I have configured my elevation settings and created an elevation rule:
They are assigned to a group with my test user as a member. EPM License has been assigned to the test user.
The endpoint targeted is running Windows 11 22H2 with June 5th updates:
My elevation settings policy has been successfully applied to the endpoint.
However I am still not showing my Elevation Rules being applied:
Also inside File Explorer at c:\program files\ I am not seeing the "Microsoft EPM Agent" directory:
The endpoint is checked in and I can run other Intune related services against it successfully:
This has been days now since I began this supposed simple task of elevating an app. I have read Microsoft's Documentation along with many other's "User Experience" articles and blogs.
My app still does not have the right click menu option "Run with Elevation". I must assume this will not happen until the Microsoft EPM Agent is installed on the endpoint and the rule is successfully applied.
Any help would be appreciated.
Jason
Attempting to run the task in task scheduler, "Schedule created by dm client for dual enrollment to Mmpc" shows result 0x8018000B (Device not enrolled).
Rudy, thank you for your reply.
I have read your blog, thank you for your work there.
Our domain is a .org
Here are some snippets of the dsregcmd output:
I have not forced the MMP-C enrollment. Perhaps I will attempt that next. The test device is in production but I am confident it has the required patches.
Thank you again!
Jason
I am getting the following events including one additional error:
Here is the dsregcmd MDMurl section output:
Actually I have not attempted using an AADJ device, everything in our environment will be hybrid. I have limited access to devices as I am remote. I will ask another tech to get one enrolled into AAD without local domain membership and add it to the test group.
I must assume you are referring to this error:
I show no 2600 Events.
The below URL is accessible and the cert does match:
https://discovery.dm.microsoft.com/EnrollmentConfiguration?api-version=1.0
yep... and from there on there should be more like mmp-c discovery etc... .. so could you put them in chronical order.. so like something like this... as the enrollment covers some steps...
Also wondering if in the registry software\microsoft\enrollments if there is a subkey gets created in an guid (different than on the screenshot) with linkedenrollment and a enrollstatus
Yes there are Registry entries under Enrollments with GUIDs. I have matching GUID's referenced in scheduled tasks.
Before today I had deleted the GUIDs (ones I was allowed to delete) and forced a reenrollment on the device. This obviously did not resolve the issue.
Actually the behavior has not changed. From what I can tell It is exactly the same as before I removed the Enrollments GUID entries.
I did remove the tasks that matched. New ones were created when the device reenrolled. Since then it has been reset though. I only mentioned it as something I had already tried.
Elements that may have been involved that I have since removed:
MFA. We have two different MFA solutions and sometimes they are both used depending on the situation. Both have been disabled for testing.
BitDefender Firewall. This has been disabled and Windows Firewall is the acting firewall now. Windows Firewall is basically default and working normally.
Cloudflare zero trust tunnel. This has been disabled as well.
The device has no issue accessing https://discovery.dm.microsoft.com/EnrollmentConfiguration?api-version=1.0
The cert also matches and there are no issues there.
MDM Enrollment is showing Okay for the device:
The enrollment keys match from the registry to the scheduled tasks, yes.
I cannot give you an extract of the Event logs. I can give you this screen capture. If you wish to see something specific I may be able to provide a screen capture of that.
Where will the Discovery message be?
So the mmpclocked is being set , and the enrollmentstatus refers to succeeded (by the docs... but 4 isnt the succeeded status... still working on that one :)..)
The mmpc enrollmentflag in the enrollments root, what status does that one has? (i assume 1, as that means --> needs enrollment)
Also the linkedenrollment guid points to the actual mdm/intune enrollment like shown below?
And what does the enrollmentstate looks like in the mmp-c enrollment registry key ( i guess its, still 1.. what happens when doing something stupid and changing it to 0? )
As the code responsible for the enrollment, will validate the enrollment and looks for the enrollmentstate
Could you also verify if the device has a valid microsoft device management certifiate stored in the local machine compiuter store?
And if the corrosponding task (schedule 1,2,3 are also created in the task scheduler enrollment guid that corrosponds to the new enrollment)
I see alot of red errors... I am also wondering what happens at the events just before the event 4022 (error)..
Here are all of the events happening right before the final event which happens to be the error:
