May 30 2022 02:02 AM
Looking for some assistance regarding the 'PushLaunch' & 'PushRenewal' tasks.
For some reason, both of these tasks seem to disappear from our client machines.
All our devices are Hybrid AAD Joined & are co-managed.
From what I've been able to gather, people who have encountered this issue before have had the 'dmwappushservice' disabled.
This is currently set on our devices to "Automatic (Delayed Start, Trigger Start)"
Is this normal behaviour?
Thanks,
Jamie
May 30 2022 02:52 AM - edited May 30 2022 02:53 AM
I would expect PushLaunch (and PushRenewal) to be present.
Is WNS (Windows Push Notification Service) running? If not, start that service and perform a check-in / sync.
If it was already running, check if the tasks are only removed when GPOs kick in (by only AAD-joining the device, for instance).
May 30 2022 02:55 AM - edited May 30 2022 03:00 AM
EDIT: NielsScheffers beat me to answering the question first, while I was writing a reply.. 🙂 . Reminds me of the blog I still need to publish about those nice services that could go missing in action.
That would indeed be the right configuration for that service. I am assuming it's also started, just like the WNS service :).
Normally, when those services are running, those IntuneMGT tasks would be there. I am also assuming the GPO to enroll the devices in Intune is configured.
If so, what happens when recreating them?
Begin {
    # Policy location read by the enrollment client; AutoEnrollMDM = 1 is the value the
    # Intune auto-enrollment GPO writes.
    $RegKey  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\"
    $RegKey1 = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM"
    $ScheduleName = "Schedule created by enrollment client for automatically enrolling in MDM from AAD"
    # First run is five minutes from now. Build the timestamp from a single DateTime so the
    # date and time parts cannot straddle midnight.
    $StartBoundary = (Get-Date).AddMinutes(5).ToString("yyyy-MM-ddTHH:mm:ss")
    # Task definition, exported from a working device; runs as SYSTEM (S-1-5-18)
    # and calls deviceenroller.exe every 5 minutes for one day until enrollment succeeds.
    $ST = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Author>Microsoft Corporation</Author>
<URI>\Microsoft\Windows\EnterpriseMgmt\Schedule created by enrollment client for automatically enrolling in MDM from AAD</URI>
<SecurityDescriptor>D:P(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;LS)</SecurityDescriptor>
</RegistrationInfo>
<Triggers>
<TimeTrigger>
<Repetition>
<Interval>PT5M</Interval>
<Duration>P1D</Duration>
<StopAtDurationEnd>true</StopAtDurationEnd>
</Repetition>
<StartBoundary>$StartBoundary</StartBoundary>
<Enabled>true</Enabled>
</TimeTrigger>
</Triggers>
<Principals>
<Principal id="Author">
<UserId>S-1-5-18</UserId>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>false</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
<UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>%windir%\system32\deviceenroller.exe</Command>
<Arguments>/c /AutoEnrollMDM</Arguments>
</Exec>
</Actions>
</Task>
"@
}
Process {
    # Create the MDM policy key only if it is not already there, then set AutoEnrollMDM
    # as a DWORD (-Force overwrites an existing value instead of failing).
    if (-not (Test-Path $RegKey1)) {
        New-Item -Path $RegKey -Name MDM | Out-Null
    }
    New-ItemProperty -Path $RegKey1 -Name AutoEnrollMDM -Value 1 -PropertyType DWord -Force | Out-Null
    # Register the task from the XML above; -Force replaces a task with the same name.
    Register-ScheduledTask -Xml $ST -TaskName $ScheduleName -Force | Out-Null
}
May 30 2022 03:05 AM
@Jamie_McNamara @Rudy_Ooms_MVP @NielsScheffers
I would have expected it to be present as well, it's not hidden, just missing.
Can confirm that WNS is running and always has been.
That was my next port of call: add a device to an OU where no GPOs are applied and apply them one at a time to see what the cause is.
I've looked into our AV and there is nothing logged here to indicate that it is the culprit.
I just wanted to check if this behaviour is expected or someone knows what the potential cause could be before I head down the manual GPO route.
To confirm, the only tasks missing are 'PushLaunch' & 'PushRenewal'.
May 30 2022 03:13 AM
May 30 2022 03:17 AM - edited May 30 2022 03:28 AM
It is, & valid until 2023. The device can still sync to Intune via the sync button under "School & work accounts", and it updates in the dashboard.
Waiting to see if the sync function initiated from Intune updates or not.
Edit: Sync from the Intune portal doesn't seem to work. I'm going to assume that is due to these tasks missing.
Sync initiated from the device works fine, updates last check-in on the dashboard.
May 30 2022 07:45 AM
@Jamie_McNamara That's a correct assumption. The "PushLaunch"-task is executed when the Sync is pushed from Intune. It calls "deviceenroller.exe" with some parameters, which then starts the "Schedule to run OMADMClient by client"-task, which then starts "omadmclient.exe" with some parameters.
Unfortunately, I haven't gotten very far in troubleshooting this behavior (except that I've now accidentally deleted the task on my own machine, instead of my VM). I did notice a difference between these tasks and all the other tasks in there: the "PushLaunch"- and "PushRenewal"-tasks are actually visible without an elevated session, which would indicate they're user-based.
Disclaimer: apparently, no one really ever documented what "deviceenroller.exe" does (or at least, I can't find it), so what I write here is based on my own observation and the sparse information found online.
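A quick way to check the two things this thread keeps coming back to (the services named earlier and the EnterpriseMgmt task chain described above) on a suspect device. This is an added diagnostic, not code from any poster here; it assumes the tasks live under \Microsoft\Windows\EnterpriseMgmt\<EnrollmentGUID>\ and that the WNS service is named WpnService. Run it elevated, because only PushLaunch and PushRenewal are visible from a non-elevated session.

```powershell
# Added diagnostic (not from this thread): report the services and EnterpriseMgmt tasks
# that a remote Intune sync depends on. Assumes tasks sit under
# \Microsoft\Windows\EnterpriseMgmt\<EnrollmentGUID>\ (where the enrollment client puts them).
$taskRoot      = '\Microsoft\Windows\EnterpriseMgmt\'
$expectedTasks = @('PushLaunch', 'PushRenewal', 'Schedule to run OMADMClient by client')

# 1. Services: dmwappushservice (WAP push routing) and WpnService (Windows Push Notifications).
foreach ($name in 'dmwappushservice', 'WpnService') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service $name not found on this machine"
        continue
    }
    '{0,-18} Status={1,-8} StartType={2}' -f $name, $svc.Status, $svc.StartType
    # Get-Service does not expose "Trigger Start"; sc.exe shows the registered triggers.
    sc.exe qtriggerinfo $name
}

# 2. Scheduled tasks under the EnterpriseMgmt folder, grouped per enrollment GUID folder.
$tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskPath -like "$taskRoot*" }

if (-not $tasks) {
    Write-Warning "No tasks found under $taskRoot - device may not be MDM enrolled (or session not elevated)"
    return
}

$tasks | Group-Object TaskPath | ForEach-Object {
    $present = $_.Group.TaskName
    $missing = $expectedTasks | Where-Object { $_ -notin $present }
    [pscustomobject]@{
        EnrollmentFolder = $_.Name
        TaskCount        = $_.Count
        MissingTasks     = if ($missing) { $missing -join ', ' } else { '(none)' }
    }
}
```

A device where PushLaunch and PushRenewal are listed as missing matches the symptom in this thread: sync from the device works, a sync pushed from the Intune portal does not.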
May 30 2022 09:08 AM
May 30 2022 11:47 PM
Oct 05 2022 06:59 AM
Oct 05 2022 07:03 AM
Oct 05 2022 08:03 AM - edited Oct 05 2022 09:19 AM
Manually triggering a "sync" from the Company Portal app or going the long way via Settings will update the sync time correctly in the admin portal. The sync time in the admin portal will normally show as the last check-in time during the normal 8-hour sync interval as well.
I can also kick off the scheduled task "login schedule created by enrollment client" and that will show the updated sync time in the admin portal also.
Can you be more specific on what cert to look for on my Windows device? On another note, we had another Intune-enrolled device show these scheduled tasks were present, but syncing from the admin portal still wasn't working. Are there any services that need to be running all the time that could impact this? I know the dmwappushservice was disabled by GPO at one point in time, but that has been corrected and now shows as Automatic (Triggered Start).
I pulled up my Windows Autopilot Intune enrolled device via the Graph Explorer and shows my "managementCertificateExpirationDate" expires on 7-19-2023 so I'm good there.
Oct 06 2022 08:44 AM
Aug 23 2023 03:14 PM - edited Aug 23 2023 03:21 PM
Has anyone had any luck at getting these 2 scheduled tasks back? Or is there another way we can remotely kick off a Sync?
Aug 24 2023 12:48 AM