Intune Sync Debug Tool: The Last Royal Treasure


In this blog I will show and explain the Intune Sync Debug PowerShell tool I wrote to fix those damn Intune MDM device CA certificate issues.

1. Installing and running the tool

I published the PowerShell tool on the PowerShell Gallery, so installing and running it takes only a few seconds.

Intune Sync Debug Tool kit download

If you want to install the tool, just enter the Install-Module command and accept all the prompts (NuGet provider).

Install-Module IntuneSyncDebugTool -Force

After the tool has been installed, you can start running it by entering this command, which calls the function inside the module.

Test-IntuneSyncErrors

On a working device, we will notice that all the tests the script performs end up with a green message.

running the intune sync debug tool kit

In the next parts, we will take a closer look at the script itself and at what it looks like when your device is experiencing some sync issues.

2. What issues does it fix

Let me share some of the stuff the PowerShell tool will detect and fix for you!

  • Intune Certificate ended up in the Wrong store
  • Intune Certificate expiration Date
  • Intune Certificate Private Key missing
  • Intune Certificate Missing

When it detects one of those issues, it will ask you whether to apply the fix! I will explain the fix in part 3.

2.1 Intune Certificate ended up in the Wrong store

I guess we all know this issue by now. Some time ago I wrote a blog about how and when the Intune certificate ends up in the “wrong” certificate store.

Intune | MDM-only | Enrollment | Missing Device Certificate (call4cloud.nl)

In that blog, I also showed you how you could fix that issue, so I made sure the detection and remediation are also part of this PowerShell tool.


2.2 Intune Certificate expiration Date

Renewing your Intune certificate can be challenging sometimes… I know! A week or so ago, I decided to write a blog explaining the whole technical flow behind it.

What happens when renewing the Intune MDM Certificate (call4cloud.nl)

In that same blog, I also mentioned another blog I wrote long ago about fixing those certificates that expired.

Sync issues 0x80190190 and the Intune MDM device Certificate (call4cloud.nl)


2.3 Intune Certificate is missing its private key

This issue is a funny one but also a nasty one, because if the Intune device certificate is somehow missing its private key (and yes, I have seen it happen a lot) you are pretty much screwed. Luckily I also wrote a blog about that particular issue and how to deal with it.

Troubleshooting the Intune Device Sync error 0x80072f99 (call4cloud.nl)


2.4 Intune Certificate Missing

Luckily we can still call upon deviceenroller.exe to fix this, as I mentioned in the blog below.

Enroll existing Azure Ad joined Devices into MDM | Intune (call4cloud.nl)
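The four certificate conditions from part 2 as one detection routine. This is an added example, not the tool's own code; it assumes the issuer name “Microsoft Intune MDM Device CA”, that LocalMachine\My is the expected store, and that the SSLClientCertReference value under HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID> has the form “MY;System;<thumbprint>” (taken from the comments below this post, not verified here).

```powershell
# Added example (not the tool's code): find the Intune MDM device certificate
# and report wrong store, expiry, missing private key and missing certificate.
function Test-IntuneDeviceCertificate {
    [CmdletBinding()]
    param([int]$WarnDays = 30)

    $issuer = 'CN=Microsoft Intune MDM Device CA'   # assumed issuer name
    $stores = 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'
    $found = foreach ($s in $stores) {
        Get-ChildItem -Path $s -ErrorAction SilentlyContinue |
            Where-Object { $_.Issuer -eq $issuer } |
            Select-Object @{n='Store';e={$s}}, Thumbprint, NotAfter, HasPrivateKey
    }

    $findings = [System.Collections.Generic.List[string]]::new()
    if (-not $found) {
        $findings.Add('Intune certificate missing from every store checked (part 2.4)')
        return $findings
    }
    foreach ($c in $found) {
        if ($c.Store -ne 'Cert:\LocalMachine\My') {
            $findings.Add("Cert $($c.Thumbprint) is in $($c.Store), not LocalMachine\My (part 2.1)")
        }
        if ($c.NotAfter -lt (Get-Date)) {
            $findings.Add("Cert $($c.Thumbprint) expired on $($c.NotAfter) (part 2.2)")
        } elseif ($c.NotAfter -lt (Get-Date).AddDays($WarnDays)) {
            $findings.Add("Cert $($c.Thumbprint) expires on $($c.NotAfter), within $WarnDays days")
        }
        if (-not $c.HasPrivateKey) {
            $findings.Add("Cert $($c.Thumbprint) has no private key (part 2.3)")
        }
    }

    # Cross-check: an enrollment in the registry must reference a cert we found.
    $enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue
    $refs = foreach ($e in $enrollments) {
        $v = (Get-ItemProperty -Path $e.PSPath -Name SSLClientCertReference -ErrorAction SilentlyContinue).SSLClientCertReference
        if ($v) { ($v -split ';')[-1].ToUpper() }   # assumed format "MY;System;<thumbprint>"
    }
    $thumbs = $found.Thumbprint | ForEach-Object { $_.ToUpper() }
    if ($refs -and -not ($refs | Where-Object { $thumbs -contains $_ })) {
        $findings.Add('No enrollment SSLClientCertReference points at an Intune certificate in a store')
    }
    if ($findings.Count -eq 0) { $findings.Add('OK: Intune device certificate looks healthy') }
    return $findings
}

Test-IntuneDeviceCertificate | ForEach-Object { Write-Output $_ }
```

Run it in an elevated PowerShell session; every finding names the part of this post that explains the matching fix.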

3. Taking a look at the FIX and other functions

As we have seen in part 2, this PowerShell tool does fix some stuff. Let me show you some important parts of the tool.

  • Fix-Certificate
  • Fix-MDMurls
  • Check-dmwapservice
  • Get-schedule1

Let me start by showing you the Fix-Certificate function first.

3.1 Fix-Certificate

This function fixes your Intune certificate by launching PsExec and executing a Base64-encoded command. If you want to know what this encoded command contains, just copy and paste it into this website to decode it: Base64 Decode and Encode – Online

To save you some trouble… that encoded command is nothing more than the fix I mentioned in part 2.4.

Besides the encoded command, the tool also contains some other functions to fix some missing stuff. Let me explain them a bit more!

3.2 Missing MDM URLs

When you enroll your device into Intune, your user must be in the MDM scope and have a proper license applied.

Sometimes, when you try to enroll a device into Intune right after adding the user to the MDM scope, the MDM URLs can still be missing when you look at the dsregcmd status output.


If those MDM URLs are not configured or your user is not part of the MDM scope, you could end up with a nice event saying that the Device Credential (0x0) failed because Mobile Device Management (MDM) is not configured (event 76).


This fix tries to find the proper TenantInfo and the corresponding MDM URLs in the registry, and if it can’t find them, it creates them!


3.3 Dmwappushservice

This service is quite important when your device is enrolling into Intune; without it you will end up with some weird stuff and a non-working Intune enrollment.

Luckily, I am going to publish a new blog next week explaining why this service is so important. Almost a coincidence, right?


3.4 Get-Schedule

If we have tried to fix the certificate or sync issue, we still need to determine whether the “Schedule #1 created by enrollment client” task is running or ready. If that task isn’t running after the device has been enrolled into Intune, you could again end up with some weird sync errors.
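The checks from parts 3.2, 3.3 and 3.4 in one routine, as an added example that is not the tool's own code. It assumes the MDM URLs live under HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\<TenantId> as MdmEnrollmentUrl, MdmTermsOfUseUrl and MdmComplianceUrl, and that the enrollment task lives under \Microsoft\Windows\EnterpriseMgmt\<EnrollmentGUID>\; verify both against a healthy device in your own tenant.

```powershell
# Added example (not the tool's code): detect missing MDM URLs, a missing or
# disabled dmwappushservice, and an enrollment Schedule #1 that is not Ready/Running.
function Test-IntuneEnrollmentPlumbing {
    [CmdletBinding()]
    param()
    $findings = [System.Collections.Generic.List[string]]::new()

    # 3.2 - TenantInfo and the MDM URLs (assumed value names, see lead-in)
    $tenantRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo'
    $tenants = Get-ChildItem $tenantRoot -ErrorAction SilentlyContinue
    if (-not $tenants) { $findings.Add("No TenantInfo under $tenantRoot - is the device Azure AD joined?") }
    foreach ($t in $tenants) {
        $p = Get-ItemProperty $t.PSPath
        foreach ($name in 'MdmEnrollmentUrl', 'MdmTermsOfUseUrl', 'MdmComplianceUrl') {
            if ([string]::IsNullOrWhiteSpace($p.$name)) {
                $findings.Add("TenantInfo $($t.PSChildName) is missing $name (part 3.2)")
            }
        }
    }

    # 3.3 - dmwappushservice must exist and must not be disabled
    $svc = Get-Service -Name dmwappushservice -ErrorAction SilentlyContinue
    if (-not $svc) { $findings.Add('dmwappushservice is not installed (part 3.3)') }
    elseif ($svc.StartType -eq 'Disabled') { $findings.Add('dmwappushservice is Disabled (part 3.3)') }

    # 3.4 - the enrollment client's Schedule #1 must be Ready or Running
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -eq 'Schedule #1 created by enrollment client' }
    if (-not $tasks) { $findings.Add('"Schedule #1 created by enrollment client" not found (part 3.4)') }
    foreach ($task in $tasks) {
        if ($task.State -notin 'Ready', 'Running') {
            $findings.Add("$($task.TaskPath)$($task.TaskName) is $($task.State), not Ready/Running (part 3.4)")
        }
    }

    if ($findings.Count -eq 0) { $findings.Add('OK: MDM URLs, dmwappushservice and Schedule #1 all look fine') }
    return $findings
}

Test-IntuneEnrollmentPlumbing | ForEach-Object { Write-Output $_ }
```

The routine only reports; creating the missing URLs is left to the tool's Fix-MDMurls function described above.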


4. How it Looks when It breaks and when we fix it!

If your device has one of the issues I mentioned in the previous parts, the script will detect it and fix it.


I recorded a video showing you what happens when the Intune device certificate is gone and needs fixing!

Conclusion

Having sync issues on your device is terrible; hopefully those bad days are gone with the use of this magical Intune Sync Debug Tool.

IntuneSyncDebugTool – YouTube

16 thoughts on “Intune Sync Debug Tool: The Last Royal Treasure”

  1. Hi Rudy, great tool. I tested it on a notebook with some issues, this is the result.

    Determing if the certificate mentioned in the SSLClientCertreference is also configured in the Enrollments part of the registry
    Intune Device Certificate is not configured in the Registry Enrollments

    Determing if the certificate subject is also configured in the EntDMID key
    I have some shitty news! The EntDMID key is not configured, you probably need to reboot the device and run the test again

    1. Hi… It’s kind of weird that the device doesn’t have the SSL client cert reference configured. When taking a look at that registry key, could you determine if it’s there? (the same with the EntDMID)

      1. I had the same issue and what’s happening is when line 317 sets the variable for $GUID, sometimes it finds and stores 2 GUIDs. Then line 327 is running Get-ItemProperty -Path “HKLM:SOFTWARE\Microsoft\Enrollments\$guid\DMClient\MS DM Server” and plugging in two GUIDs into that string.

        This results in an error like this:

        Cannot find path ‘HKLM:\SOFTWARE\Microsoft\Enrollments\16D8DC3B-08F6-4050-99ED-507BB8A6CDFC
        F4D6AAB1-6372-4BCF-A66F-CCD2C5F05088\DMClient\MS DM Server’ because it does not exist.

  2. Hi Rudy,
    great tool
    I got an error. Do I need to create a file or something “MDMDiagReport.html”
    _____________________________________
    Hold on a moment… Initializing a sync and checking the MDM logs for sync errors!

    Report location folder C:\Users\AVI~1.ACH\AppData\Local\Temp\diag\
    Select-String : Cannot find path ‘C:\Users\AVI~1.ACH\AppData\Local\Temp\diag\MDMDiagReport.html’ because it does not
    exist.
    At C:\Program Files\WindowsPowerShell\Modules\intunesyncdebugtool\1.0.0.7\intunesyncdebugtool.psm1:188 char:16
    + … eckmdmlog = Select-String -Path $env:TEMP\diag\MDMDiagReport.html -Pa …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (C:\Users\AVI~1….DiagReport.html:String) [Select-String], ItemNotFound
    Exception
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.SelectStringCommand

    \ Avi A.

    1. What happens when you manually try to execute this on the device: Start-Process MdmDiagnosticsTool.exe -Wait -ArgumentList “-out $env:TEMP\diag\” -NoNewWindow

  3. This command is not running on my Autopilot PC.

    test-intunesyncerrors

    4:23 PM PS C:\Windows\system32> test-intunesyncerrors
    test-intunesyncerrors : The ‘test-intunesyncerrors’ command was found in the module ‘intunesyncdebugtool’, but the
    module could not be loaded. For more information, run ‘Import-Module intunesyncdebugtool’.
    At line:1 char:1
    + test-intunesyncerrors
    + ~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (test-intunesyncerrors:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CouldNotAutoloadMatchingModule

  4. Hi Rudy, first thank you. I ran into this issue during my hybrid-join pilot and was able to get my user to sync again.

    With that said, do you have a version of the fix that doesn’t include the beer jokes 😀 I would like for my service desk to use this tool if they encounter devices that are failing to sync but the beer stuff may throw some folks off.

  5. Would there be a way to edit this with an automated version (no prompts)? We want to deploy the script using an RMM, as well as for new machines we setup?

  6. Great idea! However, I seem to be getting an error where it is detecting that the device is not enrolled in Intune when I am absolutely certain that it is. Is there something I’m doing wrong?

  7. This has been a lifesaver for us! In the spirit of automating, is there any way to run the test-intunesyncerrors command without the “are you sure” prompt?

  8. Great article and script!
    We noticed clients not receiving a renew certificate, but under the hood I think the sync is failing.
    On multiple clients we can see this in the IntuneManagementExtension.log:

    For clients which fail to sync or do not get certificates we cannot see this log-item anymore:

    I’m thinking that the URL checkin.dm.microsoft.com/RestUserAuthLocationService/RestUserAuthLocationService/Certificate/ServiceAddresses is the problem, we already have an open a ticket with Microsoft from April.

    After running your script I can see following:

    manage.microsoft.com is indeed, I think, the right URL. Is this something that is fixed with your script?
    If so, maybe we can automate the process.
    But I’d like to find the root cause, certainly if there is a setting somewhere under the hood.
    Do you have any advice?

    1. If you could reach out to me on Teams, we can take a closer look at what is happening, as a lot also depends on how those devices were enrolled. The checkin URL should be the issue… as I assume you enabled the Intune Suite?
