In this final section of my blog series about EPM, we will look at troubleshooting EPM and which tools you can use to do that. When configuring new policies, it is important to know which parameters to use. After you have applied the policy, it is also important that you can see whether it is working properly.
Applied policies
When you configure and apply a policy, it is important that you can see that it has actually been applied. Especially if you have to make multiple changes to get something working, it is important that the last change has been applied before testing. To test these things and more, there is a set of EPM cmdlets that you can import into PowerShell. These cmdlets allow you to see which EPM policies have been received, which have been applied, and more.
Import cmdlets
First, the PowerShell cmdlets must be imported.
- Open PowerShell with admin privileges.
- Go to the EPM tools folder (C:\Program Files\Microsoft EPM Agent\EpmTools)
- Import the EPM agent cmdlets by entering
import-module .\EpmCmdlets.dll
ClientSettings
In one of the previous posts, we configured the client settings policy below.
By using the command:
Get-Policies -PolicyType ClientSettings -Verbose | Format-Table -AutoSize
You can validate whether the EPM client settings policy is loaded. The policy is divided into three parts: EnableEPM, DefaultBehaviour and TelemetryLevel. These correspond to the settings in the Client settings policy.
ElevationRules
The same as for the client settings policy we can also do for the elevation rules policy. We configured the policy below.
By using the command:
Get-Policies -PolicyType Elevationrules -Verbose | Format-Table -AutoSize
You can validate whether the EPM elevation rules policy is loaded and which rules it contains.
In addition, it is also possible to see from the exefilename or certificatepayload whether a rule is present. In this case, I am looking to see if there is a rule for the file “cmd.exe”. This command also shows all the settings configured for this file.
Get-ElevationRules -Target cmd.exe -Lookup FileName -Verbose
Conflicting policies
If you have multiple policies configured, they may overlap. In this example, I have configured two client settings policies. One policy enables EPM and the other disables it.
Running the Get-ClientSettings command analyzes all policies and shows you which client settings are used by the EPM Agent. If there is a conflict, it is shown (see arrow), followed by the settings that are actually being used.
Get-ClientSettings -Verbose
Conflicting rules
If a device receives two elevation rules targeting the same application, both rules are consumed on the device. When EPM goes to resolve rules that apply to an elevation, it uses the following logic:
- Rules deployed to a user take precedence over rules deployed to a device.
- Rules with a hash defined are always deemed the most specific rule.
- If more than one rule applies (with no hash defined), the rule with the most defined attributes wins (most specific).
- If applying the above logic results in more than one rule, the following order determines the elevation behavior: User Confirmed, Support Approved (once available), and then Automatic.
(Source: Microsoft)
Elevations performed by EPM agent
Every elevated access you perform is logged in the EPM service log. This makes this log very useful if you want to configure a new rule or run into a problem with an existing rule. The service log can be found in C:\Program Files\Microsoft EPM Agent\Logs. By the way, at this location you can find more log files related to EPM.
When you start an exe with elevated access you will see in the log the following things happen.
- Processing client request
- Retrieving (client) settings
- Check if EPM is enabled
- Check if there is a rule for the filename
- User justification
- Start process with elevated token using virtual account token
When troubleshooting, the fourth part is especially important. You can use this to see if the rule you configured is being applied. You can mimic this process with the PowerShell command “Get-ElevationRules -Target cmd.exe -Lookup FileName -Verbose.”
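The checks above can be scripted so that, for a given executable, you see the effective client settings, the matching rule(s) and the recent service-log lines in one run. This is an added example and not code from the original post or from Microsoft; it assumes the agent's default install path shown earlier, that the service log files end in .log, and it does not reference any output property names of the cmdlets (they are not documented here), so it prints all properties instead:

```powershell
# Added example (not from the original post): replays the steps the EPM
# service log shows for an elevation, using the cmdlets described above.
# Assumptions: default agent path, log files named *.log; cmdlet output
# property names are unknown here, so Format-List * is used throughout.
#Requires -RunAsAdministrator
param(
    [string]$FileName  = 'cmd.exe',
    [string]$AgentRoot = 'C:\Program Files\Microsoft EPM Agent'
)

$ErrorActionPreference = 'Stop'

# 1. Import the EPM cmdlets once (same as "import-module .\EpmCmdlets.dll").
if (-not (Get-Command Get-ElevationRules -ErrorAction SilentlyContinue)) {
    Import-Module (Join-Path $AgentRoot 'EpmTools\EpmCmdlets.dll')
}

# 2. Mirrors "Retrieving (client) settings" / "Check if EPM is enabled":
#    the settings that win after conflict resolution between policies.
Write-Host '== Effective client settings =='
Get-ClientSettings -Verbose | Format-List *

# 3. Mirrors "Check if there is a rule for the filename".
Write-Host "== Elevation rules matching $FileName =="
$rules = @(Get-ElevationRules -Target $FileName -Lookup FileName -Verbose)
if ($rules.Count -eq 0) {
    Write-Warning "No elevation rule matched '$FileName'; check the rule or force a policy sync."
} else {
    Write-Host "$($rules.Count) rule(s) matched (the most specific rule wins):"
    $rules | Format-List *
}

# 4. Most recent service-log lines that mention the file, so the rule lookup,
#    justification and token steps can be read back after a test elevation.
Write-Host "== Recent log lines mentioning $FileName =="
Get-ChildItem (Join-Path $AgentRoot 'Logs') -Filter '*.log' |
    Select-String -Pattern ([regex]::Escape($FileName)) |
    Select-Object -Last 15 |
    ForEach-Object { '{0}:{1}: {2}' -f $_.Filename, $_.LineNumber, $_.Line }
```

Run it from an elevated PowerShell after attempting a "run with elevated access" on the target executable, so the log section shows the attempt you are troubleshooting.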
What is good to know is that you can remotely download the EPM Agent log files. You can do this through Intune. Select the device from which you want to receive the log files and select “collect diagnostics.”
Wait for the data to be collected and download it. When you open the zip file you will see a folder named (66) Programfiles_Microsoft_EPM_Agent_Logs. This folder contains the contents of the client computer’s EPM Logs folder.
Considerations
In general, EPM is a nice solution for many situations allowing you to reduce the number of local administrators. What you should keep in mind is that at this moment EPM is still in development. This means that not all functionality announced at Ignite 2022 is available yet. In addition, some of the issues below may prevent it from being applicable in your environment.
- Only exe files are supported.
- Elevated Child processes are currently not supported. (1)
- Long delays in reporting in the Intune portal, not always accurate.
- The need to start a process with “run with elevated access” to elevate.
- No automatic elevation for matching executables.
- No support for Windows ARM (2)
- Currently no support for ad hoc elevation. (1)
(1) Will be added later this year around the summer.
(2) Will be added around end of the year.
Hopefully this blog series on EPM can help you make a good decision. Keep a close eye on Microsoft’s documentation and announcements. If you have any questions or comments please let us know in the comments.