Intune Management Extension Deep Dive with the Patch My PC team
Agenda
1. What is the IME?
2. How is the IME installed?
3. How does the IME process app policy?
4. How does the IME process scripts?
5. Digging into Win32 app policy event state messages
6. Try again: how the IME handles failures and retries
7. Invoke IME actions remotely like a boss
8. Inventory
9. Q&A
What is the IME?
What is the IME? A component installed on Windows by Intune and used by Intune, mainly to deploy and execute PowerShell scripts and Win32 applications on Windows devices that are enrolled in Intune.
What is the IME? Where does the IME sit in the Microsoft RMM agent stack?
- ConfigMgr client (MSI): ConfigMgr apps, policy, scripts
- IME (MSI): Intune (Win32 / Microsoft Store / WinGet) apps, scripts, custom compliance policies
- Windows MDM agent (built into the OS): Intune configuration, LOB apps
What is the IME? Log files, under C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\
- IntuneManagementExtension.log: activities and processes related to executing scripts and installing apps deployed through Microsoft Intune. Shows how the IME is functioning on the device; the first stop for troubleshooting and monitoring.
- AgentExecutor.log: execution of scripts deployed through Microsoft Intune.
- HealthScripts.log: proactive remediation scripts deployed through Microsoft Intune.
- ClientHealth.log: client health activities for the IME (checks that the service is running, sends agent status reports to Intune).
What is the IME? ClientHealth.log reads its checks from "C:\Program Files (x86)\Microsoft Intune Management Extension\HealthCheck.xml"
What is the IME? Logs rolling over? No problem
How is the IME installed?
How is the IME installed? The IME is installed when a managed device is targeted with any of: 1. a PowerShell script or proactive remediation; 2. a Win32 app or Microsoft Store app (new); 3. custom compliance settings.
How is the IME installed? The IME is installed from an MSI, via the OMA-DM channel, using the EnterpriseDesktopAppManagement Configuration Service Provider (CSP). This CSP handles enterprise desktop application management tasks such as querying installed enterprise applications, installing applications, or removing applications. https://learn.microsoft.com/en-us/windows/client-management/mdm/enterprisedesktopappmanagement-csp
How is the IME installed? You can track the install in the local registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement\S-0-0-00-0000000000-0000000000-000000000-000\MSI. New versions are rolled out automatically (MSI download source seen in the SyncML: https://euprodimedatasec.azureedge.net/). Snapshots are a curse.
How is the IME installed? View the SyncML message in which OMA-DM initiates the MSI install for the IME with SyncMLViewer: https://github.com/okieselbach/SyncMLViewer
How is the IME installed? LAB time: BW-W11-5, snapshot PreAADJoin. Press Shift+F10 during OOBE, install SyncMLViewer and view the registry. https://github.com/okieselbach/SyncMLViewer/blob/master/SyncMLViewer/dist/SyncMLViewer-v108.zip
How does the IME process app policy?
How does the IME process app policy?
1. Policy is deployed
2. Policy reaches the device
3. Dependencies checked
4. Detection rule checked
5. Applicability and requirements checked
6. IME begins content download (content phase 1)
7. IME validates the package and decrypts the content (content phase 2)
8. Content cleaned up and moved (content phase 3)
9. App install begins (detection runs again)
10. App install continues
11. Reboot Manager checks the exit code for a reboot requirement; content is cleaned up
12. Detection re-evaluated
13. Compliance state set in the registry and sent to the Intune service
14. Toast notification on success, or Company Portal update
15. Drink coffee
How does the IME process scripts?
How does the IME process scripts? A simple platform script deployed from Intune.
How does the IME process scripts? The "Enforce script signature check" option is now enabled by default.
How does the IME process scripts? AgentExecutor invokes PowerShell to run the script and sets the PowerShell execution policy to AllSigned (signature check enforced) or Bypass (not enforced) as required by the script's settings.
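The AllSigned/Bypass split above is the whole security boundary for a platform script, so it is worth checking locally what will happen before the IME does it. The function below is an added example (not code from the deck or from the IME): it reports the Authenticode status of a script and then launches it the way AgentExecutor does, with the execution policy chosen by a switch. The demo script path is constructed.

```powershell
# Added example: check whether a script would pass an AllSigned execution policy, then run it
# under AllSigned or Bypass the way the slide describes AgentExecutor doing.
function Test-ScriptRunsUnderAllSigned {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path     = $Path
        Status   = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer   = $sig.SignerCertificate.Subject
        # AllSigned also needs the signer to be a trusted publisher on this device; a
        # Valid status from an untrusted publisher prompts interactively and fails under
        # -NonInteractive, which is how the agent runs.
        WouldRun = ($sig.Status -eq 'Valid')
    }
}

function Invoke-ScriptLikeAgentExecutor {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$EnforceSignature          # mirrors the "Enforce script signature check" setting
    )
    $policy = if ($EnforceSignature) { 'AllSigned' } else { 'Bypass' }
    $ps = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
    & $ps -NoProfile -NonInteractive -ExecutionPolicy $policy -File $Path
    return $LASTEXITCODE                   # non-zero when the policy refused to load the script
}

# Demo with a constructed, unsigned script (assumption: %TEMP% is writable):
$demo = Join-Path $env:TEMP 'ime-demo.ps1'
Set-Content -Path $demo -Value "'hello from the script'; exit 0"
Test-ScriptRunsUnderAllSigned -Path $demo                      # Status NotSigned, WouldRun False
Invoke-ScriptLikeAgentExecutor -Path $demo -EnforceSignature   # refused: not digitally signed
Invoke-ScriptLikeAgentExecutor -Path $demo                     # Bypass: runs, exit code 0
```

Sign the script with a code-signing certificate the device trusts (Set-AuthenticodeSignature) and the first call reports Valid; that is the state a script needs to be in before the default signature enforcement is left on.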
Digging into Win32 app policy state messages
Digging into Win32 app policy event state messages. Win32 app policy events are stored in the registry under HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps, with one subkey per target: apps deployed to the device (the all-zero GUID 00000000-0000-0000-0000-000000000000) and apps deployed to a user (keyed by the user's Entra ID object GUID).
Digging into Win32 app policy event state messages: state message magic. The ComplianceState code in the state message maps as follows:
$stateMessageComplianceState = @{ 1 = "Installed"; 2 = "NotInstalled"; 4 = "Error"; 5 = "Unknown"; 100 = "Cleanup" }
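To turn the raw registry state into something readable, the following is an added example (my code, not from the deck or the IME) that walks the Win32Apps tree described above and decodes the ComplianceState code with the slide's table. Assumptions to verify on your own device: app keys are named after the app GUID (optionally suffixed with an underscore and a revision number), the JSON lives in a value named ComplianceStateMessage, and its field names are ComplianceState, Applicability and ErrorCode. The sample JSON at the end is constructed so the decoder can be tried without a managed device.

```powershell
# Added example: decode IME Win32 app ComplianceStateMessage values. Run elevated on a device.
$stateMessageComplianceState = @{
    1 = 'Installed'; 2 = 'NotInstalled'; 4 = 'Error'; 5 = 'Unknown'; 100 = 'Cleanup'
}
$deviceTarget = '00000000-0000-0000-0000-000000000000'   # device assignments live under this key

function ConvertFrom-IMEComplianceStateMessage {
    param(
        [Parameter(Mandatory)][string]$Target,   # subkey name: device GUID or user object GUID
        [Parameter(Mandatory)][string]$AppId,    # app key name
        [Parameter(Mandatory)][string]$Json      # ComplianceStateMessage value (assumed name)
    )
    $m    = $Json | ConvertFrom-Json
    $code = [int]$m.ComplianceState
    [pscustomobject]@{
        Target          = if ($Target -eq $deviceTarget) { 'Device' } else { "User $Target" }
        AppId           = $AppId
        ComplianceState = if ($stateMessageComplianceState.ContainsKey($code)) {
                              $stateMessageComplianceState[$code] } else { "Unmapped($code)" }
        Applicability   = $m.Applicability
        ErrorCode       = $m.ErrorCode
    }
}

function Get-IMEWin32AppState {
    $root = 'HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps'
    foreach ($target in Get-ChildItem -Path $root -ErrorAction Stop) {
        foreach ($app in Get-ChildItem -Path $target.PSPath) {
            # App keys are GUID-named (assumed: optional _<revision> suffix); skip GRS and
            # any other bookkeeping subkeys.
            if ($app.PSChildName -notmatch '^[0-9a-fA-F-]{36}(_\d+)?$') { continue }
            $json = (Get-ItemProperty -Path $app.PSPath -ErrorAction SilentlyContinue).ComplianceStateMessage
            if ($json) {
                ConvertFrom-IMEComplianceStateMessage -Target $target.PSChildName `
                    -AppId $app.PSChildName -Json $json
            }
        }
    }
}

# Constructed sample: an app that failed with an error code, so ComplianceState 4 -> "Error".
$sample = '{"Applicability":0,"ComplianceState":4,"DesiredState":1,"ErrorCode":-2147023293,"TargetingMethod":0}'
ConvertFrom-IMEComplianceStateMessage -Target $deviceTarget `
    -AppId '11111111-2222-3333-4444-555555555555' -Json $sample

# On a managed device (elevated): Get-IMEWin32AppState | Format-Table -AutoSize
```

An unmapped code is reported as Unmapped(n) rather than thrown away, which is the behaviour you want when Microsoft adds a state the table does not yet cover.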
Digging into win32app policy event state messages LAB Time BB-W10-5 Registry State messages PowerShell
Try again. When will my app install and how does the IME handle failures and retries
Try again. How the IME handles failures and retries. A required app whose installer exits with a failure or unknown exit code is retried every 24 hours. A required app whose installer exits with a known retry exit code is retried 3 times at 5-minute intervals, and then every 24 hours.
Try again. How the IME handles failures and retries. Follow along in %programdata%\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log. When a new app is assigned, it is evaluated as a first step. Note that the time column in the log viewer is local time, while the time inside the log row is UTC. Two components drive retries: the Reevaluation Schedule Manager, which expires every 8 hours, and the Global Retry Schedule (GRS), which expires every 24 hours and controls when a failed app install is retried.
Try again. How the IME handles failures and retries Policy is processed and GRS key is set
Try again. How the IME handles failures and retries. In this example the app installer terminated with a known retry code after the initial install, so the IME tried the installation 3 more times at 5-minute intervals.
Try again. How the IME handles failures and retries. After the 3 failed retries, the policy is tried again 24 hours later, when the GRS value expires.
Try again. How the IME handles failures and retries. GRS summary:
1. Policy is evaluated and the installation begins.
2. If the install fails, does the exit code indicate "retry"? If so, retry 3 more times at 5-minute intervals.
3. If the installation still fails, add the app to the GRS.
4. Evaluate a subgraph every 8 hours to check whether 24 hours have passed since the app was added to the GRS.
5. After 24 hours, retry the installation. If it fails, update the GRS check-in time value.
6. Repeat forever until successful.
Win32 app assignments with a schedule. What happens on my device?
Try again. How the IME handles failures and retries. Win32 apps can be assigned as Available or Required. An assignment can be configured to install as soon as possible, or scheduled with an available date and a deadline date.
Try again. How the IME handles failures and retries. Assignments with a start and deadline date can be slightly misleading: even before the start date the IME evaluates the policy for that app, and it also runs detection. If the app is detected it reports Installed, which can be misleading; if it is not detected it reports Not installed.
Try again. How the IME handles failures and retries. Here we have a Win32 app with a start time 12 hours out and a deadline 1 day out.
Try again. How the IME handles failures and retries. Even though the IME processes the policy before the start date, all it does is evaluate the policy, run detection and report the results back to Intune. No other action is taken.
Try again. How the IME handles failures and retries. Past the start date and before the deadline, the content is downloaded and cached in preparation. The app is still not detected but applicable, and the install is pending.
Try again. How the IME handles failures and retries. Once the deadline is hit, the app is installed. The content download is skipped because it already happened after the available start date.
Try again. How the IME handles failures and retries. LAB time: IME Win32 app failures and retries; IME Win32 app scheduled assignments.
Invoking IME Actions Like a Boss
Invoking Intune Management Extension actions. Processing and re-processing policy: what options do you have? When does the IME process policy? When the service starts, and every 60 minutes after that. Can you invoke policy processing on demand? Oh yeah!
Invoking Intune Management Extension Actions Perform a sync from the Intune Admin Center:
Invoking Intune Management Extension Perform a sync from the Company Portal
Invoking Intune Management Extension Restart the IME Windows Service
Invoking Intune Management Extension. What is that service actually running, and can I just run that thing myself? No. But maybe.
Invoking Intune Management Extension. Strings to the rescue (Strings, Sysinternals, Microsoft Learn). Search the agent binary for anything sync-related:
strings "C:\Program Files (x86)\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe" | findstr /i sync
Invoking Intune Management Extension. Perform a sync from the Start menu (app policy only) with the URL moniker intunemanagementextension://syncapp, or trigger the same sync from PowerShell (app policy only).
Invoking Intune Management Extension. Q: What if you want to invoke a policy evaluation immediately for a failed app? A: Wait 24 hours? Ain't nobody got time for that! Delete the app key and the GRS key from the registry.
Invoking Intune Management Extension. LAB time. The Ripley Maneuver: deleting the app and GRS registry keys to force a quicker retry.
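The Ripley Maneuver and the PowerShell sync trigger from the previous slides, as one added example (my code, not the deck's lab script): it removes the app's state key and its GRS entry under every target subkey, restarts the IME service, and fires the syncapp moniker so the retry happens now instead of in 24 hours. Assumed layout, matching what the deck describes but worth verifying on your device: app keys are named after the app GUID (optionally with an _<revision> suffix), and each GRS\<hash> key carries a value whose name starts with the GUID of the app it throttles. Run elevated; -WhatIf shows what would be removed without touching the registry.

```powershell
# Added example: force an immediate IME retry for one Win32 app ("Ripley Maneuver").
function Invoke-IMEAppRetry {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Intune Win32 app ID: the GUID in the app's admin-center URL and in the registry key name.
        [Parameter(Mandatory)][ValidatePattern('^[0-9a-fA-F-]{36}$')][string]$AppId,
        [switch]$NoSync    # only clean the registry; do not restart the service or sync
    )
    $root = 'HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps'
    if (-not (Test-Path -Path $root)) { throw 'IME Win32Apps key not found; is the IME installed?' }

    $removed = 0
    # One subkey per target: all-zero GUID for device assignments, Entra ID object GUID per user.
    foreach ($target in Get-ChildItem -Path $root) {
        # App state key(s): "<AppId>" or "<AppId>_<revision>" (assumed naming).
        foreach ($appKey in Get-ChildItem -Path $target.PSPath |
                 Where-Object { $_.PSChildName -like "$AppId*" }) {
            if ($PSCmdlet.ShouldProcess($appKey.PSPath, 'Remove app state key')) {
                Remove-Item -Path $appKey.PSPath -Recurse -Force
                $removed++
            }
        }
        # GRS entry: a hash-named subkey whose value *name* references the app (assumed layout).
        $grs = Join-Path -Path $target.PSPath -ChildPath 'GRS'
        if (Test-Path -Path $grs) {
            foreach ($entry in Get-ChildItem -Path $grs) {
                if ($entry.GetValueNames() | Where-Object { $_ -like "$AppId*" }) {
                    if ($PSCmdlet.ShouldProcess($entry.PSPath, 'Remove GRS entry')) {
                        Remove-Item -Path $entry.PSPath -Recurse -Force
                        $removed++
                    }
                }
            }
        }
    }
    if ($removed -eq 0) { Write-Warning "No state or GRS keys found for app $AppId" }

    if (-not $NoSync -and
        $PSCmdlet.ShouldProcess('IntuneManagementExtension', 'Restart service and trigger app sync')) {
        Restart-Service -Name IntuneManagementExtension -Force
        # Same thing the Start-menu trick does: the URL moniker the IME registers.
        Start-Process -FilePath 'intunemanagementextension://syncapp'
    }
    return $removed
}

# Usage (constructed GUID): preview first, then do it for real.
Invoke-IMEAppRetry -AppId '11111111-2222-3333-4444-555555555555' -WhatIf
# Invoke-IMEAppRetry -AppId '11111111-2222-3333-4444-555555555555'
```

Deleting the state key also resets what Intune is told about the app on the next report, so expect the compliance state to flip to Unknown briefly before detection runs again.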
Inventory
Inventory. The IME inventories installed applications. The results are sent to the Intune service and are visible in two places in the admin center: per device, and aggregated across all devices.
Inventory. The aggregated report for all devices is under Apps > Monitor > Discovered apps.
Inventory. The IME performs a delta inventory every 24 hours and/or when the IME service starts. A full inventory is taken the first time the IME is installed and every 7 days after that. Remember .NET disassemblers!
Inventory. The IME uses a specific WMI class to query installed software (remember .NET disassemblers!): Win32_InstalledWin32Program
Inventory. The inventory is saved in the registry so that a delta can be computed on the next scan: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Inventories
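The full-versus-delta behaviour from the last three slides, reproduced as an added example (my code, not the IME's): it queries the same Win32_InstalledWin32Program class, keeps its own snapshot in a JSON file instead of the IME's registry key (the file path is an assumption), and on the next run reports what was added and removed. The class needs an elevated session.

```powershell
# Added example: full inventory on first run, delta (added/removed) on later runs, using the
# WMI class the deck names. Snapshot location is my choice, not where the IME keeps its state.
function Get-InstalledWin32ProgramSnapshot {
    Get-CimInstance -ClassName Win32_InstalledWin32Program | ForEach-Object {
        [pscustomobject]@{
            # ProgramId is the class's own stable identifier; fall back to name|version|vendor.
            Key            = if ($_.ProgramId) { $_.ProgramId } else { '{0}|{1}|{2}' -f $_.Name, $_.Version, $_.Vendor }
            Name           = $_.Name
            Version        = $_.Version
            Vendor         = $_.Vendor
            MsiProductCode = $_.MsiProductCode
        }
    }
}

function Compare-InventorySnapshot {
    param([object[]]$Previous, [object[]]$Current)
    $prev = @{}; foreach ($p in $Previous) { $prev[$p.Key] = $p }
    $cur  = @{}; foreach ($c in $Current)  { $cur[$c.Key]  = $c }
    [pscustomobject]@{
        Added   = @($cur.Keys  | Where-Object { -not $prev.ContainsKey($_) } | ForEach-Object { $cur[$_] })
        Removed = @($prev.Keys | Where-Object { -not $cur.ContainsKey($_) }  | ForEach-Object { $prev[$_] })
    }
}

$snapshotPath = Join-Path -Path $env:ProgramData -ChildPath 'ime-demo-inventory.json'   # assumed path
$current = @(Get-InstalledWin32ProgramSnapshot)

if (Test-Path -Path $snapshotPath) {
    # Delta run: compare against what was recorded last time.
    $previous = @(Get-Content -Path $snapshotPath -Raw | ConvertFrom-Json)
    $delta = Compare-InventorySnapshot -Previous $previous -Current $current
    'Delta inventory: {0} added, {1} removed' -f $delta.Added.Count, $delta.Removed.Count
    $delta.Added   | Select-Object Name, Version, Vendor | Format-Table -AutoSize
    $delta.Removed | Select-Object Name, Version, Vendor | Format-Table -AutoSize
} else {
    # First run: there is nothing to diff against, so this is the full inventory.
    'Full inventory: {0} programs' -f $current.Count
}

# Persist the current view so the next run is a delta. Delete the file to force a full run,
# which is the same idea as the deck's "delete the FirstTimeRun key" trick.
$current | ConvertTo-Json -Depth 3 | Set-Content -Path $snapshotPath
```

Run it twice, uninstall something in between, and the second run shows the removal immediately; the deck's point is that the real IME only surfaces removals on the 7-day full inventory, so a local diff like this is a quicker way to confirm what the next report will contain.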
Inventory. LAB time: BB-W10-5, force a delta inventory and a full inventory.
Inventory. Inventory summary:
1. New apps appear in Intune reports fairly quickly.
2. It can take up to 7 days for delta changes (removals) to be reflected in Intune reports.
3. Inventory runs every 24 hours.
4. A full inventory runs the first time and every 7 days; a delta inventory occurs on the runs in between.
5. Delete the FirstTimeRun key to force a full inventory.
Questions and Answers from the Crowd
Thank you for attending!