Troubleshoot application installation for devices uploaded to the admin center (preview)
Applies to: Configuration Manager (current branch)
Use the following to troubleshoot Configuration Manager applications in the Microsoft Endpoint Manager admin center:
This information relates to a preview feature which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Common errors from the Microsoft Endpoint Manager admin center
When viewing or installing applications from the Microsoft Endpoint Manager admin center, you may run across one of these errors.
You don’t have access to view this information
Error message: You don’t have access to view this information. Make sure a proper user role is assigned from Intune.
Possible cause: The user account needs an Intune role assigned. In some cases, this error may also occur during replication of information and it resolves without intervention after a few minutes.
Unable to get application information
Error message 1: Unable to get application information. Make sure Azure AD and AD user discovery are configured and the user is discovered by both. Verify that the user has proper permissions in Configuration Manager.
Possible causes: Typically, this error is caused by an issue with the admin account. Below are the most common issues with the administrative user account:
Use the same account to sign in to the admin center. The on-premises identity must be synchronized with and match the cloud identity.
Verify the account has Read permission for the device's Collection in Configuration Manager.
Make sure that Configuration Manager has discovered the administrative user account you're using to access the tenant attach features within Microsoft Endpoint Manager admin center. In the Configuration Manager console, go to the Assets and Compliance workspace. Select the Users node, and find your user account.
If your account isn't listed in the Users node, check the configuration of the site's Active Directory User discovery.
Verify the discovery data. Select your user account. In the ribbon, on the Home tab select Properties. In the properties window, confirm the following discovery data:
- Azure Active Directory Tenant ID: This value should be a GUID for the Azure AD tenant.
- Azure Active Directory User ID: This value should be a GUID for this account in Azure AD.
- User Principal Name: The format of this value is user@domain. For example,
If the Azure AD properties are empty, check the configuration of the site's Azure AD user discovery.
Unexpected error occurred
Error message: Unexpected error occurred
Error code 500 with an unexpected error occurred message
- If you see System.Security.SecurityException in the AdminService.log, verify that your user principal name (UPN) discovered by Active Directory User discovery isn't set to a cloud UPN rather than an on-premises UPN. An empty UPN value is also acceptable, as it means the Active Directory discovered domain name is used. If you see a cloud-only UPN (example: onmicrosoft.com) that's not a valid domain UPN (contoso.com), you have an issue and may need to set the UPN suffix in Active Directory.
- Install KB4576782 - Application blade times out in Microsoft Endpoint Manager admin center if you see the below error in the AdminService.log:
System.Data.Entity.Core.EntityCommandExecutionException: An error occurred while executing the command definition. See the inner exception for details. System.Data.SqlClient.SqlException: Execution Timeout Expired. The timeout period elapsed prior to completion of the operation or the server is not responding. System.ComponentModel.Win32Exception: The wait operation timed out
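The two AdminService.log checks above and the discovery data check earlier on this page can be scripted. The following PowerShell is an added example, not Microsoft's code: the function names, the sample log lines, the sample account values, and the list of on-premises UPN suffixes are all assumptions constructed for illustration.

```powershell
# Added example. Function names and all sample values are constructed.
function Find-AdminServiceError {
    # Maps the two AdminService.log exceptions quoted on this page to its advice.
    param([string[]]$Line)
    $advice = [ordered]@{
        'System.Security.SecurityException' = 'Check discovered UPN: on-premises or empty, not cloud'
        'System.Data.SqlClient.SqlException: Execution Timeout Expired' = 'Install KB4576782'
    }
    foreach ($sig in $advice.Keys) {
        $hits = @($Line | Select-String -Pattern $sig -SimpleMatch)
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Signature = $sig; Hits = $hits.Count; Advice = $advice[$sig] }
        }
    }
}

function Test-DiscoveredUser {
    # Checks the discovery properties the page lists for the administrative account.
    # OnPremSuffix is an assumption: the UPN suffixes that are valid in your forest.
    param([string]$TenantId, [string]$UserId, [string]$Upn, [string[]]$OnPremSuffix)
    $g = [guid]::Empty
    $findings = @()
    if (-not [guid]::TryParse($TenantId, [ref]$g)) { $findings += 'Tenant ID is not a GUID: check Azure AD user discovery' }
    if (-not [guid]::TryParse($UserId, [ref]$g))   { $findings += 'User ID is not a GUID: check Azure AD user discovery' }
    if ($Upn) {   # an empty UPN is acceptable: the discovered domain name is used
        $suffix = ($Upn -split '@', 2)[1]
        if (-not $suffix)                         { $findings += 'UPN is not in user@domain form' }
        elseif ($suffix -like '*onmicrosoft.com') { $findings += 'UPN is a cloud UPN: set the UPN suffix in Active Directory' }
        elseif ($suffix -notin $OnPremSuffix)     { $findings += "UPN suffix '$suffix' is not a known on-premises suffix" }
    }
    $findings
}

# Constructed log lines; only the exception names come from the page.
$sampleLog = @(
    'Processing request (constructed line)',
    'System.Security.SecurityException: Request failed. (constructed line)',
    'System.Data.SqlClient.SqlException: Execution Timeout Expired. (constructed line)'
)
Find-AdminServiceError -Line $sampleLog | Format-List

# Constructed account values: a valid tenant GUID, a malformed user ID, a cloud UPN.
$user = @{
    TenantId     = '11111111-2222-3333-4444-555555555555'
    UserId       = 'not-a-guid'
    Upn          = 'admin@contoso.onmicrosoft.com'
    OnPremSuffix = @('contoso.com')
}
Test-DiscoveredUser @user
```

Against a live site, pass the output of `Get-Content` on your AdminService.log as `-Line`, and copy the three property values from the user's Properties window described earlier.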
Error code 3 with an unexpected error occurred message
The Admin Service isn't running or IIS isn't installed. IIS must be installed on the provider machine. For more information, see Prerequisites for the administration service.
Other possible causes of unexpected errors
- Verify the service connection point has connectivity to the cloud using the CMGatewayNotificationWorker.log.
- Verify the administrative service is healthy by reviewing the SMS_REST_PROVIDER component from site component monitoring on the central site.
- IIS must be installed on the provider machine. For more information, see Prerequisites for the administration service.
The site information hasn't yet synchronized
Error message: The site information hasn't yet synchronized from Configuration Manager to the Microsoft Endpoint Manager admin center. Wait up to 15 minutes after you attach the site to your Azure tenant.
- This error typically occurs when newly onboarding to tenant attach. Wait up to an hour for the information to synchronize.
- This error may also appear if the central administration site has been upgraded to a new Configuration Manager version but some child primary sites haven't been upgraded yet.
Application shows as installed after creating a new deployment
Symptom: An application is shown as installed in the Microsoft Endpoint Manager admin center after creating a new device available requires approval deployment or a user available deployment.
Possible cause: The application state shown for that device is from another active or past deployment.
Errors when searching or retrying an installation
Symptom: Errors occur when performing the following actions:
- Use search
- Select Retry installation
Possible cause: Ensure that Update Rollup for Microsoft Endpoint Configuration Manager version 2002 and the corresponding version of the console are installed. For more information, see prerequisites for installing an application from the admin center.
Application installation times out if application requires restart
Scenario: If you're running Configuration Manager version 2002 and an application requires a restart to complete the installation process, the installation may time out.
Symptoms: The user will see restart pending notifications and in Software Center. From the Microsoft Endpoint Manager admin center, the application stays in the
Workaround: Once the user restarts the device, the correct status is displayed in the admin center.
When the Configuration Manager site is configured to require multi-factor authentication, most tenant attach features don't work
Scenario: If the SMS provider machine that communicates with the service connection point is configured to use multi-factor authentication, you'll be unable to install applications, run CMPivot queries, and perform other actions from the admin console. You'll receive error code 403, forbidden.
Workaround: The current workaround is to configure the on-premises hierarchy to the default authentication level of Windows authentication. For more information, see the Authentication section in the SMS provider article.