Part of:Key features of the Intune management extension
Using the Intune management extension for PowerShell scripts
Intune and PowerShell have a lot of unique management actions they can take, but with the help of the Intune management extension, they can communicate and manage more efficiently.
Microsoft Intune is the cloud endpoint management platform that Microsoft provides to endpoints within organizations with capabilities to control all aspects of the Windows OS and install apps on those devices.
With the help of the Microsoft Intune management extension, IT teams can take basic Intune management further to provide more complicated application management and other customizations.
What is the Intune management extension?
The Intune management extension is -- as the name already implies -- an extension that adds more functionality for Windows device management. It extends the existing management capabilities that are available within Windows, mainly focused on providing more app installation capabilities and customizations options, the latter by providing support for PowerShell scripts, via Microsoft Intune.
Besides that, nowadays, there are also capabilities for app inventory and basically any PowerShell script that's used within Microsoft Intune. This includes the remediation functionality of proactive remediations and the detection functionality of Win32 Windows apps.
What prerequisites must be in place to use the Intune management extension?
When looking at the prerequisites for the Intune management extension, the quick conclusion is that it is installed on nearly all managed devices. It is, however, good to be familiar with the perquisites that must be in place on the Windows device:
The device must be running Windows 10 version 1607 or later. And, for devices enrolled with bulk enrollment, it must be Windows 10 version 1709 or later. This includes any version of Windows 11 as well.
IT can use the Intune management extension in combination with comanagement. In that case, it is important that the Apps workload is set to Pilot Intune or Intune.
A graphic that explains the timeline of Microsoft Intune over the years
How does the Intune Management Extension operate?
From a technical perspective, the Intune management extension is installed automatically as a Windows service. That service has the display name Microsoft Intune Management Extension and the service name IntuneManagementExtension. That service starts automatically with a delayed start, and IT can manage it like any other Windows service.
The installation location of the Intune management extension service is C:\Program Files (x86)\Microsoft Intune Management Extension. That location contains all the required source files for the service, including configuration files. The executable used for the service is also available in that location and is Microsoft.Management.Services.IntuneWindowsAgent.exe. Besides that, there are also pieces of data and configuration stored in the registry of the Windows device That can be found at HKLM\SOFTWARE\Microsoft\IntuneManagementExtension. That location includes a lot of information around the configuration of the Intune management extension, collected inventories and status reports of any action performed by the Intune management extension.
Once the service is up and running, it performs a standard synchronization with Microsoft Intune to see if new policies are available. Those policies can include anything that requires the Intune management extension, including PowerShell scripts and Win32 Windows app deployments. The default configuration for that synchronization is once every 60 minutes.
To make sure that the Intune management extension is healthy and can perform its activities, there is a scheduled task configured on the device. That task is located in Task Scheduler Library at Microsoft > Intune and runs the ClientHealthEval.exe that is available within the installation directory. When that task is running, it verifies some basic configurations around the Intune management extension to verify its health. That includes all sorts of checks around the status of the service, including its availability, startup type, memory usage and more.
Basically, Windows logs every action of the Intune management extension and related services in different log files. There used to be just a few log files that contained all the information, but nowadays, -- with the introduction of more and more functionalities -- that information is stored across many more different log files. Those logfiles are available at C:\ProgramData\Microsoft\IntuneManagementExtension\Logs.
What functionality is provided by the Intune management extension?
Microsoft introduced the Intune management extension to provide some basic functionalities around running PowerShell scripts. But, luckily for IT administrators, Microsoft expanded those functionalities quickly. Today, the Intune management extension contains the following functionalities:
PowerShell scripts. The Intune management extension enables basically any form of running PowerShell scripts on managed devices. That includes the PowerShell scripts that are used in proactive remediations and custom device compliance policies, the PowerShell script functionality itself and even PowerShell scripts that are used within the detection methods of Win32 Windows apps. With that, the Intune management extension provides the IT administrator with a lot of flexibility, customization and management capabilities on the managed devices.
App deployments. The Intune management extension also enables the capabilities for installing more advanced application types through Microsoft Intune. That includes the following important application types for Windows devices:
Win32 Windows apps. This application type includes installation files of an application -- or anything else that an IT administrator likes to bring to the devices -- that are wrapped by the Microsoft Win32 Content Prep Tool into the .intunewin file format. The Intune management extension contains the technology to bring that file to the device, extract the files and perform the configured actions.
Microsoft Store apps. This application type includes similar intelligence as provided by winget but then directly integrated into Microsoft Intune. That enables the IT administrator to install apps that are available via the Microsoft Store. The Intune management extension can bring those installation capabilities to the device and to provide support for the installation of apps from the Microsoft Store. This application type no longer requires the Microsoft Store for Business, which will be retired.
App inventories. When the Intune management extension is installed on a managed device, it also provides an add-on to the application inventory. In that case, the Intune management extension performs the inventory of the installed Win32 applications that are installed on the device. That includes all the apps that are installed via Microsoft Software Installer (MSI) and provides information about the installation date, name and version number. This inventory has a refresh cycle of every 24 hours after the device enrollment. This inventory also includes MSI applications that are not installed via Microsoft Intune.
The IT administrator doesn't have to perform a specific additional action to install the Intune management extension.
How to utilize the Intune management extension
The IT administrator doesn't have to perform a specific additional action to install the Intune management extension. That is because the Intune management extension is automatically installed when assigning one of the functionalities that relies on the Intune management extension. So, when a PowerShell script, remediation, Win32 Windows app, Microsoft Store app or custom compliance policy is assigned to the user or the Windows device, the Intune management extension is automatically installed on that device.
That makes it a device-specific installation and also means that the Intune management extension is not available on every Windows device by default. The additional inventory of Win32 apps is only available for Windows devices that have one of those assignments. Without one of them, that endpoint's inventory is not available.
What you should know before using the Intune management extension
When looking at the Intune management extension, the following items are good to know before starting with PowerShell scripts and Win32 apps:
Never forget the power of PowerShell scripts when running in system context or in user context when the user has administrator permissions.
Never include sensitive information in PowerShell scripts, as the scripts are available locally on the device.
PowerShell scripts are executed before the installation of Win32 apps.
PowerShell scripts have a default timeout of 30 minutes, and the default timeout for Win32 apps is 60 minutes. The latter is now configurable.
Support for Azure AD registered devices is limited.
These items are basically applicable to all functionalities of the Intune management extension but are specifically called out for PowerShell scripts and Win32 apps, as those functionalities are used the most often.
