# Troubleshooting Steps

This section of the documentation is designed to assist users in identifying and resolving common issues that may arise when deploying applications through Pckgr. While Pckgr is built to streamline and automate software deployment into Microsoft Intune, variables such as device configurations, installer types, scope mismatches, or network issues can occasionally lead to unexpected results. 

Here, you'll find practical guidance and diagnostic steps for addressing these problems efficiently—whether it's an application failing to deploy, not being detected after installation, or any other aspect of your deployment workflows. Before reaching out to the support team, we recommend reviewing these guides to perform initial checks that often resolve issues independently.

### Have you checked the Install Logs?

Pckgr creates install logs on the devices for all applications to provide further insight into your installation procedures - we recommend checking these for troubleshooting any errors. Read more [here](https://docs.intunepckgr.com/troubleshooting/install-logs).

### Is your application deployed from Pckgr's Winget Repository?

If you joined Pckgr prior to May 2025, you may have been deploying applications from Pckgr's Winget Repository, which you can now upgrade to the Private Repository version, following the instructions in our [Upgrade Applications ](https://docs.intunepckgr.com/getting-started/creating-deployments/repositories/private-repository/upgrading-a-winget-application-to-the-private-repository)page. For more information on our transition away from our Winget Repository and allowing all users access to our Private Repository, please read the information on our [Private Repository](https://docs.intunepckgr.com/getting-started/creating-deployments/repositories/private-repository) page.

The first step is to check which repository you have deployed this application from; this can be determined in your Application Library under the title 'Source' for that application. If it states 'Winget', please upgrade this application to the Private Repository version before any next steps. 

After this upgrade has successfully deployed, please assess if your installation error still occurs.

If you joined Pckgr after May 2025, the Winget Repository information will not be applicable to your Pckgr experience and you can move to the next steps.

***

## Common Errors

### ERROR: 0x87D1041C Application Installed but Not Detected

Occasionally, users may encounter a scenario where an application is reported as successfully installed in Intune, but Pckgr (or Intune) does not detect the application. Below are steps to identify and resolve the most common causes of this issue.

<details>

<summary>Read troubleshooting steps</summary>

#### Step 1:  *First, please check if your application is deployed from the Winget Repository and follow the 'upgrade' instructions mentioned above. This will likely resolve your issue.*

#### Step 2: Check for Installer Type Mismatch (EXE vs MSI)

A common cause of detection failures is an installer format mismatch between what's already on the device and what's being deployed. For example:

* If the deployed version uses an **EXE** installer but the device already has the **MSI** version (or vice versa), the detection script may fail.
* MSI installations typically leave registry traces or product codes that EXE versions do not, and detection logic is often tailored to one or the other.

**Solution:**

* Identify which version is currently installed on the device.
* Compare this with the installation method being used by the Pckgr deployment.
* Redeploy using the matching version type, or uninstall the existing conflicting version first.

#### Step 3: Check for Scope Mismatch (User vs System)

Another frequent cause is a scope mismatch:

* If the application was previously installed in **User Scope** (under the user profile) but is being redeployed in **System Scope** (for all users), the detection logic may miss it—or vice versa.

**Solution:**

* Determine how the existing installation was scoped (look at the install path—e.g., under `C:\Users\<User>\AppData` for user installs, or `C:\Program Files` for system installs).
* Re-align your deployment scope in Pckgr to match the existing installation, or uninstall the original to avoid conflict.

#### Step 4: Review Installation Logs

Pckgr logs the installation process to help identify what occurred during the deployment:

* For **System Context** installs:\
  `C:\ProgramData\Pckgr`
* For **User Context** installs:\
  `C:\Users\<Username>\AppData\Local\Pckgr`

These logs can provide clues such as:

* Whether the installation silently failed.
* If a different version was installed.

Review these logs to verify the installation and understand any anomalies. If you're unsure what the logs indicate, you can include them in a support request for further help.

#### Step 5: When to Raise a Support Ticket

If you have verified:

* The installer type and scope are correct,
* The logs do not show any clear failure or misconfiguration,
* And the detection still fails,

Then it's time to raise a support ticket with our team. Please include the following:

* A copy of the relevant installation log.
* Any error codes or statements showing in Intune for this application.

You can raise a support ticket by following the steps outlined in the [Pckgr ChatBot](https://docs.intunepckgr.com/support/pckgr-support-channels/pckgr-chatbot) page.

</details>

***

### macOS App Updates Not Working

If your macOS applications are no longer updating through Pckgr — even though they were previously deployed successfully — this is likely due to a recent permission enforcement by Microsoft Intune.

Pckgr deploys macOS apps using Installomator-based scripts, which are managed through the **Devices > macOS > Scripts** section in Intune. These deployments rely on Microsoft Graph API access.

Microsoft now requires an additional permission to perform script-based operations. If this permission has not been granted, macOS app updates through Pckgr will stop without error.

<details>

<summary>Read troubleshooting steps</summary>

### New Required Permission

To continue managing and updating macOS applications via scripts, your Microsoft tenant must approve the following Graph API permission:

```
DeviceManagementScripts.ReadWrite.All
```

This permission allows approved applications to create, assign, and modify PowerShell and shell scripts within Intune.

Official Microsoft documentation:\
DeviceManagementScripts.ReadWrite.All – Microsoft Graph Permissions Reference

***

### What’s Affected

* Affected: macOS apps deployed through the **Scripts** section in Microsoft Intune
* Not affected: Apps deployed through the **Apps** section of Intune (e.g. Windows apps)

You may notice:

* Updates are no longer being delivered to macOS devices
* Intune shows apps as deployed but with outdated versions
* No error appears in Pckgr or Intune — deployments silently stop updating

***

### How to Fix It

To restore macOS update functionality, you’ll need to reconnect your Intune tenant and accept the updated permission scope. This can be done through the **Policy Manager** tab in your Pckgr dashboard.

#### Steps:

1. Log in to your Pckgr Dashboard: <https://intunepckgr.com/dashboard>
2. Open the **Policy Manager** tab
3. Click **Reconnect to Intune**
4. When prompted by Microsoft, review and accept the updated permissions, including `DeviceManagementScripts.ReadWrite.All`

After completing this process, Pckgr will resume managing and updating macOS apps automatically. There is no need to redeploy any existing apps.

***

### Additional Notes

* Microsoft has not issued a formal public announcement for this change, but it is now actively enforced across many tenants
* This requirement affects all third-party tools that manage Intune scripts via the Microsoft Graph API
* This is the only permission change required to restore functionality

***

### Still Having Issues?

If your macOS updates are still not working after reconnecting:

* Ensure the Microsoft account used during reconnection has **Global Administrator** privileges
* Confirm that the tenant shows a **Connected** status in the Policy Manager tab

If problems persist, please contact Pckgr support at <support@intunepckgr.com> or use the in-app chat in the dashboard.

</details>

***

### Cannot Connect a Tenant or Company to Pckgr

If you're unable to connect a Microsoft Intune tenant to Pckgr, this guide outlines the steps to troubleshoot and reset the connection.

#### Initial Requirements

Before attempting a reset, confirm the following:

* You are signing in using a **Global Administrator** account for the Microsoft tenant when prompted.
* All requested Microsoft permissions are being accepted during sign-in.
* The Microsoft sign-in redirect is allowed to fully complete, do not close the browser tab early.

If any of these are skipped or incomplete, the connection to Pckgr may not succeed.

#### Full Tenant Reset Procedure

If the connection still fails after the initial checks, follow these steps to fully reset the integration:

<details>

<summary>Connection Reset Procedure</summary>

1. **Ensure Global Admin** is used throughout the entire process.
2. **Remove any existing Pckgr-related Azure entries:**
   * Go to **Azure Active Directory > Enterprise Applications** and delete any applications related to Pckgr.
   * Go to **Azure AD > App Registrations** and remove any entries created by or for Pckgr.
   * Under **Admin Consent Requests**, revoke any pending or failed consent grants related to Pckgr.
3. **Delete the Company in Pckgr**:
   * In the **My Companies** section of the dashboard, remove the affected company.
4. **Open a private/incognito browser window**.
5. **Sign into Pckgr**.
6. **Re-add the company** under the My Companies section.
7. **Connect the company to Intune** via the "Connect to Intune" button.
8. **Sign in again with Global Admin** when prompted.
9. **Accept all permissions** that are requested during the sign-in and consent flow.
10. Let the redirect **fully complete** before navigating away or closing the tab.
11. Return to the **My Companies** page and confirm the tenant is now marked as "Intune Verified."

</details>

***

### Tenant Connection Fails with AADSTS50097

Tenant connection fails with AADSTS50097 (Device authentication is required)

If a user attempts to connect their tenant and is redirected back to the Pckgr dashboard with a URL containing error=invalid\_grant and AADSTS50097: Device authentication is required, this indicates the authentication was blocked by Microsoft.

This error is caused by Microsoft Entra Conditional Access policies in the customer’s tenant.

These policies can require the sign-in (used during the consent flow) to come from:

* A compliant device
* A Microsoft Entra joined or hybrid joined device

If the admin performing the connection does not meet these requirements (for example, using a personal or non-compliant device), Microsoft will block the authentication and return this error in the redirect URL.

#### How to fix it

<details>

<summary>Conditional Access workaround</summary>

**The customer can resolve this using one of the following options:**

* Retry the connection from a compliant company device
  * Device should be Entra joined or hybrid joined
  * Device should be marked compliant in Intune
* Temporarily exclude the admin from Conditional Access
  * Exclude the user from the relevant policy
  * Re-run the tenant connection
  * Re-enable the policy after completion

**To confirm this is the cause:**

* Go to Microsoft Entra Admin Center
* Navigate to Sign-in logs
* Locate the failed sign-in using the timestamp or correlation ID from the redirect URL
* Open the entry and review the Conditional Access tab to see which policy blocked the request

**Summary**

If this error appears in the redirect URL, the redirect itself is working correctly. The failure is caused by tenant-level Conditional Access restrictions, not an issue with Pckgr.

</details>

***

#### Related Sections in Documentation

For more context on the features and requirements of tenant integration, see:

* [**Microsoft Single Sign-On**](https://docs.intunepckgr.com/about-pckgr/security-of-pckgr/microsoft-single-sign-on)
* [**Managing Companies**](https://docs.intunepckgr.com/getting-started/setting-up-your-dashboard/managing-companies)
* [**Connecting Tenants**](https://docs.intunepckgr.com/getting-started/setting-up-your-dashboard/connecting-tenants)

These sections cover how permissions work, how companies and tenants are stored, and how to ensure a clean setup.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.intunepckgr.com/troubleshooting/troubleshooting-steps.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.