Last Updated on October 18, 2022 by rudyooms
In this blog I will show and explain the Intune Sync Debug PowerShell tool I wrote to fix those damn Intune MDM Device CA certificate issues.
I will divide this blog into multiple parts:
- Installing the tool
- What issues does it fix?
- Taking a look at the Fix and other functions
- How it looks when it breaks and when we fix it
1. Installing and running the tool
I published the PowerShell tool on the PowerShell Gallery, so installing and running the tool is done within a few seconds.
To install the tool, just run the Install-Module command below and accept all the prompts (NuGet provider):
install-module intunesyncdebugtool -force
After the tool has been installed, you can start the script by entering the command that calls up the function inside the module.
On a working device, every test the script performs ends in a green message.
In the next parts, we will take a closer look at the script itself and at what it looks like when your device is experiencing sync issues.
2. What issues does it fix
Let me sum up some of the issues the PowerShell tool will detect and fix for you:
- Intune Certificate ended up in the Wrong store
- Intune Certificate expiration Date
- Intune Certificate Private Key missing
- Intune Certificate Missing
When it detects one of those issues, it will ask you whether to apply the fix. I will explain the fix in part 3.
2.1 Intune Certificate ended up in the Wrong store
I guess we all know this issue by now. Some time ago I wrote a blog about how and when the Intune certificate ends up in the “wrong” certificate store.
In that blog, I also showed you how to fix that issue, so I made sure the detection and remediation are also part of this PowerShell tool.
2.2 Intune Certificate expiration Date
Renewing your Intune certificate can be challenging sometimes…. I know! A week or so ago, I decided to write a blog explaining the whole technical flow behind it.
In that same blog, I also mentioned another blog I wrote long ago about fixing certificates that have expired.
2.3 Intune Certificate is missing its private key
This issue is a funny one but also a nasty one, because if the Intune device certificate is somehow missing its private key (and yes, I have seen it happening a lot) you are pretty much screwed. Luckily I also wrote a blog about that particular issue and how to deal with it.
2.4 Intune Certificate Missing
Last but not least, I have seen it happening from time to time that the Intune device certificate is missing in action. I guess we all know what happens when that certificate decides to take a long vacation.
Luckily we can still call up on deviceenroller.exe to fix this, as I mentioned in the blog below.
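To show how the four conditions from part 2 can be detected on a device, here is an added example (my own illustration, not the IntuneSyncDebugTool's code) that scans the certificate stores for certificates issued by the Intune MDM Device CA and classifies each one. It assumes the issuer name contains 'Microsoft Intune MDM Device CA' and that a healthy device keeps that certificate in LocalMachine\My; both are assumptions, not taken from the tool.

```powershell
# Added example (not the IntuneSyncDebugTool's own code): scan every certificate
# store on the device for certificates issued by the Intune MDM Device CA and flag
# the four conditions from part 2. Run in an elevated PowerShell session.
# Assumptions: the issuer name contains 'Microsoft Intune MDM Device CA' and a
# healthy device keeps that certificate in LocalMachine\My (the Personal store).
$IssuerPattern = 'Microsoft Intune MDM Device CA'
$ExpectedStore = 'LocalMachine\My'

function Get-IntuneDeviceCertStatus {
    $found = foreach ($location in 'LocalMachine', 'CurrentUser') {
        foreach ($store in Get-ChildItem -Path "Cert:\$location") {
            Get-ChildItem -Path "Cert:\$location\$($store.Name)" -ErrorAction SilentlyContinue |
                Where-Object { $_.Issuer -like "*$IssuerPattern*" } |
                ForEach-Object {
                    [pscustomobject]@{
                        Store         = "$location\$($store.Name)"
                        Thumbprint    = $_.Thumbprint
                        NotAfter      = $_.NotAfter
                        HasPrivateKey = $_.HasPrivateKey
                    }
                }
        }
    }

    if (-not $found) {
        # 2.4: nothing issued by the Intune MDM Device CA anywhere on the device
        return [pscustomobject]@{ Issue = 'Missing'; Store = ''; Thumbprint = ''; NotAfter = '' }
    }

    foreach ($c in $found) {
        # Order matters: a certificate in the wrong store is reported as such even if it is also expired
        if     ($c.Store -ne $ExpectedStore)   { $issue = 'WrongStore' }          # 2.1
        elseif ($c.NotAfter -lt (Get-Date))    { $issue = 'Expired' }             # 2.2
        elseif (-not $c.HasPrivateKey)         { $issue = 'PrivateKeyMissing' }   # 2.3
        else                                   { $issue = 'OK' }
        [pscustomobject]@{
            Issue      = $issue
            Store      = $c.Store
            Thumbprint = $c.Thumbprint
            NotAfter   = $c.NotAfter
        }
    }
}

Get-IntuneDeviceCertStatus | Format-Table -AutoSize
```

Any row other than OK corresponds to one of the four fixes described above; the scan is read-only and changes nothing on the device.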
3. Taking a look at the FIX and other functions
As we have seen in part 2, this PowerShell tool does fix some stuff. Let me show you some important parts of the tool.
Let me start by showing you the fix-Certificate function first.
This function fixes your Intune certificate by launching PsExec and executing a Base64-encoded command. If you want to know what that encoded command contains, just copy and paste it into this website to decode it: Base64 Decode and Encode – Online
To save you some trouble…. that encoded command is nothing more than the fix I mentioned in part 2.4.
Besides the encoded command, the tool also contains some other functions to fix some missing stuff. Let me explain them a bit more!
3.2. Missing MDM-URLs
When you need to enroll your device into Intune, your user needs to be part of the MDM scope and needs to have a proper license applied.
Sometimes, when you have only just added the user to the MDM scope and then try to enroll a device into Intune, the MDM URLs can still be missing when you take a look at the dsregcmd status output.
If those MDM URLs are not configured, or your user is not part of the MDM scope, you could end up with a nice event 76 mentioning that the Device Credential (0x0) failed because Mobile Device Management (MDM) is not configured.
This fix will try to find the proper TenantInfo and the corresponding MDM URLs in the registry, and if it can't find those URLs it will create them!
This service is quite important when your device is enrolling into Intune; without it you will end up with some weird behaviour and a broken Intune enrollment.
Luckily I am going to publish a new blog next week explaining why this service is so important. Almost a coincidence, right?
After we have tried to fix the certificate or sync issue, we still need to determine whether the “Schedule #1 created by enrollment client” task is running or ready. If that task isn't running after the device has been enrolled into Intune, you could again end up with some weird sync errors.
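As an added example of the two checks described in part 3 (my own illustration, not the tool's code), the snippet below looks for the MDM URLs under the TenantInfo registry key that dsregcmd reports, and then checks the state of the “Schedule #1 created by enrollment client” task. The TenantInfo path, the value names and the default Intune URLs are assumptions based on a standard Intune enrollment; compare them against a healthy device before relying on the -Repair switch.

```powershell
# Added example (not the IntuneSyncDebugTool's own code): check the two items part 3
# describes, the MDM URLs under the TenantInfo registry key that dsregcmd reports and
# the "Schedule #1 created by enrollment client" task. Run in an elevated session.
# Assumptions: TenantInfo lives at HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\
# TenantInfo\<TenantId>, and the value names and default Intune URLs below are those
# of a standard Intune enrollment; verify them against a healthy device first.
$TenantInfoRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo'
$ExpectedMdmUrls = @{
    MdmEnrollmentUrl = 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc'
    MdmTermsOfUseUrl = 'https://portal.manage.microsoft.com/TermsofUse.aspx'
    MdmComplianceUrl = 'https://portal.manage.microsoft.com/?portalAction=Compliance'
}

function Test-MdmUrls {
    param([switch]$Repair)   # without -Repair the function only reports, it changes nothing
    $tenantKey = Get-ChildItem -Path $TenantInfoRoot -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $tenantKey) {
        return [pscustomobject]@{ Check = 'TenantInfo'; Status = 'Missing'; Detail = 'No TenantInfo key found' }
    }
    $props = Get-ItemProperty -Path $tenantKey.PSPath
    foreach ($name in $ExpectedMdmUrls.Keys) {
        $current = $props.$name
        if ([string]::IsNullOrEmpty($current)) {
            $status = 'Missing'
            if ($Repair) {
                Set-ItemProperty -Path $tenantKey.PSPath -Name $name -Value $ExpectedMdmUrls[$name]
                $status = 'Created'
            }
        } else { $status = 'Present' }
        [pscustomobject]@{ Check = $name; Status = $status; Detail = $current }
    }
}

function Test-EnrollmentTask {
    $task = Get-ScheduledTask -TaskName 'Schedule #1 created by enrollment client' -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $task) {
        return [pscustomobject]@{ Check = 'Schedule #1'; Status = 'Missing'; Detail = 'Task not registered' }
    }
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Check  = 'Schedule #1'
        Status = $task.State      # Ready or Running on a healthy enrolled device
        Detail = "Path=$($task.TaskPath) LastRun=$($info.LastRunTime) Result=0x$('{0:X}' -f $info.LastTaskResult)"
    }
}

Test-MdmUrls
Test-EnrollmentTask
```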
4. How it Looks when It breaks and when we fix it!
If your device has one of the issues I mentioned in the previous parts, the script will detect it and fix it.
I recorded a video showing you what happens when the Intune device certificate is gone and needs to be fixed!
Having sync issues on your device is terrible; hopefully those bad days are gone with the use of this magical Intune Sync Debug Tool.