Forum Discussion
Microsoft EPM Agent will not install.
Yes, there are Registry entries under Enrollments with GUIDs. I have matching GUIDs referenced in scheduled tasks.
Before today I had deleted the GUIDs (ones I was allowed to delete) and forced a reenrollment on the device. This obviously did not resolve the issue.
Ahhh... okay, deleted the GUIDs.... so that could explain the error, as it doesn't know and couldn't find the management URLs from the enrollment, and with it getting that error.
I assume you also trashed the certs/scheduled tasks and all other stuff to make sure the Intune/MDM enrollment was all okay. Otherwise the enrollment is bad.
I just tested it in a special vm I have for testing epm/mmp-c enrollments and removing the enrollments from the registry... and yeah that gives me the same exact error :).
My advice, start over with a clean installed device and from there on take a look at what the event log tells you...
- Aug 11, 2023
Also feel free to reach out to me on Twitter or LinkedIn or Teams to have some fast communication... as I am really intrigued by the error you got
- Aug 10, 2023
So assuming that same device that has the issues also gave you the message "MDM enroll: provisioning succeeded", the only few steps after that one are just setting up the MMPC enrollment flag and deleting that task that is still on the device... so what happens if you just manually set that flag to 0?
Did you also take a look at the other questions? They would help pinpoint in which part it breaks, and that would make it easier for me to contact "someone" at MS.
- Jason378, Aug 09, 2023, Copper Contributor
Here are all of the events happening right before the final event which happens to be the error:
- Aug 09, 2023
So the mmpclocked is being set, and the enrollmentstatus refers to succeeded (by the docs... but 4 isn't the succeeded status... still working on that one :)..)
The MMPC enrollmentflag in the Enrollments root, what status does that one have? (I assume 1, as that means --> needs enrollment)
Also, does the linkedenrollment GUID point to the actual MDM/Intune enrollment like shown below?
And what does the enrollmentstate look like in the MMP-C enrollment registry key? (I guess it's still 1.. what happens when doing something stupid and changing it to 0?)
As the code responsible for the enrollment will validate the enrollment and look for the enrollmentstate.
Could you also verify if the device has a valid Microsoft device management certificate stored in the local machine computer store?
And if the corresponding tasks (schedule 1, 2, 3) are also created in the task scheduler enrollment GUID that corresponds to the new enrollment?
I see a lot of red errors... I am also wondering what happens at the events just before the event 4022 (error)..
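The registry, scheduled-task and certificate checks asked for above can be collected in one read-only pass. This is an added example, not part of the thread and not Microsoft's code; the MMPC and linked-enrollment value names are matched by wildcard because the thread does not spell them out, and the certificate issuer names are an assumption.

```powershell
# Read-only inventory of MDM enrollment artifacts; run elevated on the device.
$root     = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$taskRoot = '\Microsoft\Windows\EnterpriseMgmt'
$guidRx   = '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'

# 1. Values on the Enrollments root that mention MMPC (wildcard match, see lead-in).
(Get-ItemProperty -Path $root).PSObject.Properties |
    Where-Object { $_.Name -like '*mmpc*' } |
    ForEach-Object { '{0} = {1}' -f $_.Name, $_.Value }

# 2. One row per enrollment GUID: provider, state, linked enrollment, task count.
$rows = foreach ($key in Get-ChildItem -Path $root) {
    $guid = $key.PSChildName
    if ($guid -notmatch $guidRx) { continue }      # skip Context, Status, etc.
    $p      = Get-ItemProperty -Path $key.PSPath
    $linked = $p.PSObject.Properties | Where-Object { $_.Name -like '*Linked*' }
    $tasks  = @(Get-ScheduledTask -TaskPath "$taskRoot\$guid\*" -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Guid            = $guid
        ProviderID      = $p.ProviderID
        EnrollmentState = $p.EnrollmentState
        Linked          = ($linked | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        TaskCount       = $tasks.Count
    }
}
$rows | Format-Table -AutoSize

# 3. Task folders whose GUID has no enrollment key (left over after a manual
#    registry cleanup) point at a half-removed enrollment.
$taskGuids = Get-ScheduledTask -TaskPath "$taskRoot\*" -ErrorAction SilentlyContinue |
    ForEach-Object { ($_.TaskPath.Trim('\') -split '\\')[3] } |
    Where-Object { $_ -match $guidRx } | Sort-Object -Unique
$taskGuids | Where-Object { $_ -notin $rows.Guid } |
    ForEach-Object { "Orphaned task folder: $taskRoot\$_" }

# 4. Device management certificates in the local machine store.
#    Issuer names below are assumed; adjust if the tenant shows a different CA.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -match 'MDM Device CA|Device Management Device CA' } |
    Select-Object Subject, Issuer, NotAfter, HasPrivateKey,
        @{ n = 'Expired'; e = { $_.NotAfter -lt (Get-Date) } } |
    Format-List
```

A GUID row with `TaskCount` 0, an orphaned task folder, or a certificate that is expired or has no private key each indicate an enrollment that was only partly created or partly removed.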
- Jason378, Aug 08, 2023, Copper Contributor
The enrollment keys match from the registry to the scheduled tasks, yes.
I cannot give you an extract of the Event logs. I can give you this screen capture. If you wish to see something specific I may be able to provide a screen capture of that.
Where will the Discovery message be?
- Aug 01, 2023
Okay... so let's get back to the start. If you have a device that hasn't been tampered with:
- Could you show how the linkedenrollment/enrollstatus looks in that registry key (if it's 1 or 3)
- I also assume the device has no problem syncing (Intune device sync)
- I also want to know if the enterprisemgt tasks match that registry enrollment key
- What happens in the event logs a bit more... as it looks like it doesn't accept the Intune/MDM enrollment as a proper one ...
This one would give you all the logs you need
wget https://aka.ms/intuneps1 -outfile IntuneODCStandAlone.ps1
powershell -ExecutionPolicy Bypass -File .\IntuneODCStandAlone.ps1
- You also showed a screenshot mentioning the certificate response was parsed successfully, so I assume you also got a discovery message (so I know at which part of the code the process is in)
- Jason378, Aug 01, 2023, Copper Contributor
Actually the behavior has not changed. From what I can tell it is exactly the same as before I removed the Enrollments GUID entries.
I did remove the tasks that matched. New ones were created when the device reenrolled. Since then it has been reset though. I only mentioned it as something I had already tried.
Elements that may have been involved that I have since removed:
MFA. We have two different MFA solutions and sometimes they are both used depending on the situation. Both have been disabled for testing.
BitDefender Firewall. This has been disabled and Windows Firewall is the acting firewall now. Windows Firewall is basically default and working normally.
Cloudflare zero trust tunnel. This has been disabled as well.
The device has no issue accessing https://discovery.dm.microsoft.com/EnrollmentConfiguration?api-version=1.0
The cert also matches and there are no issues there.
MDM Enrollment is showing Okay for the device: