In this blog I will show and explain the Intune Sync Debug PowerShell tool I wrote to fix those damn Intune MDM device CA certificate issues.
1. Installing and running the tool
I published the PowerShell tool on the PowerShell Gallery, so installing and running it takes only a few seconds.
To install the tool, run the Install-Module command below and accept the prompts (NuGet provider):
Install-Module intunesyncdebugtool -Force
After the module has been installed, start the script by calling the function it exports:
Test-IntuneSyncErrors
On a healthy device, every test the script performs ends in a green message.
In the next parts, we will take a closer look at the script itself and at what it looks like when your device is experiencing sync issues.
2. What issues does it fix
Let me share some of the stuff the PowerShell tool will detect and fix for you!
- Intune Certificate ended up in the Wrong store
- Intune Certificate expiration Date
- Intune Certificate Private Key missing
- Intune Certificate Missing
When it detects one of those issues, it will ask you whether to apply the fix. I will explain the fix in part 3.
2.1 Intune Certificate ended up in the Wrong store
I guess we all know this issue by now. Some time ago I wrote a blog about how and when the Intune certificate ends up in the “wrong” certificate store.
Intune | MDM-only | Enrollment | Missing Device Certificate (call4cloud.nl)
In that blog, I also showed you how to fix that issue, so I made sure the detection and remediation are also part of this PowerShell tool.
2.2 Intune Certificate expiration Date
Renewing your Intune certificate can be challenging sometimes… I know! A week or so ago, I decided to write a blog explaining the whole technical flow behind it:
What happens when renewing the Intune MDM Certificate (call4cloud.nl)
In that same blog, I also mentioned another blog I wrote a long time ago about fixing those expired certificates:
Sync issues 0x80190190 and the Intune MDM device Certificate (call4cloud.nl)
2.3 Intune Certificate is missing its private key
This issue is a funny one but also a nasty one, because if the Intune device certificate is somehow missing its private key (and yes, I have seen it happen a lot) you are pretty much screwed. Luckily I also wrote a blog about that particular issue and how to deal with it:
Troubleshooting the Intune Device Sync error 0x80072f99 (call4cloud.nl)
2.4 Intune Certificate Missing
Luckily we can still call upon deviceenroller.exe to fix this, as I mentioned in the blog below:
Enroll existing Azure Ad joined Devices into MDM | Intune (call4cloud.nl)
3. Taking a look at the FIX and other functions
As we have seen in part 2, this PowerShell tool does fix some stuff. Let me show you some important parts of the tool:
- Fix-Certificate
- Fix-MDMurls
- Check-dmwapservice
- Get-schedule1
Let me start with the Fix-Certificate function.
3.1 Fix-Certificate
This function fixes your Intune certificate by launching PsExec and executing a Base64-encoded command. If you want to know what that encoded command contains (and it is a good habit to know exactly what you are running on a device), copy and paste it into this website to decode it: Base64 Decode and Encode – Online
To save you some trouble… that encoded command is nothing more than the fix I mentioned in part 2.4.
Besides the encoded command, it also contains some other functions to fix some missing stuff. Let me explain them a bit more!
3.2. Missing MDM-URLs
When you enroll your device into Intune, your user must be in the MDM scope and have a proper license applied.
Sometimes, when you have only just added the user to the MDM scope and try to enroll a device into Intune, the MDM URLs could still be missing when you look at the dsregcmd /status output.
If those MDM URLs are not configured, or your user is not part of the MDM scope, you could end up with a nice event (event ID 76) stating that the Device Credential (0x0) failed because the Mobile Device Management (MDM) is not configured.
This fix will try to find the proper TenantInfo and the corresponding MDM URLs in the registry, and if it can’t find them, it will create them!
3.3 Dmwappushservice
This service is quite important when your device is enrolling into Intune; without it you will end up with some weird behaviour and a broken Intune enrollment.
Luckily I am going to publish a new blog next week explaining why this service is so important. Almost a coincidence, right?
3.4 Get-Schedule
After we have tried to fix the certificate or sync issue, we still need to determine whether the “Schedule #1 created by enrollment client” scheduled task is running or ready. If that task isn’t running after the device has been enrolled into Intune, you could again end up with some weird sync errors.
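Here is an added example (my own illustration, not code from the intunesyncdebugtool module) that checks the two dependencies from parts 3.3 and 3.4 read-only, so you can see the state before letting the tool fix anything. It assumes the enrollment client places the task under \Microsoft\Windows\EnterpriseMgmt\<EnrollmentGUID>\.

```powershell
# Added example: read-only check of dmwappushservice and the enrollment scheduled task.
# Assumption: the task lives under \Microsoft\Windows\EnterpriseMgmt\<EnrollmentGUID>\.
function Test-EnrollmentDependencies {
    $result = [ordered]@{}

    # 3.3: dmwappushservice must exist and be running for MDM enrollment and sync to work
    $svc = Get-Service -Name 'dmwappushservice' -ErrorAction SilentlyContinue
    if (-not $svc) {
        $result.DmwapService = 'MISSING'
    } else {
        $result.DmwapService = "$($svc.Status) (StartType: $($svc.StartType))"
    }

    # 3.4: "Schedule #1 created by enrollment client" is created per enrollment GUID;
    # -TaskPath accepts a wildcard, so every enrollment folder is searched
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*\' `
                               -TaskName 'Schedule #1 created by enrollment client' `
                               -ErrorAction SilentlyContinue
    if (-not $tasks) {
        $result.Schedule1 = 'NOT FOUND (device not enrolled, or enrollment broken)'
    } else {
        foreach ($task in $tasks) {
            $info = $task | Get-ScheduledTaskInfo
            # LastTaskResult 0 means the last run succeeded; anything else is the raw exit/HRESULT code
            $lastResult = '0x{0:X8}' -f $info.LastTaskResult
            $result["Schedule1 $($task.TaskPath)"] =
                "State=$($task.State) LastRun=$($info.LastRunTime) LastResult=$lastResult"
        }
    }
    [pscustomobject]$result
}

Test-EnrollmentDependencies | Format-List
```

Run it in an elevated PowerShell session; a State of Disabled or a LastResult other than 0x00000000 on the Schedule #1 task is exactly the situation part 3.4 describes.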
4. How it Looks when It breaks and when we fix it!
If your device has one of the issues I mentioned in the previous parts, the script will detect it and fix it.
I recorded a video showing you what happens when the Intune device certificate is gone and needs fixing!
Conclusion
Having sync issues on your device is terrible; hopefully those bad days are gone with this magical Intune Sync Debug Tool.
Hi Rudy, great tool. I tested on a notebook with some issues; this is the result.
Determing if the certificate mentioned in the SSLClientCertreference is also configured in the Enrollments part of the registry
Intune Device Certificate is not configured in the Registry Enrollments
Determing if the certificate subject is also configured in the EntDMID key
I have some shitty news! The EntDMID key is not configured, you probably need to reboot the device and run the test again
Hi… It's kinda weird that the device doesn't have the SSL client cert reference configured. When taking a look at that registry key, could you determine if it's there? (The same with the EntDMID.)
I had the same issue and what's happening is when line 317 sets the variable for $GUID, sometimes it finds and stores 2 GUIDs. Then line 327 is running Get-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\Enrollments\$guid\DMClient\MS DM Server" and plugging in two GUIDs into that string.
This results in an error like this:
Cannot find path 'HKLM:\SOFTWARE\Microsoft\Enrollments\16D8DC3B-08F6-4050-99ED-507BB8A6CDFC F4D6AAB1-6372-4BCF-A66F-CCD2C5F05088\DMClient\MS DM Server' because it does not exist.
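The four certificate checks from part 2 and the two-GUID problem described in the comment above, as an added example (my own illustration, not the module's Fix-Certificate): every enrollment key is handled in its own loop iteration, so two GUIDs can never be interpolated into one registry path. It assumes SSLClientCertReference has the form "MY;System;<thumbprint>", that EntDMID sits in the same "MS DM Server" key, and that the "wrong store" from part 2.1 is the user's personal store.

```powershell
# Added example: read-only health check of the Intune MDM device certificate per enrollment.
# Assumptions: SSLClientCertReference = "MY;System;<thumbprint>"; EntDMID is a value in the same key;
# the "wrong store" is CurrentUser\My (run in the enrolled user's session to see that store).
function Test-IntuneDeviceCertificate {
    $base = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    # One iteration per enrollment GUID: never join several GUIDs into a single path string
    foreach ($enrollment in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $dmKey = Join-Path $base "$($enrollment.PSChildName)\DMClient\MS DM Server"
        if (-not (Test-Path $dmKey)) { continue }   # not an MDM enrollment, skip it

        $props  = Get-ItemProperty -Path $dmKey
        $report = [ordered]@{ Enrollment = $enrollment.PSChildName; EntDMID = $props.EntDMID }
        $ref    = $props.SSLClientCertReference
        if (-not $ref) {
            $report.Status = 'SSLClientCertReference MISSING in registry'
            [pscustomobject]$report
            continue
        }
        $thumb = ($ref -split ';')[-1]
        $report.Thumbprint = $thumb

        $machineCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
        $userCert    = Get-ChildItem Cert:\CurrentUser\My  | Where-Object Thumbprint -eq $thumb
        if (-not $machineCert) {
            if ($userCert) {
                $report.Status = 'Certificate is in the WRONG store (CurrentUser\My)'   # issue 2.1
            } else {
                $report.Status = 'Certificate MISSING from LocalMachine\My'             # issue 2.4
            }
        } elseif (-not $machineCert.HasPrivateKey) {
            $report.Status = 'Certificate has NO private key'                           # issue 2.3
        } elseif ($machineCert.NotAfter -lt (Get-Date)) {
            $report.Status = "Certificate EXPIRED on $($machineCert.NotAfter)"          # issue 2.2
        } else {
            $report.Status = "OK, valid until $($machineCert.NotAfter)"
        }
        [pscustomobject]$report
    }
}

Test-IntuneDeviceCertificate | Format-List
```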
Looking at it now… just published a new version
Hi Rudy,
great tool
I got an error. Do I need to create a file or something, “MDMDiagReport.html”?
_____________________________________
Hold on a moment… Initializing a sync and checking the MDM logs for sync errors!
Report location folder C:\Users\AVI~1.ACH\AppData\Local\Temp\diag\
Select-String : Cannot find path 'C:\Users\AVI~1.ACH\AppData\Local\Temp\diag\MDMDiagReport.html' because it does not exist.
At C:\Program Files\WindowsPowerShell\Modules\intunesyncdebugtool\1.0.0.7\intunesyncdebugtool.psm1:188 char:16
+ … eckmdmlog = Select-String -Path $env:TEMP\diag\MDMDiagReport.html -Pa …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\AVI~1….DiagReport.html:String) [Select-String], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.SelectStringCommand
\ Avi A.
What happens when you manually try to execute this on the device: Start-Process MdmDiagnosticsTool.exe -Wait -ArgumentList "-out $env:TEMP\diag\" -NoNewWindow
This command is not running on my Autopilot PC.
test-intunesyncerrors
4:23 PM PS C:\Windows\system32> test-intunesyncerrors
test-intunesyncerrors : The ‘test-intunesyncerrors’ command was found in the module ‘intunesyncdebugtool’, but the
module could not be loaded. For more information, run ‘Import-Module intunesyncdebugtool’.
At line:1 char:1
+ test-intunesyncerrors
+ ~~~~~~~~~~~~~~~~~~~~~
   + CategoryInfo         : ObjectNotFound: (test-intunesyncerrors:String) [], CommandNotFoundException
   + FullyQualifiedErrorId : CouldNotAutoloadMatchingModule
Hi, did you change the PowerShell execution policy to make sure you can execute this module?
Hi Rudy, first thank you. I ran into this issue during my hybrid-join pilot and was able to get my user to sync again.
With that said, do you have a version of the fix that doesn’t include the beer jokes 😀 I would like for my service desk to use this tool if they encounter devices that are failing to sync but the beer stuff may throw some folks off.
Rudy, you are a legend. That is all 🙂
Is there a version of this that could be run silently?
Would there be a way to edit this with an automated version (no prompts)? We want to deploy the script using an RMM, as well as for new machines we set up.
Great idea! However, I seem to be getting an error where it is detecting that the device is not enrolled inside of Intune when I am absolutely certain that it is. Is there something I’m doing wrong?
This has been a lifesaver for us! In the spirit of automating, is there any way to run the test-intunesyncerrors command without the “are you sure” prompt?
Great article and script!
We noticed clients not receiving a renew certificate, but under the hood I think the sync is failing.
On multiple clients we can see this in the IntuneManagementExtension.log:
For clients which fail to sync or do not get certificates we cannot see this log-item anymore:
I’m thinking that the URL checkin.dm.microsoft.com/RestUserAuthLocationService/RestUserAuthLocationService/Certificate/ServiceAddresses is the problem; we already have a ticket open with Microsoft since April.
After running your script I can see following:
manage.microsoft.com is indeed I think the right URL, is this something that is fixed with your script?
If so, maybe we can automate the process.
But I’d like to find the root cause, certainly if there is a setting somewhere under the hood.
Do you have any advice?
If you could reach out to me on Teams, we can take a closer look at what is happening, as a lot also depends on how those devices were enrolled. The checkin URL should be the issue… as I assume you enabled the Intune Suite?