Historically, we've posted about the enrollment device certificate, including devices that haven't renewed it (see an article from 2018 here). We've been silently renewing the certificates for months now. However, given COVID-19 work-from-home measures, we have extended the enrollment certificate on iOS and Windows devices that have not yet renewed it, in case those devices have been inaccessible. For Android devices, you'll want your end users to update the Company Portal to version 5.0.4805.0 or later. If you have Android devices that haven't renewed the enrollment certificate, you'll see a Message Center post (text below).
Thank you to @davefalkus, who posted two scripts you can run. The All Android Devices script shows which Android devices have an expiring enrollment certificate; the All Devices script covers iOS, Windows, and Android but typically takes longer to run. Again, the only action required is, if you receive the Message Center post, to ask end users to update their Company Portal app.
All Android Devices - https://github.com/microsoftgraph/powershell-intune-samples/blob/master/ManagedDevices/ExpiringCertJ...
All Devices - https://github.com/microsoftgraph/powershell-intune-samples/blob/master/ManagedDevices/ExpiringCertJ...
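As an added example (not one of the linked scripts, and not code from the Intune team), the triage below turns the two facts in this post into a per-device action: Android needs Company Portal 5.0.4805.0 or later to renew, and unrenewed Android certificates expire on July 12, 2020. The record property names (DeviceName, OperatingSystem, CompanyPortalVersion, CertExpiry, LastSync) and the 14-day stale-sync threshold are assumptions for this example; the linked scripts read the real device details from Microsoft Graph, and you would feed their output into a function like this.

```powershell
# Added example, not one of the microsoftgraph/powershell-intune-samples scripts linked above.
# Property names and the stale-sync threshold are assumptions for this example.

$MinimumCompanyPortalVersion = [version]'5.0.4805.0'   # from the post: this version or later renews
$AndroidCertExpiryDate       = [datetime]'2020-07-12'  # from the post: unrenewed Android certs expire
$StaleSyncDays               = 14                      # assumption: no check-in for 2 weeks = likely offline

function Get-EnrollmentCertAction {
    param(
        [Parameter(Mandatory)] [object[]] $Devices,
        [datetime] $Now = (Get-Date)
    )

    foreach ($d in $Devices) {
        # Fall back to the service-wide date when a record carries no per-device expiry.
        $expiry   = if ($d.CertExpiry) { [datetime]$d.CertExpiry } else { $AndroidCertExpiryDate }
        $daysLeft = [int][math]::Floor(($expiry - $Now).TotalDays)

        $action = 'OK'
        $reason = 'Certificate renewed'

        if ($d.OperatingSystem -ne 'Android') {
            # The post says Windows and iOS certificates were extended by the service.
            $reason = 'Certificate extended by the service (Windows/iOS)'
        }
        elseif ($daysLeft -lt 0) {
            $action = 'Re-enroll'
            $reason = 'Enrollment certificate already expired'
        }
        else {
            # Compare as [version], never as strings: '5.0.10000.0' sorts before '5.0.4805.0' as text.
            $cpVersion = $null
            if (-not [version]::TryParse([string]$d.CompanyPortalVersion, [ref]$cpVersion)) {
                $action = 'Review device'
                $reason = 'Company Portal version missing or unparsable'
            }
            elseif ($cpVersion -lt $MinimumCompanyPortalVersion) {
                $action = 'Update Company Portal'
                $reason = "Company Portal $cpVersion is below $MinimumCompanyPortalVersion"
            }
            elseif ($d.LastSync -and (($Now - [datetime]$d.LastSync).TotalDays -gt $StaleSyncDays)) {
                # Up-to-date app but no recent check-in: powered off, battery, or blocked ports.
                $action = 'Power on / check connectivity'
                $reason = "No check-in since $(([datetime]$d.LastSync).ToString('yyyy-MM-dd'))"
            }
        }

        [pscustomobject]@{
            DeviceName = $d.DeviceName
            OS         = $d.OperatingSystem
            DaysLeft   = $daysLeft
            Action     = $action
            Reason     = $reason
        }
    }
}

# Constructed sample records (not real devices).
$sample = @(
    [pscustomobject]@{ DeviceName='and-01'; OperatingSystem='Android'; CompanyPortalVersion='5.0.4814.0'; CertExpiry=$null;         LastSync='2020-06-22' }
    [pscustomobject]@{ DeviceName='and-02'; OperatingSystem='Android'; CompanyPortalVersion='5.0.4700.0'; CertExpiry=$null;         LastSync='2020-06-21' }
    [pscustomobject]@{ DeviceName='and-03'; OperatingSystem='Android'; CompanyPortalVersion='5.0.4814.0'; CertExpiry=$null;         LastSync='2020-05-01' }
    [pscustomobject]@{ DeviceName='and-04'; OperatingSystem='Android'; CompanyPortalVersion=$null;        CertExpiry='2020-06-01'; LastSync='2020-06-20' }
    [pscustomobject]@{ DeviceName='ios-01'; OperatingSystem='iOS';     CompanyPortalVersion='4.9.0';      CertExpiry=$null;         LastSync='2020-06-22' }
)

Get-EnrollmentCertAction -Devices $sample -Now ([datetime]'2020-06-23') | Format-Table -AutoSize
```

With the constructed records, and-01 comes back OK, and-02 is flagged to update Company Portal, and-03 is flagged to be powered on or checked for connectivity, and-04 is flagged for re-enrollment because its certificate date is already past, and ios-01 is OK because the service extended it. The DaysLeft column gives you a simple sort key for prioritising end-user outreach as July 12, 2020 approaches.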
Here's the message center post text:
Intune Support Tip: Devices are not renewing their MDM enrollment certificates
The Intune service has been trying for several months to silently renew enrollment certificates used to establish trust with Mobile Device Management (MDM) managed devices. While the certificates have been offered to all devices, there is a subset of devices that are not able to receive the certificate – either because they are powered off, have device battery issues, or because of environmental conditions, such as port closures. We were able to seamlessly extend Windows and iOS enrollment certificates. Android devices can extend the certificate as well if you adopt Company Portal version 5.0.4805.0 and higher. The enrollment certificate for Android devices that do not renew will expire on July 12, 2020. Note that these devices may be in various states, which is why we’re providing information on the action you can take to ensure the devices are powered up and can renew the certificates before that date so that any end user impact is avoided.
How does this affect me?
We’re sending you this message since our records show you have Android devices that have not renewed their enrollment certificates. Here are the most common reasons why a device would not renew its certificate but still communicate with the Intune service:
When the certificate expires, the behavior will change depending on the type of Android enrollment.
In either case, simply re-enrolling the device will return all policies and apps targeted to the device, although potentially not all corporate data depending on if it was saved locally on the device.
What do I need to do?
In the link provided [above - in the MC post we link to these scripts], you’ll find a script you can use to find the devices that are not renewing their enrollment certificate. Run this report, then you’ll want to take a look at the device details. Check:
Contact Intune Support if you need additional assistance.
Let us know what questions you have!
Blog Post Updates:
6/16/20: With a note that the Company Portal is rolling out.
6/23/20: With an update that the latest Intune Company Portal for Android (5.0.4814.0) has been rolled out to the Google Play Store.