Last Updated on April 14, 2023 by rudyooms

This blog will show you how to start troubleshooting when some features of the Company Portal aren’t working. Besides the issues we had with the Company Portal, we were also experiencing syncing errors!

While troubleshooting, it really took me down multiple rabbit holes. I am going to divide this blog into multiple parts

1. Introduction
2. Troubleshooting the problem
3. Checking the Intune Certificate
4. Certificate Renewal Flow
5. Solving the problem
6. Monitoring the problem
7. Troubleshooting Intune Device Certificate Issues

1. Introduction

In one of my last blogs, I showed you which steps you could take to implement Adminless and how to make sure the end-user experience is still great.

Almost at the same time, we got a customer specialized in electrical systems with a dedicated service team who was very interested in the make me admin solution. After a good conversation to determine if other solutions would perhaps be better solutions, we noticed the service team really needs to have the possibility to configure or install apps when they need them.

Within a few minutes, we made sure, that only the technical service group was receiving the Make Me admin app. All those users were very happy except for one, the make me admin tool was not pushed to his device.

2. Troubleshooting

First, we need to do some troubleshooting before we could determine the root cause. When an App is not automatically pushed to the device you could also configure the app as “available”. If you configure the app as available the user could manually install the application from the Company Portal app, so we asked the user to open the company app and install the app.

As shown above, the app just hangs on downloading… That’s odd because the app is not that big?. We opened the incoming folder to look if the Intune management extension was doing “something”.

“C:\Program Files (x86)\Microsoft Intune Management Extension\Content\Incoming\”

But it was completely empty. We needed to be sure if the Make me admin app was the only one that was experiencing problems, so we tried to install another app.

This time, we received the error: “While requesting the app an error occurred“. After looking at some other information and settings in the company portal we noticed, that the compliance status was also not checked for the last 16 days. That’s odd?

We pressed the button to check if the device had still access to the company resources… but again nothing happened and nothing changed and no errors or warnings. The next step would be syncing the device, so we did.

The last sync attempt failed. Of course, we tried to sync the device from within the Intune portal, but nothing changed again. We even tried to sync the device from the account settings.

As shown above, synchronization couldn’t be started but this time we got a nice error with it:0x80190190 AKA Invalid Request (400)

The next thing we did, was to check the intune mgt log. This log is very important for troubleshooting app or sync problems.

C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\intunemanagementextension.log

DNS detection: A Proxy for url call failed? There were definitely no proxy servers configured. All other devices were working without any problems but to be sure there was also no proxy configured for the Intune management extension we checked the registry.

HKLM:\Microsoft\Softwre\IntuneManagementExtension\Proxies\AzureAD

As shown below… no proxy!

You could also use dsregcmd /status within the user’s session to check if there are somehow proxies configured!

Now we are 100% sure there are absolutely no proxies configured we needed to determine if the IP address is the same as on another device. We did ICMP/ping from a working device and the device with issues. Both of them showed us the same Ip address corresponding to the FQDN.

Okay, that’s strange I was expecting to get an error: hostname not found but it just resolved the same IP address. There goes my poem…

Now we know it was definitely not a DNS issue, let’s check if there is a difference when we open the edge browser and browse to the FQDN (fef.amsub020.manage.microsoft.com) on those 2 devices.

3. Checking the Intune MDM certificate

Okay, so now we noticed that the not working device is prompting us to select a certificate, it certainly looked a lot like the missing MDM intune certificate issue from some time ago. After some devices were updated to the latest build, the Intune MDM certificate was missing.

The Intune MDM Device certificate is issued when your device is enrolled in the Intune Service. This certificate is used for communication with the Intune service.

Please note: This Intune certificate must NOT be mixed up with the Azure Ad Certificate (MS-Organization-Access) as shown below!

Please beware, that when the Intune certificate is NOT present on the device it can’t establish a trust relationship with Intune. You will notice some problems will start to occur.

1. It stops receiving new policies/apps or changes to existing policies
2. There could be compliance issues because the compliance check is not working.
3. The company portal is just totally broken

To rule out the missing Intune certificate issue we opened the Local certificate store!

As shown above, the Intune certificate was still present! But I am not done yet! Let’s continue and check out if the Microsoft Intune MDM device certificate is also matching our own enrollment

To be sure which certificate was in use, I opened the registry and compared the “issued to” with the one mentioned in the MS DM server registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\……\DMClient\MS DM Server

As shown above, the EntDMID matches the Intune MDM device certificate and inside this key, there is a “GUID” key that also matches the EnterpriseMgmt task in the task scheduler!

Okay… We are now sure that we don’t have any old and revoked Intune certificates and we are also very happy that the Intune certificate was still present but does the Intune device cert also has a matching private key?

Please take a look at this blog for more information about this “private key”

But…..wait….what? After taking a second look at the Intune MDM certificate, it is mentioning the Expiration date 10-03-2021??? That’s last month?  That could definitely be the problem.  But still, it’s very strange the user was not experiencing any other problems.

Some background information: You could also use Graph to check the device Intune Certificate expiration time

Let’s go further with our investigation.  Normally the schedule created by enrollment for renewal of certificate warning would make sure the certificate is renewed. I guess this schedule didn’t work, for some weird reason.

We tried to manually run the task even when we knew this wasn’t going to work but we needed to try. Before I continue I will show you some more information about this “Schedule Created by enrollment client for renewal of certificate warning”

4. Certificate Renewal Flow

When you are interested in how the Intune Device Certificate is renewed and what could break during that process, this blog should explain to you all the details that there out there! Hope you enjoy it

What happens when renewing the Intune MDM Certificate (call4cloud.nl)

5. Solving the problem

Now we have seen the certificate renewal process, let’s solve it now! We have got multiple options if we want to solve it. We went for the first option, just because we did not have the time to get more information about this issue… and time is money.

Please Note: Before trying to solve it, please make sure you aren’t blocking personal devices in the Intune Device Enrollment Restrictions.

Otherwise, you could end up with error 71 mentioning that the MDM-Server doesn’t support this platform (DeviceManagement-Enterprise-Diagnostics-Provider) This error is also known by the famous error code 0x80180014

• Manually with possible configuration loss
• Automatically with no configuration loss
• Microsoft has its own Remediation script. (when your device is co-managed)

5.1. Manually disconnect and connect to Azure Ad join

After rebooting the device and reconnecting to Azure Ad, we could log in again. Of course, we needed to configure Hello again and other settings. We also noticed the Make me admin tool was installed almost instantly. Again we opened the certificate store to check the certificate.

A new Intune certificated was deployed and of course, the syncing problem and app installation issue was also resolved…

5.2. Automatically without configuration loss

After some reading, while creating this blog I found out, that it was also possible to solve this problem without some configuration loss. This method should work. (I did test it of course on a working device)

This PowerShell script will:

*Remove Enrollment registry keys

*Remove the Intune MDM certificate

*Remove the scheduled tasks

*Reenroll into MDM

You will need to run it as system!!!. You run PowerShell as system, by using: psexec -i -s powershell.exe

$RegistryKeys = "HKLM:\SOFTWARE\Microsoft\Enrollments", "HKLM:\SOFTWARE\Microsoft\Enrollments\Status","HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked", "HKLM:\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled", "HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers","HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts", "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Logger", "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions"

$EnrollmentID = Get-ScheduledTask -taskname 'PushLaunch' -ErrorAction SilentlyContinue | Where-Object {$_.TaskPath -like "*Microsoft*Windows*EnterpriseMgmt*"} | Select-Object -ExpandProperty TaskPath -Unique | Where-Object {$_ -like "*-*-*"} | Split-Path -Leaf

		foreach ($Key in $RegistryKeys) {
				if (Test-Path -Path $Key) {
					get-ChildItem -Path $Key | Where-Object {$_.Name -match $EnrollmentID} | Remove-Item -Recurse -Force -Confirm:$false -ErrorAction SilentlyContinue
	}
}
$IntuneCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
		$_.Issuer -match "Intune MDM" 
	} | Remove-Item
if ($EnrollmentID -ne $null) { 
	foreach ($enrollment in $enrollmentid){
			Get-ScheduledTask | Where-Object {$_.Taskpath -match $Enrollment} | Unregister-ScheduledTask -Confirm:$false
			$scheduleObject = New-Object -ComObject schedule.service
			$scheduleObject.connect()
			$rootFolder = $scheduleObject.GetFolder("\Microsoft\Windows\EnterpriseMgmt")
			$rootFolder.DeleteFolder($Enrollment,$null)
} 
} 

#####IF EPM ENROLLED#### Unblock this 
#$EnrollmentIDMDM = Get-ScheduledTask | Where-Object {$_.TaskPath -like "*Microsoft*Windows*EnterpriseMgmt*"} | Select-Object -ExpandProperty TaskPath -Unique | Where-Object {$_ -like "*-*-*"} | Split-Path -Leaf
#		foreach ($Key in $RegistryKeys) {
#				if (Test-Path -Path $Key) {
#					get-ChildItem -Path $Key | Where-Object {$_.Name -match $EnrollmentIDMDM} | Remove-Item -Recurse -Force -Confirm:$false -ErrorAction SilentlyContinue
#	}
#}
#if ($EnrollmentIDMDM -ne $null) { 
#	foreach ($enrollment in $enrollmentidMDM){
#			Get-ScheduledTask | Where-Object {$_.Taskpath -match $Enrollment} | Unregister-ScheduledTask -Confirm:$false
#			$scheduleObject = New-Object -ComObject schedule.service
#			$scheduleObject.connect()
#			$rootFolder = $scheduleObject.GetFolder("\Microsoft\Windows\EnterpriseMgmt")
#			$rootFolder.DeleteFolder($Enrollment,$null)
#} 
#$IntuneCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
#		$_.Issuer -match "Microsoft Device Management Device CA" 
#	} | Remove-Item
#}	
Start-Sleep -Seconds 5
$EnrollmentProcess = Start-Process -FilePath "C:\Windows\System32\DeviceEnroller.exe" -ArgumentList "/C /AutoenrollMDM" -NoNewWindow -Wait -PassThru

Please note: When you don’t delete all of the stuff that I mentioned you will end up with some weird behavior mentioning that there are no more endpoints available from the endpoint mapper 0x800706D9

So please make sure everything is removed before starting the enrollment using the deviceenroller again!

5.3. Microsoft Remediation script?

Unfortunately, I did not have a real-life problem device to test if this script would also work if the intune device certificate is expired: https://aka.ms/mdm_enrollment_cert_script

But looking at the script itself, I would say yes at first sight?. To be sure, I needed to break down a test device to check it out. After removing some registry keys and the device MDM certificate I tried it out.

It’s not working because the device is not co-managed. So this option is not the one you need when your device is not co-managed.

After this error, I applied the Powershell script from option 2… and after a minute or 2 the certificate was recreated again and the device was ready to sync with Intune again.

6. Monitoring

Of course, you want to monitor this important certificate, if it’s available, and certainly, if it’s not expired.

You could use this script as a part of your Proactive remediation detection script

Try {
$Result = Get-ChildItem -Path cert: -Recurse | where { $_.notafter -le (get-date).AddDays(30) -AND $_.notafter -gt (get-date) -and $_.issuer -like "CN=Microsoft Intune MDM Device CA" }  | select issuer, notafter
$ID = $Result | measure-Object
If ($ID.Count -gt 0)
{
    Write-Output "Intune MDM certificate is going to expire $result"
  Exit 1001
}
Else
{
    Write-Output "Intune MDM certificate is NOT going to expire"
  Exit 0
}
}
catch
{
Write-Warning "Value Missing"
Exit 1001
}

7. Troubleshooting Intune Device Certificate Issues

I removed this part from this blog and dedicated a unique blog to it. It will show you all the steps you could take when you need to troubleshoot 0x80072f99 and 0x80090029 errors

Conclusion:

Sometimes an easy-looking problem will take you down into the rabbit hole. Luckily when you are at the bottom of the rabbit hole you can climb up again and solve the problem.  Lesson learned if a new problem finds your way that you never have seen before just go for it!

While troubleshooting and solving the problem you could learn a lot of new stuff. Without a working Intune device certificate, a lot of stuff will break but with multiple working certificates, things could also break.