Call4Cloud | MMP-C | Autopilot | Device Preparation

Easy Riders, Intune Bulls: How the Defender for Endpoint, Live Response, and Rock ‘N’ Roll PowerShell Script Recovered the Intune Certificate

Patch My Pc | install & update thousands of apps

We talked about this in our MMSMOA session, but I still needed to write something about it…..so here we go! This blog will be “again” about issues with the Intune Certificate but this time I am going to show you how Defender For Endpoints (MDE) could save your ass when the device is no longer able to communicate with the Intune Service

1. Introduction

In one of my older blogs, I showed you how to deal with Expired, Duplicate, Lingering, or even a nonexistent, removed, or deleted Intune MDM Certificate.

Sync issues 0x80190190 and the Intune MDM device Certificate (call4cloud.nl)

In the blog above I provided you with a PowerShell script to fix the sync issue by removing the old lingering stuff and certificates from the device but what if you don’t have direct access to the device?

So how are we going to deliver this PowerShell script? With Intune? Nope! Delivering PowerShell scripts with Intune isn’t an option anymore because the Intune certificate is missing in action. So we need to come up with a new solution

2. Prerequisites

Before I show you the easy way to fix it, we need to examine some prerequisites to make this work. Let’s look at them one by one.

1. Defender Licensing

As shown below, when you don’t have an additional RMM tool in place, you will need to be licensed for Microsoft Defender for Endpoint (MDE)

So, if you have a nice Microsoft E5 license, you are good to go!

2. Enrolled Devices

Besides the licensing requirement, your devices also need to be enrolled into Defender for Endpoint but that sounds obvious, right?

3. Live Response

If we want to deploy a PowerShell script to the device we need to make sure that we don’t forget to enable “Live Response”

configuring defender live response to fix the Intune certificate on the device

3. How To Fix it

With “all” the prereqs met, let’s take a look at how we are going to fix it. To do so you need to open the Defender for Endpoint portal and click on the “Assets/ Devices” button

Press on the device in question that has the missing or broken Intune Certificate

The device tab will open and will show you a lot of options. We are going to press the nice 3 dots right on top and going to select “Initiate Live Response Session”

In the next screen, we will notice a nice “Command Console“. Before we can do anything we still need to upload a file (PowerShell script) to the Library

In this screen, you need to select the PowerShell script to fix it.

As shown above, I selected the “FixCertV2.ps1” PowerShell script. Here is the content of this file

$RegistryKeys = "HKLM:\SOFTWARE\Microsoft\Enrollments", "HKLM:\SOFTWARE\Microsoft\Enrollments\Status","HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked", "HKLM:\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled", "HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers","HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts", "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Logger", "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions"

$EnrollmentID = Get-ScheduledTask -taskname 'PushLaunch' -ErrorAction SilentlyContinue | Where-Object {$_.TaskPath -like "*Microsoft*Windows*EnterpriseMgmt*"} | Select-Object -ExpandProperty TaskPath -Unique | Where-Object {$_ -like "*-*-*"} | Split-Path -Leaf

		foreach ($Key in $RegistryKeys) {
				if (Test-Path -Path $Key) {
					get-ChildItem -Path $Key | Where-Object {$_.Name -match $EnrollmentID} | Remove-Item -Recurse -Force -Confirm:$false -ErrorAction SilentlyContinue
	}
}
$IntuneCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
		$_.Issuer -match "Intune MDM" 
	} | Remove-Item
if ($EnrollmentID -ne $null) { 
	foreach ($enrollment in $enrollmentid){
			Get-ScheduledTask | Where-Object {$_.Taskpath -match $Enrollment} | Unregister-ScheduledTask -Confirm:$false
			$scheduleObject = New-Object -ComObject schedule.service
			$scheduleObject.connect()
			$rootFolder = $scheduleObject.GetFolder("\Microsoft\Windows\EnterpriseMgmt")
			$rootFolder.DeleteFolder($Enrollment,$null)
} 
} 

$EnrollmentIDMDM = Get-ScheduledTask | Where-Object {$_.TaskPath -like "*Microsoft*Windows*EnterpriseMgmt*"} | Select-Object -ExpandProperty TaskPath -Unique | Where-Object {$_ -like "*-*-*"} | Split-Path -Leaf
		foreach ($Key in $RegistryKeys) {
				if (Test-Path -Path $Key) {
					get-ChildItem -Path $Key | Where-Object {$_.Name -match $EnrollmentIDMDM} | Remove-Item -Recurse -Force -Confirm:$false -ErrorAction SilentlyContinue
	}
}
if ($EnrollmentIDMDM -ne $null) { 
	foreach ($enrollment in $enrollmentidMDM){
			Get-ScheduledTask | Where-Object {$_.Taskpath -match $Enrollment} | Unregister-ScheduledTask -Confirm:$false
			$scheduleObject = New-Object -ComObject schedule.service
			$scheduleObject.connect()
			$rootFolder = $scheduleObject.GetFolder("\Microsoft\Windows\EnterpriseMgmt")
			$rootFolder.DeleteFolder($Enrollment,$null)
} 
$IntuneCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
		$_.Issuer -match "Microsoft Device Management Device CA" 
	} | Remove-Item
}	
Start-Sleep -Seconds 5
$EnrollmentProcess = Start-Process -FilePath "C:\Windows\System32\DeviceEnroller.exe" -ArgumentList "/C /AutoenrollMDM" -NoNewWindow -Wait -PassThru

Please Note: I also added the Microsoft Device Management Device CA Certificate to it… If you don’t use EPM you can remove it.

With the PowerShell script uploaded, you can now execute it. You can do so by using: “run FixCertV2.ps1”

4. The Results

In the video below, I have a device with sync issues and a missing Intune MDM device certificate. In the background, I will kick off the PowerShell script with Defender for Endpoint and Live Response.

Fix missing Intune Certificate with MDE – YouTube

Todo: If you have multiple devices that are giving you the same issue, you can also create an app registration to execute the same script using Live Response on multiple devices

Conclusion

Having sync issues is pretty bad, if it’s not DNS it is probably your Intune Certificate that is giving you the sync issues. With MDE you can remotely fix those sync issues! isn’t that nice?

Leave a Reply

Your email address will not be published. Required fields are marked *

  −  2  =  7

Proudly powered by WordPress | Theme: Wanderz Blog by Crimson Themes.