Intune management service not getting installed

Gaurav Ranjan 1 Reputation point
2021-07-23T14:48:17.887+00:00

I have my device auto-enrolled to Intune through SCCM configuration policy. All workloads are shifted to Pilot Intune. The purpose of the enrollment is to manage devices for BitLocker through Intune. The policies are getting applied. My requirement is to first decrypt the devices, as we are opting to get devices encrypted with the algorithm "XTS AES 256", so we have to first decrypt all devices with an algorithm other than XTS AES 256. I have created a PowerShell script to decrypt the drive, which is deployed to a user group. I read that the Intune Management Extension service is automatically installed when a PowerShell script or Win32 app is assigned to a user or device.
But the script is not getting executed, and I found out that the IME (Intune Management Extension) service is not installed on the devices. In the event logs (Admin) for "DeviceManagement-Enterprise-Diagnostic-Provider", I found the below error:

MDM ConfigurationManager: Command failure status. Configuration Source ID: (4AC86151-9C54-4A78-8F4C-C831B7CC051F), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Receiver/Properties/Policy/FakePolicy/Version), Result: (The system cannot find the file specified.).

In the Intune extension manager log, I found the below error:

Failed to open registry key 'Software\Microsoft\IntuneManagementExtension\Policies\00000000-0000-0000-0000-000000000000'. Value 'ResultLastFullSyncTimeUtc', not set to '07/23/2021 14:35:04'

LogonUser failed with error code : 1008
AAD User check is failed, exception is System.ComponentModel.Win32Exception (0x80004005): An attempt was made to reference a token that does not exist
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.ImpersonateHelper.<DoActionWithImpersonation>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.DiscoveryService.<IsAADUserInternal>d

There is no registry entry for IntuneExtensionManager at location "HKLM\Software\Microsoft".

I need urgent help as we are not progressing on the UAT.
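An added example, not the poster's script, of what a decrypt script deployed the way the question describes can look like. Two Intune details it relies on: deployed PowerShell scripts run as SYSTEM unless "Run this script using the logged on credentials" is selected (assigning to a user group does not by itself change the account), and a non-zero exit code is what the Intune console reports as a failed run. The target method name, the log path, and the status strings are choices made for this example; it assumes Windows 10 with the BitLocker module and an elevated context.

```powershell
# Added example (not the poster's script). Assumes: runs as SYSTEM or another
# admin context, BitLocker module present, Windows 10. Target method and log
# path are arbitrary choices for this example.
$TargetMethod = 'XtsAes256'
$LogPath      = 'C:\ProgramData\BitLockerRemediation\decrypt.log'
New-Item -ItemType Directory -Path (Split-Path -Parent $LogPath) -Force | Out-Null

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $LogPath -Append -Encoding utf8
}

# Returns 'Done', 'Pending' or 'Failed' for one BitLockerVolume object.
function Invoke-VolumeRemediation {
    param($Volume)
    $mp = $Volume.MountPoint
    if ($Volume.VolumeStatus -eq 'FullyDecrypted') {
        Write-Log "$mp is not encrypted; nothing to do"
        return 'Done'
    }
    if ($Volume.EncryptionMethod -eq $TargetMethod) {
        Write-Log "$mp already uses $TargetMethod; leaving it encrypted"
        return 'Done'
    }
    if ($Volume.VolumeStatus -eq 'DecryptionInProgress') {
        Write-Log "$mp is decrypting, $($Volume.EncryptionPercentage)% still encrypted"
        return 'Pending'
    }
    if ($Volume.LockStatus -eq 'Locked') {
        Write-Log "$mp is locked; it must be unlocked before it can be decrypted"
        return 'Failed'
    }
    try {
        # Auto-unlock keys for data drives are stored on the OS volume and
        # block its decryption, so clear them before touching the OS drive.
        if ($Volume.VolumeType -eq 'OperatingSystem') {
            Clear-BitLockerAutoUnlock -ErrorAction SilentlyContinue
        }
        Disable-BitLocker -MountPoint $mp -ErrorAction Stop | Out-Null
        Write-Log "$mp ($($Volume.EncryptionMethod)) decryption started"
        return 'Pending'   # decryption runs in the background; re-check next run
    } catch {
        Write-Log "$mp decryption failed: $($_.Exception.Message)"
        return 'Failed'
    }
}

# Data volumes first so their auto-unlock keys are gone before the OS volume.
$volumes = Get-BitLockerVolume | Sort-Object { $_.VolumeType -eq 'OperatingSystem' }
$results = foreach ($v in $volumes) { Invoke-VolumeRemediation -Volume $v }
$summary = ($results | Group-Object | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
Write-Log "Summary: $summary"

# Intune shows a non-zero exit code as a failed script run, so only real
# failures (locked volume, Disable-BitLocker error) return 1; a volume that is
# still decrypting is expected and exits 0.
if ($results -contains 'Failed') { exit 1 } else { exit 0 }
```

The script only decrypts; once a volume reports FullyDecrypted, the Intune BitLocker policy with the XTS-AES 256 setting can encrypt it again, which is the sequence the question is aiming for.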


1 answer

Jason Sandys 31,306 Reputation points Microsoft Employee
2021-07-23T16:11:11.773+00:00

The error message about the FakePolicy is expected and ignorable -- it's a type of self-check and completely unrelated to the IME.

As for the IME log, the log wouldn't exist at all if the IME wasn't installed, but nothing of value regarding troubleshooting can be said from a single log line.

The 'AAD User check is failed' error is telling though and points to the true issue here which is related to AAD auth. Assuming these devices are intended to be hybrid Azure AD Domain joined, you need to troubleshoot this: https://video2.skills-academy.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current

For urgent issues though, you need to open a support case.
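An added diagnostic that follows the answer's line of reasoning; it is not part of the answer and not a Microsoft tool. It checks the three things the thread turns on: whether the IME is actually present (service, registry key, log file), whether an Intune MDM enrollment exists, and what dsregcmd reports for device join and user token state. Note that the question looked for a key named IntuneExtensionManager, while the IME's own log line in the question names the key it uses, Software\Microsoft\IntuneManagementExtension; the check below uses the latter. Assumptions: run it elevated in the signed-in user's session (dsregcmd reports user state such as the PRT only for the calling user, not for SYSTEM), and the verdict strings are this example's own wording.

```powershell
# Added diagnostic (not from the answer). Assumes an elevated session as the
# signed-in user on a Windows 10 device. Verdict text is this example's own.
function Get-DsregValue {
    param([string[]]$Lines, [string]$Name)
    foreach ($l in $Lines) {
        if ($l -match "^\s*$Name\s*:\s*(.+?)\s*$") { return $Matches[1] }
    }
    return $null
}

function Get-ImeJoinReport {
    $r = [ordered]@{}

    # 1. Is the IME present? Service name is IntuneManagementExtension; the
    #    registry key and log path are the ones the IME writes to.
    $svc = Get-Service -Name IntuneManagementExtension -ErrorAction SilentlyContinue
    $r.ImeService  = if ($svc) { [string]$svc.Status } else { 'missing' }
    $r.ImeRegistry = Test-Path 'HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension'
    $r.ImeLog      = Test-Path 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'

    # 2. Is there an MDM enrollment to Intune at all? Intune's enrollment
    #    entry carries ProviderID "MS DM Server".
    $r.MdmEnrollments = @(
        Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
            Where-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ProviderID -eq 'MS DM Server' }
    ).Count

    # 3. Device and user identity state, the part the answer points at.
    $ds = dsregcmd /status
    foreach ($f in 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt', 'TenantName', 'DeviceId') {
        $r[$f] = Get-DsregValue -Lines $ds -Name $f
    }

    $r.Verdict = switch ($true) {
        ($r.DomainJoined -eq 'YES' -and $r.AzureAdJoined -ne 'YES') {
            'Hybrid Azure AD join has not completed; work through the hybrid join troubleshooting guide before looking at the IME'
            break
        }
        ($r.AzureAdJoined -eq 'YES' -and $r.AzureAdPrt -ne 'YES') {
            'Device is joined but this user has no Primary Refresh Token, so the IME AAD user check fails for this session'
            break
        }
        ($r.MdmEnrollments -eq 0) {
            'No Intune MDM enrollment found under HKLM\SOFTWARE\Microsoft\Enrollments'
            break
        }
        ($r.ImeService -eq 'missing') {
            'Enrolled and joined, but the IME is not installed; confirm a script or Win32 app is assigned and wait for the next sync'
            break
        }
        default { 'Join, enrollment and IME look healthy; read the IME log for the script run itself' }
    }
    [pscustomobject]$r
}

Get-ImeJoinReport | Format-List
```

Running this in the user's session distinguishes the case the answer describes (device is domain joined but dsregcmd shows AzureAdJoined : NO, so hybrid join never completed) from a device that is joined but whose user has no PRT, which produces the same "AAD User check is failed" line in the IME log.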

