How to restart the Intune Management Extension agent service

Force the endpoint to reboot

One of the easiest options is to simply force a reboot on the endpoint running the Intune Management Extension. When the system reboots, any services on that device should also restart, assuming that those services are configured to run automatically.

To force a device restart, log in to the Microsoft Intune admin center and then select the Devices tab and click All Devices. This should cause Intune to display a list of the managed devices. Click on the device that needs to reboot and select Restart. When prompted, click Yes to confirm the reboot.

In some cases, however, forcing a sync will cause a device that had been stuck to begin working again.

Force a sync operation

Another troubleshooting step admins can take when IME-related actions are not working correctly is to force the device to sync with Intune. It is worth noting that forcing a device to sync does not trigger a restart of the Intune Management Extension agent service. In some cases, however, forcing a sync will cause a device that had been stuck to begin working again.

Forcing a device sync causes the device to check in with Intune immediately instead of waiting for the next scheduled sync time. This can help apply pending MDM-delivered policy changes more quickly, but it does not force an IME check-in for tasks such as Win32 app processing or PowerShell script actions. Forcing a device sync is the Intune equivalent to the Active Directory's gpupdate /force command, which causes group policy changes to be immediately applied. Therefore, forced sync operations are primarily used for expediting policy changes to a device, but forced syncs can also be used for troubleshooting purposes.

To force a device synchronization operation, log in to the Microsoft Intune admin center. Once logged in, click on the Devices tab and then click on All Devices. This will cause Intune to display a list of all managed devices. Locate and then click on the device that you want to sync. When the device's Overview pane is displayed, click the Sync button and then confirm the operation by clicking Yes.

Use the Service Control Manager

Another option for restarting the Intune Management Extension agent service is to use the Windows Service Control Manager. The Service Control Manager is a native tool used for managing all the services that run on the system. IT can access the Service Control Manager by entering the Services.msc command at the Windows Run prompt.

When the administrator opens the Service Control Manager it will initially display the services that are running on your own local device. However, the admin can configure the Service Control Manager to manage the services running on a remote endpoint. To do so, right-click on the Services (Local) node and then select the Connect to another computer ... option from the shortcut menu (Figure 1). Then follow the prompts to choose the desired computer.

Once connected to the computer, locate the Intune Management Extension agent service that needs to be restarted. The service is listed as IntuneManagementExtension. Now, just click on the service, and then select the Restart command from the list of services.

Use PowerShell via elevated session

IT teams can also use PowerShell to restart the Intune Management Extension service, but the exact method depends on whether they are working locally or remotely.  Admins will need to be logged in to the machine using an account that has the permissions necessary to manage the remote machine. Additionally, the admin will need to perform this action from an elevated PowerShell session. To launch an elevated session, right-click the PowerShell icon in the Windows Start menu, select More, and then select Run as administrator.

In Windows PowerShell, the Get-Service cmdlet can display services on a remote machine by using the -ComputerName parameter. For example, to display services on a computer named WK1, type: Get-Service -ComputerName WK1.

If the command returns an error, start by verifying network connectivity, permissions and the remote computer name. If you choose to use a PowerShell remoting method such as Invoke-Command, make sure remoting is enabled and that the required management ports are not blocked.

Once IT has verified that it can access the service, it can restart IME locally with Restart-Service -Name IntuneManagementExtension. For a remote system, admins can either use a remoting-based command such as Invoke-Command or use another remote management method, because Restart-Service itself does not provide a ComputerName parameter.

For example, a local restart uses:

Restart-Service -Name IntuneManagementExtension

A remote restart using PowerShell remoting can use:

Invoke-Command -ComputerName WK1 -ScriptBlock { Restart-Service -Name IntuneManagementExtension }

Restarting the Intune Management Extension is not always the first troubleshooting step, but it can help when policies, scripts or app actions stop applying to a managed Windows endpoint. For IT teams, the key is choosing the right response -- reboot, sync or service restart -- based on what the device is failing to do.

Editor's note: This article was updated to reflect current Intune Management Extension behavior and to clarify local and remote restart options.

Brien Posey is a former 22-time Microsoft MVP and a commercial astronaut candidate. In his more than 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and a network administrator for some of the largest insurance companies in America.