Intune Management Extension: Install, Verify, and Fix

Microsoft holds roughly 37.2% market share in the MDM category across more than 36,000 companies (Enlyft), so understanding IME is practical knowledge for a large portion of enterprise IT teams. If you are just starting with Intune itself, the Microsoft Intune Setup: Step-by-Step Guide for IT Admins covers enrollment and tenant configuration before you reach IME.

IME authenticates silently with Intune services before checking in to receive assigned installations, and the agent appears as IntuneManagementExtension under Services in Task Manager (Microsoft Learn).

Prerequisites for Intune Management Extension Installation

Every item below must be true on the target device before IME can install. Missing even one will stall the process silently.

• Intune enrollment - the device must complete Azure AD Join, Hybrid Azure AD Join, or standard MDM enrollment.
• Supported OS - Windows 10 version 1607 or later, or any Windows 11 build.
• PowerShell 5.1 or newer - supplied by the Windows Management Framework (WMF).
• Network access - the device must reach Intune service endpoints, including *.manage.microsoft.com. The full list is in the Microsoft Intune network endpoints documentation.
• No SSL inspection blocking the MSI URL - deep-packet inspection proxies can break the download silently when the IME installer URL is intercepted without a trusted certificate.

If you are unsure whether your device is correctly enrolled, check the Microsoft Intune Setup: Step-by-Step Guide for IT Admins before continuing. Consistent naming across your tenant also matters - the Intune Naming Conventions: Sysadmin Step-by-Step Guide prevents policy-targeting mistakes that can make IME assignment failures look like installation failures.

How Does the Intune Management Extension Install? (Steps 1-4)

IME installation is fully automatic. The four steps below run in sequence without any prompt to the end user. Understanding each step helps you pinpoint exactly where a failure occurred.

Step 1: Assign a Win32 App or PowerShell Script

The trigger is an assignment. IME does not install speculatively. A Win32 application or a PowerShell script must be targeted at the device or a group it belongs to inside the Intune portal. Native MDM cannot execute these payload types, so Intune flags the device as needing IME the moment such an assignment lands.

During the next policy sync, the Intune service evaluates the device's capabilities, confirms IME is absent, and queues the install command. This is the most common point of confusion - admins sometimes expect IME to pre-exist, but Intune installs it on demand. For a practical example, see Deploy Citrix Workspace App via Intune Enterprise App Catalog, which walks through a real Win32 assignment that triggers IME.

The assignment also determines which user context IME will use for subsequent script execution. Get the assignment scope wrong and scripts may run under the wrong account - or not at all.

Step 2: CSP Delivers the Installer URL

Intune pushes a Configuration Service Provider (CSP) policy to the device carrying the direct download URL for the IME MSI installer. After installation you can inspect that URL in the registry to confirm what was fetched and verify your proxy or firewall did not alter it.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement\S-0-0-00-0000000000-0000000000-000000000-000\MSI\{GUID}\

The {GUID} sub-key holds the source URL and MSI metadata. If the URL shown there is blocked or rewritten by an SSL inspection appliance, installation fails silently. Compare the URL against your firewall allow-list and confirm no certificate substitution is occurring.

Microsoft now requires HTTPS delivery for managed Win32 app content. Organizations using Microsoft Connected Cache that have not configured cache nodes for HTTPS will see clients fall back to the CDN, potentially increasing internet traffic (Microsoft Learn).

Step 3: Silent MSI Installation

Windows runs the MSI in the background - no user prompt appears. Windows creates the IntuneManagementExtension service and auto-starts it. The extension installs to a fixed path.

Installation path:

C:\Program Files (x86)\Microsoft Intune Management Extension\

Confirm the service state immediately after installation:

Get-Service -Name IntuneManagementExtension | Select-Object Name, Status, StartType

Expect Status: Running and StartType: Automatic. Anything else points to a broken MSI or a missing dependency. In our lab environment, a missing WMF 5.1 update on a Windows 10 1607 image was the only case where the service existed but refused to start.

Devices must run IME version 1.58.103.0 or later. Endpoints on earlier builds do not receive Win32 app deployments, PowerShell scripts, remediations, or platform scripts (Microsoft Learn).

Step 4: Registration and Secure Channel Setup

IME registers itself with Intune using the device's Intune and Entra ID credentials. This registration builds an authenticated channel for all subsequent policy, script, and app-assignment syncs. No manual credential entry is required - the process reuses the enrollment identity already on the device.

Registry entries that track this registration appear under:

HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension

Browse these keys to confirm the extension recognises its device identity and tenant. A missing or empty key after a successful MSI install almost always means the registration call failed - check Entra ID join status and the device certificate first.

How Does IME Stay in Sync? Task Scheduler and Check-In Cadence

IME uses three scheduled tasks rather than a simple polling loop. This gives new devices an aggressive early-check cadence that relaxes over time, as documented by community researchers at scloud.work. Note that the specific minute-level intervals below come from community observation, not official Microsoft documentation - treat them as indicative rather than guaranteed.

• The first task fires on newly registered devices, syncing every 3 minutes for the first 15 minutes.
• Frequency then drops to every 15 minutes for the next 8 hours.
• After that, the device settles into a regular 8-hour sync cycle.

Microsoft's own documentation confirms the 8-hour check-in independently of the standard MDM cycle (Microsoft Learn). A separate client-health scheduled task also monitors the service and restarts it if it stops.

List all IME-related tasks at once:

Get-ScheduledTask | Where-Object { $_.TaskName -like '*Intune*' } | Select-Object TaskName, State

Step 5: Verify Intune Management Extension Health End-to-End

Run these three checks in sequence. Passing all three confirms IME is healthy and actively managed.

Service check:

Get-Service -Name IntuneManagementExtension

Log file review - stream the last 50 lines of each log:

Get-Content "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log" -Tail 50
Get-Content "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\AgentExecutor.log" -Tail 50

• IntuneManagementExtension.log - tracks service startup, policy sync, and registration events.
• AgentExecutor.log - records execution status for individual scripts and Win32 app installs.

Registry key presence:

Test-Path "HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension"

A True result confirms the extension wrote its configuration to the registry. A False result after a clean MSI install points directly to a registration failure, not an installation failure - those are different problems with different fixes.

Troubleshooting the Intune Management Extension

The table below is a first-response guide for the four most common failure patterns. Work through the "Where to look" column before attempting a reinstall.

AgentExecutor.log

IntuneManagementExtension.log

Pull recent errors from the IME log with this one-liner:

Select-String -Path "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log" -Pattern "Error|Failed" | Select-Object -Last 20

If IME needs a forced reinstall, re-assign any Win32 app or PowerShell script in the Intune portal. Intune treats it as a new requirement and repeats the full installation flow. For script-specific failures, confirm your PowerShell execution policy settings - the principles in Deploy Citrix Workspace App via Intune Enterprise App Catalog cover common execution-policy blockers in an Intune context.

One security note worth raising here: in 2026, CISA confirmed it is tracking malicious activity targeting endpoint management systems after attackers reportedly gained administrator-level access to Microsoft Intune and wiped device data. CISA urged organizations to apply least-privilege principles and enforce phishing-resistant MFA on Intune admin roles (Industrial Cyber). A compromised Intune admin account can push malicious Win32 apps through the exact IME pipeline this article describes - so securing the portal matters as much as verifying the agent.