Forum Discussion
Intune Management Extension Deployment
- Jun 15, 2025
Hi Jamie,
So... Microsoft uses multiple CDN and management endpoints to ensure availability and redundancy.
The IME can fail over between these endpoints if one is unreachable:
- If login.live.com remains blocked, new device enrollments or new user authentications may fail, preventing fresh installations or re-enrollments.
- However, already installed IME agents should continue to update and communicate via manage.microsoft.com and CDN endpoints, assuming those URLs are allowed. I don't know if it's suitable for a .msi install.
Back again: login.live.com is mainly needed once for initial authentication. Whether this applies to the .msi installation, you need to test, or go and watch the traffic on a freshly installed client in order to better understand these facts.
Good luck!
thanks for the feedback :)
We can't check the logs, as the folder will not exist unless the IME is installed; even when the first contact is made via the Company Portal, the triggering of the Win32 app or scripts won't initiate the IME deployment. From what I can tell it's definitely getting blocked by our firewall, but the team responsible aren't using all of the endpoint whitelist.
At the moment we are pulling the agent down using reg hive entries to get the correct URL and then deploying manually to the endpoints; this in turn allows the devices to start receiving all required apps and scripts. But I am looking for technical knowledge to advise: if this is still blocked, would these agents still be able to update themselves?
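One way to narrow down where the block sits before the IME logs exist, as an added example that is not from this thread: a PowerShell pre-flight check of the IME service state, its log folder, and TCP 443 reachability of the two hosts named above. The log folder path is assumed from a standard install and the endpoint list is deliberately limited to the hosts this thread mentions; extend it from Microsoft's own endpoint documentation.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on the client.
$endpoints  = @('login.live.com', 'manage.microsoft.com')   # hosts named in the discussion
$imeService = 'IntuneManagementExtension'                    # IME agent service name
# Assumed standard log location; the folder is only created once the IME is installed.
$imeLogDir  = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'

function Test-ImeState {
    # Reports whether the IME service is present, its status, and whether the log folder exists.
    $svc = Get-Service -Name $imeService -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Installed   = [bool]$svc
        Status      = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        LogsPresent = Test-Path -Path $imeLogDir
    }
}

function Test-ImeEndpoints {
    # TCP connect test on 443 for each endpoint; a False here points at a firewall/proxy block.
    foreach ($name in $endpoints) {
        $reachable = Test-NetConnection -ComputerName $name -Port 443 `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Endpoint = $name; Port443 = $reachable }
    }
}

Test-ImeState     | Format-List
Test-ImeEndpoints | Format-Table -AutoSize
```

A successful TCP connect only shows the firewall allows the socket; TLS inspection or proxy rules can still break the agent, so compare the result with a packet capture from a freshly installed client as suggested above.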
Hi,
Based on your first comment, I assumed that you have some agents that already have IME that you can check.
The approach is completely wrong at this point as all management and traffic is done via IME and this service goes live and checks the CDG from Microsoft and the Intune backend.
Good luck!
- JamieMcC1590, Jun 12, 2025 (Copper Contributor)
Hi Bogdan,
Your input is invaluable at this time 😀. Just to clarify: before Microsoft changed some of the endpoint whitelist settings earlier this year, around April, our IMEs did manage to deploy in the correct manner. I don't have the full picture from our server network team, but I can only assume that something in our block list is now stopping the IME from reaching our endpoints. Hence we have a temporary workaround solution, which is not ideal.
My main question is: if this block remains in place and we continue to deploy the .msi manually, would the IME still be able to update itself? I.e., would it use the same URLs to reach the update? I'm led to believe there are primary and secondary servers available for the agent to deploy from, and possibly a backup?
Forgive me, but my understanding is purely based on in-the-field observations and Microsoft's own documentation. Any further input is greatly appreciated 💙