Mar 30 2023 01:19 AM
Hello all, I'm testing Endpoint Privilege Management on a few machines in a test environment. The elevation settings policy isn't deploying when "send data to Microsoft" is selected; the error received mentions an "Allow Device Health Monitoring" error, but that setting is correctly deployed via configuration profiles. Also can't find any info about that in the logs.
If I deselect "send data to microsoft" then the policy is deployed successfully, but in reality the app is not installed on the target devices (so no right click options about EPM). Anyone facing the same issue, and what steps could we try to fix it?
Jun 06 2023 10:18 AM
@Rudy_Ooms_MVP This is what I am seeing in the event log on the affected device:
Jun 06 2023 10:19 AM - edited Jun 06 2023 10:22 AM
The mmpcdiscoverurl function should kick off a function getdiscoveryurl. It should reach out to
https://discovery.dm.microsoft.com/EnrollmentConfiguration?api-version=1.0
Can you verify this domain is reachable? And of course if the certificate matches the names.
Jun 06 2023 10:41 AM
So these are the errors you are getting, in order, right?
So the last one is that the endpoint address URI is invalid?
Jun 06 2023 11:08 AM - edited Jun 06 2023 11:14 AM
Do you have the output of winver (version/build of Windows), and is the device AADJ? And can you check if enrollment.dm.microsoft.com is also reachable, as that should be the URI it needs to discover (that fails)?
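The reachability and certificate check asked for in the replies above, as an added PowerShell example that is not part of the thread: it connects to port 443 on the two hosts named in the posts and reports the certificate subject, issuer, SANs and any validation errors. The function name `Test-TlsEndpoint` is hypothetical.

```powershell
# Added example, not from the thread. The hosts are the two named in the posts above.
$endpoints = 'discovery.dm.microsoft.com', 'enrollment.dm.microsoft.com'

function Test-TlsEndpoint {
    param([Parameter(Mandatory)][string]$Name, [int]$Port = 443)

    $script:tlsErrors = $null
    # Accept the handshake for inspection only, but record what normal
    # validation (chain trust, name match) would have reported.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($s, $certificate, $chain, $policyErrors)
        $script:tlsErrors = $policyErrors
        $true
    }
    $tcp = [System.Net.Sockets.TcpClient]::new()
    $ssl = $null
    try {
        $tcp.Connect($Name, $Port)
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Name)   # sends $Name as SNI and checks it against the cert
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        # OID 2.5.29.17 is the Subject Alternative Name extension.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        [pscustomobject]@{
            Host         = $Name
            Reachable    = $true
            PolicyErrors = $script:tlsErrors      # 'None' means trusted chain and matching name
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            SAN          = if ($san) { $san.Format($false) } else { '' }
        }
    }
    catch {
        # Reachable stays true when TCP connected but the TLS handshake failed.
        [pscustomobject]@{
            Host         = $Name
            Reachable    = $tcp.Connected
            PolicyErrors = $_.Exception.Message
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

$endpoints | ForEach-Object { Test-TlsEndpoint -Name $_ } | Format-List
```

This opens a direct TCP connection, so it does not exercise a configured web proxy. An unexpected issuer in the output means something between the device and the service is re-signing the traffic.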
Jun 06 2023 11:40 AM
@Rudy_Ooms_MVP and @Ztdid
I've been having the same issue for weeks now. I have an MS support case open (for weeks) but haven't gotten very far with a resolution.
Jun 06 2023 12:07 PM
Here's what I'm seeing in a constant loop, every 5 mins.
In order:
Jun 06 2023 12:21 PM - edited Jun 06 2023 01:06 PM
Mmm okay.. if someone could install Fiddler on his device, enable HTTPS decryption and watch the response… I am all ears!!!! (I ran Fiddler as the current user with admin permissions)
Because it should show you the discovery (which succeeds as it mentions the cert pinning) but I am wondering what happens or what it mentions in the response (as it should mention the enrollment.dm part)
Feel free to reach out on Teams: email address removed for privacy reasons