Forum Discussion

KaHoe
Copper Contributor
Sep 29, 2023

EPM deployed, no policies on device

Good morning.

I am playing around with EPM. Trial license. A test device (Surface 4 running Win 11 Pro/Enterprise 22H2, all updates). The EPM service is visible in Task Manager, and the EPM Agent folder is under Program Files. So the device seems onboarded.

 

I created two policies.

The Settings policy activates Diagnostics and EPM, and sets the default elevation to require user confirmation.

The Rules policy sets two rules, for the PowerShell ISE and WireGuard executables. Only the file hash is set. Both are set to automatic elevation, including child processes.

The Policy folder on my device is empty. Yes, I get "Run with elevated permissions", but on both executables it ends with the no-permissions error code.

Well, I have seen the posts regarding EPM not deploying. I think it has deployed, because of the folders and the EPM service running. Any ideas why my device is not pulling the policies?

I have tried both: assigning the policies to a user, and to the device itself.

  • LeonPavesic
    Silver Contributor

    Hi KaHoe,

    You can try the following steps:

    1. Check the EPM agent log for errors.
    2. Manually sync the EPM agent.
    3. Restart the EPM agent service.
    4. Redeploy the EPM policies.
    5. Make sure that the policies are assigned to the correct device or user group.
    6. Make sure that the policies are published.
    7. Check the device's network connectivity.
    8. Make sure that the EPM agent is up to date.
    9. Make sure that the EPM agent is configured to use the correct Intune service URL.
    10. Try restarting the device.


    Kindest regards,

    Leon Pavesic


  • So... the EPM agent is deployed to your device, so we can rule out issues with the dual/linked enrollment that the device should have gotten in the first place. The "policies" from the EPM agent are declared configuration documents; those rely on the declared configuration service (dcsvc.dll), so I would start looking at that service first, and check whether you can spot the declarative docs in the registry under \microsoft\declaredconfiguration.

    I have written some blogs about this stuff, so feel free to reach out to me, as I truly know how this stuff should work and also how it could break 🙂

    https://call4cloud.nl/category/windc/
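The checks suggested in the two replies above (agent folder and Policy folder contents, agent log, EPM and dcsvc services, declared configuration documents in the registry, and forcing a sync), collected into one script. This is an added example, not code posted by anyone in the thread or shipped by Microsoft. It assumes the agent install path `$env:ProgramFiles\Microsoft EPM Agent`, that the EPM service's display name contains "EPM", that the registry location the reply refers to sits under `HKLM:\SOFTWARE\Microsoft\DeclaredConfiguration`, that the Declared Configuration service is registered as `dcsvc`, and that the enrollment client's `PushLaunch` scheduled task triggers an Intune sync; each of these is labelled as an assumption in the code.

```powershell
# Added EPM troubleshooting script (not from the thread). Run from an elevated PowerShell prompt.
# Assumptions, marked inline: agent path, service names, registry hive, and the PushLaunch task name.

$agentRoot = Join-Path $env:ProgramFiles 'Microsoft EPM Agent'    # assumed install path
$dcRegKey  = 'HKLM:\SOFTWARE\Microsoft\DeclaredConfiguration'    # reply only gives the suffix; HKLM assumed

function Write-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $tag = if ($Ok) { '[ OK ]' } else { '[FAIL]' }
    Write-Host ('{0} {1}: {2}' -f $tag, $Name, $Detail)
}

# 1. Agent on disk, and does any Policy folder under it actually contain files?
$agentPresent = Test-Path $agentRoot
Write-Check 'EPM agent folder' $agentPresent $agentRoot
if ($agentPresent) {
    $policyDirs = Get-ChildItem $agentRoot -Directory -Recurse -ErrorAction SilentlyContinue |
        Where-Object Name -like '*Policy*'
    foreach ($d in $policyDirs) {
        $n = (Get-ChildItem $d.FullName -File -Recurse -ErrorAction SilentlyContinue | Measure-Object).Count
        Write-Check "Policy folder $($d.FullName)" ($n -gt 0) "$n file(s)"
    }
    # Newest agent logs are where a rejected or missing document usually shows up
    $logDir = Join-Path $agentRoot 'Logs'    # assumed log location
    if (Test-Path $logDir) {
        Get-ChildItem $logDir -File | Sort-Object LastWriteTime -Descending | Select-Object -First 3 |
            ForEach-Object { Write-Host "  recent log: $($_.FullName) ($($_.LastWriteTime))" }
    }
}

# 2. Services: the EPM agent itself, and the Declared Configuration service it depends on
$epmSvc = Get-Service | Where-Object DisplayName -like '*EPM*'    # matched by wildcard, exact name assumed unknown
$epmDetail = ($epmSvc | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', '
Write-Check 'EPM service' ($null -ne $epmSvc -and ($epmSvc.Status -contains 'Running')) $epmDetail

$dcSvc = Get-Service -Name dcsvc -ErrorAction SilentlyContinue    # assumed service name for dcsvc.dll
$dcStatus = if ($dcSvc) { $dcSvc.Status } else { 'not found' }
Write-Check 'dcsvc service' ($null -ne $dcSvc -and $dcSvc.Status -eq 'Running') "status=$dcStatus"

# 3. Declared configuration documents in the registry: no subkeys means nothing was delivered
if (Test-Path $dcRegKey) {
    $docs = @(Get-ChildItem $dcRegKey -Recurse -ErrorAction SilentlyContinue)
    Write-Check 'DeclaredConfiguration key' ($docs.Count -gt 0) "$($docs.Count) subkey(s) under $dcRegKey"
    $docs | Select-Object -First 10 | ForEach-Object { Write-Host "  $($_.Name)" }
} else {
    Write-Check 'DeclaredConfiguration key' $false "$dcRegKey not present"
}

# 4. Force an enrollment sync via the enrollment client's PushLaunch task (assumed task name), then re-run
$push = Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object TaskName -eq 'PushLaunch'
if ($push) {
    $push | Start-ScheduledTask
    Write-Host 'PushLaunch sync triggered; wait a few minutes and re-run this script.'
} else {
    Write-Check 'PushLaunch task' $false 'not found; device may not be MDM-enrolled'
}
```

If the agent folder and EPM service check out but the DeclaredConfiguration key has no subkeys, the problem is upstream of the agent (assignment, publishing, or the declared configuration channel), which is the distinction the second reply draws; if documents are present but the Policy folder stays empty, look at the agent log and the dcsvc service state first.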
