Call4Cloud

Alice and the Intune MDM Device Certificate

This blog will show you how to start troubleshooting when some features of the Company Portal aren’t working. Besides the issues we had with the Company Portal we were also experiencing syncing errors!

While troubleshooting, it really took me down into multiple rabbit holes. I am going to divide this blog into multiple parts

  1. Introduction
  2. Troubleshooting the problem
  3. Checking the Intune Certificate
  4. Solving the problem
  5. Monitoring the problem
  6. When you thought you checked everything!
  7. Syncing Error 0x80072f99

1. Introduction

In one of my last blogs, I showed you which steps you could take to implement Adminless and how to make sure the end-user experience is still great.

Almost at the same time, we got a customer specialized in electrical systems with a dedicated service team who was very interested in the make me admin solution. After a good conversation to determine if other solutions would perhaps be a better solution, we noticed the service team really needs to have the possibility to configure or install apps when they need them.

Within a few minutes, we made sure, that only the technical service group was receiving the Make Me admin app. All those users were very happy except for one, the make me admin tool was not pushed to his device.

2. Troubleshooting

First, we need to do some troubleshooting before we could determine the root cause. When an App is not automatically pushed to the device you could also configure the app as “available”. If you configure the app as available the user could manually install the application from the Company Portal app, so we asked the user to open the company app and install the app.

As shown above, the app just hangs on downloading… That’s odd because the app is not that big?. We opened the incoming folder to look if the Intune management extension was doing “something”.

C:\Program Files (x86)\Microsoft Intune Management Extension\Content\Incoming\”

But it was completely empty. We needed to be sure if the Make me admin app was the only one that was experiencing problems, so we tried to install another app.

This time, we received the error: “While requesting the app an error occurred“. After looking at some other information and settings in the company portal we noticed, that the compliance status was also not checked for the last 16 days. That’s odd?

We pressed the button to check if the device had still access to the company resources… but again nothing happened and nothing changed and no errors or warnings. The next step would be syncing the device, so we did.

The last sync attempt failed. Of course, we tried to sync the device from within the Intune portal, but nothing changed again. We even tried to sync the device from the account settings.

As shown above, synchronization couldn’t be started but this time we got a nice error with it :0x80190190

The next thing we did, was to check the intune mgt log. This log is very important for troubleshooting app or sync problems.

C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\intunemanagementextension.log

DNS detection: A Proxy for url call failed? There were definitely no proxy servers configured. All other devices were working without any problems but to be sure there was also no proxy configured for the Intune management extension we checked the registry.

HKLM:\Microsoft\Softwre\IntuneManagementExtension\Proxies\AzureAD

As shown below… no proxy!

You could also use dsregcmd /status within the user’s session to check if there are somehow proxies configured!

Now we are 100% sure there are absolutely no proxies configured we needed to determine if the IP address is the same as on another device. We did ICMP/ping from a working device and the device with issues. Both of them showed us the same Ip address corresponding to the FQDN.

Okay, that’s strange I was expecting to get an error: hostname not found but it just resolved the same IP address. There goes my poem

Now we know it was definitely not a DNS issue, let’s check if there is a difference when we open the edge browser and browse to the FQDN (fef.amsub020.manage.microsoft.com) on those 2 devices.

3. Checking the Intune MDM certificate

Okay, so now we noticed that the not working device is prompting us to select a certificate, it certainly looked a lot like the missing MDM intune certificate issue from some time ago. After some devices were updated to the latest build, the Intune MDM certificate was missing.

The Intune MDM Device certificate is issued when your device is enrolled in the Intune Service. This certificate is used for communication with the Intune service.

Please note: This Intune certificate must NOT be mixed up with the Azure Ad Certificate (MS-Organization-Access) as shown below!

Voorbeeldweergave van image.png

Please beware, that when the Intune certificate is NOT present on the device it can’t establish a trust relationship with Intune. You will notice some problems will start to occur.

  1. It stops receiving new policies/apps or changes to existing policies
  2. There could be compliance issues because the compliant check is not working.
  3. The company portal is just totally broken

To rule out the missing Intune certificate issue we opened the Local certificate store!

As shown above, the Intune certificate was still present! But I am not done yet! Let’s continue and check out if the Microsoft Intune MDM device certificate is also matching our own enrollment

To be sure which certificate was in use, I opened the registry and compared the “issued to” with the one mentioned in the MS DM server registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\……\DMClient\MS DM Server

As shown above, the EntDMID matches the Intune MDM device certificate and inside this key, there is a “GUID” key that also matches the EnterpriseMgmt task in the task scheduler!

Okay… We are now sure that we don’t have any old and revoked Intune certificates and we are also very happy that the Intune certificate was still present but does the Intune device cert also has a matching private key?

Please take a look at this blog for more information about this “private key”

But…..wait….what? After taking a second look at the Intune MDM certificate, it is mentioning the Expiration date 10-03-2021??? That’s last month?  That could definitely be the problem.  But still, it’s very strange the user was not experiencing any other problems.

Some background information: You could also use Graph to check the device Intune Certificate expiration time

Let’s go further with our investigation.  Normally the schedule created by enrollment for renewal of certificate warning would make sure the certificate is renewed. I guess this schedule didn’t work, for some weird reason.

We tried to manually run the task even when we knew this wasn’t going to work but we needed to try.

4. Solving the problem

Let’s solve it now! We have got multiple options if we want to solve it. We went for the first option, just because we did not have the time to get more information about this issue… and time is money.

  1. Manually with possible configuration loss
  2. Automatically with no configuration loss
  3. Microsoft has its own Remediation script. (when your device is co-managed)

4.1. Manually disconnect and connect to Azure Ad join

After rebooting the device and reconnecting to Azure Ad, we could log in again. Of course, we needed to configure Hello again and other settings. We also noticed the Make me admin tool was installed almost instantly. Again we opened the certificate store to check the certificate.

A new Intune certificated was deployed and of course, the syncing problem and app installation issue was also resolved…

4.2. Automatically without configuration loss

After some reading, while creating this blog I found out, that it was also possible to solve this problem without some configuration loss. This method should work. (I did test it of course on a working device)

This PowerShell script will:

*Remove Enrollment registry keys

*Remove the Intune MDM certificate

*Remove the scheduled tasks

*Reenroll into MDM

You will need to run it as system!!!. You run PowerShell as system, by using: psexec -i -s powershell.exe

$RegistryKeys = "HKLM:\SOFTWARE\Microsoft\Enrollments", "HKLM:\SOFTWARE\Microsoft\Enrollments\Status","HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked", "HKLM:\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled", "HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers","HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts", "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Logger", "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions"

$IntuneCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
		$_.Issuer -match "Intune MDM" 
	} | Remove-Item

$EnrollmentID = Get-ScheduledTask | Where-Object {$_.TaskPath -like "*Microsoft*Windows*EnterpriseMgmt*"} | Select-Object -ExpandProperty TaskPath -Unique | Where-Object {$_ -like "*-*-*"} | Split-Path -Leaf
	
Get-ScheduledTask | Where-Object {$_.Taskpath -match $EnrollmentID} | Unregister-ScheduledTask -Confirm:$false
			
			foreach ($Key in $RegistryKeys) {
				if (Test-Path -Path $Key) {
					get-ChildItem -Path $Key | Where-Object {$_.Name -match $EnrollmentID} | Remove-Item -Recurse -Force -Confirm:$false -ErrorAction SilentlyContinue
	}
			}

			Start-Sleep -Seconds 30
		
$EnrollmentProcess = Start-Process -FilePath "C:\Windows\System32\DeviceEnroller.exe" -ArgumentList "/C /AutoenrollMDM" -NoNewWindow -Wait -PassThru

4.3. Microsoft Remediation script?

Unfortunately, I did not have a real-life problem device to test if this script would also work if the intune device certificate is expired: https://aka.ms/mdm_enrollment_cert_script

But looking at the script itself, I would say yes at first sight?. To be sure, I needed to break down a test device to check it out. After removing some registry keys and the device MDM certificate I tried it out.

It’s not working because the device is not co-managed. So this option is not the one you need when your device is not co-managed.

After this error, I applied the Powershell script from option 2… and after a minute or 2 the certificate was recreated again and the device was ready to sync with Intune again.

5. Monitoring

Of course, you want to monitor this important certificate, if it’s available and certainly if it’s not expired.

You could use this script as a part of your Proactive remediation detection script

Try {
$Result = Get-ChildItem -Path cert: -Recurse | where { $_.notafter -le (get-date).AddDays(30) -AND $_.notafter -gt (get-date) -and $_.issuer -like "CN=Microsoft Intune MDM Device CA" }  | select issuer, notafter
$ID = $Result | measure-Object
If ($ID.Count -gt 0)
{
    Write-Output "Intune MDM certificate is going to expire $result"
  Exit 1001
}
Else
{
    Write-Output "Intune MDM certificate is NOT going to expire"
  Exit 0
}
}
catch
{
Write-Warning "Value Missing"
Exit 1001
}

6. Conflicting Service Plans!

When you are experiencing the 0x80190190 error and you have checked everything I told you above and it’s still not working there could be something else going on.

But this one is quite simple… luckily. Please check out if there are conflicting service licensing plans. If so resolve it and try to sync your device again!

7. Syncing Error 0x80072f99

As I told you earlier in the blog, lingering enrollments and duplicate Certificates are also not good! Here is a good real-life example!

After guiding him through all the troubleshooting steps from this blog, we noticed that there were 2 Microsoft Intune MDM devices certificates

When you have a device with multiple valid and still “working?” Intune MDM device certificates as you could have noticed in the screenshot above, you could run into other weird sync errors like Unknown Win32 Error code 0x80072f99. This error normally means that there is no private key available (ERROR_WINHTTP_CLIENT_CERT_NO_PRIVATE_KEY).

I asked him to just start removing one of the certificates and start the sync!

As shown above, when you run into the error 0x80072f99, please make sure there is only 1 MDM certificate

A little heads-up! Please make sure you export the certificate with its private key before deleting it!

Conclusion:

Sometimes an easy-looking problem will take you down into the rabbit hole. Luckily when you are at the bottom of the rabbit hole you can climb up again and solve the problem.  Lesson learned if a new problem finds your way which you never have seen before just go for it!

While troubleshooting and solving the problem you could learn a lot of new stuff. Without a working Intune device certificate, a lot of stuff will break but with multiple working certificates, things could also break.

Lajos Simicska declares war on Viktor Orban: "It's either him or me!" - The  Budapest Beacon

5 thoughts on “Alice and the Intune MDM Device Certificate

  1. Thank you, sir. The re-enroll script helped me get a machine back into MDM that had the error in company portal saying “this device is already set up in another organization”. This happened because a machine was imaged with the same name as the problem machine, then renamed and deleted from on prem AD. (we are in co-mgmt with SCCM). We then re-joined to the domain (which created a new computer object), and everything worked except for intune mdm. Thanks for the quality content!

  2. Thank you very much Rudy! Same as Max, I wasn’t able to enroll devices that were imaged with the same name and your script helped to enroll the device back to Intune. Great content !

  3. Hi Rudy,

    Your blogs and your guidance on this issue has given me a new way to troubleshoot any issue.

    Thank you so much for helping Sysadmins like me.

    Your in-depth saved a lot of my time.

    Kudos to you Rudy. 🙂

    Regards,
    Ashish Arya

Leave a Reply

Your email address will not be published. Required fields are marked *

  +  70  =  75