Intune Support Tip: Devices are not renewing their MDM enrollment certificates

This post has been republished via RSS; it originally appeared at: Intune Customer Success articles.

Historically, we've posted about the enrollment device certificate, including devices that haven't renewed it (see an article from 2018 here). We've been silently renewing the certificates for months now. However, given COVID-19 work-from-home measures, we have extended the enrollment certificate on iOS and Windows devices that have not yet updated their certificate, just in case those devices have been inaccessible. For Android devices, you'll want to have your end users update the Company Portal to version 5.0.4805.0+. If you have Android devices that haven't updated the enrollment certificate, you'll see a Message Center post (text is below).

Thank you to @davefalkus, who posted two scripts you can run. The All Android Devices script will show you which Android devices have an enrollment certificate that is expiring, and the All Devices script shows iOS, Windows, and Android devices but typically takes longer to run. Again, the only action is needed if you receive the message center post: ask end users to update their Company Portal app.

 

All Android Devices: https://github.com/microsoftgraph/powershell-intune-samples/blob/master/ManagedDevices/ExpiringCertJuly2020_Android.ps1

All Devices: https://github.com/microsoftgraph/powershell-intune-samples/blob/master/ManagedDevices/ExpiringCertJuly2020_All.ps1
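As an added illustration of the kind of report the linked Android script produces (this is not the sample script itself, nor Microsoft's code), the following queries the `managementCertificateExpirationDate` property of each Android managed device through Microsoft Graph and pairs it with the last check-in time, so that the triage questions in the message center post below (powered on? still checking in? Company Portal updated?) can be answered per device. It assumes the Microsoft.Graph PowerShell SDK is installed and an account with the `DeviceManagementManagedDevices.Read.All` permission; the cutoff date and the stale-device threshold are parameters you can change.

```powershell
# Added example, not the linked sample script: list Android devices whose Intune
# enrollment certificate expires before a cutoff and classify them by last check-in.
param(
    [datetime]$ExpiresBefore = '2020-07-12',  # expiry date quoted in the message center post
    [int]$StaleAfterDays     = 7              # no check-in for this long: likely off or blocked
)

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' | Out-Null

# Request only the properties needed and page through @odata.nextLink until exhausted.
$select = 'id,deviceName,userPrincipalName,deviceEnrollmentType,managedDeviceOwnerType,' +
          'lastSyncDateTime,managementCertificateExpirationDate'
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices' +
       "?`$filter=operatingSystem eq 'Android'&`$select=$select"

$devices = @()
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $devices += $page.value
    $uri = $page.'@odata.nextLink'
}

$now = Get-Date
$report = foreach ($d in $devices) {
    if (-not $d.managementCertificateExpirationDate) { continue }  # nothing reported yet
    $expiry = [datetime]$d.managementCertificateExpirationDate
    if ($expiry -ge $ExpiresBefore) { continue }                    # already renewed
    $lastSync      = [datetime]$d.lastSyncDateTime
    $daysSinceSync = [int]($now - $lastSync).TotalDays
    [pscustomobject]@{
        DeviceName     = $d.deviceName
        User           = $d.userPrincipalName
        EnrollmentType = $d.deviceEnrollmentType    # device admin vs work profile: different expiry impact
        Ownership      = $d.managedDeviceOwnerType
        CertExpires    = $expiry.ToString('yyyy-MM-dd')
        LastSync       = $lastSync.ToString('yyyy-MM-dd')
        # Still checking in but not renewing points at an outdated Company Portal;
        # silent for a week or more points at a powered-off, blocked or unhealthy device.
        LikelyCause    = if ($daysSinceSync -gt $StaleAfterDays) { 'not checking in' }
                         else { 'checking in; update Company Portal' }
    }
}

$report | Sort-Object CertExpires | Format-Table -AutoSize
$report | Export-Csv -Path .\AndroidExpiringEnrollmentCerts.csv -NoTypeInformation
```

The CSV gives helpdesk staff a per-user list to work through; devices in the "not checking in" bucket need the power, health and firewall checks from the list below before a Company Portal update can help.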

 

Here's the message center post text:

Intune Support Tip: Devices are not renewing their MDM enrollment certificates

The Intune service has been trying for several months to silently renew enrollment certificates used to establish trust with Mobile Device Management (MDM) managed devices. While the certificates have been offered to all devices, there is a subset of devices that are not able to receive the certificate – either because they are powered off, have device battery issues, or because of environmental conditions, such as port closures. We were able to seamlessly extend Windows and iOS enrollment certificates. Android devices can extend the certificate as well if you adopt Company Portal version 5.0.4805.0 and higher. The enrollment certificate for Android devices that do not renew will expire on July 12, 2020. Note these devices may be in various states which is why we’re providing information on the action you can take to ensure the devices are powered up and can renew the certificates before that date so that any end user impact is avoided.


How does this affect me?

We’re sending you this message since our records show you have Android devices that have not renewed their enrollment certificates. Here are the most common reasons why a device would not renew its certificate but still communicate with the Intune service:

  1. The device is powered off, and receiving no updates.
  2. The device has aggressive power saving routines (in which case you can open the Company Portal app to update).
  3. The device has not updated the Company Portal.
  4. You’ve configured a firewall which does not allow any service communication (note these devices would not be receiving policy updates as well).
  5. The device is powered on, but locked and inaccessible.
  6. The device is unhealthy and probably isn’t getting policy or app updates either. This includes a battery in a bad state so that the device can check in but can’t do much more than that.


When the certificate expires, the behavior will change depending on the type of Android enrollment.

  • Android Device Administrator – the device will be unenrolled from the service. App removal is not guaranteed. Personal data remains on the device.
  • Android Work Profile – the device will be unenrolled and apps and corporate data will be removed.


In either case, simply re-enrolling the device will return all policies and apps targeted to the device, although potentially not all corporate data depending on if it was saved locally on the device.


What do I need to do?

In the link provided [above - in the MC post we link to these scripts], you’ll find a script you can use to find the devices that are not renewing their enrollment certificate. Run this report, then you’ll want to take a look at the device details. Check:

  • Is the device powered on?
  • Is the device healthy?
  • Is the device still in use, or is the end user still at the company?
  • Can you update the Company Portal to adopt Company Portal version 5.0.4805.0+?
  • Does the device still exist or has an end user moved to a new device?


Contact Intune Support if you need additional assistance.


Let us know what questions you have!
