Forum Discussion
Intune Confusion
Hey guys,
I'm relatively new to Microsoft Intune and have been playing with the platform with a view of potentially using it as our corporate endpoint management solution.
I've been playing with it for a few days and I'm a little confused.
Within our organisation we have about 25 'hotdesks' shared by Call Centre staff working on shifts - I thought that Intune Plan 1 Device Only would be a good fit for these systems. For the remainder of our staff (circa 250), I was thinking maybe Device Only or maybe User license. I'm not sure we require a full user license for everyone as we have a small amount of corporate software (so no real requirement for corporate software catalogue within the user portal etc) and only really need to manage Windows updates, configuration / security policies and to push / remove software - which I 'believe' is possible with the device only licenses.
I've started off by acquiring x4 device only licenses (thus have not assigned them to any users) for testing purposes. My 4 test systems were already AAD joined and so to enroll them I did this using a Device Enrollment Manager account and joined through 'Settings > Accounts > Access work or school > Enrol only in device management' on each test workstation. All 4 test systems enrolled without issue and are visible within the Intune Portal and are checking in.
This is where I get confused:
1 of the 4 test workstations has the IntuneManagementExtension service running in Windows. The other 3 do not. The system that does have the service running also has the IME log directory present = C:\ProgramData\Microsoft\IntuneManagementExtension\Logs - the others do not. Again, all 4 systems are enrolled and checking in and reporting as compliant. Also, I've pushed a test piece of software to all 4 test systems (mandatory push)... none have received it. This was 8 hours ago.
I also noticed when running dsregcmd /status that the MDMurl was blank on these workstations.
I have a personal M365 tenant with Intune Plan 1 user licenses that I've used for a year or two and have had no problems or oddities experienced with software pushes (probably not oddities but more of a lack of understanding of device licenses on my part perhaps). I checked one of my personal workstations and they do have the Intune service running and the logs directory.
Can anyone shine any light on why:
A) One system has the service running / the log directory present and the others do not?
B) Is there something fundamentally wrong with my understanding of device only licensing perhaps? Is there something wrong with the way in which I have enrolled these systems perhaps?
C) Any idea why the software would not install on any of these 'device only' systems (nothing is being reported at all RE the deployment in Intune and I deployed the software about 8 hours ago)?
D) Why would the MDMurl be blank but all systems are successfully checking in?
Any pointers appreciated as I've been tying myself in knots with this. Pretty certain this is due to a chronic lack of understanding on my part.
Greatly appreciate any assistance guys.
4 Replies
- Bogdan_Guinea (Iron Contributor)
Hi,
Intune Management Extension:
IME is responsible for running PowerShell scripts and Win32 app deployments, so a device will first get the IME after a proper app or script assignment.
The IME Service only runs when device configuration policies, Win32 app or Scripts deployments are targeted to the device.
So it could be possible that the system with IME running has received a policy or app assignment which triggers it, while the others have not yet triggered IME because no applicable policies or apps are assigned (or successfully targeted) to them yet.
Device Only licensing:
These are intended for devices that are not user-affiliated, such as shared devices, kiosks, or hotdesks.
MDMURL blank:
dsregcmd output can mean the device is only enrolled in device management mode (device-only enrollment) without full MDM configuration profile or user MDM enrollment.
Questions:
Can you try to make an app deployment to those devices?
Check the Events under Event Viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider
Good luck!
- Ankido88 (Copper Contributor)
Hi,
A) Why does only one device have IntuneManagementExtension and log folder?
Force sync in Intune (Devices > Windows > Sync). Check service via PowerShell (Get-Service IntuneManagementExtension). Re-enroll one device without DEM if needed.
B) Is something wrong with Device Only licenses or enrollment?
Verify license assignment (Devices > Properties > Licenses). Test enrollment without DEM using automatic enrollment. Check enrollment restrictions (Devices > Enroll devices).
C) Why isn’t the app installing?
Ensure app is assigned to device group and marked "Required." Force sync (Devices > Sync). Check logs on device with service (C:\ProgramData\Microsoft\IntuneManagementExtension\Logs). Test with simple app (e.g., 7-Zip).
D) Why is MDMurl blank but devices check in?
Check MDM settings (Devices > Windows enrollment > Automatic Enrollment). Run dsregcmd /debug for details. Re-enroll one device without DEM.
Next steps: Sync devices, check logs, test enrollment without DEM, verify MDM and app settings. Let me know if you need specific steps!
- MattyT (Copper Contributor)
Update... the system with Intune service running installed the test software. I then manually installed the Intune agent (IntuneWindowsAgent.msi) on one of the systems that did not have the service running and it immediately installed the test software.
Does anyone have any guess as to why we'd need to manually install the agents upon these 3 systems?
- MattyT (Copper Contributor)
Update - the workstation with the IntuneManagementExtension service running has deployed the test software.
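
The client-side checks mentioned across this thread (IME service, IME log directory, dsregcmd MDM URL, MDM diagnostics event log) can be collected in one pass per workstation. This is an added example, not code from any of the posters; it assumes an elevated PowerShell session, the `AzureAdJoined` and `MdmUrl` field names in `dsregcmd /status` output, and the `/Admin` channel of the event log named in the reply above.

```powershell
# Added example: compare the Intune client state of each test workstation.
# Run elevated on every enrolled device and diff the results.

$imeLogDir = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'
$mdmLog    = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

# 1. IME service: a missing service is a valid finding, not an error.
$svc = Get-Service -Name IntuneManagementExtension -ErrorAction SilentlyContinue

# 2. Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
#    Banner and separator lines do not match the pattern and are skipped.
$dsreg = @{}
foreach ($line in (dsregcmd /status)) {
    if ($line -match '^\s*(\w+)\s*:\s*(.*)$') {
        $dsreg[$Matches[1]] = $Matches[2].Trim()
    }
}

# 3. Latest errors (Level 2) and warnings (Level 3) from the MDM diagnostics log.
#    @() guarantees an array, so .Count is 0 when nothing is returned.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $mdmLog; Level = 2, 3 } `
                         -MaxEvents 5 -ErrorAction SilentlyContinue)

# 4. One summary object per device.
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    ImeService      = if ($svc) { $svc.Status } else { 'NotInstalled' }
    ImeLogDirExists = Test-Path -LiteralPath $imeLogDir
    AzureAdJoined   = $dsreg['AzureAdJoined']
    MdmUrl          = if ($dsreg['MdmUrl']) { $dsreg['MdmUrl'] } else { '(blank)' }
    RecentMdmIssues = $events.Count
} | Format-List

# 5. Event detail for anything found in step 3.
$events | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
```

Running it on the workstation that has the service and on one that does not gives a side-by-side view of the differences described in the original post.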