Microsoft EPM Agent will not install.


I have configured my elevation settings and created an elevation rule:


They are assigned to a group with my test user as a member. EPM License has been assigned to the test user.


The endpoint targeted is running Windows 11 22H2 with June 5th updates:


My elevation settings policy has been successfully applied to the endpoint.


However I am still not showing my Elevation Rules being applied:


Also inside File Explorer at c:\program files\ I am not seeing the "Microsoft EPM Agent" directory:


The endpoint is checked in and I can run other Intune related services against it successfully:



This has been days now since I began this supposedly simple task of elevating an app. I have read Microsoft's documentation along with many others' "User Experience" articles and blogs.


My app still does not have the right click menu option "Run with Elevation". I must assume this will not happen until the Microsoft EPM Agent is installed on the endpoint and the rule is successfully applied.


Any help would be appreciated.





20 Replies

After attempting to install the EPM Agent manually, the logs show the following:




Attempting to run the task in task scheduler, "Schedule created by dm client for dual enrollment to Mmpc" shows result 0x8018000B (Device not enrolled). 




Did you by any chance read my blogs about MMP-C and what happens when the device is enrolled with EPM? As manually installing the EPM agent won't do anything without the device being enrolled into the Microsoft Managed Platform - Cloud.

This blog explains the first few steps in detail

Of course you could also kick off the MMP-C linked enrollment on your own with the use of the linked CSP (do not use it in production).

What domain are you using? As I know (and mentioned in the first blog I pointed out) that there was a small issue some time ago with k12 domains (which got resolved quickly..)

Besides that... what is the dsregcmd /status output giving you? I assume the device is adjoined successfully and has a PRT?

Rudy, thank you for your reply.


I have read your blog, thank you for your work there.


Our domain is a .org


Here are some snippets of the dsregcmd output:




I have not forced the MMP-C enrollment. Perhaps I will attempt that next. The test device is in production but I am confident it has the required patches.


Thank you again!


I would start by checking out the devicemanagement event logs, just like I showed in one of the blogs I mentioned. As those would certainly tell you or show you an error... If I have that error code/message we can probably solve it (yeah we can :) )

I am showing the following:




Could you also show the events just before this message pops up?

I assume all other Intune policies are working on the HAADJ device? Did you also try it on a regular AADJ device?

As that message refers to an MDM enrollment message, stating the device isn't MDM enrolled...

So could you also output the MDM URLs from the dsreg you took?

I am getting the following events including one additional error:


Here is the dsregcmd MDMurl section output:


Actually I have not attempted using an AADJ device, everything in our environment will be hybrid. I have limited access to devices as I am remote. I will ask another tech to get one enrolled into AAD without local domain membership and add it to the test group.


In the event logs, just search for mmp-c. It should get you to the messages just before it mentions the error; you should start with something like mmp-c: device permission to select target....

I must assume you are referring to this error:



I show no 2600 Events.



The below URL is accessible and the cert does match: 



Yep... and from there on there should be more like mmp-c discovery etc... so could you put them in chronological order, something like this... as the enrollment covers some steps...

Also wondering whether, in the registry under software\microsoft\enrollments, a subkey gets created in a GUID (different than on the screenshot) with linkedenrollment and an enrollstatus.








Yes, there are Registry entries under Enrollments with GUIDs. I have matching GUIDs referenced in scheduled tasks.


Before today I had deleted the GUIDs (ones I was allowed to delete) and forced a reenrollment on the device. This obviously did not resolve the issue.

Ahhh... okay, deleted the GUIDs.... so that could explain the error, as it doesn't know and couldn't find the management URLs from the enrollment and with it getting that error.
I assume you also trashed the certs/scheduled task and all other stuff to make sure the Intune/MDM enrollment was all okay. Otherwise the enrollment is bad.


I just tested it in a special vm I have for testing epm/mmp-c enrollments and removing the enrollments from the registry... and yeah that gives me the same exact error :).

My advice, start over with a clean installed device and from there on take a look at what the event log tells you...

Actually the behavior has not changed. From what I can tell it is exactly the same as before I removed the Enrollments GUID entries.

I did remove the tasks that matched. New ones were created when the device reenrolled. Since then it has been reset though. I only mentioned it as something I had already tried.

Elements that may have been involved that I have since removed:
MFA. We have two different MFA solutions and sometimes they are both used depending on the situation. Both have been disabled for testing.
BitDefender Firewall. This has been disabled and Windows Firewall is the acting firewall now. Windows Firewall is basically default and working normally.
Cloudflare zero trust tunnel. This has been disabled as well.
The device has no issue accessing
The cert also matches and there are no issues there.

MDM Enrollment is showing Okay for the device:



Okay... so let's get back to the start. If you have a device that hasn't been tampered with.


-Could you show what the linkedenrollment/enrollstatus looks like in that registry key (if it's 1 or 3)
-I also assume the device has no problem syncing (Intune device sync)
-I also want to know if the enterprisemgt tasks match that registry enrollment key
-What happens in the event logs a bit more... as it looks like it doesn't accept the Intune/MDM enrollment as a proper one ...

This one would give you all the logs you need
wget -outfile IntuneODCStandAlone.ps1
powerShell -ExecutionPolicy Bypass -File .\IntuneODCStandAlone.ps1

-You also showed a screenshot mentioning the certificate response was parsed successfully, so I assume you also got a discovery message (so I know at which part of the code the process is in)
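
The registry and scheduled-task checks requested above can be collected in one read-only pass. This is an added example, not part of the original posts: it dumps whatever values and subkeys exist rather than assuming value names, and the only paths it assumes are the Enrollments key named in the thread and the \Microsoft\Windows\EnterpriseMgmt\ task folder used for MDM enrollment tasks.

```powershell
# Added example: read-only inventory of enrollment state on the local device.
# Run from an elevated PowerShell prompt. Nothing is modified.
$root        = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$guidPattern = '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$'

# Values stored directly on the Enrollments root (the thread refers to an
# MMP-C enrollment flag at this level).
"== Values on $root =="
$rootKey = Get-Item -Path $root
foreach ($name in $rootKey.GetValueNames()) {
    '  {0} = {1}' -f $name, $rootKey.GetValue($name)
}

# GUID-named task folders created for each enrollment.
$taskGuids = @(Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
    ForEach-Object { ($_.TaskPath.Trim('\') -split '\\')[-1].Trim('{}') } |
    Where-Object { $_ -match $guidPattern } |
    Sort-Object -Unique)

# Every GUID-named enrollment key, its values, and all of its subkeys
# (a linked-enrollment subkey and its status show up here if present).
$enrollKeys = @(Get-ChildItem -Path $root | Where-Object { $_.PSChildName -match $guidPattern })
foreach ($key in $enrollKeys) {
    $guid     = $key.PSChildName
    $hasTasks = $taskGuids -contains $guid.Trim('{}')
    ''
    "== Enrollment $guid (matching task folder: $hasTasks) =="
    foreach ($name in $key.GetValueNames()) {
        '  {0} = {1}' -f $name, $key.GetValue($name)
    }
    foreach ($sub in @(Get-ChildItem -Path $key.PSPath -Recurse -ErrorAction SilentlyContinue)) {
        '  [{0}]' -f $sub.Name.Substring($sub.Name.IndexOf($guid))
        foreach ($name in $sub.GetValueNames()) {
            '    {0} = {1}' -f $name, $sub.GetValue($name)
        }
    }
}

# Task folders left behind without a registry enrollment key.
$regGuids = @($enrollKeys | ForEach-Object { $_.PSChildName.Trim('{}') })
''
foreach ($t in $taskGuids) {
    if ($regGuids -notcontains $t) { "Task folder without enrollment key: $t" }
}
```

Redirect the output to a file to compare a failing device against a working one.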




The enrollment keys match from the registry to the scheduled tasks, yes.

I cannot give you an extract of the Event logs. I can give you this screen capture. If you wish to see something specific I may be able to provide a screen capture of that.



Where will the Discovery message be?


So the mmpclocked is being set, and the enrollmentstatus refers to succeeded (by the docs... but 4 isn't the succeeded status... still working on that one :)..)


The mmpc enrollmentflag in the enrollments root, what status does that one have? (I assume 1, as that means --> needs enrollment)




Also the linkedenrollment guid points to the actual mdm/intune enrollment like shown below?



And what does the enrollmentstate look like in the mmp-c enrollment registry key (I guess it's still 1.. what happens when doing something stupid and changing it to 0?)


As the code responsible for the enrollment will validate the enrollment and look for the enrollmentstate


Could you also verify if the device has a valid Microsoft device management certificate stored in the local machine computer store?


And if the corresponding tasks (schedule 1, 2, 3) are also created in the task scheduler enrollment GUID that corresponds to the new enrollment


I see a lot of red errors... I am also wondering what happens at the events just before the event 4022 (error)..



Here are all of the events happening right before the final event which happens to be the error:


So assuming that same device that has the issues also gave you the message that mdm enroll: provisioning succeeded, the only few steps after that one are just setting up the MMPC enrollment flag and deleting that task that is still on the device... so what happens if you just manually set that flag to 0?


Have you also taken a look at the other questions? As they would help pinpoint in which part it breaks and that would make it easier for me to contact "someone" at MS