Intune Management Extension not installing

Copper Contributor

I am testing Intune/EMS on Windows 10 (1709) PCs and trying to get Powershell scripts to run without success. I think the issue is with the Intune Management Extension not installing but cant find much information on how to troubleshoot this particular issue.

 

Can anyone advise how I get Powershell scripts to run ? TIA

 

Scott

70 Replies

@WalterPrem @Oliver Kieselbach 

I had Azure AD joined device and autenrolled in Intune. Management extension was installed properly. I retire the device from Intune ( WIndows 10 1809) and device get disconnected from Azure AD (from documentation this should not happen)

I logged on with local admin and joined the device again to Azure AD.  Device is enrolled in Intune but management extension is not installed. I tried to deploy one script but nothing happen, management extension is not installed. Did some of you had similar scenario? 

Okay your issue is that you have technically a WorkPlace Joined (WPJ) device and not hybrid AADJ. Because of the use of manually add work/school acount the device is treated as WPJ. The WPJ scenario is not supported by MS for the Intune Management Extension (IME) and I'm not sure it will in near future. As WPJ is more targeted to BYOD and MS don't want to mess with BYOD devices by installing agents on personal devices.

To make the agent work you would need to WPJ un-enroll them and hybrid AADJ them via:

 

How To: Plan your hybrid Azure Active Directory join implementation
https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan

 

I'm sorry if this introduces efforts on your side.

 

The documentation is telling the fact only implicit by not telling that the IME is supported on WPJ devices:

 

The Intune management extension supports Azure AD joined, hybrid Azure AD domain joined, and co-managed enrolled Windows devices.

 

This is a bit confusing.

 

best,

Oliver

@Oliver Kieselbach 

 

Thanks Oliver,


Yes, the confusion also comes from me thinking that "hybrid Azure AD domain joined" simply means being in a hybrid situation. Since, if you add a local-AD machine to Intune, it's also added to Azure AD and becomes Hybrid. We have AD connect set up (for password sync) and when people login to Outlook, the devices shows in Azure AD devices (even before add school/work account).


The other confusing part is that I would think MAM exists for BYOD scenarios (instead of WPJ), and I can use MDM if I decide to use all intune features on every devices I have (including local AD joined laptops). From my end, the devices don't look WPJ at all. They show as fully managed by intune MDM.

 

I will go over the hybrid AD join methods you linked and see if this can fix our issues. 
I still believe it would be beneficial for all if every MDM intune (not MAM) would support the IME.
Thanks for you time.

@Oliver Kieselbach 


So today, surprisingly, I got the Intune Management Extension working on a WorkplaceJoined PC by removing the work account, and then choosing Enroll only in device management instead (almost hidden on the right...).

For some reason, MDMdiag XML now reports MDMFull instead of MDMFullWithAAD, and to my surprise, after installing the IME, I'm receiving powershell scripts.

 

Again I have a lot of trouble finding documentation on the difference between the above, and why it's working if I use the Enroll only button rather than the CONNECT button.

 

The problem is still that, all our devices are joined to Intune with the CONNECT button either via the add school/work account menu or via the company portal.

This means I would still need to un-enroll and re-enroll all our "WorkplaceJoined" devices.

 

Maybe you know of a way to get "MDMFullWithAAD" devices to be "MDMFull"?

@WalterPrem: Did you ever solved this? I got exactly the same problem :( 

@AlexanderKarls 

Well, the conclusion is that it's simply not supported for devices that are "manually" joined to Intune, e.g. when using add/remove account or the company portal.

You need to use Windows Autopilot or Azure AD join during setup, or setup Hybrid environment (syncing computers) and rolling out Intune using GPO.

Just stumbling across this issue now after manually enrolling 50 or so devices and not realizing that PowerShell will not work on these devices.  Will using the local security policy editor "gpedit.msc" to set this attribute work for 100% remote devices?  I'll be trying this on a few but for the sake of time per device, it'd be nice to be able to disjoin from Work or School and then just set this bit and leave.

 

Computer Configuration > Administrative Templates > Windows Components > MDM

 

Microsoft also has provisions in the portal to change a device from "Personal" to "Corporate" owned... why would they not flip that device to Hybrid Joined then instead of making admins jump on all these machines physically... makes no sense.

@Scott PatersonNeed to be on Windows 10 1803 or higher.

I was running into this on one of my test PC's. We have Azure AD Free + Microsoft Intune Trial + Onsite/Inhouse AD Syncing with Azure AD.

 

The setup in order was:

 

1. Previously joined to Local Inhouse AD.

2. Enroll in MDM only.

3. Connected with Work or school account.

 

In Intune's "endpoint" dashboard I see the device correctly:

 
Name: RLABRECQUE-DT
Management name: rlabrecque_Windows_1/15/2021_7:30 AM
Intune Device ID: REDACTED-****-****-****-***************
Azure AD Device ID: REDACTED-****-****-****-***************

 

In Azure AD I see the Device as:

Name: RLABRECQUE-DT
Join Type: Azure AD registered
MDM: Microsoft Intune

 

I would receive business applications, but would not get the Intune Management Extension and Powershell scripts would not run as a result.

 

The missing piece for me was in Intune on the Devices tab of the Intune "endpoint" dashboard the machine was Personal. As soon as I changed it to a Corporate Device, synced in Intune "endpoint" dashboard, synced in the "Managed by <Corp>" settings dialog on the device, and restarted the device, Intune Management Extension installed and the Powershell script ran!

 

https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesWindowsMenu/windowsDevi...

 

 

I should note that my other test PC which was setup like so:

1. Connected with Work or school account
2. Joined to Azure AD.
3. Manually enrolled in MDM only.

It also did say Personal device, but did not suffer from this issue.
Hello everyone, I have the same problem that is discussed below! After joining Azure Ad Intune, the Microsoft Intune Managenent extension service is not installed. I will tell you about this problem in more detail. I am using an enterprise Windows image 21H1 19043.1052 for installation. The image was created using sysprep /audit, and then sealed using sysprep /generalize. The task is to deploy this image on 200 machines and connect them to Azure AD, take control of Intune.There is no connection of machines to the local AD controller. When I deployed this image on the first machine and connected it to Azure AD, the machine connected correctly, the Microsoft Intune Management Extension service was installed and started correctly, all Win32 applications and policies come from Intune.Later, I deployed this image on five more test machines and connected them to Azure AD, they all have the same image: 1. The Microsoft Intune Management Extension Service is not installed. 2. In Intune, the machines are displayed strangely IRegistration_Windows_8/24/2021_9:55 am 3. In C:\ProgramData\Microsoft the IntuneManagementExtension 4 folder is missing. In the event viewer, Device Management-Enterprise Diagnostics 0 - Or errors 844, 76. This situation is observed on all other machines except the first one. There is a suspicion that Intune believes that this is a single machine, and does not install the Microsoft Intune Managenent extension service. It is not very clear which SID Intune binds to, and sysprep should have solved this problem. Please help me!!!