Intune Management Extension not installing

I am testing Intune/EMS on Windows 10 (1709) PCs and trying to get PowerShell scripts to run without success. I think the issue is with the Intune Management Extension not installing, but I can't find much information on how to troubleshoot this particular issue.

Can anyone advise how I get PowerShell scripts to run? TIA

 

Scott

I could handle hours, we are talking weeks, and still no Management Extension Service.

Did you follow the troubleshooting advice from this thread?
App deployment via CSP, app install and so on... checked all log files, registry entries...

Hi Oliver,

 

I have been having similar issues; however, I don't see any of the logs/folders you have in your troubleshooting steps.

I have noticed I have quite a few entries under configuration source in a provisioning state, and they have been for a couple of weeks now.

Any ideas for me?

Hi Matthew,

 

Can you check the status of the agent deployment via the EnterpriseDesktopAppManagement CSP please?

 

See here: https://oliverkieselbach.com/2018/02/12/part-2-deep-dive-microsoft-intune-management-extension-power...

 

best,

Oliver

Hi Oliver,

 

I went to check the registry, but there is no key for EnterpriseDesktopAppManagement. There is EnterpriseAppManagement, but the next level is Database, not an SID.

I have applied the Intune script to a group that contains users. Is that a problem?

 

Matt

Hi Matt,

 

If you see no EnterpriseDesktopAppManagement, then you have not received the MSI install job yet. Did you receive other policies from Intune?

I assume you are not seeing ./device/Vendor/MSFT/EnterpriseDesktopAppManagement/ in the Advanced MDM report?!?

Open Settings > Accounts > Access work or school > Connected to TenantName’s Azure AD > Info > scroll down to the bottom and click “Create report”

 

So the question here is, does your client receive any policies from Intune?

User assignment is correct!

 

Oliver

Hi Oliver

 

You are correct, I didn't receive the policy you mentioned in the report.

 

I would assume it is working in some capacity, as I set the commercial ID for OMS and some computers are reporting data.

 

Matt

Hi Matt,

 

Can you assign your user a new PowerShell script, wait 10 min., and then sync again? After that, can you examine the event log to see if you can find any evidence of a failed EnterpriseDesktopAppManagement CSP?!

 

Start event viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin

 

Maybe you can also try to enable “Show Analytic and Debug Logs" and then examine the Debug event log for errors.

 

best,

Oliver
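To make the checks from the replies above (the EnterpriseDesktopAppManagement CSP registry node and the DeviceManagement-Enterprise-Diagnostics-Provider event log) repeatable on a test PC, here is a read-only diagnostic script. It is an added example, not code from this thread or from Microsoft; the service name, the registry path under HKLM and the value names Status/LastError are assumptions based on the thread, not something the posts quote verbatim.

```powershell
#Requires -RunAsAdministrator
# Added example: collects the evidence the thread asks for in one pass. Read-only.

# 1. Is the Intune Management Extension service there at all? (service name assumed)
$svc = Get-Service -Name 'IntuneManagementExtension' -ErrorAction SilentlyContinue
if ($svc) {
    "IME service present, status: $($svc.Status)"
} else {
    "IME service NOT installed - the agent MSI job never arrived or failed"
}

# 2. EnterpriseDesktopAppManagement CSP: one subkey per user SID, an MSI node per
#    product code. No root key at all = the device has not received the install job.
#    (Registry path and Status/LastError value names are assumptions.)
$cspRoot = 'HKLM:\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement'
if (Test-Path $cspRoot) {
    Get-ChildItem $cspRoot | ForEach-Object {
        $sid = $_.PSChildName
        Get-ChildItem (Join-Path $_.PSPath 'MSI') -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                SID         = $sid
                ProductCode = $_.PSChildName
                Status      = $p.Status
                LastError   = $p.LastError
            }
        }
    } | Format-Table -AutoSize
} else {
    "No $cspRoot key - no EnterpriseDesktopAppManagement install job received yet"
}

# 3. Last 24h of the MDM diagnostics Admin log: warnings/errors, plus the 19xx
#    install events a later poster saw during a successful agent push.
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = (Get-Date).AddHours(-24) } `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.Level -le 3 -or $_.Id -in 1905, 1906, 1920, 1922 } |
    Select-Object TimeCreated, Id, LevelDisplayName,
                  @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run it, trigger a sync from Settings > Accounts > Access work or school, wait 10 minutes and run it again; the difference between the two outputs is what to post when asking for help.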

Hi Oliver,

 

I have been in contact with Intune Support, who said Intune PowerShell isn't available on Azure Hybrid Joined PCs, with no ETA for that to be available.

 

Hopefully this helps someone in the future :(

Oh yes, that's true. I assumed AAD joined machines during the discussion here all the time.

That's very good to mention here.

The device needs to be auto-enrolled in MDM, not manually enrolled. Only with auto-enrollment is installation of the management extension triggered.

Is there any way to trigger this with all of my manually enrolled devices? 

I believe I have found the answer:

If both MAM user scope and automatic MDM enrollment (MDM user scope) are enabled for a group, only MAM is enabled. Only MAM is added for users in that group when they workplace join a personal device. Devices are not automatically MDM enrolled.

Hi Matthew,

 

As time goes by, things change :-), support for Hybrid Domain Joined devices is now available.

see here: https://docs.microsoft.com/en-us/intune/intune-management-extension

 

Prerequisites

The Intune management extension has the following prerequisites:

  • Devices must be joined to Azure AD and auto-enrolled. The Intune management extension supports Azure AD joined, hybrid domain joined, and comanaged enrolled Windows devices. GPO-enrolled devices aren't supported.
  • Devices must run Windows 10 version 1607 or later.
  • The Intune management extension agent is installed when a PowerShell script or a Win32 app is deployed to a user or device security group.

 

best,
Oliver

Hey @Oliver Kieselbach 

 

I too am having issues deploying the Intune agent.

 

Specifically, this is the scenario I have noticed:

 

I can stand up a machine, join to AAD, it will push the Intune agent. PowerShell scripts work.

 

IF I RESET the Win 10 machine, it will re-join AAD, but the Intune agent never pushes.

 

Nothing under win\system32\config\systemprofile\appdata\local\mdm

 

Only a few error messages in Event viewer, but nothing I recognize as "intune agent failed to install"

 

The machine does show the MDMDeviceWithAAD property. CompanyPortal is installed via MS Store.

 

I have replicated this behavior on 4 different machines.

 

The one instance I did get the agent to repush, I had to REMOVE the AAD account under 'Accounts -> Work & School' - then re-join it to AzureAD. - The Intune agent re-pushed after this process.

For further investigations, which type of reset did you choose exactly?

With retaining user data, Autopilot Reset, Factory Reset, ...

This might have additional impact on the situation.

 

Thanks for the info.

Reset with retain user data. 

 

I've selected reset with retain user data from the device locally, and initiated via the Azure portal.

 

When the device finishes, the user profile is re-created and the device automatically joined to Azure AD. I go to Win Store and download Company Portal --- MSI apps that we set to install automatically like OpenDNS and Trend will download... but we never get the Intune agent after that reset event.

 

If I remove all AzureAD accounts from the laptop, switch back to local profile... then rejoin to AzureAD, I will get the intune agent again.

Out of curiosity, did you try to reset without retaining user data? Maybe due to the retained user data there is some information stored which actually blocks the re-push of the agent.

As expected:

I performed a full wipe - the machine was not AAD joined afterward - it had a new identity (PC name). After manually rejoining AAD, manually reinstalling Company Portal, and signing in as my AAD identity, the Intune agent downloaded. I can see in the DeviceManagement-Enterprise-Diagnostics-Provider log a few new codes, 1922, 1920, 1906, 1905 - installing various GUID-labeled programs - and now the agent is available.


I performed a 'Fresh Start' wipe on my other test machine. This retained the AAD association and PC name remained the same - after logging in, I manually reinstalled Company Portal. - after 3 hours, multiple reboots, manually initiating sync, No Intune agent.

I just removed the PC from azureAD, rebooted, rejoined manually, launched company portal, hit sync - Intune agent pushed to the machine.

I also experienced this today. I have run through a number of resets using "Keep my files" without an issue, but today this occurred. I am using 1809 Enterprise x64 patched up to 20-Feb on a Hyper-V VM. I will try a few more times and see what results.