Extension.

On the device, check for:

C:\Program Files (x86)\Microsoft Intune Management Extension

If this folder is missing:

  • The device cannot process Win32 apps
  • Compliance status is irrelevant

If missing:

  • Force a device sync
  • Re-enroll the device if necessary

Step 2: Check Intune Management Extension Logs

Logs are located at:

C:\ProgramData\Microsoft\IntuneManagementExtension\Logs

Key file:

IntuneManagementExtension.log

Look for:

  • Assignment processing errors
  • Detection rule failures
  • App install retries
  • Policy download issues

If logs are not updating, the extension may be stalled.

Step 3: Verify App Assignment Targeting

This is one of the most common causes.

Check:

  • Is the app assigned to a device group or user group?
  • Does the affected device actually belong to that group?
  • Are you expecting a Required app or Available app?

Common mistakes:

  • App assigned to a user group, but device is checked
  • App assigned to device group, but user expects to see it in Company Portal
  • App marked Required but user expects visibility

Step 4: Review Assignment Filters Carefully

Filters silently block installs.

Check for filters on:

  • OS version
  • Ownership (Corporate vs Personal)
  • Device category
  • Enrollment profile

A device can appear compliant while still being excluded by a filter.

Step 5: Check for Defender or ASR Blocks

Defender and ASR rules frequently block installers without obvious errors in Intune.

On the device:

  • Open Event Viewer
  • Go to:
Applications and Services Logs →
Microsoft →
Windows →
Windows Defender →
Operational

Look for:

  • Event ID 1121
  • Event ID 1122

These indicate ASR blocks.

If present:

  • Identify the rule
  • Test with a temporary exclusion
  • Re-test app install

Step 6: Confirm Install Context

Many apps silently fail when installed in the wrong context.

Check:

  • Install behavior = System for machine-wide apps
  • User context only for profile-level changes

If the app requires admin rights and runs in user context, it will fail without warning.

Step 7: Force Re-Evaluation

If changes were made:

  • Sync the device from Company Portal
  • Or restart the Microsoft Intune Management Extension service
  • Reboot if necessary

Intune does not always re-evaluate immediately.

When Compliance Is a Red Herring

A device can be:

  • Fully compliant
  • Properly encrypted
  • Correctly reported

…and still completely unable to install applications.

Always treat compliance and app deployment as separate systems.

Remote Troubleshooting Considerations

If you’re troubleshooting devices remotely or working across unsecured networks, using a tool like NordVPN can add an extra layer of protection without complicating access.

(Keep this sentence exactly as-is, with your existing link.)

Final Checklist (Quick Reference)

If apps won’t install on a compliant device:

  • ✔ Intune Management Extension present
  • ✔ Logs actively updating
  • ✔ Correct group assignment
  • ✔ No filter exclusions
  • ✔ Defender / ASR not blocking
  • ✔ Correct install context

If all six are true, app deployment should work.

Final Notes

Most “compliant but apps won’t install” issues are caused by:

  • Extension problems
  • Assignment logic
  • Silent security blocks

Not sync failures.

Troubleshoot in order, and you’ll usually find the issue quickly.

If you’re troubleshooting devices remotely or working across unsecured networks, using a tool like NordVPN can add an extra layer of protection without complicating access.

Must Read

Leave a Comment

Your email address will not be published. Required fields are marked *