SOLVED

Endpoint Privilege Management not deploying


Hi Everyone,

 

A while ago, when EPM was in preview, I set up a rule and a group with 5 users for a quick test. It took ages to deploy to that test group, but eventually it deployed. I can't be precise about how long it took because I had to work on other tasks, but it was for sure more than a week.

 

I currently have a trial activated for EPM and I have about 15 users for the test; however, it only deploys for the 5 people from my first test when it was in preview. The rest of them don't get the EPM rules. They are on the latest version of Windows 11, AAD joined.

 

Does anyone have any idea why it doesn't deploy to the others?

 

I've tested on a Win 10 hybrid joined with all updates installed, no joy. On this machine I also tried to install KB5023773 but it says "The update is not applicable to your computer".

 

Thanks, Will.

 

9 Replies

@WilliamBonomo 

To know what is happening on the device, we need to begin at the start.

When the device is being targeted by EPM rules/policies, a separate policy will be deployed to those devices to enable the linked enrollment (an additional, aka dual, enrollment will be created on the device).

 

MMP-C Discovery failed | No valid Endpoint | EPM (call4cloud.nl)

 

So my first guess would be to start there: check whether the scheduled task to enable the dual enrollment gets created and what kind of errors you get in the DeviceManagement event log (this event log will tell you step by step what's happening).

 

In this blog I also show the bigger picture of what's happening after the discovery:

MMP-C | Microsoft Management Platform Cloud (call4cloud.nl)

If you have some screenshots from the event log in chronological order... we can find out what's happening.

@Rudy_Ooms_MVP Thank you very much for getting back to me.

Thank you for the great articles as well, they are quite educative.


I didn't find any related error in Event Viewer under DeviceManagement-Enterprise-Diagnostics-Provider.

I couldn't find the registry related to EPM under ...\EnterpriseDesktopAppManagement\...

 

When Fiddler is open I can't force the synchronization; it errors and Fiddler shows an error. When I close Fiddler I can force the sync again, but I don't see any error in Event Viewer.

 

 

@WilliamBonomo 

 

Mmm, that's really odd... as there must be something being logged in those event logs (just like I showed in the blogs),

 

as we need to know how far the device could get. Is the scheduled task for dual enrollment even created on the device in the EnterpriseMgmt folder of Task Scheduler?

Hey. No, I don't see such a scheduled task, unfortunately.

Mmm, can you be 100% sure those users are targeted by the EPM policies? What does the status report tell you? What happens when you try to push the LinkedEnrollment CSP yourself (I have a blog about how to)?

Yes, 100%.

Triggering it manually has worked. My test PC is now on EPM.

Mmm... as if those devices are in some filter or blocked... Not sure... but some additional questions:

 

1. Can you share a screenshot of the assignment of the EPM policy and of whether the user is in the status report (health policy etc.)?

2. I assume (I know they aren't, otherwise the LinkedEnrollment CSP wouldn't have worked) those devices aren't AVD/Cloud PC.

3. I assume (I know, because the LinkedEnrollment CSP worked) there isn't SSL filtering.

4. Can you post the output of winver? 

Learn about using Endpoint Privilege Management with Microsoft Intune | Microsoft Learn

5. I assume the devices are able to sync successfully with Intune (Company Portal / work or school account).

6. Those EPM policies, are they assigned to devices or users (I assume users, reading your question)? If so... could you check whether the users even have a valid PRT? Run dsregcmd /status in the user session.

7. Please create a support ticket... and if so, could you share it (PM or something)...
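The checks Rudy lists above and in his first reply (dual-enrollment scheduled task, DeviceManagement event log, OS build, PRT via dsregcmd) gathered into one script. This is an added example, not code from either poster or from the linked blogs; the Task Scheduler folder, the event log name and the dsregcmd output field names are assumed to be the standard Windows ones, not values quoted in the thread.

```powershell
# Added diagnostic helper (not from the thread). Run in the affected user's session,
# elevated, on the device that is not getting the EPM policy.
# Assumed standard names: the EnterpriseMgmt Task Scheduler folder, the
# DeviceManagement diagnostics event log, and the dsregcmd /status fields.

# 1. OS build (the same information winver shows)
$os = Get-CimInstance Win32_OperatingSystem
"OS: $($os.Caption) build $($os.BuildNumber) (version $($os.Version))"

# 2. Scheduled tasks under the MDM enrollment folder. Each enrollment gets its own
#    GUID subfolder here; the dual/linked enrollment task is expected alongside them.
$tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue
if (-not $tasks) {
    "No tasks under \Microsoft\Windows\EnterpriseMgmt\ - the device is not MDM enrolled on this account"
}
$tasks | Select-Object TaskPath, TaskName, State | Sort-Object TaskPath | Format-Table -AutoSize

# 3. Warnings (3) and errors (2) from the DeviceManagement diagnostics log, last 24h,
#    oldest first so the sequence of enrollment steps can be read top to bottom.
$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
Get-WinEvent -FilterHashtable @{ LogName = $logName; Level = 2,3; StartTime = (Get-Date).AddDays(-1) } `
    -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace "`r?`n", ' ' } } |
    Format-Table -Wrap

# 4. Join state and PRT for the signed-in user. AzureAdPrt must be YES for a
#    user-targeted policy to reach the device; dsregcmd reports it per user session.
$ds = dsregcmd /status
$ds | Select-String -Pattern 'AzureAdJoined|DomainJoined|AzureAdPrt\s*:|MdmUrl|TenantName' |
    ForEach-Object { $_.Line.Trim() }
```

If step 2 lists no tasks at all or step 4 shows AzureAdPrt : NO, that is the point to investigate before looking at the EPM policy assignment itself.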

 

@Rudy_Ooms_MVP Hey. Sorry for the late reply. I've been on holiday and also covering for colleagues on holiday.

 

1. It doesn't show the users in the Endpoint check-in status. Only those first ones I tested in the beginning, and now the one we've enrolled manually.


2. Negative

3. There is but we've whitelisted the URLs as per Microsoft instructions.

4. Version 22H2 (OS Build 19045.3208)

5. Yes.

6. Tried both, but will be using users. Will attach the dsregcmd result.

7. Will do.

 

 

best response confirmed by WilliamBonomo (Brass Contributor)
Solution

Just to finally close this one.

After quite a lot of back-and-forth emails and remote sessions with Microsoft support, they weren't able to solve the issue. Even after requesting escalation a few times, the same badly trained support operator was kept in place.

The funny part is that the solution came after our trial license expired: they asked us to purchase the EPM license to carry on with the troubleshooting, and so we did. After assigning the licenses, EPM started to work and enroll the devices used by the users of our test group. Apparently, the trial licenses that we were using didn't work properly.
