Skip to main content
AppWorkload.log and the Win32app Policies inside
  1. Posts/

AppWorkload.log and the Win32app Policies inside

Michael Escamilla
Author
Michael Escamilla
Table of Contents

I hope to make this into a series of posts that dive into the AppWorkload.log and the Win32app policies inside it. We’ll start with an introduction to the log and the policies, and then move into the specifics of what you can see and decipher.

If you have ever worked with Intune, you have come across the many logs that the Intune Management Extension creates. But when troubleshooting Win32app deployments, the AppWorkload.log is one that you will have seen before.

The AppWorkload.log is nothing new; it has been around for a couple of years now after it was broken out of the IntuneManagementExtension.log.

AppWorkload.log
AppWorkload.log in the IME log folder

And there is a JSON array hidden inside with a wealth of information about the Win32app deployments.

Win32app JSON array
Win32app JSON array in the AppWorkload.log

What is the AppWorkload.log?
#

As the docs page says, the AppWorkload.log helps troubleshoot and analyze Win32 app deployment activities. Inside you’ll see lines about detection scripts being run, requirements being evaluated, and install commands being executed.

Example of the AppWorkload.log
Example of the AppWorkload.log entry of an installation

But if you’re like me, and are troubleshooting Win32app deployments every day, there is a log line that is extra special.

And it starts with get policies =.

get policies
get policies log line

When do these lines show up?
#

The Intune Management Extension (IME) will evaluate the policies that are assigned to the user and device. When it syncs the policies, the results are written to the AppWorkload.log. It will run an app check-in for both “Available” and “Required” apps, resulting in two separate log lines.

Required Apps
#

For the most part, required app check-ins occur every 60 minutes. This is a default timer, but other things can trigger a check-in, like hitting the “Sync” button in the Company Portal, a user logging on, or an assignment deadline being reached.

When this happens, the IME will check for all logged on users and pull down the policies for each user. Device-assigned apps ride along in each user’s response. If there are no users logged on, the SYSTEM/Device is used to check for device-assigned apps.

In the log, you will see the sync start with the line:

  • [Win32AppAsync] Starting app check in
Required app check-in log line
Required app check-in log line

You can also confirm this is a required app check-in by looking for the lines:

  • [Win32App] isSessionLogOnAvailableCheckIn = False

  • [Win32App] isSessionScheduledAvailableCheckIn = False

Required app check-in log lines
isSession Available CheckIn log lines

And as the policies are pulled down, you will see the results in the log:

  • [Win32App] Requesting required apps

After that you should see some results. In this example, we got 46 apps, followed by the get policies = line.

Required app policy results
Required app policy results log lines

Available Apps
#

Available app check-ins are user-driven and really only occur whenever someone hits “Sync” or opens the Company Portal, at user logon, or a quiet 8-hour scheduled fallback that runs if a user is logged on.

Because “available” assignments are only for the Company Portal, these check-ins always run per signed-in Entra ID user. You won’t see them for the SYSTEM, and they’re skipped entirely on multi-session SKUs.

In the log, you will see similar lines, but focused on ‘Available’ apps:

  • [Win32AvailableAppAsync] Starting app check in
Available app check-in log line
Available app check-in log line

The isSession Available CheckIn lines can look like this:

Available app check-in log lines
isSession Available CheckIn log lines

And as the policies are pulled down, the line reads a bit differently:

  • [Win32App] Requesting available apps only

And the results lines should look just the same:

Available app policy results
Available app policy results log lines

Show me the Policies
#

But what is in those get policies = lines??!?

In these lines, you will see a JSON array that contains all of the Win32app information that was returned from the app check-in. And it includes so much information!

Let’s get that JSON out of there by doing it the most manual way possible. In the future we’ll look at some easier ways, but right now, the point is to know where everything comes from.

Tip

Don’t use CMTrace to Extract
#

I love CMTrace as much as the next ConfigMgr admin. But the get policies = lines are most likely going to be truncated in the details pane of CMTrace.

For example, here we can see the policy starts out great. We see the start of some information for an app…

Start of the get policies line in CMTrace
Start of the get policies line in CMTrace

But if we scroll down to the bottom, the rest of the JSON is missing.

End of the get policies line in CMTrace
End of the get policies line in CMTrace

How about Notepad++?
#

Let’s use a text editor that also has some plugins that can help us out.

Search and find the get policies = line in the AppWorkload.log. From there, you are going to want to start your selection at the first [ character after the = sign.

Start of the JSON array in Notepad++
Start of the JSON array in Notepad++

Then scroll down to the end of the line and select all the way to the last ] character of the JSON array.

Warning

There will be two closing ] characters, one for the JSON array and one for the log line. Ensure you are selecting the closing ] character of the JSON array.

End of the JSON array in Notepad++
End of the JSON array in Notepad++

Open a new file, and paste the JSON array into it.

Paste the JSON array into a new file
Paste the JSON array into a new file
Tip

Install the JSON Tools plugin for Notepad++ to help format and view JSON data.

From the Plugins menu, select JSON Tools and then select “Pretty-print current JSON file”

Format the JSON array in Notepad++
Format the JSON array in Notepad++

And now you can marvel in all its glory! Win32app policy information!

Win32app JSON array in Notepad++
Win32app JSON array in Notepad++

What’s all there?
#

Almost everything you would want to know about the Win32app is in this JSON array: install commands (including script installers), detection rules (even the scripts), as well as dependency and supersedence information. So much of it is a lifesaver for troubleshooting.

Some of the information is obvious, like the app name, description, Return Codes:

[
    {
        "Id": "05736b9e-c726-4f37-9403-e829dcd492fa",
        "Name": "Update for Tableau Reader 2024 24.3.965 (EXE-x64)",

        ...

        "ReturnCodes": "[{\"ReturnCode\":0,\"Type\":1},{\"ReturnCode\":1707,\"Type\":1},{\"ReturnCode\":3010,\"Type\":2},{\"ReturnCode\":1641,\"Type\":3},{\"ReturnCode\":1618,\"Type\":4}]",
    }
]

But some of it is less obvious:

Like what does a RequiredOSArchitecture of 48 mean?

[
    {
        "RequirementRules": "{\"RequiredOSArchitecture\":48,\"MinimumFreeDiskSpaceInMB\":516,\"MinimumWindows10BuildNumer\":\"10.0.14393\",\"MinimumMemoryInMB\":null,\"MinimumNumberOfProcessors\":null,\"MinimumCpuSpeed\":null,\"RunAs32Bit\":false}",
    }
]

Well, it means x64 and arm64. But once you know that, it could help you figure out why an app isn’t installing on a 32-bit machine, assuming you still have some of those around.

Future Posts
#

This is what I want to cover in future posts: diving into certain areas of the JSON array and explaining what they mean, possible values, and how you can use that information to troubleshoot deployments.