The Intune Management Extension (IME) plays a crucial role in modern device management. It enables advanced capabilities such as Win32 app deployment, PowerShell scripts, and proactive remediations in Microsoft Intune. Understanding how the installation of the Intune Management Extension works helps with troubleshooting. In this post, we'll break down the process step by step.
Table of Contents
- Pre-Requisites for IME Installation
- The Trigger: Deployment of Win32 Apps or Scripts
- Installation Steps
- Verification of IME Installation
- Common Issues During IME Installation
- Updating the Intune Management Extension
Pre-Requisites for IME Installation
Your device must meet the following conditions before installing the Intune Management Extension:
- Device Enrolled in Intune: The device must be successfully enrolled via Azure AD Join, Hybrid Azure AD Join, or MDM.
- Windows 10/11: Supported versions for IME are Windows 10 1607 or later and all Windows 11 builds.
- Windows Management Framework (WMF): Ensure that PowerShell 5.1 or newer is available.
- Network Connectivity: The device needs access to Intune service endpoints and Windows Update. Ensure endpoints like *.manage.microsoft.com are accessible. Full list: https://learn.microsoft.com/en-us/mem/intune/fundamentals/intune-endpoints
The Trigger: Deployment of Win32 Apps or Scripts
IME installation is triggered when a Win32 app or a PowerShell script is assigned to the device. This is because native Intune MDM does not handle these tasks directly. When such policies are assigned:
- MDM Policy Sync: During the policy sync, Intune determines that the device requires the Intune Management Extension.
- Install Command Sent: The Intune service instructs the device to download and install the IME.
Installation Steps
The installation process is automated but involves several steps:
CSP Triggers the Download
Intune pushes a CSP policy to the device. This CSP contains details about the Intune Management Extension installer URL.
After installation, you can verify the installation URL in this registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement\S-0-0-00-0000000000-0000000000-000000000-000\MSI\{GUID}\
This key contains the details of the MSI, including the source URL, which helps with troubleshooting. Make sure that URL is not blocked or subject to SSL inspection.
Installation via MSI
- The MSI installer runs silently in the background.
- It installs the extension into:
C:\Program Files (x86)\Microsoft Intune Management Extension\
- A service called "Microsoft Intune Management Extension" (IntuneManagementExtension) is created and starts automatically.
Configuration and Registration
- The extension registers with the Intune service using the device's Intune and Entra ID credentials.
- It creates a secure channel to periodically sync policies, scripts, and app assignments.
Creation of Task Scheduler Entries
- IME uses Task Scheduler to ensure it runs at regular intervals or immediately if triggered by Intune.
Scheduled Task for Client Health
Scheduled Task for Sync
There will be 3 tasks for synchronisation. The first is only used when a device is newly registered and will synchronise the client every 3 minutes for 15 minutes, then every 15 minutes for 8 hours before going into the regular 8 hour cycle.
Verification of IME Installation
Once installed, you can verify the Intune Management Extension using these methods:
- Service: Check if the IntuneManagementExtension service is running in the Services application.
- Log Files: Logs are available under:
C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\
Key logs include AgentExecutor.log for execution status and IntuneManagementExtension.log for service operations.
- Registry Entries: The IME creates registry entries under:
HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension
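The checks above, together with the MSI record from the installation steps, can be run as one read-only script. This is an added example, not code from the original post or from Microsoft; the helper name Add-Check, the wildcard used to find the MSI keys, and matching value names on *Url* to locate the source URL are assumptions.

```powershell
# Added example: read-only IME installation check. Run in an elevated PowerShell 5.1+ session.
# Service name, folders and registry keys are the ones named in this post.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check($Name, $Ok, $Detail) {   # hypothetical helper: collects one result row
    $results.Add([pscustomobject]@{ Check = $Name; Ok = [bool]$Ok; Detail = $Detail })
}

# 1. Service must exist and be running
$svc = Get-Service -Name 'IntuneManagementExtension' -ErrorAction SilentlyContinue
$svcDetail = if ($svc) { "$($svc.Status), StartType=$($svc.StartType)" } else { 'service not found' }
Add-Check 'Service' ($svc -and $svc.Status -eq 'Running') $svcDetail

# 2. Install folder written by the MSI
$installDir = 'C:\Program Files (x86)\Microsoft Intune Management Extension'
Add-Check 'Install folder' (Test-Path -LiteralPath $installDir) $installDir

# 3. Key logs: present, and when they were last written
#    (assumption: AgentExecutor.log may be absent until a script or app has run)
$logDir = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'
foreach ($log in 'IntuneManagementExtension.log', 'AgentExecutor.log') {
    $file = Get-Item -LiteralPath (Join-Path $logDir $log) -ErrorAction SilentlyContinue
    $logDetail = if ($file) { "last written $($file.LastWriteTime)" } else { 'missing' }
    Add-Check "Log: $log" $file $logDetail
}

# 4. Registry entries created by the IME itself
$imeKey = 'HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension'
Add-Check 'IME registry key' (Test-Path -Path $imeKey) $imeKey

# 5. MSI records under EnterpriseDesktopAppManagement\<SID>\MSI\{GUID}.
#    This lists every MSI delivered through MDM, the IME installer among them.
#    Assumption: the source URL is stored in values whose name contains "Url".
$msiKeys = 'HKLM:\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement\*\MSI\*'
$urls = foreach ($key in Get-Item -Path $msiKeys -ErrorAction SilentlyContinue) {
    foreach ($name in $key.GetValueNames() | Where-Object { $_ -like '*Url*' }) {
        [pscustomobject]@{
            Key   = $key.PSChildName
            Value = $name
            Data  = ($key.GetValue($name) -join '; ')
        }
    }
}
Add-Check 'MSI source URL recorded' $urls "$(@($urls).Count) URL value(s) found"

$results | Format-Table -AutoSize -Wrap
$urls    | Format-List    # compare these hosts against proxy / SSL-inspection bypass rules
```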
Common Issues During IME Installation
Here are some common issues and how to address them:
| Issue | Resolution |
|---|---|
| IME does not download or install | Check network connectivity and Intune endpoints. |
| Service does not start | Review system event logs for error messages. |
| Win32 apps or scripts not executing | Inspect log files for detailed error messages. |
Updating the Intune Management Extension
The Intune Management Extension is automatically updated by Microsoft. Devices periodically check for updates and install them without user intervention. You can manually reinstall the extension by re-deploying a Win32 app or script if necessary.
The Intune Management Extension is the backbone of many advanced device management capabilities in Intune. By understanding how it gets installed and functions, IT administrators can streamline deployment, ensure compliance, and troubleshoot issues effectively.