Forum Discussion

Jason378's avatar
Jason378
Copper Contributor
Jul 27, 2023

Microsoft EPM Agent will not install.

I have configured my elevation settings and created an elevation rule: They are assigned to a group with my test user as a member. EPM License has been assigned to the test user.   The endpo...
Intune
Rudy_Ooms_MVP's avatar
Rudy_Ooms_MVP
MVP
Aug 01, 2023

Okay... so lets get back to the start. If you have a device that hasnt been tempered with.

 

-Could you show how the linkedenrollment/enrollstatus looks like in that registry key (if its 1 or 3)
-I also assume the device has no problem syncing (intune device sync)
-I also want to know if the e enterprisemgt tasks matches that registry enrollment key
-What happens in the event logs a bit more... as it looks like it doesnt accept the intune/mdm enrollment as a proper one ...


This one would give you all the logs you need
wget https://aka.ms/intuneps1 -outfile IntuneODCStandAlone.ps1
powerShell -ExecutionPolicy Bypass -File .\IntuneODCStandAlone.ps1


-You also showed a screenshot mentioning the certificate response was parsed succesfully, so I assume you also got a discovery messasge (so I know at which part of the code the process is in)

Jason378's avatar
Jason378
Copper Contributor
Aug 08, 2023

Rudy_Ooms_MVP 

 

The enrollment keys match from the registry to the scheduled tasks, yes.

I cannot give you an extract of the Event logs. I can give you this screen capture. If you wish to see something specific I may be able to provide a screen capture of that.

 

Where will the Discovery message be?

  • Rudy_Ooms_MVP's avatar
    Rudy_Ooms_MVP
    MVP
    Aug 11, 2023
    Also feel free to reach out to me on twitter or linkedin or teams to have some fast communication... as I am really intrigued by the error you got
  • Rudy_Ooms_MVP's avatar
    Rudy_Ooms_MVP
    MVP
    Aug 09, 2023

    Jason378 

     

    SO assuming that same device that has the issues also gave you the message that mdm enroll: provisioning succeeded, the only few steps after that one are just setting up the MMPC enrollment flag and deleting that task that is still on the device... so what happens if you just manually set that flag to 0?

     

    Did you also have taken a look at the other questions? as they would help pinpoint in which part it breaks and that would make it easier for me to contact "someone" at ms

  • Jason378's avatar
    Jason378
    Copper Contributor
    Aug 09, 2023

    Here are all of the events happening right before the final event which happens to be the error:

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

  • Rudy_Ooms_MVP's avatar
    Rudy_Ooms_MVP
    MVP
    Aug 08, 2023

    Jason378 

    So the mmpclocked is being set , and the enrollmentstatus refers to succeeded (by the docs... but 4 isnt the succeeded status... still working on that one :)..)

     

    The mmpc enrollmentflag in the enrollments root, what status does that one has? (i assume 1, as that means --> needs enrollment)

     

     

    Also the linkedenrollment guid points to the actual mdm/intune enrollment like shown below?

     

    And what does the enrollmentstate looks like in the mmp-c enrollment registry key ( i guess its, still 1.. what happens when doing something stupid and changing it to 0? )

    As the code responsible for the enrollment, will validate the enrollment and looks for the enrollmentstate

     

    Could you also verify if the device has a valid microsoft device management certifiate stored in the local machine compiuter store?

    And if the corrosponding task (schedule 1,2,3 are also created in the task scheduler enrollment guid that corrosponds to the new enrollment)

     

    I see alot of red errors... I am also wondering what happens at the events just before the event 4022 (error)..