The Microsoft Intune Management Extension is a system service that Microsoft Intune installs onto domain-joined and managed Windows devices.
This service is designed to augment existing device management capabilities by enabling Intune to execute a PowerShell script on managed devices. IT can use these scripts for nearly any purpose, such as performing a configuration task or assessing the device's health. Additionally, the Intune management agent verifies a managed device's compliance state.
The Intune Management Extension performs periodic synchronizations with Intune. During these synchronizations, the extension checks for new policies or policy updates. If policies are not being applied to a managed Windows device or if Intune is unable to run a PowerShell script on such a device, then IT might need to restart the Intune Management Extension agent service on that endpoint. There are a few different methods to perform this restart.
Force the endpoint to reboot
One of the easiest options is to simply force a reboot on the endpoint running the Intune Management Extension. When the system reboots, any services on that device should also restart, assuming that those services are configured to run automatically.
To force a device restart, log in to the Microsoft Intune admin center, select the Devices tab and then click All Devices. This should cause Intune to display a list of the managed devices. Click on the device that needs to reboot and then click on Restart. When prompted, click Yes to confirm the reboot.
Force a sync operation
Another process that admins can perform when the Intune Management Extension agent service is not working correctly is to force the device to sync with Intune. It is worth noting that forcing a device to sync does not trigger a restart of the Intune Management Extension agent service. In some cases, however, forcing a sync will cause a device that had been stuck to begin working again.
Forcing a device sync causes the device to check in with Intune immediately instead of waiting for the next scheduled sync time. That way, any pending policy changes or other actions are applied right away. Forcing a device sync is the Intune equivalent of Active Directory's GPUpdate /force command, which causes group policy changes to be immediately applied. Therefore, forced sync operations are primarily used for expediting policy changes to a device, but forced syncs can also be used for troubleshooting purposes.
To force a device synchronization operation, log in to the Microsoft Intune admin center. Once logged in, click on the Devices tab and then click on All Devices. This will cause Intune to display a list of all managed devices. Locate and then click on the device that you want to sync. When the device's Overview pane is displayed, click the Sync button and then confirm the operation by clicking Yes.
Use the Service Control Manager
Another option for restarting the Intune Management Extension agent service is to use the Windows Service Control Manager. The Service Control Manager is a native tool used for managing all the services that run on the system. IT can access the Service Control Manager by entering the Services.msc command at the Windows Run prompt.
When the administrator opens the Service Control Manager, it will initially display the services that are running on the local device. However, the admin can configure the Service Control Manager to manage the services running on a remote endpoint. To do so, right-click on the Services (Local) tab and then select the Connect to another computer ... option from the shortcut menu (Figure 1). Then follow the prompts to choose the desired computer.
Once connected to the computer, locate the Intune Management Extension agent service that needs to be restarted. The service is listed as IntuneManagementExtension. Now, just click on the service, and then select the Restart command from the list of services.
Use PowerShell via elevated session
IT teams can also use PowerShell to restart the Intune Management Extension agent service. The admin will need to be logged in to their machine using an account that has the permissions necessary to manage the remote machine. Additionally, the admin will need to perform this action from an elevated PowerShell session. To launch an elevated session, right-click on the PowerShell icon in the Windows Start menu and select More and then Run as administrator from the shortcut menus.
The Get-Service cmdlet will display a list of the services that are available on the machine, as was the case with the Service Control Manager. However, the services listed here are those from the local machine. To display the services that are installed on a remote machine, the admin must use the -ComputerName parameter, followed by the name or IP address of the computer to manage. For example, to display the services from a computer named WK1, the admin should type: Get-Service -ComputerName WK1.
Most of the time, this command works without issue. If the output is an error message, however, it should be relatively easy to troubleshoot the problem. Begin by making sure that the host computer and the managed computer are both joined to the same domain. The admin should also make sure that PSRemoting is enabled on the computer that they are trying to manage. IT can enable it by running the Enable-PSRemoting cmdlet. Finally, make sure that ports 5985 and 5986 are not being blocked.
Once IT has verified that it can display a list of system services on the remote machine, it can use the Restart-Service cmdlet to restart the Intune Management Extension agent service. Just provide the name of the service to restart -- in this case, IntuneManagementExtension -- and the ComputerName parameter along with the name of the remote machine.
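The remote restart and the WinRM connectivity check described above, as an added example that is not part of the original article. Restart-Service has no -ComputerName parameter of its own, so this sketch runs the restart on the target through Invoke-Command over PSRemoting. The function name Restart-RemoteImeService and its -UseSSL switch are illustrative, and WK1 is the sample computer name used above.

```powershell
# Added example: restart the Intune Management Extension service on a remote PC.
# Assumes PSRemoting is enabled on the target and the caller is an administrator there.
function Restart-RemoteImeService {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$ComputerName,
        [string]$ServiceName = 'IntuneManagementExtension',
        [switch]$UseSSL   # WinRM over HTTPS (port 5986) instead of HTTP (port 5985)
    )

    # Honor -WhatIf / -Confirm before touching the network or the service.
    if (-not $PSCmdlet.ShouldProcess("$ServiceName on $ComputerName", 'Restart service')) {
        return
    }

    # Connection settings shared by the reachability test and the remote call.
    $target = @{ ComputerName = $ComputerName; ErrorAction = 'Stop' }
    if ($UseSSL) { $target.UseSSL = $true }

    # Fail early with a clear message if the WinRM listener cannot be reached
    # (PSRemoting disabled, or port 5985/5986 blocked).
    try {
        Test-WSMan @target | Out-Null
    } catch {
        throw "WinRM is not reachable on ${ComputerName}: $($_.Exception.Message)"
    }

    # Run the restart on the target itself and report the state before and after.
    Invoke-Command @target -ArgumentList $ServiceName -ScriptBlock {
        param($Name)
        $svc    = Get-Service -Name $Name -ErrorAction Stop
        $before = $svc.Status
        Restart-Service -Name $Name -Force -ErrorAction Stop
        # Throws a timeout exception if the service is not running within 60 seconds.
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
        [pscustomobject]@{
            Service   = $Name
            Before    = "$before"
            After     = "$((Get-Service -Name $Name).Status)"
            Restarted = Get-Date
        }
    }
}

# Dry run against the sample computer name; remove -WhatIf to perform the restart.
Restart-RemoteImeService -ComputerName WK1 -WhatIf
```

Adding -UseSSL keeps the session on the HTTPS listener (port 5986), which requires that an HTTPS WinRM listener with a valid certificate already exists on the target.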