Edit

Share via

Intune management extension for Windows

  • Article

The Intune Management Extension (IME) is an installer agent. The management extension enhances Windows device management (MDM). The Intune management extension supplements the standard Windows MDM feature by enabling advanced device management capabilities.

Note

For information about PowerShell scripts, see Use PowerShell scripts on Windows 10/11 devices in Intune.

Important

To support expanded functionality and bug fixes, use .NET Framework 4.7.2 or higher with the Intune Management Extension on Windows clients. If a Windows client continues to use an earlier version of the .NET Framework, the Intune Management Extension continues to function. The .NET Framework 4.7.2 is available from Windows Update as of July 10, 2018, which is included in Win10 1809 (RS5) and newer. Note that multiple versions of the .NET Framework versions can coexist on a device.

This feature applies to:

  • Windows 10 and later (excluding Windows 10 Home and Windows devices running in S mode).

Note

Once the Intune management extension prerequisites are met, the Intune management extension is installed automatically when a PowerShell script or Win32 app, Microsoft Store apps, Custom compliance policy settings or proactive remediations is assigned to the user or device. For more information, see Intune Management Extensions prerequisites.

Prerequisites

The Intune management extension has the following prerequisites. Once they're met, the Intune management extension installs automatically when a PowerShell script or Win32 app is assigned to the user or device.

  • Devices running Windows 10 version 1607 or later. If the device is enrolled using bulk auto-enrollment, devices must run Windows 10 version 1709 or later. The Intune management extension isn't supported on Windows 10 in S mode, as S mode doesn't allow running nonstore apps.

  • Devices joined to Microsoft Entra ID, including:

  • Devices enrolled in Intune, including:

    • Devices enrolled in a group policy (GPO). See Enroll a Windows device automatically using Group Policy for guidance.

    • Devices manually enrolled in Intune, which is when:

      • Auto-enrollment to Intune is enabled in Microsoft Entra ID. Users sign in to devices using a local user account, and manually join the device to Microsoft Entra ID. Then, they sign in to the device using their Microsoft Entra account.

      OR

      • User signs in to the device using their Microsoft Entra account, and then enrolls in Intune.

    • Co-managed devices that use Configuration Manager and Intune. When installing Win32 apps, make sure the Apps workload is set to Pilot Intune or Intune. PowerShell scripts will be run even if the Apps workload is set to Configuration Manager. The Intune management extension will be deployed to a device when you target a PowerShell script to the device. Remember, the device must be a Microsoft Entra ID or Microsoft Entra hybrid joined device. And, it must be running Windows 10 version 1607 or later. See the following articles for guidance:

Note

For information about using Window 10/11 VMs, see Using Windows 10/11 virtual machines with Intune.

Understand Intune management extension agent installation

For devices that meet the prerequisites, the Intune management extension is installed automatically when certain features are assigned to a user or device. Installation commonly occurs when the following features are assigned:

Note

For information about how the IME is rolled out and updated, see Service information for Microsoft Intune release updates.

The agent is installed at C:\ProgramData\Microsoft\IntuneManagementExtension\Logs when applicable and doesn't appear in the start menu on Windows devices. The agent appears as IntuneManagementExtension under Services in Task Manager when running on Windows devices.

Intune management extension functionality

  • The IME silently authenticates with Intune services before checking in to receive assigned installations for the Windows device.
  • The IME checks for new or updated installations with Intune services usually every 8 hours. This check-in process is independent of the MDM check-in.

Manually initiate an Intune management IME check-in from a Windows device

On a Windows Device that has the IME installed, open Company Portal, select Settings > Sync. This initiates an MDM check-in as well as an IME check-in.

Alternatively, you can open Task Manager, find the service IntuneManagementExtension, right-click and select Restart. The IntuneManagementExtension service restarts immediately, which will initiate a check-in with Intune.

Note

The Sync actions from either the Settings app (Windows 10 or later), or Devices in Microsoft Intune admin center, initiates an MDM check-in and doesn't force an IME check-in.

Intune management extension removal

There are several conditions that can cause the IME to be removed from the device, For example:

  • Shell scripts are no longer assigned to the device.
  • The Windows device is no longer managed.
  • The IME is in an irrecoverable state for more than 24 hours (device-awake time).

Common issues and resolutions

Issue: Intune management extension doesn't download.

Possible resolutions:

  • The device isn't joined to Microsoft Entra ID. Be sure the devices meet the prerequisites (in this article).
  • There are no PowerShell scripts or Win32 apps assigned to the groups that the user or device belongs.
  • The device can't check in with the Intune service. For example, there's no internet access, no access to Windows Push Notification Services (WNS), and so on.
  • The device is in S mode. The Intune management extension isn't supported on devices running in S mode.

To see if the device is auto-enrolled, you can:

  1. Go to Settings > Accounts > Access work or school.
  2. Select the joined account > Info.
  3. Under Advanced Diagnostic Report, select Create Report.
  4. Open the MDMDiagReport in a web browser.
  5. Search for the MDMDeviceWithAAD property. If the property exists, the device is auto-enrolled. If this property doesn't exist, then the device isn't auto-enrolled.

Enable Windows automatic enrollment includes the steps to configure automatic enrollment in Intune.

Intune management extension logs

IME logs on the client machine are typically in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs. You can use CMTrace.exe to view these log files.

Screenshot or sample cmtrace agent logs in Microsoft Intune

In addition, you can use the log file AppWorkload.log to help troubleshoot and analyze Win32 app management events on the client. This log file contains all logging information related to app deployment activities conducted by the IME.

IME log files

Log file Description
IntuneManagementExtension.log This is the main log file. It contains all the IME check-ins, policy requests, policy processing and reporting activities.
AgentExecutor.log This file tracks PowerShell script executions (deployed by Intune).
AppActionProcessor.log This file tracks detection and applicability checks actions for assigned apps.
AppWorkload.log This file helps troubleshoot and analyze Win32 app deployment activities.
ClientCertCheck.log This file tracks device client certificate checks.
ClientHealth.log This file tracks the health of the Intune management extension.
DeviceHealthMonitoring.log This file tracks the health of hardware readiness, device inventory and other data collectors.
HealthScripts.log This file tracks the health of remediations that run on a regular schedule.
Sensor.log This file tracks the health of the Endpoint analytics data collector, including boot performance, app reliability and more.
Win32AppInventory.log This file tracks the health of the app inventory collector.

Next steps