Intune Customer Success

Intune MDM enrollment certificate not present after updating to a newer version of Windows

Intune_Support_Team
Dec 04, 2020

Updated 01/20/2021

We recently had a case escalation and wanted to provide a few more details on a Windows 10 certificate issue. Windows has documented the behavior and resolution, and several of our MVPs have published blog posts describing this scenario. In this post, we add a script we developed to detect whether the Intune Mobile Device Management (MDM) enrollment certificate is present on a co-managed Windows device, and provide a few recommendations for how to resolve the issue.

Let’s start with what devices could be affected:

From the Windows KB article – “System and user certificates might be lost when updating a device from Windows 10, version 1809 or later to a later version of Windows 10. Devices will only be impacted if they have already installed any Latest cumulative update (LCU) released September 16, 2020 or later and then proceed to update to a later version of Windows 10 from media or an installation source which does not have an LCU released October 13, 2020 or later integrated.”

Impacted devices running Windows 10, version 1909 may continue to make repeated calls to the Intune service, which could result in additional network traffic and/or battery drain for laptops. KB4598229 should be applied to these devices as soon as possible, and a reboot is required after it is applied for the fix to take effect. Windows 10, version 2004 and later is not affected by the repeated Intune service calls issue.

NOTE: The application of KB4598229 does not remove the need to continue to detect and remediate devices that have lost their Intune MDM cert (as well as other required certs).

We see impact when managed devices are upgraded using outdated bundles or media through an update management tool such as Windows Server Update Services (WSUS) or Configuration Manager. This might also happen when using outdated physical media or ISO images that do not have the latest updates integrated.

From a device perspective, here’s what you’ll see:

  • The MDM enrollment certificate is no longer on the Windows device. Without this certificate, the device can’t establish the trust needed to get policy from Intune.
  • The Windows 10 device may no longer have corporate Wi-Fi, VPN, or other certificate-based authentication policies.
  • End users may report they are unable to access sites that they typically had access to (and there’s no other compliance policy or issue affecting their access).
  • You may notice a high volume of traffic in the Intune Management Extension logs.


What you can do to determine impact:

The sample script linked below is specifically developed for Intune co-managed devices and can be deployed to find those Windows 10 devices that don’t have the MDM enrollment certificate. We’ve tested this script in our internal environment and also worked with a customer to run the detection portion of the script. Please keep in mind the script is unsupported. If we make any changes to it, we’ll update this post.

You can download the script here (updated 12/8/2020): https://aka.ms/mdm_enrollment_cert_script

Again, as shared above, this script will only work on Intune co-managed devices, i.e. those that have the ConfigMgr client installed and are enrolled in Intune. As described above under what devices could be affected, there are a number of other scenarios that could be affected depending on your update path.

How you can mitigate impact:

You have a few different options, depending on your preferred approach:

  • If you have already encountered this issue on your device, you can mitigate it within the uninstall window by going back to your previous version of Windows using the instructions here. Windows has documented this as the preferred approach in their KB article.
  • The sample script we shared above includes optional remediation logic for co-managed devices. One important end-user caveat, though: if you use this remediation logic, the following message will appear in the Windows 10 notification center when the device is unenrolled, before it is re-enrolled:


This is the standard “your device is being unenrolled” message; the unenrollment is what the script automates. Once the device is re-enrolled, policy will restore apps and settings.

Other information:

  1. The detection logic in the script only returns the devices missing the MDM enrollment certificate.
  2. You can run the script in detection only mode vs. remediation:
    1. Running mdmcertcheckandremediate.ps1 without any parameters is detection mode only.
    2. Running mdmcertcheckandremediate.ps1 -Remediate 1 is detect and remediate.
  3. If you are a co-managed customer, the remediation process of re-enrolling the device to Intune is done by the Configuration Manager client (ccmexec) based on the co-management policy targeted. The ConfigMgr client uses the existing co-management enrollment process if the domain-joined device remains Azure AD-joined; otherwise enrollment is retried as soon as the device re-joins Azure AD. Co-management enrollment is also retried when ccmexec starts up and by the co-management enrollment process that is scheduled to run every day.

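As an added example (not the script linked above), here is a detection-only PowerShell check that returns a single token a Configuration Item can compare against; the registry location, ProviderID value and certificate issuer name it keys on are assumptions typical of Intune-enrolled devices.

```powershell
# Added example, not the script linked in the post: detection-only check for the
# Intune MDM enrollment certificate that emits one token for a ConfigMgr
# Configuration Item. Assumptions (typical of Intune-enrolled Windows 10):
# enrollments live under HKLM:\SOFTWARE\Microsoft\Enrollments with
# ProviderID 'MS DM Server', and the device certificate in LocalMachine\My is
# issued by 'Microsoft Intune MDM Device CA'.
$EnrollmentsKey = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$IssuerPattern  = '*Microsoft Intune MDM Device CA*'

function Get-IntuneEnrollmentId {
    # Returns the enrollment GUID registered with the Intune MDM server, or $null.
    Get-ChildItem -Path $EnrollmentsKey -ErrorAction SilentlyContinue |
        Where-Object {
            (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ProviderID -eq 'MS DM Server'
        } |
        Select-Object -First 1 -ExpandProperty PSChildName
}

function Get-IntuneDeviceCert {
    # Returns an unexpired machine certificate issued by the Intune MDM device CA, or $null.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like $IssuerPattern -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Test-IntuneMdmCert {
    # Maps the three states a device can be in to a single string.
    $enrollmentId = Get-IntuneEnrollmentId
    if (-not $enrollmentId) { return 'NotEnrolled' }   # no Intune enrollment to check
    $cert = Get-IntuneDeviceCert
    if (-not $cert) { return 'NonCompliant' }          # enrolled, but the cert is gone
    Write-Verbose "Enrollment $enrollmentId has cert $($cert.Thumbprint) valid until $($cert.NotAfter)"
    return 'Compliant'
}

# A Configuration Item discovery script should print only the value the
# compliance rule compares against, so this is the script's sole output.
Test-IntuneMdmCert
```

Set the Configuration Item's compliance rule to expect the string Compliant; a device that prints NonCompliant is in the state this post describes (enrolled, certificate missing).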

Again, keep us posted if you have any feedback by responding on this post or tagging @IntuneSuppTeam out on Twitter!

Post updated:

  • December 8, 2020 - Updated the script link to a newer version. The updated script detects if the Mobile Device Management (MDM) enrollment cert is missing for device-based MDM enrollment. The script now also verifies that the impacted device is joined or re-joined to Azure AD before remediation.
  • January 20, 2021 - Impacted devices running Windows 10, version 1909 may continue to make repeated calls to the Intune service (which could result in additional network traffic and/or battery drain for laptops). KB4598229 should be applied as soon as possible to these devices.
Updated Dec 19, 2023
Version 6.0

7 Comments

  • Jerome Wink

    Intune_Support_Team we are attempting to use the mdmcertcheckandremediate.ps1 script as a Configuration Endpoint Manager check and remediate action in a Configuration Item. Running into a large issue. The script uses a SUPER chatty output. I have attempted to squelch the outputs and convert them to simple integer values for passing between check and remediate and have that MOSTLY complete except for one lingering TRUE that I get as output that is mucking up my report.

    Any chance you could release a fork specifically laid out to work well as a compliance script with simpler returns?

    Also, while diving through the script I found that these three functions (about 200 lines) are never called, so do they do anything? Seems like a lot of cert stuff that was stated as added but isn't running?

        IsEnrollmentIdInRegistry
        IsCertInstalledForEnrollmentId
        CheckEnrollResult

    We need to remediate over 1000 machines. In manual testing the script does the task perfectly. The issue at hand is how can we deploy this?

  • Wageck

    Hi, can you please check the Intune Support Ticket? We are feeling lost in the support ticket and we have exactly this problem.

  • Hi AlexS007, thanks for the comment, let's get you over to our support folks for further investigation and review of logs. Please open a support request from within the Intune admin console, or any of the methods here. Once created, feel free to direct message us with your support case number so we can keep an eye on the case. Thanks!

  • AlexS007

    I'm trying to use your script in a Configuration Baseline in SCCM to remediate the issue, but getting error 0x80070001 Incorrect function. When I run it manually it works. I would appreciate any help 

  • bmcsb I asked the engineer that developed the script and he shared: the PowerShell script uses Windows APIs to register. It is the same API GPO uses. From the output, the device should be successfully enrolled and have gotten a new MDM cert. No restart required. After enrolling, the MDM client will follow the standard device check-in process.

    So, I will put a couple of case notes in your script and request escalation further. Thanks!

  • bmcsb

    Intune_Support_Team - We are facing this issue with our hybrid AAD Windows 10 joined devices after the bad patch. I should note, these devices are not "co-managed", but rather only Hybrid AAD joined and auto-enrolled with Intune via GPO. Currently have a MS Premier support ticket open, but not making progress (Case #:23576199). Below is the output on impacted machine, first by running the script in detection mode, and then remediation. The end result returns "[Success] Device is now MDM enrolled.". However, we never see the device check-in with Intune. The last check-in time remains the date that Windows was rolled back to previous version after the bad patch was installed.

    Is there a restart required or some other step to force the device to start communicating with Intune again? Does the device need to be removed from Endpoint Manager, prior to running the script?


    PS .\mdmcertcheckandremediate.ps1
    [Error] Device is MDM enrolled but enrollment certificate is missing.
    PS .\mdmcertcheckandremediate.ps1 -Remediate 1
    Call unregister device for enrollment Id: 4066705F-6B0C-41E1-AB1B-6D7CC499XXXX
    Unregister completed, start to register MDM Using AAD device credentials.
    True
    Register MDM completed.
    [Success] Device is now MDM enrolled.