This post has been republished via RSS; it originally appeared at: Intune Customer Success articles.
Here's the text from the latest Message Center 207726 (MC) post.
Updated 3/25/2020 - Our PowerShell and Graph expert Dave Falkus recommended we put the script out in GitHub to make it easier to consume. So we've deleted the script posted in the blog and instead just linked to it here:
Text from MC207726
Intune recently shared a known issue in MC203629, whereby about 1% of devices Intune enrolled with iOS 13+ do not return the token needed to allow a passcode reset. Apple has now addressed the bug in 13.3.1 and higher, however, simply updating to 13.3.1 cannot fix already-enrolled devices. Devices without a password reset token will need to update to 13.3.1, then unenroll and reenroll in the service.
How does this affect me?
Your end users will only run into this if they enrolled into Intune with iOS 13+, forget their passcode, and need to reset their passcode. If the owner of the device never needs to remove or reset the passcode using Intune, there’s no issue. If the passcode for a device is lost and you have no method outside Intune to recover it, the device will have to be factory reset and enrolled again. Devices that got into this state were typically ones that had a user alias change or had a user account disabled and then re-enabled. When they went to enroll, they did not receive the token needed to allow a passcode reset. Therefore, Intune cannot reset the passcode on these devices, either through Microsoft Endpoint Manager Intune admin UI under Remove passcode setting or by the end user Reset Passcode setting at https://portal.manage.microsoft.com.
What action do I need to take?
- Run the PowerShell script below. This will give you the list of affected devices.
- Make sure your end user of the affected device has a backup of their data from the device (typically through iCloud or another backup offer).
- Update the impacted devices to 13.3.1, then unenroll and reenroll the device.
- Rerun the PowerShell script. If the device still shows there, then you’ll want to completely wipe the device then reenroll.
- If the device is still on the report when you re-run it, the device is not in a good state. Apple recommends wiping without restoring a backup and then reenrolling again.
- Any devices still on the report after trying in this state after enrolling multiple times will need a ticket with Apple to investigate further.
Three things to know before you use this script:
- The script generates a zip file you will manually unzip.
- The file name is logged on the console.
Write-host "Downloaded to local disk as $fileName in your current folder"
- The csv file includes macOS devices, which do not have this token. We'll work on updating the script to remove macOS. Alternatively, don't worry about the macOS devices that may be returned by the script.
Again, the script is now posted here: