Endpoint privilege management, deployment unsuccessful with "device health monitoring" error


Hello all, I'm testing Endpoint privilege management on a few machines in a test environment. The elevation settings policy isn't deploying when "send data to Microsoft" is selected; the error received mentions an "Allow Device Health Monitoring" error, but that setting is correctly deployed via configuration profiles. Also, I can't find any info about that in the logs.

If I deselect "send data to Microsoft" then the policy is deployed successfully, but in reality the app is not installed on the target devices (so no right-click options about EPM). Is anyone facing the same issue, and what steps could we try to fix it?

81 Replies
I am using Hyper-V on Windows 10 as a host for the VM - where would I go to turn SSL inspection off?
Did you also look in the device configuration policy event log? There should be something mentioned in it… I am going to find out what that error means (it's obvious of course, but let's take a look in the code).
DualEnrollMmpcUsingAADCredential failed) HRESULT:(The endpoint address URL is invalid.) Function Name: (MmpcDiscoveryUrl) HRESULT:(The endpoint address URL is invalid.)
Event 4022 Failed to enroll MMP-C for dual enrollment mode. Result: (The endpoint address URL is invalid.).

@Rudy_Ooms_MVP This is what I am seeing in the event log on the affected device:

The mmpcdiscoverurl function should kick off a function getdiscoveryurl. It should reach out to

https://discovery.dm.microsoft.com/EnrollmentConfiguration?api-version=1.0
Can you verify this domain is reachable? And of course whether the certificate matches the names.

Nothing useful before that error? Or what is the last message you notice before it gives you that error?
MMP-C: Device permission to select target MMP-C environment is (false).
Event 2600
If the link is HTTPS, open it in a browser; if you need to ping it:
ping discovery.dm.microsoft.com
The two entries preceding are:
MMP-C: Found a certificate whose SPKI matched one of the expected pinned certs.
Log Name: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
MMP-C: MMP-C environment to target. URL: (https://discovery.dm.microsoft.com/EnrollmentConfiguration?api-version=1.0), Environment: (0x3).
When I ping it I get "destination host unreachable", https://discovery.dm.microsoft.com/EnrollmentConfiguration?api-version=1.0 will not open in the browser. I have a VM that I tested in another tenant and EPM works fine in the other tenant, but not the tenant I'm currently using.
Mmm, if that page doesn't open (it should give you a blank page... compare it with a device that works..) and the ping discovery.dm.microsoft.com gives you that error... it should give you something like this
Reply from 40.114.229.17: Destination host unreachable.
(compare it with the device that works)

DNS?
Pinging pedmdiscoveryna01.westus2.cloudapp.azure.com [20.80.187.73] with 32 bytes of data:
Reply from 20.80.187.73: Destination host unreachable.
Reply from 20.80.187.73: Destination host unreachable.
Reply from 20.80.187.73: Destination host unreachable.
Reply from 20.80.187.73: Destination host unreachable.

@Ztdid

So these are the errors you are getting, in order, right?

[image: Rudy_Ooms_MVP_0-1686073207018.png]

So the last one is the "endpoint address URI is invalid"?

That's correct, I'm getting all three of those errors in that order.

Do you have an output of winver (version/build of Windows), and is the device AADJ? And can you check if enrollment.dm.microsoft.com is also reachable, as that should be the URI it needs to discover (that fails)?


@Rudy_Ooms_MVP and @Ztdid

I've been having the same issue for weeks now. I have an MS support case open (for weeks) but haven't gotten very far with a resolution.

Here's what I'm seeing in a constant loop, every 5 mins.

In order:

  • MMP-C: Device permission to select target MMP-C environment is (false).
  • MMP-C: Found a certificate whose SPKI matched one of the expected pinned certs.
  • Failed to enroll MMP-C for dual enrollment mode. Result: (The endpoint address URL is invalid.)

[image: Winver.png]

Mmm okay.. if someone could install Fiddler on his device, enable HTTPS decryption and watch the response… I am all ears!!!! (I ran Fiddler as the current user with admin permissions.)

Because it should show you the discovery (which succeeds, as it mentions the cert pinning), but I am wondering what happens or what it mentions in the response (as it should mention the enrollment.dm part).


Feel free to reach out on teams: email address removed for privacy reasons 


[image: Rudy_Ooms_MVP_0-1686081758981.png]
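As an added example (not code posted by anyone in this thread, nor Microsoft's), the PowerShell below automates the checks asked for earlier in the thread: whether discovery.dm.microsoft.com and enrollment.dm.microsoft.com resolve and are reachable on 443, whether the certificate presented matches the name, what the discovery URL returns (the part Fiddler was requested for), and the MMP-C entries from the DeviceManagement admin log. The host names, discovery URL, log name and event IDs 2600/4022 are the ones quoted in the thread; port 443, the SAN parsing, the wildcard rule and the output shape are this script's own assumptions.

```powershell
# Added example for this thread; not code from any poster or from Microsoft.
# Run it in an elevated PowerShell on the affected device and on a working one,
# then compare. Inputs taken from the thread: the two host names, the discovery
# URL, the event log name and event IDs 2600/4022. Everything else (port 443,
# SAN parsing, the wildcard rule, the output shape) is this script's own.

$DiscoveryUrl = 'https://discovery.dm.microsoft.com/EnrollmentConfiguration?api-version=1.0'
$MmpcHosts    = @('discovery.dm.microsoft.com', 'enrollment.dm.microsoft.com')
$LogName      = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function Get-CertDnsNames {
    # DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
    # Assumes the Windows "DNS Name=host" rendering of Format().
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-NameMatch {
    # Exact match, or a single-label wildcard in the leftmost position only.
    param([string]$HostName, [string[]]$Names)
    foreach ($n in $Names) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.') -and
            $HostName.EndsWith($n.Substring(1), [System.StringComparison]::OrdinalIgnoreCase) -and
            $HostName.Split('.').Count -eq $n.Split('.').Count) { return $true }
    }
    return $false
}

function Test-MmpcHost {
    param([string]$HostName, [int]$Port = 443)
    $r = [ordered]@{
        Host = $HostName; Addresses = $null; Tcp443 = $false
        Subject = $null; Issuer = $null; Thumbprint = $null; NameMatch = $false; Error = $null
    }
    try {
        # 1. DNS. The "destination host unreachable" ping in the thread came from an
        #    address that did resolve, so record the answer for comparison.
        $r.Addresses = (Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop |
                        Where-Object IPAddress | ForEach-Object IPAddress) -join ','

        # 2. TCP to 443. ICMP is often filtered; the HTTPS port is what enrollment uses.
        $tcp = New-Object System.Net.Sockets.TcpClient
        $tcp.Connect($HostName, $Port)
        $r.Tcp443 = $tcp.Connected

        # 3. TLS handshake. The callback accepts any chain so the certificate is still
        #    readable when an intercepting proxy presents its own; names are judged below.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Subject    = $cert.Subject
        $r.Issuer     = $cert.Issuer       # a proxy CA here means the traffic is being inspected
        $r.Thumbprint = $cert.Thumbprint   # compare with the working device
        $r.NameMatch  = Test-NameMatch -HostName $HostName -Names (Get-CertDnsNames -Cert $cert)
        $ssl.Close(); $tcp.Close()
    } catch {
        $r.Error = $_.Exception.Message
    }
    [pscustomobject]$r
}

function Get-DiscoveryResponse {
    # The discovery call as seen from this box without Fiddler: status, length and body,
    # including the error response when the server rejects an unauthenticated request.
    param([string]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        [pscustomobject]@{ Status = [int]$resp.StatusCode; Length = $resp.RawContentLength; Body = $resp.Content }
    } catch {
        $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { $null }
        [pscustomobject]@{ Status = $code; Length = $null; Body = $_.Exception.Message }
    }
}

function Get-MmpcEvents {
    # Latest MMP-C entries: event 2600 status lines and 4022 enrollment failures.
    param([int]$Max = 30)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 2600, 4022 } -MaxEvents $Max -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'MMP-C' } |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

$MmpcHosts | ForEach-Object { Test-MmpcHost -HostName $_ } | Format-List
Get-DiscoveryResponse -Url $DiscoveryUrl | Format-List
Get-MmpcEvents | Format-Table -AutoSize -Wrap
```

Run it on the failing device and on the one that works, and diff the output. An Error set at step 1 separates a DNS problem from a routing one at step 2; an Issuer or Thumbprint that differs between the two devices, or NameMatch false, points at the TLS path (the SSL inspection question raised at the top of the thread), while the discovery Status and Body stand in for the Fiddler capture requested above.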