Enterprise Mgmt "Scheduled Tasks Missing"


Looking for some assistance regarding the 'PushLaunch' & 'PushRenewal' tasks.

 

For some reason, both of these tasks seem to disappear from our client machines.

All our devices are Hybrid AAD Joined & are co-managed.

 

From what I've been able to gather, people who have encountered this issue before have had the 'dmwappushservice' disabled.

 

This is currently set on our devices to "Automatic (Delayed Start, Trigger Start)"

 

Is this normal behaviour?

 

Thanks,

Jamie

13 Replies

I would expect PushLaunch (and PushRenewal) to be present.

 

Is WNS (Windows Push Notification Service) running? If not, start that service and perform a check-in / sync.

 


If it was already running, check if the tasks are only removed when GPOs kick in (by only AAD-joining the device, for instance).

EDIT: NielsScheffers beat me to answering the question first, while I was writing a reply. :) Reminds me of the blog I still need to publish about those nice services that could go missing in action

 

That would indeed be the right configuration for that service. I am assuming it's also started, just like the WNS service :).
Normally, when those services are running, those IntuneMGT tasks would be there. I am also assuming the GPO to enroll the devices in Intune is configured.

 

If so, what happens when recreating them?

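Begin {
    # Policy key and value that enable automatic MDM enrollment from AAD
    $RegKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\"
    $RegKey1 = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM"
    $ScheduleName = "Schedule created by enrollment client for automatically enrolling in MDM from AAD"
    # First run is five minutes from now; take date and time from the same
    # instant so the start boundary stays correct across midnight
    $Start = (Get-Date).AddMinutes(5)
    $Date = $Start.ToString("yyyy-MM-dd")
    $Time = $Start.ToString("HH:mm:ss")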

$ST = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Author>Microsoft Corporation</Author>
<URI>\Microsoft\Windows\EnterpriseMgmt\Schedule created by enrollment client for automatically enrolling in MDM from AAD</URI>
<SecurityDescriptor>D:P(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;LS)</SecurityDescriptor>
</RegistrationInfo>
<Triggers>
<TimeTrigger>
<Repetition>
<Interval>PT5M</Interval>
<Duration>P1D</Duration>
<StopAtDurationEnd>true</StopAtDurationEnd>
</Repetition>
<StartBoundary>$($Date)T$($Time)</StartBoundary>
<Enabled>true</Enabled>
</TimeTrigger>
</Triggers>
<Principals>
<Principal id="Author">
<UserId>S-1-5-18</UserId>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>false</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
<UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>%windir%\system32\deviceenroller.exe</Command>
<Arguments>/c /AutoEnrollMDM</Arguments>
</Exec>
</Actions>
</Task>

"@

}
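Process {
    # Create the MDM policy key only if it is missing, then set AutoEnrollMDM = 1
    if (-not (Test-Path $RegKey1)) {
        New-Item -Path $RegKey -Name MDM | Out-Null
    }
    New-ItemProperty -Path $RegKey1 -Name AutoEnrollMDM -Value 1 -PropertyType DWord -Force | Out-Null

    # Register (or overwrite) the auto-enrollment task from the XML definition above
    Register-ScheduledTask -Xml $ST -TaskName $ScheduleName -Force | Out-Null
}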

@Jamie_McNamara @Rudy_Ooms_MVP @NielsScheffers 

 

I would have expected it to be present as well, it's not hidden, just missing.

 

Can confirm that WNS is running and always has been.


That was my next port of call: add a device to an OU where no GPOs are applied and apply them one at a time to see what the cause is.

 

I've looked into our AV and there is nothing logged here to indicate that it is the culprit.

 

I just wanted to check if this behaviour is expected or someone knows what the potential cause could be before I head down the manual GPO route.

 

To confirm, the only tasks missing are the 'PushLaunch' & 'PushRenewal'

Mmm ... could you confirm if the intune device cert is still on the device?
https://call4cloud.nl/2021/04/alice-and-the-device-certificate/

It is, and it's valid until 2023. The device can still sync to Intune via the sync button under school & work accounts, and it updates in the dashboard.

Waiting to see if the sync function initiated from Intune updates or not.

 

Edit: Sync from Intune portal doesn't seem to work, I'm going to assume that is due to these tasks missing.

 

Sync initiated from the device works fine, updates last check-in on the dashboard.

@Jamie_McNamara That's a correct assumption. The "PushLaunch"-task is executed when the Sync is pushed from Intune. It calls "deviceenroller.exe" with some parameters, which then starts the "Schedule to run OMADMClient by client"-task, which then starts "omadmclient.exe" with some parameters. 

 

Unfortunately, I haven't gotten very far in troubleshooting this behavior (except that I've now accidentally deleted the task on my own machine, instead of my VM :facepalm:). I did notice a difference between these tasks and all the other tasks in there: the "PushLaunch"- and "PushRenewal"-tasks are actually visible without an elevated session, which would indicate they're user-based.

 

Disclaimer: apparently, no one really ever documented what "deviceenroller.exe" does (or at least, I can't find it), so what I write here is based on my own observation and the sparse information found online.
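The checks discussed in this thread so far (service state, presence of the two push tasks, and the Intune device certificate), collected into one read-only diagnostic. This is an added example, not code from any poster; it assumes WNS runs as the service `WpnService` and that the device certificate sits in `Cert:\LocalMachine\My` with an issuer containing "Microsoft Intune MDM Device CA". The function name is hypothetical.

```powershell
# Added diagnostic example (not from the thread). Run elevated on the affected client.
# Assumptions: WNS runs as service 'WpnService'; the Intune device certificate is in
# Cert:\LocalMachine\My with an issuer containing 'Microsoft Intune MDM Device CA'.
function Get-IntunePushHealth {
    [CmdletBinding()]
    param(
        [string[]]$ServiceName = @('dmwappushservice', 'WpnService'),
        [string[]]$TaskName    = @('PushLaunch', 'PushRenewal'),
        [string]  $TaskPath    = '\Microsoft\Windows\EnterpriseMgmt\*'
    )

    # 1. Services the thread ties to the push tasks: must exist and not be Disabled.
    foreach ($name in $ServiceName) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Check  = "Service $name"
            Ok     = [bool]($svc -and $svc.StartType -ne 'Disabled')
            Detail = if ($svc) { "$($svc.Status), StartType=$($svc.StartType)" } else { 'not installed' }
        }
    }

    # 2. Search every subfolder under EnterpriseMgmt for the two push tasks.
    $tasks = @(Get-ScheduledTask -TaskPath $TaskPath -ErrorAction SilentlyContinue)
    foreach ($name in $TaskName) {
        $hit = @($tasks | Where-Object TaskName -eq $name)
        [pscustomobject]@{
            Check  = "Task $name"
            Ok     = $hit.Count -gt 0
            Detail = if ($hit) { ($hit | ForEach-Object { "$($_.TaskPath) [$($_.State)]" }) -join '; ' } else { 'missing' }
        }
    }

    # 3. MDM device certificate: present and not expired.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object Issuer -like '*Microsoft Intune MDM Device CA*' |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    [pscustomobject]@{
        Check  = 'Intune device certificate'
        Ok     = [bool]($cert -and $cert.NotAfter -gt (Get-Date))
        Detail = if ($cert) { "expires $($cert.NotAfter.ToString('yyyy-MM-dd'))" } else { 'not found' }
    }
}

Get-IntunePushHealth | Format-Table -AutoSize -Wrap
```

Running it on a working and a failing device and comparing the rows shows which of the three conditions differs; it changes nothing on the machine.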

Sounds like a future blog :)
I haven't had the opportunity to test the GPO theory out, hopefully get to it some time this week, I'll update this post with my findings.

Thanks for all the help so far from both of you.
Haha yeah there's a string "RescheduleUserTasks" in the binary (close to other CLI-parameters, like "WscStartupAlert") but I couldn't get it to do anything (yet).
Hello,
I'm seeing the same scheduled tasks missing in our prod environment, where we have a test environment those scheduled tasks are present. Have there been any updates to this and what causes the PushLaunch and PushRenewal to be missing???
Is the device still enrolled into Intune? Does it still have the Intune device cert? What happens when triggering a sync from the device?

Manually triggering a "sync" from the Company Portal app or going the long way via Settings will update the sync time correctly in the admin portal. The sync time in the admin portal will normally show as last check in time during the normal 8hr sync interval as well.
I can also kick off the scheduled task "login schedule created by enrollment client" and that will show the updated sync time in the admin portal also.
Can you be more specific on what cert to look for on my Windows device? On another note, we had another Intune-enrolled device show these scheduled tasks were present, but syncing from the admin portal still wasn't working. Are there any services that need to be running all the time that could impact this? I know the dmwappushservice was disabled by GPO at one point in time, but that has been corrected and now shows as Automatic (Triggered Start).

I pulled up my Windows Autopilot Intune-enrolled device via the Graph Explorer and it shows my "managementCertificateExpirationDate" expires on 7-19-2023, so I'm good there.

Another note, these devices are co-managed with SCCM. I'm thinking that has something to do with it. We had one device that was able to Sync until the SCCM client was installed. After that got installed, clicking the sync button no longer worked.