Troubleshooting

Common issues and their solutions.

Tenant connection

I can't connect my tenant

• Ensure you're signing in with a Global Administrator account
• Check that your Entra ID tenant doesn't have conditional access policies blocking the Robopack enterprise application
• Try the connection in a private/incognito browser window to rule out cached credentials
• Guest admin accounts in Entra ID can cause enrollment failures — use a native admin account

Robopatch isn't available for my tenant

Robopatch requires the Admin Consent authorization method. If your tenant was connected using the user-based method, you'll need to reconnect using Admin Consent. See Connecting Your Intune Tenant.

The authorization test fails

• Verify that the Global Admin account has not been disabled or had permissions revoked
• Check the Entra portal to confirm the Robopack enterprise application is present under Enterprise Applications
• Ensure no Conditional Access policies are blocking the Robopack service principal

"Tenant already registered" error

This occurs when a tenant has been previously registered with Robopack. Contact support to have the tenant registration moved or re-registered.

Tenant loses connection / permissions errors

If you see intermittent permissions errors or your tenant loses its connection:

1. Go to Settings > Tenants
2. Click Reconnect using a Global Administrator account
3. Re-grant all requested permissions during the consent flow

This is also the fix for authentication errors that mention "request requires user sign-in" — Robopack uses client-credential flow (application permissions) and the Enterprise App may need its permissions refreshed.

SSL / certificate errors when connecting

DPI-SSL (Deep Packet Inspection) proxies can interfere with Robopack connections. If you see SSL or certificate errors, whitelist Robopack domains in your DPI-SSL configuration.

App deployment

An app failed to import to Intune

• Check the app status in Packages for error details
• Ensure your tenant connection is still active (green authorization indicator in Settings > Tenants)
• Verify that your account has Package Writer or Organisation Administrator permissions
• For large apps, the upload may take longer — check back after a few minutes
• If the upload fails repeatedly, try re-uploading the package. An automatic retry function is being developed

Detection method isn't working

• Verify the detection rule matches the installed application (file path, registry key, or MSI product code)
• For custom apps, re-run the Analyze and Test step to regenerate detection methods
• Check that the app version in the detection rule matches what's actually installed on the device
• If a newer version is already installed and Intune keeps trying to reinstall, enable Match newer versions in detection method on the patch flow to change from "Equals" to "Greater than or equals to"

"Threat detected in package content" error

Robopack runs antivirus scans on all uploaded packages. False positives can occur with legitimate installers.

To resolve:

1. Contact Robopack support
2. Upload the installer to the SharePoint link provided by support for review
3. The team will verify and whitelist the file if it's a false positive
4. After whitelisting, delete the package from Robopack and re-upload it

App deploys in the wrong context (user vs system)

If an app is deploying in the wrong scope:

1. Check the Context setting in Custom App Settings for the app
2. If using a patch flow, verify the scope setting in the flow configuration
3. After changing context, use Sync app settings to push the change to Intune

Some apps (like Spotify, 1Password CLI) must be installed in User context and assigned to user groups, not device groups.

Package fails quality assurance

If a custom package upload fails QA testing:

• Check if the failure is due to Custom App Settings code interfering with the installation
• Review the error details — common failures include leftover files after uninstall, installer requiring user interaction, or missing dependencies
• You can Suppress error if you know the behaviour is acceptable and still want to use the package
• Packages requiring a non-silent installer cannot be deployed through Robopack

Intune error 0x87D300D9 (application not detected after install)

This typically means the detection rule doesn't match what was actually installed. Common causes:

• The application hasn't fully completed installation (e.g. Chrome needs to be closed before its file version updates)
• Version mismatch between the detection rule and installed version
• Fix: Go to the patch flow and click Sync app settings to refresh the detection rule

Intune error 0x8007EA61

This error can indicate two different situations:

• App already installed manually — the same app was installed outside Intune and conflicts with the system-context deployment. Switching to the WinGet version and using Radar Tracking can resolve this
• User deferred via PSADT — PSADT deferral error code 6001 shows as 0x8007EA61 in Intune. This is expected behaviour when a user chooses to defer

Robopatch flows

Patch flow not picking up new versions

If a flow stops detecting new versions from Winget:

1. Check if the app has a language filter set that may be blocking the new version
2. Try Pause deployment then Start deployment to retrigger
3. Use Import specific version to manually add the version
4. Contact support if the issue persists — the update cycle may need to be restarted server-side

Deployment shows incorrect success percentage

Robopack relies on data from Intune, which can sometimes show imprecise numbers. Click Refresh deployment status under the patch flow to get an updated count.

Intune assignments removed after modifying wave settings

Modifying wave settings while a flow is active can temporarily remove and re-add assignments. To avoid issues:

1. Pause the deployment before making changes
2. Make your modifications
3. Start the deployment again

Wave not advancing

• Check if a Wave Time Limit is configured — the flow advances automatically when the time limit is reached
• If Manual proceed is enabled, you must click Skip to next wave to advance
• Verify devices are reporting back to Intune

Old versions not being superseded

If old versions remain in Intune after new ones are deployed:

• Check the supersedence limit in the patch flow (default: keeps 3 previous versions)
• Use Refresh deployment status to trigger a sync
• In some cases, manual cleanup of old versions in Intune may be needed

Radar Tracking

Radar scan shows no results

• Ensure the Device.Read.All and DeviceManagementManagedDevices.Read.All permissions are granted
• The initial scan may take time depending on the number of devices in your tenant
• Verify that devices are actively reporting to Intune
• Only Instant Apps appear in Radar — custom apps are not supported

"Could not resolve the directory ID" error

This is a permissions issue with the Entra ID Enterprise App.

To fix:

1. Go to Settings > Tenants
2. Click Reconnect using a Global Administrator account
3. Navigate to the Radar section and click Refresh Radar data

Radar groups are empty

• Radar groups are populated based on Intune's Discovered Apps data, which can take time to update
• Verify the tenant connection has the required permissions — try a reconnect
• Click Refresh Radar data in the Radar section
• Check that the naming for Radar groups is set to dynamic (creating a separate group for each app)

Devices aren't being updated by Radar

• Check that the Radar Tracking toggle is enabled on the Robopatch flow
• Verify the Deployment Wave configuration has valid groups
• Ensure the flow is in an active state (not paused)
• Radar data refreshes every 24 hours based on Intune's Discovered Apps data

Changing patch group causes Radar errors

If editing a patch group (adding waves) causes an error:

1. Disable Radar Tracking first
2. Make changes and save
3. Re-enable Radar Tracking

Script templates & PSADT

PSADT scripts blocked by execution policy

If your tenant requires all PowerShell scripts to be signed:

• Robopack signs the main Deploy-Application.ps1 script automatically
• PSADT v4 scripts in the Strings and Extensions folders are also signed
• Customer-uploaded custom scripts in Script Accessory Files are not signed by Robopack — you must sign these separately if required

Defender flags PSADT as malware ("Dirtelti backdoor")

This is a known false positive with Microsoft Defender. Try using the latest version of PSADT. If the issue persists, submit the file to Microsoft as a false positive.

Custom script template not being applied to flows

If a custom script template is not being used:

1. Check that the correct template is selected in the flow or Custom App Settings
2. Click Sync app settings on the deployment
3. Stop and Start the flow to force a refresh
4. If the flow was created when a package already existed for that installer, it may use the template from the existing package — stop and restart to pick up the new template

AppLocker blocks the PSADT deferral dialog

If AppLocker is enabled on target devices, it may block the PSADT deferral dialog. This requires adjusting local AppLocker configuration to allow the PSADT executable — it is not related to Robopack's code signing.

Roles & permissions

A user can't see certain features

• Check their assigned roles in Settings > Users
• Verify per-tenant permissions in Settings > Tenants if using multi-tenant
• If using Entra ID roles, confirm the user's group membership in the Entra portal
• Organisation Administrator is required to add Instant Apps to Patch Groups
• Robopatch Writer can only modify flows they personally created

Cannot add Organisation admin role

If you receive a 400 error when adding an Organisation admin:

1. Delete the user account in Robopack
2. Recreate them as a username/password account
3. Have the user go to Settings > Account and connect their Entra ID

Still stuck?

Contact support at support.robopack.com.