We recently had a case escalation and wanted to provide a few more details on a Windows 10 certificate issue. Windows has documented the behavior and resolution, and several of our MVPs have published blog posts describing this scenario. In this post, we add a script we developed to detect whether the Intune Mobile Device Management (MDM) enrollment certificate is still present on a co-managed Windows device, and we provide a few recommendations for how to resolve the issue.
Let’s start with what devices could be affected:
From the Windows KB article – “System and user certificates might be lost when updating a device from Windows 10, version 1809 or later to a later version of Windows 10. Devices will only be impacted if they have already installed any Latest cumulative update (LCU) released September 16, 2020 or later and then proceed to update to a later version of Windows 10 from media or an installation source which does not have an LCU released October 13, 2020 or later integrated.”
Impacted devices running Windows 10, version 1909 may continue to make repeated calls to the Intune service (which could result in additional network traffic and/or battery drain for laptops). KB4598229 should be applied as soon as possible to these devices. Windows 10, version 2004 and later are not impacted by the repeated Intune service calls issue. Once KB4598229 is applied, a reboot is required to apply the fix.
NOTE: The application of KB4598229 does not remove the need to continue to detect and remediate devices that have lost their Intune MDM cert (as well as other required certs).
We see impact when managed devices are upgraded using outdated bundles or media through an update management tool such as Windows Server Update Services (WSUS) or Configuration Manager. This might also happen when using outdated physical media or ISO images that do not have the latest updates integrated.
From a device perspective, here’s what you’ll see:
The MDM enrollment certificate is no longer on the Windows device. Without this certificate the device cannot authenticate to the Intune service, so it can no longer establish the trust needed to receive policy from Intune.
The Windows 10 device may no longer have corporate Wi-Fi, VPN, or other certificate-based authentication policies.
End users may report they are unable to access sites that they typically had access to (and there’s no other compliance policy or issue affecting their access).
You may notice a high volume of traffic in the Intune Management Extension logs.
What you can do to determine impact:
The sample script linked below is specifically developed for Intune co-managed devices and can be deployed to find those Windows 10 devices that don’t have the MDM enrollment certificate. We’ve tested this script in our internal environment and also worked with a customer to run the detection portion of the script. Please keep in mind the script is unsupported. If we make any changes to it, we’ll update this post.
Again, as shared above, this script will only work on Intune co-managed devices, that is, devices that have the ConfigMgr client installed and are enrolled into Intune. As described under "what devices could be affected" above, a number of other scenarios could be affected depending on your update path.
How you can mitigate impact:
You have a few different options, depending on your preferred approach:
If you have already encountered this issue on your device, you can mitigate it within the uninstall window by going back to your previous version of Windows using the instructions here. Windows has documented this as the preferred approach in their KB article.
The sample script we shared above includes optional remediation logic for co-managed devices. One important end-user caveat though, if you use this remediation logic, the following message will appear in the Windows 10 notification center when the device is unenrolled before it is re-enrolled:
This is the standard "your device is being unenrolled" message; the unenrollment is what the script automates. Once the device is re-enrolled, policy will restore apps and settings.
The detection logic in the script only returns the devices missing the MDM enrollment certificate.
You can run the script in detection-only mode or in detect-and-remediate mode:
Running mdmcertcheckandremediate.ps1 without any parameters is detection-only mode.
Running mdmcertcheckandremediate.ps1 -Remediate 1 is detect-and-remediate mode.
If you are a co-managed customer, the remediation step of re-enrolling the device into Intune is performed by the Configuration Manager client (ccmexec) based on the co-management policy targeted at the device. The ConfigMgr client uses the existing co-management enrollment process if the domain-joined device is still Azure AD-joined; otherwise enrollment is retried as soon as the device re-joins Azure AD. Co-management enrollment is retried when ccmexec starts up and again by the scheduled co-management enrollment task that runs every day.
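The following PowerShell script is an added example written for this post to show the detection flow described above (missing MDM enrollment certificate on a co-managed device, detection-only versus -Remediate 1). It is not the Intune team's mdmcertcheckandremediate.ps1 and is not supported code. It assumes that device MDM enrollments are recorded under HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID> with ProviderID "MS DM Server" and the enrollment certificate thumbprint in DMPCertThumbprint, that the Intune MDM device certificate is issued by "Microsoft Intune MDM Device CA" and stored in Cert:\LocalMachine\My, and that dsregcmd /status reports "AzureAdJoined : YES" on an Azure AD-joined device. Its remediation path is a simplified substitute: it does not reproduce the unenrollment step, it only confirms the Azure AD join state (as the December 8 update says the real script does) and restarts CcmExec so the co-management enrollment retry runs at service startup.

```powershell
# Added example: detect a missing Intune MDM enrollment certificate on a co-managed device.
# Not the Intune team's mdmcertcheckandremediate.ps1; registry paths, issuer name and the
# dsregcmd output format below are assumptions documented in the lead-in.
[CmdletBinding()]
param(
    # Mirrors the page's convention: no parameter = detect only, -Remediate 1 = detect and remediate
    [int]$Remediate = 0
)

$IntuneIssuer = 'Microsoft Intune MDM Device CA'   # assumption: issuer CN of the MDM device cert

function Get-IntuneDeviceEnrollment {
    # Assumption: the device MDM enrollment lives under HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID>
    # with ProviderID 'MS DM Server' and the cert thumbprint in DMPCertThumbprint.
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    if (-not (Test-Path $root)) { return $null }
    foreach ($key in Get-ChildItem $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($props.ProviderID -eq 'MS DM Server') {
            return [pscustomobject]@{
                EnrollmentId = $key.PSChildName
                Thumbprint   = $props.DMPCertThumbprint
            }
        }
    }
    return $null
}

function Test-IntuneMdmCertificate {
    param([string]$Thumbprint)
    $store = Get-ChildItem Cert:\LocalMachine\My -ErrorAction SilentlyContinue
    $cert  = $null
    # Prefer the exact thumbprint recorded at enrollment; fall back to any cert from the Intune CA
    if ($Thumbprint) { $cert = $store | Where-Object Thumbprint -eq $Thumbprint }
    if (-not $cert)  { $cert = $store | Where-Object Issuer -like "*$IntuneIssuer*" | Select-Object -First 1 }

    if (-not $cert) {
        return [pscustomobject]@{ Status = 'Missing'; Detail = 'No Intune MDM device certificate in LocalMachine\My' }
    }
    # A present but unusable cert breaks trust just as a missing one does, so report those too
    if ($cert.NotAfter -lt (Get-Date)) {
        return [pscustomobject]@{ Status = 'Expired'; Detail = "Expired $($cert.NotAfter) ($($cert.Thumbprint))" }
    }
    if (-not $cert.HasPrivateKey) {
        return [pscustomobject]@{ Status = 'NoPrivateKey'; Detail = "Private key missing ($($cert.Thumbprint))" }
    }
    return [pscustomobject]@{ Status = 'Present'; Detail = "OK, expires $($cert.NotAfter) ($($cert.Thumbprint))" }
}

function Test-AzureAdJoined {
    # Assumption: dsregcmd /status prints 'AzureAdJoined : YES' for Azure AD or hybrid joined devices
    $out = & dsregcmd.exe /status 2>$null
    return [bool]($out | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)
}

# Scope check: the page's script only applies to co-managed devices, i.e. ConfigMgr client present
$ccm = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
if (-not $ccm) {
    Write-Output 'NotCoManaged: ConfigMgr client (CcmExec) not installed; out of scope'
    exit 0
}

$enrollment = Get-IntuneDeviceEnrollment
$check      = Test-IntuneMdmCertificate -Thumbprint $enrollment.Thumbprint
if ($check.Status -eq 'Present') {
    Write-Output "Compliant: $($check.Detail)"
    exit 0
}

# Exit code 1 marks the device as non-compliant for ConfigMgr Run Scripts / Intune remediation reporting
Write-Output "NonCompliant: $($check.Status) - $($check.Detail) (enrollment: $($enrollment.EnrollmentId))"
if ($Remediate -ne 1) { exit 1 }

# Simplified remediation (assumption, not the page's script): only proceed when the device is still
# Azure AD joined, then restart CcmExec so the co-management enrollment retry runs at startup.
if (-not (Test-AzureAdJoined)) {
    Write-Output 'Remediation skipped: device is not Azure AD joined; re-join it first'
    exit 1
}
Restart-Service -Name CcmExec -Force
Write-Output 'Remediation triggered: CcmExec restarted, co-management enrollment will retry'
exit 1
```

Run it as SYSTEM (for example through ConfigMgr Run Scripts) with no parameters to collect the Compliant/NonCompliant line per device, and with -Remediate 1 only after you have confirmed the detection results on a pilot collection. The expired and no-private-key cases are reported separately from Missing because they produce the same loss of trust but would be hidden by a check that only counts certificates in the store.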
Again, keep us posted if you have any feedback by responding on this post or tagging @IntuneSuppTeam out on Twitter!
December 8, 2020 - Updated the script link to a newer version. The updated script detects if the Mobile Device Management (MDM) enrollment cert is missing for device-based MDM enrollment. The script now also verifies that impacted device is joined or re-joined to Azure AD, before remediation.
January 20, 2021 - Impacted devices running Windows 10, version 1909 may continue to make repeated calls to the Intune service (which could result in additional network traffic and/or battery drain for laptops). KB4598229 should be applied as soon as possible to these devices.