Updated 01/20/2021
We recently had a case escalation and wanted to provide a few more details on a Windows 10 certificate issue. Windows has documented the behavior and resolution, and several of our MVPs have written additional blog posts describing this scenario. In this post, we'll add a script we developed to detect whether or not the Intune Mobile Device Management (MDM) enrollment certificate is present on a co-managed Windows device, and provide a few recommendations for how to resolve the issue.
Let’s start with what devices could be affected:
From the Windows KB article – “System and user certificates might be lost when updating a device from Windows 10, version 1809 or later to a later version of Windows 10. Devices will only be impacted if they have already installed any Latest cumulative update (LCU) released September 16, 2020 or later and then proceed to update to a later version of Windows 10 from media or an installation source which does not have an LCU released October 13, 2020 or later integrated.”
Impacted devices running Windows 10, version 1909 may continue to make repeated calls to the Intune service (which could result in additional network traffic and/or battery drain for laptops). KB4598229 should be applied as soon as possible to these devices. Windows 10, version 2004 and later are not impacted by the repeated Intune service calls issue. Once KB4598229 is applied, a reboot is required for the fix to take effect.
NOTE: The application of KB4598229 does not remove the need to continue to detect and remediate devices that have lost their Intune MDM cert (as well as other required certs).
We see impact when managed devices are upgraded using outdated bundles or media through an update management tool such as Windows Server Update Services (WSUS) or Configuration Manager. This might also happen when using outdated physical media or ISO images that do not have the latest updates integrated.
From a device perspective, here’s what you’ll see:
What you can do to determine impact:
The sample script linked below is specifically developed for Intune co-managed devices and can be deployed to find those Windows 10 devices that don’t have the MDM enrollment certificate. We’ve tested this script in our internal environment and also worked with a customer to run the detection portion of the script. Please keep in mind the script is unsupported. If we make any changes to it, we’ll update this post.
You can download the script here (updated 12/8/2020) - https://aka.ms/mdm_enrollment_cert_script
Again, as shared above, this script will only work on Intune co-managed devices – those that have the ConfigMgr client installed and are enrolled into Intune. As described under what devices could be affected, there are a number of other scenarios that could be affected depending on your update path.
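The following PowerShell is an added detection-only example and is not the Microsoft script linked above. It performs the check the linked script is described as doing: on a co-managed device, confirm that the Intune MDM enrollment certificate is still in the machine certificate store. It assumes the ConfigMgr client can be recognised by its CcmExec service, that the Intune MDM enrollment is recorded under HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID> with ProviderID 'MS DM Server' and the issued certificate's thumbprint in the DMPCertThumbPrint value, and that the Intune MDM device certificate is issued by 'Microsoft Intune MDM Device CA' into Cert:\LocalMachine\My. Verify those identifiers against a known-good device in your own environment before relying on the result.

```powershell
# Added example (not the Microsoft script linked in this post): detection-only check
# that a co-managed Windows 10 device still holds its Intune MDM enrollment certificate.
# Assumed identifiers, verify against a healthy device first:
#   CcmExec                                  - ConfigMgr client service (co-management marker)
#   HKLM:\SOFTWARE\Microsoft\Enrollments\*   - MDM enrollment keys; the Intune one carries
#                                              ProviderID 'MS DM Server' and the certificate
#                                              thumbprint in DMPCertThumbPrint
#   'Microsoft Intune MDM Device CA'         - issuer of the Intune MDM device certificate

$EnrollmentsPath = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$IntuneIssuer    = 'Microsoft Intune MDM Device CA'

function Test-CoManagedClient {
    # Co-managed devices have the ConfigMgr client (SMS Agent Host) installed.
    [bool](Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue)
}

function Get-IntuneMdmEnrollment {
    # First enrollment key whose provider is the Intune MDM server, if any.
    Get-ChildItem -Path $EnrollmentsPath -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object -First 1
}

function Test-IntuneMdmCertificate {
    $state = [ordered]@{
        ComputerName       = $env:COMPUTERNAME
        CoManaged          = Test-CoManagedClient
        Enrolled           = $false
        ExpectedThumbprint = $null
        CertificatePresent = $false
        Compliant          = $false
        Detail             = ''
    }

    if (-not $state.CoManaged) {
        # Out of scope: the post only covers co-managed devices, so do not raise a finding.
        $state.Compliant = $true
        $state.Detail    = 'ConfigMgr client not found; device is not co-managed'
        return [pscustomobject]$state
    }

    $enrollment = Get-IntuneMdmEnrollment
    if (-not $enrollment) {
        $state.Detail = 'No Intune MDM enrollment key found'
        return [pscustomobject]$state
    }
    $state.Enrolled           = $true
    $state.ExpectedThumbprint = $enrollment.DMPCertThumbPrint

    # Certificates in the machine store issued by the Intune MDM CA.
    $intuneCerts = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object { $_.Issuer -like "*$IntuneIssuer*" }

    if ($state.ExpectedThumbprint) {
        # Strongest signal: the thumbprint the enrollment recorded must still be in the store.
        $state.CertificatePresent = [bool]($intuneCerts |
            Where-Object { $_.Thumbprint -eq $state.ExpectedThumbprint })
    } else {
        # No thumbprint recorded; fall back to "any Intune-issued device certificate present".
        $state.CertificatePresent = [bool]$intuneCerts
    }

    if ($state.CertificatePresent) {
        $state.Compliant = $true
        $state.Detail    = 'Intune MDM enrollment certificate present'
    } else {
        $state.Detail = 'Enrolled in Intune MDM but the enrollment certificate is missing from LocalMachine\My'
    }
    [pscustomobject]$state
}

# Emit the result as JSON (easy to collect from a ConfigMgr configuration item or a
# script run through Intune) and use the exit code to signal non-compliance.
$result = Test-IntuneMdmCertificate
$result | ConvertTo-Json -Compress
if (-not $result.Compliant) { exit 1 }
exit 0
```

Run it in the SYSTEM context (as a ConfigMgr configuration item or an Intune script) so it can read the machine store and the Enrollments hive. It deliberately stops at detection: a non-zero exit identifies the device as one that has lost its certificate, and the re-enrollment described under mitigation remains a separate, deliberate step.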
How you can mitigate impact:
You have a few different options, depending on your preferred approach:
This is the standard "your device is being unenrolled" message, which is what the script automates. Once the device is re-enrolled, policy will return its apps and settings.
Other information:
Again, keep us posted if you have any feedback by responding on this post or tagging @IntuneSuppTeam out on Twitter!
Post updated: