In this blog I will show and explain the Intune Sync Debug PowerShell tool I wrote to fix those damn Intune MDM device CA certificate issues.
1. Installing and running the tool
I published the PowerShell tool on the PowerShell Gallery, so installing and running it takes only a few seconds.
To install the tool, just enter the Install-Module command below and accept all the prompts (including the NuGet provider one):
install-module intunesyncdebugtool -force
After the tool has been installed, start it by entering this command, which calls the function inside the module:
test-intunesyncerrors
On a working device, every test the script performs ends in a green message.
In the next parts, we will take a closer look at the script itself and at what it looks like when your device is experiencing sync issues.
2. What issues does it fix
Let me share some of the stuff the PowerShell tool will detect and fix for you!
- Intune Certificate ended up in the Wrong store
- Intune Certificate expiration Date
- Intune Certificate Private Key missing
- Intune Certificate Missing
When it detects one of those issues, it will ask you whether to apply the fix. I will explain the fix in part 3.
2.1 Intune Certificate ended up in the Wrong store
I guess we all know this issue by now. Some time ago I wrote a blog about how and when the Intune certificate ends up in the "wrong" certificate store:
Intune | MDM-only | Enrollment | Missing Device Certificate (call4cloud.nl)
In that blog, I also showed you how to fix that issue, so I made sure the detection and remediation are also part of this PowerShell tool.
2.2 Intune Certificate expiration Date
Renewing your Intune certificate can be challenging sometimes... I know! A week or so ago, I wrote a blog explaining the whole technical flow behind it:
What happens when renewing the Intune MDM Certificate (call4cloud.nl)
In that same blog, I also mentioned another blog I wrote long ago about fixing certificates that have expired:
Sync issues 0x80190190 and the Intune MDM device Certificate (call4cloud.nl)
2.3 Intune Certificate is missing its private key
This issue is a funny one but also a nasty one: if the Intune device certificate is somehow missing its private key (and yes, I have seen it happen a lot), you are pretty much screwed. Luckily, I also wrote a blog about that particular issue and how to deal with it:
Troubleshooting the Intune Device Sync error 0x80072f99 (call4cloud.nl)
2.4 Intune Certificate Missing
Luckily, we can still call on deviceenroller.exe to fix this, as I mentioned in the blog below:
Enroll existing Azure Ad joined Devices into MDM | Intune (call4cloud.nl)
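The four certificate states from parts 2.1 to 2.4 can be detected from the two certificate stores alone. The check below is an added example and not the IntuneSyncDebugTool code itself; it assumes the device certificate is issued by "Microsoft Intune MDM Device CA", that LocalMachine\My is the correct store, and that a copy living only in CurrentUser\My is the "wrong store" case.

```powershell
# Added example (not the tool's own code). Assumed: issuer name below and
# LocalMachine\My as the correct store; CurrentUser\My is the "wrong store".
function Test-IntuneDeviceCertificate {
    [CmdletBinding()]
    param(
        [string]$IssuerPattern = '*Microsoft Intune MDM Device CA*',
        [int]$ExpiryWarningDays = 30
    )
    # Newest matching certificate per store (a renewal can leave an older one behind)
    $machineCert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like $IssuerPattern } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    $userCert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -like $IssuerPattern } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    $issues = [System.Collections.Generic.List[string]]::new()

    # 2.4 missing entirely / 2.1 present only in the user store
    if (-not $machineCert -and -not $userCert) {
        $issues.Add('Intune certificate missing from both stores')
    } elseif (-not $machineCert) {
        $issues.Add('Intune certificate only found in CurrentUser\My (wrong store)')
    }

    # 2.2 expiration / 2.3 private key, checked on whichever copy exists
    $cert = if ($machineCert) { $machineCert } else { $userCert }
    if ($cert) {
        $now = Get-Date
        if ($cert.NotAfter -lt $now) {
            $issues.Add("Intune certificate expired on $($cert.NotAfter)")
        } elseif ($cert.NotAfter -lt $now.AddDays($ExpiryWarningDays)) {
            $issues.Add("Intune certificate expires soon ($($cert.NotAfter))")
        }
        # HasPrivateKey is false when the key container is gone although the cert itself looks fine
        if (-not $cert.HasPrivateKey) {
            $issues.Add('Intune certificate has no private key')
        }
    }

    [pscustomobject]@{
        Store    = if ($machineCert) { 'LocalMachine\My' } elseif ($userCert) { 'CurrentUser\My' } else { $null }
        NotAfter = $cert.NotAfter
        Healthy  = ($issues.Count -eq 0)
        Issues   = $issues.ToArray()
    }
}

Test-IntuneDeviceCertificate | Format-List
```

Run it in an elevated PowerShell so the LocalMachine store and its private keys are readable; the Issues array maps one-to-one onto the four problems the tool prompts you to fix.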
3. Taking a look at the FIX and other functions
As we have seen in part 2, this PowerShell tool does fix some stuff. Let me show you some important parts of the tool:
- Fix-Certificate
- Fix-MDMurls
- Check-dmwapservice
- Get-schedule1
Let me start with the Fix-Certificate function.
3.1 Fix-Certificate
This function fixes your Intune certificate by launching PsExec and executing a Base64-encoded command. If you want to know what this encoded command contains, just copy and paste it into this website to decode it: Base64 Decode and Encode – Online
To save you some trouble: that encoded command is nothing more than the fix I mentioned in part 2.4.
Besides the encoded command, the tool also contains some other functions to fix missing pieces. Let me explain them a bit more!
3.2 Missing MDM URLs
When you enroll your device into Intune, your user must be in the MDM scope and have a proper license assigned.
Sometimes, when you try to enroll a device into Intune right after adding the user to the MDM scope, the MDM URLs can still be missing when you look at the dsregcmd /status output.
If those MDM URLs are not configured, or your user is not part of the MDM scope, you could end up with a nice event 76 mentioning that the Device Credential (0x0) failed because Mobile Device Management (MDM) is not configured.
This fix will try to find the proper TenantInfo key and the corresponding MDM URLs in the registry, and if it can't find them, it will create them!
3.3 Dmwappushservice
This service is quite important when your device is enrolling into Intune; without it you will end up with weird behaviour and a non-working Intune enrollment.
Luckily, I am going to publish a new blog next week explaining why this service is so important. Almost a coincidence, right?
3.4 Get-Schedule
After we have tried to fix the certificate or sync issue, we still need to determine whether the "Schedule #1 created by enrollment client" scheduled task is running or ready. If that task isn't running after the device has been enrolled into Intune, you could again end up with some weird sync errors.
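The three checks from parts 3.2, 3.3 and 3.4 can be combined into one health report. This is an added example, not the tool's Fix-MDMurls, Check-dmwapservice or Get-schedule1 code; it assumes the MDM URLs live as MdmEnrollmentUrl, MdmTermsOfUseUrl and MdmComplianceUrl under the CloudDomainJoin\TenantInfo\<tenant id> key, and the default URLs it writes with -CreateMissingUrls are the ones I assume a normal enrollment uses.

```powershell
# Added example (not the tool's own code). Assumed: registry path, value
# names and the default URLs below; adjust them if your tenant differs.
function Test-IntuneEnrollmentPrereqs {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$CreateMissingUrls)
    $expected = @{
        MdmEnrollmentUrl = 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc'
        MdmTermsOfUseUrl = 'https://portal.manage.microsoft.com/TermsofUse.aspx'
        MdmComplianceUrl = 'https://portal.manage.microsoft.com/?portalAction=Compliance'
    }
    $issues = [System.Collections.Generic.List[string]]::new()
    # 3.2 TenantInfo is written at Azure AD join; dsregcmd reports the MDM URLs from here
    $tenantKey = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo' -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $tenantKey) {
        $issues.Add('No TenantInfo key found: device does not look Azure AD joined')
    } else {
        foreach ($name in $expected.Keys) {
            $value = (Get-ItemProperty -Path $tenantKey.PSPath -Name $name -ErrorAction SilentlyContinue).$name
            if ([string]::IsNullOrWhiteSpace($value)) {
                $issues.Add("MDM URL '$name' missing under TenantInfo\$($tenantKey.PSChildName)")
                if ($CreateMissingUrls -and $PSCmdlet.ShouldProcess($tenantKey.PSChildName, "create $name")) {
                    New-ItemProperty -Path $tenantKey.PSPath -Name $name -Value $expected[$name] -PropertyType String -Force | Out-Null
                }
            }
        }
    }
    # 3.3 dmwappushservice must exist and be running during enrollment
    $svc = Get-Service -Name dmwappushservice -ErrorAction SilentlyContinue
    if (-not $svc) { $issues.Add('dmwappushservice not found') }
    elseif ($svc.Status -ne 'Running') { $issues.Add("dmwappushservice is $($svc.Status) (start type $($svc.StartType))") }
    # 3.4 the enrollment client's sync task should be Ready or Running with a clean last result
    $task = Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -eq 'Schedule #1 created by enrollment client' } | Select-Object -First 1
    if (-not $task) { $issues.Add('"Schedule #1 created by enrollment client" task not found') }
    elseif ($task.State -notin 'Ready', 'Running') { $issues.Add("Sync task state is $($task.State)") }
    else {
        $info = $task | Get-ScheduledTaskInfo
        if ($info.LastTaskResult -ne 0) { $issues.Add("Sync task last result 0x$('{0:X}' -f $info.LastTaskResult)") }
    }
    [pscustomobject]@{
        Healthy = ($issues.Count -eq 0)
        Issues  = $issues.ToArray()
    }
}

Test-IntuneEnrollmentPrereqs | Format-List
```

Without -CreateMissingUrls the function only reports; with it, -WhatIf shows which values would be created before anything is written to the registry.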
4. How it Looks when It breaks and when we fix it!
If your device has one of the issues I mentioned in the previous parts, the script will detect it and fix it.
I recorded a video showing you what happens when the Intune device certificate is gone and needs fixing!
Conclusion
Having sync issues on your device is terrible; hopefully, those bad days are gone with this magical Intune Sync Debug Tool.