First published on TechNet on Apr 13, 2018
4/13/18: Updated with a revised version of the GetExpiringDevices script at the link below.
4/13/18: Updated with instructions for Configuration Manager customers using hybrid MDM
4/17/18: Updated with additional guidance when force syncing Apple devices.
4/18/18: Updated with new instructions to determine device impact for hybrid customers.
4/19/18: Updated instructions for force syncing. Added link for PowerShell script to sync Windows devices.
4/20/18: Updated information for Android and iOS.
4/21/18: Updated with the final notice.
The older certificate has expired and almost all devices have received the new certificate in the past 45 days. If you have a device that was hidden away in a drawer for the last 45 days, had device health issues, was not unlocked for 45 days, or was blocked from receiving the reissued certificate, below you’ll find resources on how to re-enroll. Please note that the experience on a device without a new certificate will vary based on the device type:
In cases where the certificate did not update, devices will need to be unenrolled and re-enrolled:
Similar to devices, connectors - such as the Exchange or NDES connectors - that did not renew their certificate will also need to be reinstalled. Provided you have the configuration information for the connector, reinstalling the connector does not normally impact devices or users.
<original post below>
Certificates that Intune issues to establish trust with MDM managed devices and connectors are renewed automatically every year upon connection to the Intune service. These certificates will expire on April 21, 2018. We've sent out a message center post asking you to take a one-time action related to the certificate renewal to get these certificates renewed before April 21. Check whether certificate renewal is blocked for devices in your environment using the scripts in this blog post. This post also has information on how to force sync devices and end user guidance. Please take action as soon as possible to avoid certificate expiration on April 21, 2018. You should also let your helpdesk know about this.
Sometimes, devices are in an unhealthy state or simply have not connected with the service due to battery issues, network issues and so on. When devices or service connectors are unable to connect to the Intune service, Intune cannot automatically push updated certificates to them. In this post, we’ll share a way for you to find out which devices have not auto-renewed certificates and have certificates that are close to expiration. We also have platform-specific information to manually force a sync with the Intune service for devices that are not checking in along with instructions for connectors. This can help avoid the situations below when a certificate expires:
Note that this issue does not affect customers using Intune App Protection also known as Mobile App Management (MAM).
Using Graph to check certificate expiration for devices
For Intune Standalone: We have a script that you can run with global admin credentials to give you a list of impacted devices using Microsoft Graph. You can use this script to understand which devices are affected and take action accordingly. Alternatively, you can run the query in the script from Graph Explorer. You can download this script here: https://aka.ms/Get_Expiring_Devices_script
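As an added illustration (this is not the script linked above), the following PowerShell queries the Graph managedDevices collection and lists devices whose MDM management certificate expires before a cutoff date. It assumes you already hold a bearer token in $AccessToken for a principal with DeviceManagementManagedDevices.Read.All; acquiring the token is out of scope here.

```powershell
# Added example: find Intune managed devices whose management certificate
# expires before a cutoff date, using the managedDevice property
# managementCertificateExpirationDate exposed by Microsoft Graph.
# Assumption: $AccessToken already contains a valid Graph bearer token.
param(
    [Parameter(Mandatory)] [string] $AccessToken,
    [datetime] $Cutoff = (Get-Date '2018-04-21')
)

$headers = @{ Authorization = "Bearer $AccessToken" }
# Select only the properties needed; Graph pages results via @odata.nextLink.
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices' +
       '?$select=id,deviceName,operatingSystem,lastSyncDateTime,managementCertificateExpirationDate'

$expiring = @()
do {
    $page = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
    foreach ($d in $page.value) {
        $exp = [datetime]$d.managementCertificateExpirationDate
        if ($exp -lt $Cutoff) {
            $expiring += [pscustomobject]@{
                DeviceName  = $d.deviceName
                OS          = $d.operatingSystem
                LastSync    = [datetime]$d.lastSyncDateTime
                CertExpires = $exp
                DaysLeft    = [int]($exp - (Get-Date)).TotalDays
            }
        }
    }
    # Follow pagination until Graph stops returning a nextLink.
    $uri = $page.'@odata.nextLink'
} while ($uri)

# Devices with the earliest expiry first; LastSync shows which ones are not checking in.
$expiring | Sort-Object CertExpires | Format-Table -AutoSize
$expiring | Export-Csv -Path .\ExpiringDevices.csv -NoTypeInformation
```

Devices whose LastSync is weeks old are the ones that will not renew on their own and need the force-sync steps described later in this post.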
Determining device impact for hybrid Mobile Device Management (MDM)
For Intune Hybrid: You can use a template to create a PowerBI dashboard and get a list of your devices with expiring certificates. The template is available for download here: https://aka.ms/PowerBI_template_for_hybrid
Follow these steps to determine which devices are impacted:
Please note:
Force syncing devices
To manually force a sync on devices that are in use but have not checked in, navigate to the Device blade in the Intune on Azure console or ask impacted end users to follow the platform-specific steps listed below.
For Windows
To trigger renewal, run this PowerShell script on a device OR you can follow these steps:
· Open up Task Scheduler
· Navigate to Task Scheduler Library -> Microsoft -> Windows -> EnterpriseMgmt -> {GUID}
· Right-click the task “Schedule created by enrollment client for renewal of certificate warning” and select Run.
· Wait for the task to complete (it should finish in less than a minute; right-clicking the {GUID} folder and selecting Refresh will refresh the view).
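As an added example (not the script linked above), the same steps can be done from an elevated PowerShell session on the device: locate the renewal task under \Microsoft\Windows\EnterpriseMgmt\{GUID}\, start it, and poll until it finishes. It assumes the ScheduledTasks module available on Windows 8/Server 2012 and later.

```powershell
# Added example: trigger the MDM certificate renewal task registered by the
# enrollment client and report its final state and result code.
# Run elevated on the enrolled Windows device.
$tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
         Where-Object { $_.TaskName -like '*renewal of certificate warning*' }

if (-not $tasks) {
    Write-Warning 'No MDM certificate renewal task found; is this device MDM enrolled?'
    return
}

foreach ($task in $tasks) {
    Write-Host "Starting '$($task.TaskName)' in $($task.TaskPath)"
    Start-ScheduledTask -InputObject $task

    # The post says the task should complete within about a minute; poll its state
    # and give up after two minutes so an unhealthy device does not hang the script.
    $deadline = (Get-Date).AddMinutes(2)
    do {
        Start-Sleep -Seconds 5
        $state = (Get-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath).State
    } while ($state -eq 'Running' -and (Get-Date) -lt $deadline)

    $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
    Write-Host ('Final state: {0}; last run: {1}; result code: 0x{2:X}' -f
        $state, $info.LastRunTime, $info.LastTaskResult)
}
```

A non-zero LastTaskResult, or a state still Running at the deadline, indicates the device could not reach the service and should be checked for network or health issues before re-enrolling.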
For Windows Phone: Leave the device on and connected to the internet for 48 hours.
For Apple
Go to All Devices. Click on Device name > Overview > More > Sync
Certificates renew automatically during a device sync, provided the device stays unlocked for about 30 seconds, which is how long an MDM session takes to complete. If a device is locked, the device itself blocks certificate delivery from Intune. In this case, end users can log in and sync the device through the Company Portal. Also, prior to syncing, please ensure there is enough memory/storage on the device and that it has sufficient battery.
We recommend that, where possible, impacted end users are asked to log in to the Company portal to trigger a sync from the device itself. This will guarantee that the device is online and unlocked.
For Apple Device Enrollment Program (DEP), admins will have to trigger a sync either by asking users to unlock their devices or by syncing while the devices are in use.
For Android
Go to All Devices. Click on Device name > Overview > More > Sync
This sync will trigger renewal for devices that have certificates close to expiry. Impacted end users can be asked to upgrade to the latest version of the Company Portal, so that the Intune service can push a new certificate renewal command to the device.
For Android devices which have yet to receive renewed certificates, we recommend that end users are asked to launch the Intune Company Portal on their device, navigate to the Settings menu and select Sync. End users should leave the Intune Company Portal open until the "Syncing policy with Microsoft Intune" notification goes away, which typically occurs within 1 minute.
Certificate Renewal for Connectors
Check your connectors in the Intune on Azure console, or for hybrid MDM, the Configuration Manager console to see if they are still connected to Intune. For those that are not connected, you can uninstall them and then re-install them according to the instructions in these links:
Intune Standalone: Set up the Intune on-premises Exchange Connector in Microsoft Intune Azure
Hybrid MDM: Installing and Configuring an Exchange Server Connector
Let us know if you have any questions or concerns!