The Lord of the EPM: The War of the MMP-C Enrollment

by: rudyoomsPosted on:

Last Updated on April 8, 2024 by rudyooms

This blog will show you how you could “Kickstart” your EPM enrollment on your own turf when the EPM agent is somehow not being deployed even when you have met all the requirements!

I will divide this blog into multiple parts

  1. Introduction
  2. Kickstarting it on your own!

1. Introduction

When first looking at EPM and how it triggered a Silent *MMP-C enrollment using the AAD device token I was pretty amazed. If you don’t have read that blog, please do!

I Killed My Endpoint Privilege Management Enrollment, Hung Her on a Meathook, and Now I Have a Three Picture Deal at MMP-C

*Microsoft Managed Platform – Cloud or is it Microsoft Management Platform – Cloud?

While writing that blog I also noticed some EPM Enrollment issues being mentioned in the tech community

Endpoint privilege management, deployment unsuccessful with “device health monitoring” error – Microsoft Community Hub

Those enrollment issues were simple being caused by not having all the Windows Client requirements met.

If you don’t have an up-to-date device, you can forget about deploying EPM to your device. When looking at some other enrollment issues, they were caused by errors with the Device Health Monitoring Policy (Send Elevation Data for Reporting)

If somehow this policy failed to deploy, you will end up with an error mentioning the “Allow Device Health Monitoring” and the EPM agent would not be installed

As shown above, it only shows the “Allow Device Health Monitoring” setting run into some error. Nothing more! Microsoft their advice, for now, is to change the “Send Elevation data for reporting” to NO

When taking a closer look at the device you could notice that the device management event log is mentioning the fact that it couldn’t find the file

Somehow on those devices, the DeviceHealthMonitoring registry keys were all missing in action. As shown below, in a normal working situation, the device should have this key.

If those keys are missing, you are up for a challenge! Let me help you a bit!

2. KickStart it on your own!

Kickstarting the enrollment on your own would bypass the requirements. The only requirement left would be to have a device that has the October update installed. The Declared Configuration Service needs to be active on the device!

So let’s move on to kickstart the MMPC / Linkedenrollment on your own because it is supposed t be fun!

After making sure the device was enrolled with Intune and the initial sync was done I opened a PowerShell session and elevated myself to “SYSTEM” with the use of the psexec tool.

Once elevated, I first installed the localmdm powershell module

Install-PackageProvider -Name NuGet -Force
Install-Module -Name localmdm -Force -SkipPublisherCheck

Once I installed that beautiful tool from some stranger called Niehaus, I created the same CSP I got from another great tool! The syncml tool!

With the <syncbody> in good shape, I made sure I opened a new PowerShell session with the -MTA parameters

Before we continue, we also need to make sure we are going to target the existing Intune enrollment type and not the local_management enrollment. Otherwise the localmdm enrollment will get a linkedenrollment!

To do so, we need, we first need to change the current local_management enrollmenttype 14 to something that is not in use (so for example, 114)

After making sure, the enrollment type 14, is not in use anymore, we can alter the Intune enrollmenttype to match the local_management enrollment.

As shown below, I am going to change the enrollmenttype 6, to 14

After the enrollmenttype has been changed we can fire off the PowerShell script. Within the MTA PowerShell session, I copy/pasted the sync body and fired off the send-request

$test1 = @"
<SyncBody>
	<Exec>
      <CmdID>12</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/LinkedEnrollment/Enroll</LocURI>
        </Target>
      </Item>
    </Exec>
</SyncBody>
"@

send-localmdmrequest -SyncML $test1

After firing off the PowerShell command, you will need to get back the status:200

At this moment, the scheduled task to enroll the device into MMP-C will be created! With the status 200, we need to make sure that we are switching back the enrollment type to how it was previously configured; otherwise, you will end up in a world of pain and enrollment errors!

Within a few minutes, the device got enrolled into MMPC, got the Intune Enrollment linked to the Privilege Manager, and got the EPM agent installed

I was wondering if Intune had the same feeling. So I opened the Intune portal and looked up the device, only to notice every required setting was marked as “succeeded”

Conclusion

Knowing how to trigger stuff on your turf can be very useful if you want to spot every single detail. Besides getting to know the details a bit faster, you can also use it to trigger it on your own if for some reason, the EPM deployment doesn’t work

LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked *

33  +    =  42