didn't find cert in both store - in IntuneManagementExtension

Hello

I am trying to troubleshoot why a Win32 app will not install on a computer with Intune.

In IntuneManagementExtension.log I get the error:

Didn't find cert in both store, retry 30 IntuneManagementExtension 11 (0x000B)

Then:

[Policy] Failed to get device id,

[DiscoveryService] Failed to get device id IntuneManagementExtension  5 (0x0005)

Any suggestions would be appreciated.

Dave

8 Replies
Can you run dsregcmd /status in a cmd window and check whether DeviceAuthStatus is SUCCESS and whether the device is AAD joined?

Thanks for your response. I ran the above command: DeviceAuthStatus : SUCCESS under the Device Details section.

Hello - I followed https://call4cloud.nl/2021/04/alice-and-the-device-certificate/

There is a section about the MDM certificate. I checked and I can't find the Intune MDM certificate. I can see the Intune root certificate in Trusted Root, but there is no MDM certificate there, and none in the Personal certificates either...

Mmm, no Intune cert, no Intune sync... :) I guess you need to try that fix I mentioned... Did you also read that other blog?
Hello - I followed all the tips in https://call4cloud.nl/2022/07/the-incredibly-strange-device-who-stopped-syncing-and-became-certifica...

I ran the PowerShell command. All ran with no errors.

From Enrollments.txt:

"DMPCertThumbPrint"="3BE76D943D9C32F3F62CE52101BXXXXXXXXXXXXX"
"RootCertThumbPrint"="9EA77BA6D30BB2AB2DECE2DFDC24XXXXXXXXXXXXX"
"IntermediateCertThumbPrint"="A4BF3999AB9C5B07BFE9F85353CXXXXXXXXXXXXX"
"CurKeyContainer"="ConfigMgrEnrollment0"
"ProviderID"="MS DM Server"
"RenewTimestamp"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"RenewStatus"=dword:00000000
"RenewErrorCode"=dword:00000000

I tried to compare this with the DMPCertThumbPrint in the "Set MdmDeviceCertificate" part of the IME log.

I have 3 logs in the \ProgramData\Microsoft\IntuneManagementExtension\Logs directory:
- AgentExecutor.log
- IntuneManagementExtension.log
- Sensor.log

I have searched through all of these, but there is no entry for MdmDeviceCertificate.


I looked through IntuneManagementExtension.log. The following messages are repeated:

Find 0 MDM certificates.]LOG
Didn't find cert in both store

So I assume there is no MDM certificate.

I looked in the Log_1.log file and tried to find the "Getting certificate" section from your post. However, it was not in my file.

I looked in the Windows-Crypto-NCrypt%4Operational.evtx file. There were many errors, which I assume is because there is no MDM certificate.

I looked in the _Microsoft_SystemCertificates.txt file, but there are no MDM certificates there either.

So, I am at a loss. I do not know why there is no MDM certificate. Maybe I missed something in my setup?
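The comparison described above (DMPCertThumbPrint from the Enrollments key against the certificate stores) can be scripted so the check is repeatable. The following is an added diagnostic example, not code from the thread or from the call4cloud posts it references. It assumes the enrollment is recorded under HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID> with the ProviderID "MS DM Server" value shown in the Enrollments.txt excerpt, and it assumes that the "both store" IME refers to are Cert:\LocalMachine\My and Cert:\CurrentUser\My (run it as SYSTEM via psexec -i -s so that CurrentUser is the same profile IME runs under). It only reads; it does not export or move any certificate.

```powershell
# Added diagnostic example (not from the thread). Assumptions: MDM enrollment
# lives under HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID> with ProviderID
# "MS DM Server", and the two stores IME checks are LocalMachine\My and
# CurrentUser\My. Read-only: it reports whether the thumbprint recorded in the
# registry actually exists in either store, and whether it is usable.
$enrollmentRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$stores = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')

# Enumerate every enrollment subkey and keep only the MDM (DM server) ones.
$mdmEnrollments = Get-ChildItem -Path $enrollmentRoot -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.ProviderID -eq 'MS DM Server' }

if (-not $mdmEnrollments) {
    Write-Warning "No enrollment with ProviderID 'MS DM Server' found under $enrollmentRoot"
    return
}

foreach ($enrollment in $mdmEnrollments) {
    $thumb = $enrollment.DMPCertThumbPrint
    Write-Host "Enrollment $($enrollment.PSChildName): DMPCertThumbPrint = $thumb"
    if (-not $thumb) {
        Write-Warning '  no DMPCertThumbPrint value recorded for this enrollment'
        continue
    }

    $found = $false
    foreach ($store in $stores) {
        # Thumbprint comparison is case-insensitive in PowerShell (-eq on strings).
        $cert = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $thumb }
        if ($cert) {
            $found = $true
            Write-Host "  found in $store"
            Write-Host "    subject : $($cert.Subject)"
            Write-Host "    issuer  : $($cert.Issuer)"
            Write-Host "    expires : $($cert.NotAfter)"
            if ($cert.NotAfter -lt (Get-Date)) { Write-Warning '    certificate is expired' }
            if (-not $cert.HasPrivateKey)      { Write-Warning '    no private key accessible from this context' }
        }
        else {
            Write-Host "  not present in $store"
        }
    }

    if (-not $found) {
        # This is the situation behind IME's "Didn't find cert in both store".
        Write-Warning "  thumbprint $thumb is in the registry but in neither store"
    }
}
```

If the script reports the thumbprint in neither store, the registry still points at a certificate the device no longer has, which is consistent with the "Find 0 MDM certificates" lines in the IME log; if it is found but expired or without an accessible private key, the sync problem is with the certificate itself rather than its absence.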

How did you enroll the device? What happens with a clean-installed device that is AAD joined from the OOBE?

It should AAD join and enroll into Intune (if the MDM scope, CNAMEs, licensing etc. are configured properly).

I am guessing you enrolled an existing AADJ device into Intune by using Settings / Accounts / "Enroll only in device management"?

Download PsExec, run a PowerShell session as SYSTEM with it (-i -s) and launch this script:

# Read the certificate from the Personal store of the current user (with
# psexec -i -s this is the SYSTEM account's store). Note that -Cert expects a
# single certificate: if the store holds several, filter by Thumbprint first.
$certificate = Get-ChildItem -Path Cert:\CurrentUser\My\

# Password protecting the exported PFX; the same value is reused for import
$password = "secret" | ConvertTo-SecureString -AsPlainText -Force
Export-PfxCertificate -Cert $certificate -FilePath C:\intune.pfx -Password $password

# Import the PFX into the machine's Personal store, keeping the key exportable
Import-PfxCertificate -Exportable -Password $password -CertStoreLocation Cert:\LocalMachine\My -FilePath C:\intune.pfx