The Intune Management Extension (IME) plays a crucial role in modern device management. It enables advanced capabilities such as Win32 app deployment, PowerShell scripts, and proactive remediations in Microsoft Intune. Understanding how the installation of the Intune Management Extension extension works can provide insights into troubleshooting. In this post, we'll break down the process step by step.

Table of Contents

Pre-Requisites for IME Installation

Your device must meet the following conditions before installing the Intune Management Extension:

  • Device Enrolled in Intune: The device must be successfully enrolled via Azure AD Join, Hybrid Azure AD Join, or MDM.
  • Windows 10/11: Supported versions for IME are Windows 10 1607 or later and all Windows 11 builds.
  • Windows Management Framework (WMF): Ensure that PowerShell 5.1 or newer is available.
  • Network Connectivity: The device needs access to Intune service endpoints and Windows Update. Ensure endpoints like *.manage.microsoft.com are accessible.
    Full list: https://learn.microsoft.com/en-us/mem/intune/fundamentals/intune-endpoints

The Trigger: Deployment of Win32 Apps or Scripts

IME installation is triggered when a Win32 app or a PowerShell script is assigned to the device. This is because native Intune MDM does not handle these tasks directly. When such policies are assigned:

  1. MDM Policy Sync: During the policy sync, Intune determines that the device requires the Intune Management Extension.
  2. Install Command Sent: The Intune service instructs the device to download and install the IME.

Installation Steps

The installation process is automated but involves several steps:

CSP Triggers the Download

Intune pushes a CSP policy to the device. This CSP contains details about the Intune Management Extension installer URL.
After installation, you can verify the installation URL in this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement\S-0-0-00-0000000000-0000000000-000000000-000\MSI\{GUID}\

This key contains the details of the MSI, including the source URL, ensuring transparency and helping with troubleshooting. So make sure that URL is not blocked or under a SSL inspection.

Intune Management Extension download URL

Installation via MSI

  • The MSI installer runs silently in the background.
  • It installs the extension into: C:\Program Files (x86)\Microsoft Intune Management Extension\
  • A service called "Microsoft Intune Management Extension" (IntuneManagementExtension) is created and starts automatically.
Intune Management Extension local Service

Configuration and Registration

  • The extension registers with the Intune service using the device's Intune and Entra ID credentials.
  • It creates a secure channel to periodically sync policies, scripts, and app assignments.

Creation of Task Scheduler Entries

  • IME uses Task Scheduler to ensure it runs at regular intervals or immediately if triggered by Intune.

Scheduled Task for Client Health

Intune Management Extension, Scheduled Task

Scheduled Task for Sync

There will be 3 tasks for synchronisation. The first is only used when a device is newly registered and will synchronise the client every 3 minutes for 15 minutes, then every 15 minutes for 8 hours before going into the regular 8 hour cycle.

Intune Management Extension, Scheduled Task for Synchronization interval

Verification of IME Installation

Once installed, you can verify the Intune Management Extension using these methods:

  • Service: Check if the IntuneManagementExtension service is running in the Services application.
Intune Management Extension local Service
  • Log Files: Logs are available under: C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\
    Key logs include:
    • AgentExecutor.log for execution status
    • IntuneManagementExtension.log for service operations
Intune / IME logs for installation

  • Registry Entries:
    The IME creates registry entries under: HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension
IME Registry Tree

Common Issues During IME Installation

Here are some common issues and how to address them:

IssueResolution
IME does not download or installCheck network connectivity and Intune endpoints.
Service does not startReview system event logs for error messages.
Win32 apps or scripts not executingInspect log files for detailed error messages.

Updating the Intune Management Extension

The Intune Management Extension is automatically updated by Microsoft. Devices periodically check for updates and install them without user intervention. You can manually reinstall the extension by re-deploying a Win32 app or script if necessary.


The Intune Management Extension is the backbone of many advanced device management capabilities in Intune. By understanding how it gets installed and functions, IT administrators can streamline deployment, ensure compliance, and troubleshoot issues effectively.