Latest version of Intune Management Extension fails to install causing Win32 (intunewin) and Powershell scripts to fail during Windows 10 enrollments

Microsoft EM+S and Intune
1

Symptoms;

  • PowerShell scripts or Win32 apps assigned to the groups that the user or device belongs do not deploy
  • Enrollment Status Page timesout during Autopilot deployments

After troubleshooting what we thought were configuration related issues we identified the lastest release of IntuneWindowsAgent.msi does not install during enrollment and in turn causes issues with
Win32 application (intunewin) and Powershell script deployment.

So far we have only seen the new agent (1.28.201.0) when enrolling into North America 0501, we also confirmed 3 other tenants in NA and APAC and found they still deployed the older agent version (1.27.202.0)

The following agent fails with status code 60 = EnforcementFailed.

https://naprodimedatasec.azureedge.net/IntuneWindowsAgent.msi

HKEY_LOCAL_MACHINE\software\microsoft\enterprisedesktopappmanagement\S-0-0-00-0000000000-0000000000-000000000-000\MSI\e9710797-1fa1-48d2-9d79-fdd5b5e7996f
“DownloadInstall”=“InProgress”
“ProductCode”=“e9710797-1fa1-48d2-9d79-fdd5b5e7996f”
“ProductVersion”=“1.28.201.0”
“Status”=DWORD:0000003c (60)

Where the previous version returns 70 = EnforcementCompleted

https://naprodimedatapri.azureedge.net/IntuneWindowsAgent.msi

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement\S-0-0-00-0000000000-0000000000-000000000-000\MSI\093ea47b-ef2c-4f46-a022-6f57a50e39a2
“DownloadInstall”=“InProgress”
“ProductCode”=“093ea47b-ef2c-4f46-a022-6f57a50e39a2”
“ProductVersion”=“1.27.202.0”
“Status”=dword:00000046 (70)

You can easily inspect the above registry values during a failed install by pressing Shift+F10 to display a command prompt, running regedit and navigating to the above path.
The same information is contained in the registry file exported by the MDM Diagnostics Tool with the following command;

MdmDiagnosticsTool.exe -area Autopilot -cab C:\autopilot.cab

More work will be required to determine the exact cause of the issue and a job has been raised with Microsoft. Hopefully they can resolve this issue quickly as I suspect this will cause some headaches for existing tenants in NA and even more if they continue to release to the rest of the world.

It is also a shame that the agent does not follow the same release schedule as Intune and go through more stringent testing;

  • Day 1: Asia Pacific (APAC)
  • Day 2: Europe, Middle East, Africa (EMEA)
  • Day 3: North America
  • Day 4+: Intune for Government

Useful Links;

2 Likes