EPM Deployment error 2147749902

So, I was trying to implement Endpoint Privilege Management (EPM) and faced deployment error 2147749902.

Firstly, I searched Google and found nothing. I complained to my friend Rudy Ooms that his blog didn't cover the error or a fix. This guy has covered almost everything about Intune, but it turned out his blog didn't mention this error code. You can find the blog here.

But even after applying the fix from his blog, my issue still wasn't solved. That fix was to disable diagnostics:

Basic Troubleshooting

So, I went investigating again and Rudy pointed me to the DeviceManagement-Enterprise-Diagnostics-Provider event log.

It showed me this log:

The EPM agent couldn’t be installed because of system policy… Hmmmm.

I discussed this with Rudy and we both said the same thing: WDAC (now called App Control for Business). I have WDAC enabled on this device because I wanted to give it a try.

My WDAC policy allows everything installed through the managed installer (Intune Win32 apps) and everything signed by Microsoft.

Also, the CodeIntegrity log (Microsoft-Windows-CodeIntegrity/Operational, where WDAC logs blocked executables) didn't show that the installer was blocked! Twitter came to the rescue: because the agent installer is an MSI, the block is written to the AppLocker "MSI and Script" event log instead:

(She also created an awesome PS Module)
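The log split above is easy to get wrong under time pressure, so here is an added example (not from the original post) that pulls the relevant events from all three logs at once: the Intune diagnostics provider log that first reported "system policy", the CodeIntegrity log for executables, and the AppLocker MSI and Script log where WDAC records MSI and script decisions (8028 = audit, 8029 = blocked). The folder path is the one from this post; the time window and the message filters are assumptions you can adjust.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell
# session on the affected device. Log names and event IDs are the documented ones;
# the mdm folder path is the one named in the post, the time window is an assumption.
$MdmFolder = 'C:\Windows\System32\config\systemprofile\AppData\Local\mdm'
$Since     = (Get-Date).AddDays(-1)

# 1. MDM side: the diagnostics provider log where the EPM agent install failure shows up.
$dm = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'policy' }

# 2. WDAC side, executables: 3076 = audit, 3077 = blocked (enforce mode).
$ci = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077
    StartTime = $Since
} -ErrorAction SilentlyContinue

# 3. WDAC side, MSI and scripts: this is the log the CodeIntegrity log does NOT cover.
#    8028 = MSI/script audited, 8029 = MSI/script blocked.
$msi = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/MSI and Script'
    Id        = 8028, 8029
    StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$MdmFolder*" } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Outcome = if ($_.Id -eq 8029) { 'Blocked' } else { 'Audit' }
            Detail  = $_.Message
        }
    }

"DeviceManagement policy-related events : $(@($dm).Count)"
"CodeIntegrity audit/block events       : $(@($ci).Count)"
"AppLocker MSI/Script events for $MdmFolder : $(@($msi).Count)"
$msi | Format-List
```

If the third count is non-zero while the second is zero, you are looking at exactly the situation in this post: an MSI blocked by WDAC that never appears in the CodeIntegrity log.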

You would expect the EPM agent to install without any problems, since my WDAC policy allows all Microsoft-signed apps, but it turns out it doesn't. I grabbed the agent installer from this folder:

C:\Windows\System32\config\systemprofile\AppData\Local\mdm\{GUID}.msi

Next, I tried to grab the signature via the WDAC wizard and add a supplemental policy for the publisher:

This didn’t work.

After that, I exported the event log and tried to create a supplemental policy from it. The Wizard doesn't recognize the log:

Even though the log holds all the information:

The WDACConfig PowerShell Module

Lastly, I tried this method: use MDE advanced hunting data to create a WDAC policy.

On a Mac it doesn't work (understandably, so no complaints):

So I tried it on Windows:

To create the policy you need this command:

Edit-WDACConfig

This worked! Thanks to Violet Hansen and her WDACConfig module. The module found an extra publisher (signer) for this file, something the WDAC Wizard didn't show, and that is what made this so hard to fix.

I have added the EPM supplemental policy to Github.

You need to edit it and replace the base policy GUID with the GUID of your own base policy (the BasePolicyID of a supplemental policy must match the PolicyID of the base policy it supplements):
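Rather than hand-editing the GUID, the ConfigCI module can set it for you and you can verify the result before deploying. This is an added example (not part of the original post or the GitHub repo): the two file paths are assumptions, and the binary file name convention ({PolicyID}.cip) is only relevant if you deploy the compiled policy yourself.

```powershell
# Added example, not code from the original post. Paths are assumptions: point them
# at your active base policy (multiple policy format) and the downloaded EPM
# supplemental policy XML.
$BasePolicyXml   = 'C:\Policies\BasePolicy.xml'
$SupplementalXml = 'C:\Policies\EPM-Supplemental.xml'

# The GUID the supplemental policy must reference is the base policy's own PolicyID.
$base   = [xml](Get-Content -Path $BasePolicyXml -Raw)
$baseId = $base.SiPolicy.PolicyID
if ([string]::IsNullOrWhiteSpace($baseId)) {
    throw "No <PolicyID> in $BasePolicyXml. Supplemental policies require a base policy in multiple policy format."
}

# ConfigCI copies the base policy's PolicyID into the supplemental policy's <BasePolicyID>.
Set-CIPolicyIdInfo -FilePath $SupplementalXml -BasePolicyToSupplementPath $BasePolicyXml

# Verify the binding instead of trusting it: a mismatch means the device silently ignores the supplement.
$supp = Get-CIPolicyIdInfo -FilePath $SupplementalXml
if ($supp.BasePolicyID -ne $baseId) {
    throw "BasePolicyID '$($supp.BasePolicyID)' does not match base PolicyID '$baseId'."
}
"Supplemental PolicyID  : $($supp.PolicyID)"
"Supplements base policy: $($supp.BasePolicyID)"

# Compile to binary. With multiple policies the file must be named after the supplemental
# policy's own PolicyID, braces included, when you deploy it yourself.
$binPath = Join-Path (Split-Path -Path $SupplementalXml -Parent) ("{0}.cip" -f $supp.PolicyID)
ConvertFrom-CIPolicy -XmlFilePath $SupplementalXml -BinaryFilePath $binPath
"Binary written to $binPath"
```

The check after Set-CIPolicyIdInfo is the important part: a supplemental policy whose BasePolicyID points at a base policy that is not on the device is accepted without error and simply never takes effect.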

Lastly, I ended up with multiple policies (a base policy plus a supplemental policy), and in my experience they don't work together all that well. Please read the Microsoft Docs on multiple App Control policies before going this route.
