Alice and the Device Certificate


This blog will show you how to start troubleshooting when some features of the Company Portal aren’t working anymore. The features that stopped working were app installations and syncing. While troubleshooting, it really took me down the rabbit hole.

In one of my last blogs, I showed you which steps you could take to implement Adminless and how to make sure the end-user experience is still great.

Dude, Where’s my Admin? – Call4Cloud

Almost at the same time, we got a customer specialized in electrical systems with a dedicated service team who was very interested in the Make Me Admin solution. After a good conversation to determine whether another solution would perhaps be a better fit, we noticed the service team really needs the possibility to configure or install apps when they need them.

Within a few minutes we made sure only the technical service group was receiving the Make Me Admin app. All those users were very happy except one: the Make Me Admin tool was not pushed to his device.

I am going to divide this blog into 3 parts:

  1. Troubleshooting the problem
  2. Solving the problem
  3. Monitoring the problem

1. Troubleshooting

First, we needed to do some troubleshooting before we could determine the root cause. When an app is not automatically pushed to the device, you could also configure the app as “available”. If you configure the app as available, the user can manually install the application from the Company Portal app, so we asked the user to open the Company Portal and install the app.

As shown above, the app hangs on downloading… That’s odd, because the app is not that big. We opened the Incoming folder to see whether the Intune Management Extension was doing “something”.

“C:\Program Files (x86)\Microsoft Intune Management Extension\Content\Incoming\”

But it was completely empty. We needed to be sure whether the Make Me Admin app was the only one experiencing problems, so we tried to install another app.

This time, we received the error: “While requesting the app an error occurred.” After looking at some other information and settings in the Company Portal, we noticed the compliance status had also not been checked for the last 16 days. That’s odd.

We pressed the button to check whether the device still had access to the company resources… but again nothing happened: nothing changed, and no errors or warnings. The next step would be syncing the device, so we did.

The last sync attempt failed. Of course, we tried to sync the device from within the Intune portal, but nothing changed again. We even tried to sync the device from the account settings.

Again, a nice new error: 0x80190190

I remembered an issue when the dmwappushservice (WAP Push Message Routing Service) was disabled or missing. This service is required for the device to be able to sync with Intune.

Windows 10 devices can’t sync with Intune after enrollment – Intune | Microsoft Docs

Security guidelines for system services in Windows Server 2016 | Microsoft Docs

So I checked the service; as shown below, the service was not missing and it was configured to start automatically.

The next thing we did was check the Intune Management Extension log. This log is very important for troubleshooting app or sync problems.

C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\intunemanagementextension.log

DNS detection: a proxy for the URL call failed? There were definitely no proxy servers configured. All other devices were working without any problems, but to be sure there was also no proxy configured for the Intune Management Extension, we checked the registry. As shown below… no proxy!

Or use dsregcmd /status within the user’s session.

Now that we were 100% sure there were no proxies configured, we needed to determine whether the IP address was the same as on another device. We did an ICMP/ping from a working device and from the device with issues. Both of them showed us the same IP address for the FQDN.

Okay, that’s strange. I was expecting to get an error (hostname not found), but it just resolved to the same IP address. There goes my poem…

Now that we knew it was definitely not a DNS issue, let’s check whether there is a difference when we open the Edge browser and browse to the FQDN on the two devices.

We noticed the non-working device prompted us to select a certificate. It certainly looked a lot like the missing Intune MDM certificate issue from some time ago, when the Intune certificate went missing after some devices were updated to the latest build.

The MDM certificate is issued when your device is enrolled in the Intune service. This certificate is used for all communication with the Intune service. When this certificate is not on the device, it can’t establish a trust relationship with Intune, and you will notice some problems start to occur:

  1. It stops receiving new policies and apps, or changes to existing policies.
  2. There could be compliance issues because the compliance check is not working.
  3. The Company Portal is broken.

To be sure, we checked whether the Intune certificate was present.

Yes, we were very happy the Intune certificate was still present, but wait… Expiration date 10-03-2021??? That’s last month? That could definitely be the problem. But still, it’s very strange the user was not experiencing any other problems.

Some background information: you could also use Graph to check the device’s Intune certificate expiration time.
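As an added example (not part of the original post), this script reads the same expiration date from Microsoft Graph for every managed device, so you can find devices that are already in the state described above before the user calls. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account can consent to DeviceManagementManagedDevices.Read.All.

```powershell
# Added example: list Intune-managed devices whose MDM management certificate has
# expired or expires within 30 days, using the managementCertificateExpirationDate
# property of the Graph managedDevice resource. Not the original post's script.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" | Out-Null

$WarnDays = 30
$Now      = Get-Date
$Uri      = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices" +
            "?`$select=deviceName,operatingSystem,lastSyncDateTime,managementCertificateExpirationDate"

# Follow @odata.nextLink until every page has been read
$Devices = @()
do {
    $Page     = Invoke-MgGraphRequest -Method GET -Uri $Uri
    $Devices += $Page.value
    $Uri      = $Page.'@odata.nextLink'
} while ($Uri)

$Report = foreach ($Device in $Devices) {
    # Devices without a management certificate date (e.g. never enrolled) are skipped
    if (-not $Device.managementCertificateExpirationDate) { continue }
    $Expires  = ([datetime]$Device.managementCertificateExpirationDate).ToLocalTime()
    $DaysLeft = [int]($Expires - $Now).TotalDays
    $State    = if ($Expires -le $Now)          { 'EXPIRED'  }
                elseif ($DaysLeft -le $WarnDays) { 'EXPIRING' }
                else                             { 'OK'       }
    [pscustomobject]@{
        DeviceName  = $Device.deviceName
        OS          = $Device.operatingSystem
        LastSync    = $Device.lastSyncDateTime
        CertExpires = $Expires
        DaysLeft    = $DaysLeft
        State       = $State
    }
}

# A device whose renewal task silently stopped, like the one in this post, shows up as EXPIRED
$Report | Where-Object { $_.State -ne 'OK' } | Sort-Object DaysLeft | Format-Table -AutoSize
```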

Let’s go further with our investigation. Normally the scheduled task created by enrollment for the renewal of certificate warning would make sure the certificate is renewed. I guess this schedule didn’t work, for some weird reason.

We tried to manually run the task, even though we knew this wasn’t going to work, but we needed to try.

2. Solving

Let’s solve it now! We have three options if we want to solve it. We went for the first option, just because we did not have the time to get more information about this issue… and time is money.

  1. Manually, with possible configuration loss
  2. Automatically, with no configuration loss
  3. Microsoft’s own remediation script (when your device is co-managed)

1. Manually disconnect and reconnect to Azure AD join

After rebooting the device and reconnecting it to Azure AD, we could log in again. Of course, we needed to configure Hello and other settings again. We also noticed the Make Me Admin tool was installed almost instantly. Again we opened the certificate store to check the certificate.

A new Intune certificate was deployed and, of course, the syncing problem and the app installation issue were also resolved…

2. Automatically without configuration loss

After some reading while creating this blog, I found out it was also possible to solve this problem without any configuration loss. This method should work (I did test it, of course, on a working device).

This PowerShell script will:

* Remove the enrollment registry keys

* Remove the Intune MDM certificate

* Remove the scheduled tasks

* Re-enroll into MDM

You will need to run it as SYSTEM (psexec -i -s powershell.exe):

# Registry locations that hold enrollment data under a subkey named after the enrollment ID
$RegistryKeys = "HKLM:\SOFTWARE\Microsoft\Enrollments",
                "HKLM:\SOFTWARE\Microsoft\Enrollments\Status",
                "HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked",
                "HKLM:\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled",
                "HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers",
                "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts",
                "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Logger",
                "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions"

# Determine the enrollment ID (a GUID) from the EnterpriseMgmt scheduled task folder
$EnrollmentID = Get-ScheduledTask |
    Where-Object { $_.TaskPath -like "*Microsoft*Windows*EnterpriseMgmt*" } |
    Select-Object -ExpandProperty TaskPath -Unique |
    Where-Object { $_ -like "*-*-*" } |
    Split-Path -Leaf

# Guard: an empty ID would make the -match filters below match every task and key
if (-not $EnrollmentID) {
    throw "No MDM enrollment ID found under EnterpriseMgmt; nothing to clean up."
}

# Remove the Intune MDM device certificate from the machine store
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -match "Intune MDM" } |
    Remove-Item

# Remove the scheduled tasks that belong to this enrollment
Get-ScheduledTask |
    Where-Object { $_.TaskPath -match $EnrollmentID } |
    Unregister-ScheduledTask -Confirm:$false

# Remove the enrollment's subkeys from each registry location
foreach ($Key in $RegistryKeys) {
    if (Test-Path -Path $Key) {
        Get-ChildItem -Path $Key |
            Where-Object { $_.Name -match $EnrollmentID } |
            Remove-Item -Recurse -Force -Confirm:$false -ErrorAction SilentlyContinue
    }
}

Start-Sleep -Seconds 30

# Re-enroll the device into MDM
$EnrollmentProcess = Start-Process -FilePath "C:\Windows\System32\DeviceEnroller.exe" -ArgumentList "/C /AutoenrollMDM" -NoNewWindow -Wait -PassThru

3. Microsoft remediation script?

Unfortunately I did not have a real-life problem device to test whether this script would also work when the Intune device certificate has expired: https://aka.ms/mdm_enrollment_cert_script

But looking at the script itself, I would say yes at first sight. To be sure, I needed to break a test device to check it out. After removing some registry keys and the device MDM certificate, I tried it out.

It’s not working, because the device is not co-managed. So this option is not the one you need when your device is not co-managed.

After this error, I applied the PowerShell script from option 2… and after a minute or two the certificate was recreated and the device was ready to sync with Intune again.

3. Monitoring

Of course, you want to monitor this important certificate: whether it’s available and, certainly, whether it has not expired.

You could use this script as part of your Proactive Remediations detection script:

Try {
    # Certificates from the Intune MDM Device CA that are still valid but expire within 30 days
    $Result = Get-ChildItem -Path cert: -Recurse |
        Where-Object {
            $_.NotAfter -le (Get-Date).AddDays(30) -and
            $_.NotAfter -gt (Get-Date) -and
            $_.Issuer -like "CN=Microsoft Intune MDM Device CA"
        } |
        Select-Object Issuer, NotAfter
    $ID = $Result | Measure-Object
    If ($ID.Count -gt 0) {
        # Non-zero exit code tells Proactive Remediations to run the remediation script
        Write-Output "Intune MDM certificate is going to expire $Result"
        Exit 1001
    }
    Else {
        Write-Output "Intune MDM certificate is NOT going to expire"
        Exit 0
    }
}
catch {
    Write-Warning "Value Missing"
    Exit 1001
}
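The detection above only reports a certificate that is still valid but close to expiry, so a certificate that has already expired (the situation in this post) or one that is missing altogether would not trigger remediation. As an added example, not the post’s own script, the detection below goes further and distinguishes missing, expired and soon-to-expire certificates, and also verifies the dmwappushservice that was checked earlier in the troubleshooting.

```powershell
# Added example: Proactive Remediations detection for the Intune MDM device certificate.
# Exit 1001 on any finding (remediation runs), exit 0 when everything is healthy.
$WarnDays = 30
$Issuer   = "CN=Microsoft Intune MDM Device CA"
$Now      = Get-Date
$Problems = @()

# Newest certificate issued by the Intune MDM Device CA in the machine store
$Cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -eq $Issuer } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $Cert) {
    $Problems += "No certificate issued by '$Issuer' found in Cert:\LocalMachine\My"
}
elseif ($Cert.NotAfter -le $Now) {
    # Already expired: the device can no longer authenticate to Intune at all
    $Problems += "MDM certificate $($Cert.Thumbprint) expired on $($Cert.NotAfter)"
}
elseif ($Cert.NotAfter -le $Now.AddDays($WarnDays)) {
    $DaysLeft = [int]($Cert.NotAfter - $Now).TotalDays
    $Problems += "MDM certificate $($Cert.Thumbprint) expires in $DaysLeft days ($($Cert.NotAfter))"
}

# The WAP Push Message Routing Service must exist and must not be disabled for syncing to work
$Svc = Get-Service -Name dmwappushservice -ErrorAction SilentlyContinue
if (-not $Svc) {
    $Problems += "dmwappushservice is missing"
}
elseif ($Svc.StartType -eq 'Disabled') {
    $Problems += "dmwappushservice is disabled"
}

if ($Problems.Count -gt 0) {
    Write-Output ($Problems -join '; ')
    Exit 1001
}

Write-Output "MDM certificate $($Cert.Thumbprint) valid until $($Cert.NotAfter); dmwappushservice start type $($Svc.StartType)"
Exit 0
```

Proactive Remediations runs the detection as SYSTEM, which is also the context in which Cert:\LocalMachine\My is readable without extra rights.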

If I have some free time next week, I will create the whole remediation script with a toast notification for the end user.

Conclusion:

Sometimes an easy-looking problem will take you down the rabbit hole.

Luckily, when you are at the bottom of the rabbit hole you can climb up again and solve the problem. Lesson learned: if a new problem you have never seen before comes your way, just go for it!

While troubleshooting and solving the problem you can learn a lot of new stuff. Without a working Intune device certificate, a lot of stuff will break.

To sum up what you need to check when your device stops communicating with Intune:

* Check the Intune Management Extension log

* Check if you can ping/access and reach the URLs

* Check the WAP Push Message Routing Service

* Check the MDM certificate
