Intune Support Tip: Devices are not renewing their MDM enrollment certificates
Published Jun 15 2020 07:30 PM

Historically, we've posted about the enrollment device certificate including devices that haven't renewed (see an article from 2018 here). We've been silently renewing the certificates for months now. However, given COVID-19 work from home measures, we have extended the enrollment cert on devices that have not yet updated their certificate for iOS and Windows just in case the devices have been inaccessible. For Android devices, you'll want to have your end users update the Company Portal to version 5.0.4805.0+. If you have Android devices that haven't updated the enrollment certificate, you'll see a Message Center post (text is below). 

 

Thank you to @davefalkus, who posted two scripts you can run. The All Android Devices script shows which Android devices have an enrollment certificate that is expiring; the All Devices script shows iOS, Windows, and Android devices, but typically takes longer to run. Again, the only action is if you receive the Message Center post: ask end users to update their Company Portal app. 

 

All Android Devices: https://github.com/microsoftgraph/powershell-intune-samples/blob/master/ManagedDevices/ExpiringCertJ... 

All Devices: https://github.com/microsoftgraph/powershell-intune-samples/blob/master/ManagedDevices/ExpiringCertJ... 

 

Here's the message center post text:

 

Intune Support Tip: Devices are not renewing their MDM enrollment certificates

The Intune service has been trying for several months to silently renew the enrollment certificates used to establish trust with Mobile Device Management (MDM) managed devices. While the certificates have been offered to all devices, there is a subset of devices that are not able to receive the certificate, either because they are powered off, have device battery issues, or because of environmental conditions, such as port closures. We were able to seamlessly extend Windows and iOS enrollment certificates. Android devices can extend the certificate as well if you adopt Company Portal version 5.0.4805.0 and higher. The enrollment certificate for Android devices that do not renew will expire on July 12, 2020. Note that these devices may be in various states, which is why we're providing information on the action you can take to ensure the devices are powered up and can renew their certificates before that date, so that any end-user impact is avoided.

 

How does this affect me?

We’re sending you this message since our records show you have Android devices that have not renewed their enrollment certificates. Here are the most common reasons why a device would not renew its certificate but still communicate with the Intune service:

  1. The device is powered off, and receiving no updates.
  2. The device has aggressive power saving routines (in which case you can open the Company Portal app to update). 
  3. The device has not updated the Company Portal.
  4. You've configured a firewall which does not allow any service communication (note these devices would not be receiving policy updates either).
  5. The device is powered on, but locked and inaccessible.
  6. The device is unhealthy and probably isn't getting policy or app updates either. This includes a battery in a bad state, so that the device can check in but can't do much more than that.

 

When the certificate expires, the behavior will change depending on the type of Android enrollment.

  • Android Device Administrator – the device will be unenrolled from the service. App removal is not guaranteed. Personal data remains on the device.
  • Android Work Profile – the device will be unenrolled and apps and corporate data will be removed.

 

In either case, simply re-enrolling the device will return all policies and apps targeted to the device, although potentially not all corporate data, depending on whether it was saved locally on the device.

 

What do I need to do?

In the link provided [above - in the MC post we link to these scripts], you'll find a script you can use to find the devices that are not renewing their enrollment certificate. Run this report, then take a look at the device details. Check:

  • Is the device powered on?
  • Is the device healthy?
  • Is the device still in use, and is the end user still at the company?
  • Can you update the Company Portal to adopt Company Portal version 5.0.4805.0+?
  • Does the device still exist, or has the end user moved to a new device?
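The report described above and the checklist that follows it, as an added example that is not one of the linked samples or Intune's own code: it pages through the Microsoft Graph managedDevices collection, keeps devices whose managementCertificateExpirationDate falls inside a window, and reports the last check-in and device type alongside it. It assumes $AccessToken already holds a Graph token with DeviceManagementManagedDevices.Read.All (how you obtain it is outside this snippet).

```powershell
# Added example (not the page's scripts): list Intune-managed devices whose MDM enrollment
# certificate expires within $DaysUntilExpiry days, with the details the checklist asks about.
param(
    [Parameter(Mandatory)][string]$AccessToken,   # assumed: a valid Graph bearer token
    [int]$DaysUntilExpiry = 30,
    [switch]$AndroidOnly
)

$headers = @{ Authorization = "Bearer $AccessToken" }
$select  = 'id,deviceName,userPrincipalName,operatingSystem,osVersion,deviceType,lastSyncDateTime,managementCertificateExpirationDate'
$uri     = "https://graph.microsoft.com/beta/deviceManagement/managedDevices?`$select=$select"

# Graph returns the collection in pages; follow @odata.nextLink until it is absent.
$devices = @()
while ($uri) {
    $page = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
    $devices += $page.value
    $uri = $page.'@odata.nextLink'
}

$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays($DaysUntilExpiry)

$expiring = $devices | Where-Object {
    $_.managementCertificateExpirationDate -and
    [datetime]$_.managementCertificateExpirationDate -le $cutoff -and
    (-not $AndroidOnly -or $_.operatingSystem -eq 'Android')
} | ForEach-Object {
    $lastSync = if ($_.lastSyncDateTime) { [datetime]$_.lastSyncDateTime } else { $null }
    [pscustomobject]@{
        DeviceName    = $_.deviceName
        User          = $_.userPrincipalName
        OS            = "$($_.operatingSystem) $($_.osVersion)"
        # deviceType distinguishes Android device administrator ('android') from work profile ('androidForWork')
        DeviceType    = $_.deviceType
        CertExpires   = [datetime]$_.managementCertificateExpirationDate
        LastCheckIn   = $lastSync
        # Weeks without a check-in point at a powered-off, blocked or unhealthy device rather than a lagging one.
        DaysSinceSync = if ($lastSync) { [int]($now - $lastSync.ToUniversalTime()).TotalDays } else { $null }
    }
} | Sort-Object CertExpires

$expiring | Format-Table -AutoSize
$expiring | Export-Csv -Path '.\ExpiringEnrollmentCerts.csv' -NoTypeInformation
```

Run with -AndroidOnly to mirror the All Android Devices report; without it the output covers iOS, Windows and Android, as the All Devices script does.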

 

Contact Intune Support if you need additional assistance.

 

Let us know what questions you have!

 

Blog Post Updates:

6/16/20: With a note that the Company Portal is rolling out. 

6/23/20: With an update that the latest Intune Company Portal for Android (5.0.4814.0) has been rolled out to the Google Play Store.

15 Comments
Copper Contributor

That's great, however when going into the Google Play Store to update the Company Portal app to version 5.0.4805.0 it tells me that the app is up to date and that the version is 5.0.4779.0.

Any suggestions?

Hi @Jason Stone, an update to the Intune Company Portal for Android (5.0.4814.0) was recently released to the Google Play Store. If you continue to experience any issues, please let us know!

@Jason Stone we just checked with the team - the CP is still rolling out - it had a bug which was fixed, then is rolling out. You should see it in the store shortly. The message above was adjusted to reflect that! Thank you. ^CC

Copper Contributor

Hi,

 

Thanks for this good article. 

 

For Android phones, can I get a script to generate a report from Intune showing the Company Portal version available on devices (discovered app)?

 

Thanks & Regards,

Devendra Singh 

Copper Contributor

Hi,

 

Have raised Design Change Request (DCR) ID 132785405 on the 9th of August last year to address an issue:

  1. Push notification to end user from Company portal app
  2. Allow administrator to monitor the certificate expiration date

Cannot see any changes.

Copper Contributor

Hello, 

 

Just to be sure, AndroidEnterprise is not affected by this right? These devices are using the Intune app and not the Company Portal.

 

Best regards

 

Wietse

Copper Contributor

Thanks for the scripts

@WietseD2020 correct, AE is not impacted. Sorry for the delay in responding! 

 

Copper Contributor

I work at a small school and most of our Surface Pros have been powered off since early March. Now I cannot get them to sync or get them evaluated to be in compliance. I am not sure if it has to do with the MDM certificates, but I am also not sure where to start to fix this issue. 

Copper Contributor

@JWychesit The fastest thing to do is create a support ticket. You can do that from within the Intune portal. They will help you real quick and can also take over your screen to check things out if needed.

 

Wietse

@Azure_Webinor, we have a few Intune PowerShell samples that may help. Hope this helps!

Hi @JWychesit, as @WietseD2020 mentioned, if this is impacting production let's get you over to our support folks for further review and investigation. You can raise a new support request from within the Intune console's Help and support blade, or any of the methods here: aka.ms/IntuneSupport.

 

We've also followed up with you over direct message to learn more about your scenario and provide additional support.

Copper Contributor

We are currently having some other issues with the Windows MDM certificate causing computers to drop out of Intune. The issue is that the computer has two MDM certs, one expired MDM cert with a private exportable key and one valid MDM cert without a private exportable key; this causes the computer to drop out of Intune. Does anyone from MSFT know why this happens? The computer remains AAD joined but is no longer managed by MEM. A support ticket is created, but support has not been able to understand the problem (three weeks now). Environment: All AAD joined, Windows Hello, Microsoft E5  

Hi @Erik Wold, thanks for flagging and we're sorry about your recent support experience. We've followed up with you over a private message to learn more about the scenario and to provide additional assistance. Thanks!

Copper Contributor

Thank you, (not seeing any private message though).

Version history
Last update: Dec 19 2023 01:30 PM