Forum Discussion
Endpoint privilege management, deployment unsuccessful with "device health monitoring" error
Of course I can…
Rudy_Ooms_MVP I was also able to run the CSP using localmdm and PowerShell as per your article. I see the scheduled task for dual enrollment created, but it keeps failing with 'invalid endpoint URL' and no actual installation or policy enforcement happens. Any further ideas? (I have a Windows 11 VM with 22H2 and all latest patches applied, and an Intune Data Collection policy also enabled via a separate configuration.)
- Dec 23, 2023
I would rather configure it with a CSP in Intune to be 100% sure it will be targeted at the proper enrollment instead of the localmdm one:
OMA-URI: ./Device/Vendor/MSFT/DMClient/Provider/MS%20DM%20SERVER/LinkedEnrollment/DiscoveryEndpoint
Type: String
Value: https://discovery.dm.microsoft.com/EnrollmentConfiguration?api-version=1.0
But looking at the response you got (405)... this discovery URL shouldn't be the main issue.
Your best option is to install Fiddler, just like I did, to find out what error it gets when it reaches out to the service.
Because the error you got was exactly the same as the K12 schools got.. so that's why I am wondering about the actual domain name (as that domain name is sent over in the request).
MMP-C Discovery failed | No valid Endpoint | EPM (call4cloud.nl)
If you don't know how, send me a PM (Teams / X) to set it up.
- Todos2290 (Copper Contributor), Dec 23, 2023
I see, I can surely tell you that there's only one dot in the domain name.
- Dec 23, 2023
I mean your corporate-bought domain which you use… just like [email address removed for privacy reasons]
- Todos2290 (Copper Contributor), Dec 23, 2023
Oh, and the domain name is like abcd00000000.onmicrosoft.com
- Todos2290 (Copper Contributor), Dec 23, 2023
Yeah, I tried to replace it as you said, but it shows 405 status because there's no "DiscoveryEndpoint" data with the LocURI.
-----------------
PS C:\Windows\system32> Send-LocalMDMRequest -OmaUri ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/LinkedEnrollment

CmdId  : 4
Cmd    : Get
Status : 200
OmaUri : ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/LinkedEnrollment
Data   : Enroll/Unenroll/Priority/LastError/EnrollStatus

PS C:\Windows\system32> $test3 = @"
>> <SyncBody>
>>   <Replace>
>>     <CmdID>2</CmdID>
>>     <Item>
>>       <Target>
>>         <LocURI>./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/LinkedEnrollment/DiscoveryEndpoint</LocURI>
>>       </Target>
>>       <Data>https://discovery.dm.microsoft.com/EnrollmentConfiguration?api-version=1.0</Data>
>>     </Item>
>>   </Replace>
>> </SyncBody>
>> "@

PS C:\Windows\system32> Send-LocalMDMRequest -SyncML $test3

CmdId  : 5
Cmd    : Replace
Status : 405
OmaUri : ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/LinkedEnrollment/DiscoveryEndpoint
Data   :
- Dec 23, 2023
The first blog I mentioned in the response will show you how to manually configure it with a CSP.
- Todos2290 (Copper Contributor), Dec 23, 2023
Rudy_Ooms_MVP Hi, Thanks for the reply.
I read your blog and noticed that DiscoveryEndpoint is missing on my device.
The SyncML Cmd for Replace responded with 405 status.
There are EnrollState, LastError (0x803d0020), MMPLocked (1) in the LinkedEnrollment.
I was trying to set the DiscoveryEndpoint CSP by Intune custom policy but it failed because the OS is not Insider Preview.
Can you please tell me how to set the DiscoveryEndpoint CSP manually?
Many Thanks..
- Dec 22, 2023
Hi... 1. What is the domain name you use?
2. What happens when trying to manually configure the DiscoveryEndpoint?
https://call4cloud.nl/2023/11/in-the-shadow-of-the-discoveryendpoint/
Also this blog contains the exact steps the process goes through:
MMP-C Discovery failed | No valid Endpoint | EPM (call4cloud.nl)
- Todos2290 (Copper Contributor), Dec 22, 2023
Rudy_Ooms_MVP I have exactly the same issue. My device can't get dual enrolled, with a 4022 error: Failed to enroll MMP-C for dual enrollment mode. Result: (The endpoint address URL is invalid.)
And there's no SSL Inspection, can you please give me some advice to dual enroll it?
- Jun 08, 2023
Yep, plus 1… as the MMP-C enrollment is different than the elevation policies :)… and the device didn't even get MMP-C enrolled… so I still stick to the invalid endpoint error that got fixed yesterday… I wish I could explain the error and the fix, but NDA all the way 🙂
- Mehboob Ahmad (Copper Contributor), Jun 08, 2023
@Rudy Ooms - It *may* be a coincidence, but I have tried this in two different tenants now and nothing got installed until I updated the rules. I am using commercial tenants, FYI. In any case I learnt a lot about OMA-DM and Intune policy troubleshooting etc., so thanks for all the tips.
- FishingNotPhishing (Microsoft), Jun 08, 2023
I am skeptical that the actual rule contents had any effect on getting the agent installed. The contents are not inspected in this way. It's more likely that updating the rules (any update at all) triggered something that was stuck, which caused the new policy to get sent to the device. Having policy targeted to the device is what triggers the agent to be installed for the first time.
- Jun 08, 2023
:)… that invalid endpoint wasn't bogus… believe me… K12 US school? Of course there could also be additional issues why EPM wasn't deployed, but that endpoint was 1 of them… which was resolved yesterday.
- Mehboob Ahmad (Copper Contributor), Jun 08, 2023
So folks, I think I have cracked this! My mistake was that I had created elevation rules based off Windows 10 files (regedit and PowerShell in my case), while I was targeting Windows 11 endpoints 😞. Once I updated the rules with the Windows 11 version of the files, it took a few policy refreshes for the elevation policy as well as the rules to kick in, and magically the EPM components got installed 🙂. One would think that the elevation policy would still apply even with an invalid elevation rule, but that was not the case until I fixed the elevation rules. All that stuff about 'invalid endpoint URL' was bogus, it seems. Other notes: I enabled diagnostics and reporting after I verified everything was working, and that too is functional now (at least no errors), although I am still awaiting reports since apparently there is a 24-hour delay 'by design'. Also make sure to assign the 'Intune Suite license' to the targeted users (not sure if that is impactful, but logically it would make sense to do so). Good luck.
- Jun 08, 2023
- JohnBWright (Copper Contributor), Jun 08, 2023
I still have the error on all of my devices. Is there something we have to do to make the magic fix applicable to our domain/tenant?
- Jun 08, 2023
For everyone following this thread... it got fixed!! (maybe not with magic... but not allowed to tell :P)
- Jun 07, 2023
Yep… Teams :)… Wondering how your Fiddler trace looks (already got 1)
Using education licences? 🙂
- Edgar_Izaguirre (Brass Contributor), Jun 07, 2023
Hey Rudy. Spending some time this morning working with Fiddler. I'll reach out to you shortly if you are available. We're using the default domain that gets created, company.onmicrosoft.com
- Jun 07, 2023
Hi... just wondering, but the domain name of your tenant.. does it contain some . . . . . so like rudy.call4cloud.working.onsite.nl ?
- Jun 06, 2023
Hehe yep... Please feel free to reach out to me so we can have a look together... As I am wondering why that error is thrown 🙂
- Edgar_Izaguirre (Brass Contributor), Jun 06, 2023
I'm not too familiar with Fiddler but I'll poke around and see what I can gather.
Update: Found your https://call4cloud.nl/2020/11/close-encounters-of-fiddler/...

- Jun 06, 2023
Mmm okay.. if someone could install Fiddler on his device, enable HTTPS decryption and watch the response… I am all ears!!!! (I ran Fiddler as the current user with admin permissions)
Because it should show you the discovery (which succeeds, as it mentions the cert pinning) but I am wondering what happens or what it mentions in the response (as it should mention the enrollment.dm part).
Feel free to reach out on Teams: [email address removed for privacy reasons]
- Edgar_Izaguirre (Brass Contributor), Jun 06, 2023
Here's what I'm seeing in a constant loop, every 5 mins.
In order:
- MMP-C: Device permission to select target MMP-C environment is (false).
- MMP-C: MMP-C environment to target. URL: (https://discovery.dm.microsoft.com/EnrollmentConfiguration?api-version=1.0), Environment: (0x3).
- MMP-C: Found a certificate whose SPKI matched one of the expected pinned certs.
- Failed to enroll MMP-C for dual enrollment mode. Result: (The endpoint address URL is invalid.)
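An added PowerShell example (not code from this thread, from Rudy's blog, or from Microsoft) that triages the four-message loop quoted in the post above. It reduces a batch of MMP-C client messages to one summary object, so the discovery URL, environment code, pinned-certificate result and failure reason can be compared across devices and tenants instead of read by eye every 5 minutes. The sample messages are the four lines from this post; the event-log name read by Get-LiveMmpcEvents, the registry layout read by Get-MdmEnrollments, and every function name are assumptions made for this example.

```powershell
# Added example, not from the original thread. Summarises the MMP-C dual-enrollment
# messages a device logs so the failure can be compared across devices and tenants.
#
# Assumptions (not confirmed by the thread):
#   - Live messages are read from the event log
#     'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'.
#   - Enrollments are listed from HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID>, where
#     'ProviderID' names the MDM server ('MS DM Server' is the Intune one that
#     appears in the OMA-URIs earlier in the thread).
#   - $SampleMessages and all function names are constructed for this example.

# Constructed sample: the four messages quoted in the post above, oldest first.
$SampleMessages = @(
    'MMP-C: Device permission to select target MMP-C environment is (false).',
    'MMP-C: MMP-C environment to target. URL: (https://discovery.dm.microsoft.com/EnrollmentConfiguration?api-version=1.0), Environment: (0x3).',
    'MMP-C: Found a certificate whose SPKI matched one of the expected pinned certs.',
    'Failed to enroll MMP-C for dual enrollment mode. Result: (The endpoint address URL is invalid.).'
)

function Get-MmpcEnrollmentSummary {
    # Reduce a batch of MMP-C messages to one object describing the last attempt.
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string[]] $Messages)

    $summary = [ordered]@{
        EnvSelectionAllowed = $null   # may the device pick its own MMP-C environment?
        DiscoveryUrl        = $null   # discovery URL the client used
        DiscoveryUrlParses  = $null   # does that URL at least parse locally?
        Environment         = $null   # environment code, e.g. 0x3
        PinnedCertMatched   = $false  # discovery TLS cert matched a pinned SPKI
        FailureReason       = $null   # text inside "Result: (...)" on failure
        Healthy             = $false
    }

    foreach ($m in $Messages) {
        switch -Regex ($m) {
            'select target MMP-C environment is \((true|false)\)' {
                $summary.EnvSelectionAllowed = ($Matches[1] -eq 'true')
            }
            'URL: \((?<url>[^)]+)\), Environment: \((?<env>0x[0-9A-Fa-f]+)\)' {
                $summary.DiscoveryUrl       = $Matches.url
                $summary.Environment        = $Matches.env
                $summary.DiscoveryUrlParses = [uri]::IsWellFormedUriString($Matches.url, 'Absolute')
            }
            'SPKI matched one of the expected pinned certs' {
                $summary.PinnedCertMatched = $true
            }
            'Failed to enroll MMP-C.*Result: \((?<reason>[^)]*)\)' {
                $summary.FailureReason = $Matches.reason.TrimEnd('.')
            }
        }
    }

    # Discovery can succeed (pinned cert matched) while enrollment still fails; that is
    # exactly the pattern in the thread, so both facts are reported separately.
    $summary.Healthy = $summary.PinnedCertMatched -and -not $summary.FailureReason
    [pscustomobject]$summary
}

function Get-LiveMmpcEvents {
    # Pull the MMP-C messages logged on this device in the last N minutes (assumed log name).
    param([int] $Minutes = 60)
    $filter = @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'MMP-C' } |
        Sort-Object TimeCreated |
        ForEach-Object { $_.Message }
}

function Get-MdmEnrollments {
    # List MDM enrollments with a ProviderID, to see whether a second (MMP-C) enrollment
    # exists next to the Intune 'MS DM Server' one (assumed registry layout).
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.ProviderID) {
                [pscustomobject]@{
                    EnrollmentId   = $_.PSChildName
                    ProviderID     = $p.ProviderID
                    EnrollmentType = $p.EnrollmentType
                    UPN            = $p.UPN
                }
            }
        }
}

# Offline run on the constructed sample:
Get-MmpcEnrollmentSummary -Messages $SampleMessages | Format-List
# On an affected device (elevated prompt, to read the Admin log):
# Get-MmpcEnrollmentSummary -Messages (Get-LiveMmpcEvents -Minutes 30) | Format-List
# Get-MdmEnrollments | Format-Table
```

The DiscoveryUrlParses field only confirms that the discovery URL the client logged is syntactically valid on the device; in the loop above it is, yet enrollment still fails. Rudy's point earlier in the thread is that the endpoint the client rejects is the one returned in the discovery response (the "enrollment.dm part"), which the event log never shows, so a Fiddler capture of that response is still the next step once this summary confirms the pinned-cert match and the failure reason.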
- Edgar_Izaguirre (Brass Contributor), Jun 06, 2023
Rudy_Ooms_MVP and Ztdid
I've been having the same issue for weeks now. I have an MS support case open (for weeks) but haven't gotten very far with a resolution.