EPM policies are not being deployed to AVD devices in a personal host pool.

JP 0 Reputation points
2025-07-01T18:20:59.5966667+00:00

Hi,

We have tried to assign a variety of different EPM policies to our AVD machines, but none have been successful. We have an Entra environment that was formerly a hybrid environment, and think it may have something to do with that. We still see segments of our domain in odd places; for example, when we run gpresult /r it shows our on-prem domain.

One example: we configured an EPM policy to allow the end users to run CMD as administrator. We assigned it to all users, all devices, a group, every possible way, and it never gets deployed. Something is preventing most EPM policies from being deployed to our AVD host pool. The research I have done says it should work on personal pools, which is what we have. It however HAS deployed to a personal laptop that is on-prem... but only a single device out of 35...

This is what leads me to believe it may have something to do with our former hybrid environment and group policies. However, I even added the Windows policy to allow MDM to override GPO, and that is being deployed properly. But still no effect on the EPM policies... I did get an EPM global block policy to work, but I can't get any of the allows to be deployed.

Microsoft Security | Intune | Other

1 answer

Catherine Kyalo, 2,695 Reputation points, Microsoft Employee
2025-11-25T14:27:19.2966667+00:00

    1. If your AVD VMs were previously domain-joined or synced via Entra Connect, legacy on-prem GPOs can still apply and override Intune/EPM settings.
    2. Even after enabling MDM Wins Over GP, this only works for CSP-backed settings, not all EPM actions.
    3. EPM policies require correct Entra ID group targeting and device management type validation.
    4. If the device is tagged incorrectly or not in the right group, the policy won't deploy.
    5. EPM "allow" actions (e.g., run CMD as admin) are supported on personal host pools, but require:

    For further troubleshooting refer to : https://v4.hkg1.meaqua.org/en-us/windows/client-management/mdm-diagnose-enrollment

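The checklist in the answer above maps to a handful of local state checks on the session host: what dsregcmd reports about Entra/domain join and MDM enrollment, whether any computer-scope GPO is still being applied, whether the MDMWinsOverGP setting actually landed, whether the EPM agent service is present, and what the MDM diagnostics event log says. The script below is an added, read-only triage example, not code from the question, the answer or Microsoft. The PolicyManager registry path and the EPM service name filter are assumptions that should be confirmed on the target build; everything else uses documented tools and log names.

```powershell
# Added triage example (not from the question or answer above). Read-only: it
# reports state and changes nothing. Run elevated on an affected AVD session host.
# Assumptions: the PolicyManager registry path for ControlPolicyConflict and the
# '*EPM*' / 'Endpoint Privilege' service-name filter; verify both on your build.

#Requires -RunAsAdministrator

function Get-JoinState {
    # dsregcmd /status is the authoritative view of join type and MDM enrollment.
    # A former hybrid host should show AzureAdJoined : YES, DomainJoined : NO.
    $out = dsregcmd /status
    $state = [ordered]@{}
    foreach ($key in 'AzureAdJoined', 'DomainJoined', 'EnterpriseJoined', 'TenantName', 'MdmUrl') {
        $line = $out | Where-Object { $_ -match "^\s*$key\s*:" } | Select-Object -First 1
        $state[$key] = if ($line) { ($line -split ':', 2)[1].Trim() } else { '<not reported>' }
    }
    [pscustomobject]$state
}

function Get-AppliedComputerGpo {
    # Lists the GPOs in the "Applied Group Policy Objects" section of gpresult.
    # Anything here on an Entra-only host is the legacy policy the answer warns about.
    $inSection = $false
    foreach ($l in (gpresult /r /scope:computer 2>$null)) {
        if ($l -match 'Applied Group Policy Objects') { $inSection = $true; continue }
        if ($inSection -and $l -match '^\s*$') { break }
        if ($inSection -and $l -notmatch '^\s*-+\s*$') { $l.Trim() }
    }
}

function Get-MdmWinsOverGp {
    # ControlPolicyConflict/MDMWinsOverGP should read 1 once the Intune setting applies.
    # Registry location is an assumption (PolicyManager\current\device\<Area>\<Setting>).
    $path = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
    if (-not (Test-Path $path)) { return $null }
    (Get-ItemProperty -Path $path -Name MDMWinsOverGP -ErrorAction SilentlyContinue).MDMWinsOverGP
}

function Get-EpmAgentState {
    # EPM is delivered by its own agent service; if it is absent the device never
    # received the EPM enablement, regardless of elevation rules. Name filter is assumed.
    Get-Service | Where-Object { $_.DisplayName -like '*Endpoint Privilege*' -or $_.Name -like '*EPM*' } |
        Select-Object Name, DisplayName, Status
}

function Get-RecentMdmErrors {
    # Error-level events from the MDM diagnostics provider in the last 24 hours;
    # this is the log the linked enrollment-diagnostics page directs you to.
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2; StartTime = (Get-Date).AddDays(-1) } `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message -First 20
}

'== Join / enrollment state ==';        Get-JoinState | Format-List
'== Applied computer GPOs ==';           Get-AppliedComputerGpo
'== MDMWinsOverGP (1 = MDM wins) ==';    Get-MdmWinsOverGp
'== EPM agent service ==';               Get-EpmAgentState | Format-Table -AutoSize
'== Recent MDM errors (24h) ==';         Get-RecentMdmErrors | Format-Table -Wrap
```

Read the output top to bottom in the same order as the answer's list: a DomainJoined : YES or a non-empty GPO list means on-prem policy is still reaching the host; a missing MDMWinsOverGP value means that Intune setting never arrived either; a missing EPM service means the device-scoped EPM enablement did not apply, which explains why allow rules (which need the agent) fail while the tenant-wide block behaviour appears to work. Errors in the MDM diagnostics log then point to the sync or targeting step to chase in the Intune portal.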
