Ensuring Certificate Renewal for Devices and Connectors in Intune


4/13/18: Updated with a revised version of the GetExpiringDevices script at the link below.

4/13/18: Updated with instructions for Configuration Manager customers using hybrid MDM.

4/17/18: Updated with additional guidance when force syncing Apple devices.

4/18/18: Updated with new instructions to determine device impact for hybrid customers.

4/19/18: Updated instructions for force syncing. Added link for PowerShell script to sync Windows devices.

4/20/18: Updated information for Android and iOS.

4/21/18: Updated with the final notice.

The older certificate has expired and almost all devices have received the new certificate in the past 45 days. If you have a device that was hidden away in a drawer for the last 45 days, had device health issues, was not unlocked in that time, or was blocked from receiving the reissued certificate, you'll find resources below on how to re-enroll. Note that the behaviour of a device without the new certificate varies by device type:

  • For Android devices, once the certificate expires and the portal detects that it’s expired, the device does a local unenroll.
  • Knox devices will additionally remove all apps once the certificate expires and the device unenrolls.
  • For iOS devices, once the certificate expires, the device will not be able to receive new policies, apps, NDES certificates, or any IT-driven MDM changes. Existing policies and apps will stay on the device.

In cases where the certificate did not update, devices will need to be unenrolled and re-enrolled.

Similar to devices, connectors (such as the Exchange or NDES connectors) that did not renew their certificate will also need to be reinstalled. Provided you have the configuration information for the connector, reinstalling it does not normally impact devices or users.

<original post below>

Certificates that Intune issues to establish trust with MDM-managed devices and connectors are renewed automatically every year when the device or connector connects to the Intune service. The current certificates will expire on April 21, 2018. We've sent out a message center post asking you to take a one-time action related to certificate renewal so that these certificates are renewed before April 21. Check whether certificate renewal is blocked for any devices in your environment using the scripts in this blog post. This post also has information on how to force sync devices, along with end user guidance. Please take action as soon as possible to avoid certificate expiration on April 21, 2018, and let your helpdesk know about this as well.

Sometimes, devices are in an unhealthy state or simply have not connected with the service due to battery issues, network issues and so on. When devices or service connectors are unable to connect to the Intune service, Intune cannot automatically push updated certificates to them. In this post, we’ll share a way for you to find out which devices have not auto-renewed certificates and have certificates that are close to expiration. We also have platform-specific information to manually force a sync with the Intune service for devices that are not checking in along with instructions for connectors. This can help avoid the situations below when a certificate expires:

  • If a certificate for a device enrolled in Mobile Device Management (MDM) expires without being renewed, the end user will need to re-enroll into Intune.
  • In case of connectors, if Intune-issued certificates expire, an admin needs to re-enroll the connector.

Note that this issue does not affect customers using Intune App Protection also known as Mobile App Management (MAM).

Using Graph to check certificate expiration for devices

For Intune Standalone: We have a script that you can run with global admin credentials to get a list of impacted devices using Microsoft Graph. Use it to understand which devices are affected and take action accordingly. Alternatively, you can run the query from the script in Graph Explorer. You can download the script here: https://aka.ms/Get_Expiring_Devices_script
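As an added example (this is not the aka.ms script from the post, nor Microsoft's code), here is the core of what such a check does against Microsoft Graph: it pages through `deviceManagement/managedDevices`, reads each device's `managementCertificateExpirationDate`, and writes the devices whose certificate expires within a window to CSV so the helpdesk can contact the users. It assumes you already hold a Graph access token for the tenant with permission to read managed devices (`DeviceManagementManagedDevices.Read.All`); the `$AccessToken` parameter, the 30-day window and the CSV path are this example's own choices, not anything the post specifies.

```powershell
# Added example: list Intune-managed devices whose MDM certificate expires soon.
# Assumes $AccessToken is a valid Graph bearer token (how you obtain it is up to your tenant's auth setup).
param(
    [Parameter(Mandatory)][string]$AccessToken,
    [int]$DaysUntilExpiry = 30,                 # assumed window; adjust to your cutover date
    [string]$CsvPath = '.\ExpiringDevices.csv'
)

$headers = @{ Authorization = "Bearer $AccessToken" }
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=' +
       'id,deviceName,operatingSystem,userPrincipalName,lastSyncDateTime,managementCertificateExpirationDate'

# Walk every page of results; Graph returns a bounded page and an @odata.nextLink for the rest.
$devices = @()
while ($uri) {
    $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $devices += $page.value
    $uri = $page.'@odata.nextLink'
}

# Filter client-side: devices with no expiry value are skipped rather than treated as expired.
$cutoff = (Get-Date).AddDays($DaysUntilExpiry)
$expiring = $devices | Where-Object {
    $_.managementCertificateExpirationDate -and
    ([datetime]$_.managementCertificateExpirationDate) -le $cutoff
} | Select-Object deviceName, operatingSystem, userPrincipalName, id,
        @{ Name = 'LastSync';    Expression = { [datetime]$_.lastSyncDateTime } },
        @{ Name = 'CertExpires'; Expression = { [datetime]$_.managementCertificateExpirationDate } }

# Per-platform summary for the console, full list to CSV for the helpdesk.
$expiring | Group-Object operatingSystem | Select-Object Name, Count | Format-Table -AutoSize
$expiring | Sort-Object CertExpires | Export-Csv -Path $CsvPath -NoTypeInformation
Write-Host "$($expiring.Count) of $($devices.Count) devices expire before $cutoff; written to $CsvPath"
```

The `LastSync` column is the useful triage field: a device whose certificate is about to expire but which synced yesterday is renewing normally and just has not been issued the new certificate yet, whereas one that has not synced in weeks is the "in a drawer" case the post describes and needs the user to bring it online.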

Determining device impact for hybrid Mobile Device Management (MDM)

For Intune Hybrid: You can use a template to create a Power BI dashboard and get a list of your devices with expiring certificates. The template is available for download here: https://aka.ms/PowerBI_template_for_hybrid

Follow these steps to determine which devices are impacted:

  1. Update to the latest version of Power BI Desktop.
  2. Go to the Azure portal and sign in with either global admin or Intune admin rights.
  3. Navigate to the Intune workload.
  4. Copy the Intune Data Warehouse URL for your tenant by going to Intune > Overview > Set up Intune Data Warehouse.
  5. Open the Power BI template.
  6. Enter the Intune data warehouse URL and set the API version to beta and click Load.
  7. Sign in using global admin or Intune service admin credentials when prompted after selecting the Organizational Account option.
  8. The devices list will show any devices that have not renewed their certificate.  You can export the list of devices by clicking the three dots in the upper right-hand corner of the devices report and clicking "Export data".

Please note:

  • Intune Data Warehouse does not officially support hybrid customers. This is a temporary exception.
  • Support for this report will end on April 25, 2018.
  • Export from Power BI will not work if there are more than 10,000 rows in the table.
  • This report will only work with a global/Intune service admin account.
  • Data in the Intune Data Warehouse is 24 hours old, so any devices that receive the new certificate within that 24-hour period may not be immediately reflected in the report.

Force syncing devices

To manually force a sync on devices that are in use but have not checked in, navigate to the Devices blade in the Intune on Azure console, or ask impacted end users to follow the platform-specific steps listed below.

For Windows

To trigger renewal, run the PowerShell script linked in the 4/19/18 update above on the device, or follow these steps:

  • Open Task Scheduler.
  • Navigate to Task Scheduler Library > Microsoft > Windows > EnterpriseMgmt > {GUID}.
  • Right-click the task "Schedule created by enrollment client for renewal of certificate warning" and select Run.
  • Wait for the task to complete (it should finish in less than a minute; right-clicking the {GUID} folder and selecting Refresh will refresh the view).
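The same steps, automated as an added example (this is not the script from the 4/19/18 update). It locates the enrollment client's renewal task under `\Microsoft\Windows\EnterpriseMgmt\{GUID}\`, starts it, polls until it finishes, and compares the device certificate's expiry before and after so you can tell whether a renewal actually happened. It must run in an elevated PowerShell on the enrolled Windows 10 device. The issuer string used to find the Intune-issued device certificate in the machine store is this example's assumption, not something the post states; check `Cert:\LocalMachine\My` on one device first if it matches nothing.

```powershell
# Added example: trigger the MDM certificate renewal task and verify the result. Run elevated.
$issuerPattern = '*Microsoft Intune MDM Device CA*'   # ASSUMED issuer of the Intune device cert

function Get-MdmDeviceCertExpiry {
    # Returns the NotAfter value(s) of certificates in the machine store issued by the Intune MDM CA.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like $issuerPattern } |
        Select-Object -ExpandProperty NotAfter
}

$before = @(Get-MdmDeviceCertExpiry)
Write-Host "MDM device certificate expiry before: $($before -join ', ')"

# The {GUID} folder name differs per enrollment, so match on the path prefix and task name.
$task = Get-ScheduledTask |
        Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' -and
                       $_.TaskName -like '*renewal of certificate warning*' } |
        Select-Object -First 1
if (-not $task) { throw 'No enrollment renewal task found; is this device MDM-enrolled?' }

$task | Start-ScheduledTask

# Poll rather than sleeping a fixed time; the task normally completes in under a minute.
$deadline = (Get-Date).AddMinutes(2)
do {
    Start-Sleep -Seconds 5
    $state = (Get-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath).State
} while ($state -eq 'Running' -and (Get-Date) -lt $deadline)

$info = $task | Get-ScheduledTaskInfo
Write-Host ("Task state: {0}, last result: 0x{1:X}" -f $state, $info.LastTaskResult)

$after = @(Get-MdmDeviceCertExpiry)
if (($after -join ',') -ne ($before -join ',')) {
    Write-Host "Certificate renewed; new expiry: $($after -join ', ')"
} else {
    Write-Warning 'Certificate expiry unchanged: the device may not yet be inside the renewal window, or the check-in failed (check the DeviceManagement-Enterprise-Diagnostics-Provider event log).'
}
```

A zero `LastTaskResult` only means the task ran; the before/after comparison is what tells you the service actually issued a new certificate, which is why the script reads the store twice rather than trusting the task status.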

For Windows Phone: Leave the device on and connected to the internet for 48 hours.

For Apple

Go to All Devices. Click on Device name > Overview > More > Sync

Certificates renew automatically during a device sync, but only on devices that stay unlocked for about 30 seconds, which is how long an MDM session takes to complete. If the device is locked, the device itself blocks certificate delivery from Intune. In that case, end users can sign in to the Company Portal and sync the device from there. Before syncing, also ensure the device has enough free storage and sufficient battery.

We recommend that, where possible, impacted end users are asked to sign in to the Company Portal to trigger a sync from the device itself. This guarantees that the device is online and unlocked.

For Apple Device Enrollment Program (DEP) devices, admins will have to trigger the sync while the device is in use, by asking the user to unlock it or to sync it themselves.

For Android

Go to All Devices. Click on Device name > Overview > More > Sync

This sync will trigger renewal for devices that have certificates close to expiry. Impacted end users can be asked to upgrade to the latest version of the Company Portal, so that the Intune service can push a new certificate renewal command to the device.

For Android devices which have yet to receive renewed certificates, we recommend that end users are asked to launch the Intune Company Portal on their device, navigate to the Settings menu and select Sync. End users should leave the Intune Company Portal open until the "Syncing policy with Microsoft Intune" notification goes away, which typically occurs within 1 minute. 
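The console's More > Sync button for Apple and Android devices corresponds to the Graph `syncDevice` action on a managed device. As an added example (not code from the post or from Microsoft), the script below queues that sync for a list of device ids, for instance the `id` column exported by an expiring-devices report, and then reads back `lastSyncDateTime` so you can see which devices actually responded. It assumes a Graph access token with `DeviceManagementManagedDevices.PrivilegedOperations.All` (required for `syncDevice`) and `DeviceManagementManagedDevices.Read.All`; the parameter names and the wait time are the example's own choices.

```powershell
# Added example: queue an Intune sync for several devices via Graph and check who checked in.
# Assumes $AccessToken is a valid Graph bearer token with the permissions named in the lead-in.
param(
    [Parameter(Mandatory)][string]$AccessToken,
    [Parameter(Mandatory)][string[]]$DeviceId,
    [int]$WaitSeconds = 120          # assumed grace period before reading lastSyncDateTime
)

$headers = @{ Authorization = "Bearer $AccessToken" }
$base = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices'
$started = (Get-Date).ToUniversalTime()

# syncDevice only queues a command; the device must be online and unlocked to act on it,
# which is why the post tells users to open the Company Portal rather than relying on this alone.
$queued = foreach ($id in $DeviceId) {
    try {
        Invoke-RestMethod -Method Post -Uri "$base/$id/syncDevice" -Headers $headers | Out-Null
        [pscustomobject]@{ DeviceId = $id; Queued = $true;  Error = $null }
    } catch {
        [pscustomobject]@{ DeviceId = $id; Queued = $false; Error = $_.Exception.Message }
    }
    Start-Sleep -Milliseconds 200   # pace requests to stay clear of Graph throttling
}

Start-Sleep -Seconds $WaitSeconds

# Read back each device's last check-in and expiry; a lastSyncDateTime after $started means it responded.
$results = foreach ($q in $queued) {
    $row = [ordered]@{ DeviceId = $q.DeviceId; Queued = $q.Queued; Responded = $false; CertExpires = $null; Error = $q.Error }
    if ($q.Queued) {
        $d = Invoke-RestMethod -Method Get -Headers $headers `
             -Uri "$base/$($q.DeviceId)?`$select=lastSyncDateTime,managementCertificateExpirationDate"
        if ($d.lastSyncDateTime) {
            $row.Responded = ([datetime]$d.lastSyncDateTime).ToUniversalTime() -gt $started
        }
        $row.CertExpires = $d.managementCertificateExpirationDate
    }
    [pscustomobject]$row
}

$results | Format-Table -AutoSize
```

Devices that show `Queued = True` but `Responded = False` are the ones to hand to the helpdesk: the command reached the service, but the device was locked, offline, or otherwise unable to complete the MDM session, so the user-driven Company Portal sync described above is the next step.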

Certificate Renewal for Connectors

Check your connectors in the Intune on Azure console, or for hybrid MDM in the Configuration Manager console, to see whether they are still connected to Intune. For those that are not connected, uninstall them and then reinstall them according to the instructions in these links:

Intune Standalone: Set up the Intune on-premises Exchange Connector in Microsoft Intune Azure

Hybrid MDM:  Installing and Configuring an Exchange Server Connector

Let us know if you have any questions or concerns!

Comments (6)

  1. How come this uses a completely different auth setup than all the Intune powershell samples provided at:

    https://github.com/microsoftgraph/powershell-intune-samples

    There should be some consistency there. I can auth to Graph just fine using the samples on Git (and am using those samples as a basis for my production scripts now), yet this script bombs out and can’t even detect the Azure PowerShell modules that are indeed installed. I can fix the script provided, but if it weren’t set up completely differently from the samples many of us are using to automate our tenants this would be unnecessary.

    1. Hello, we’ve updated the script to fix the issue with detecting Azure PowerShell modules. Please let us know if it works for you now.

  2. Benji.King7 says:

    When running the script I keep receiving the following error. Doesn’t make sense... I’ve already logged in using Connect-AzureAD?

    “AzureAD Powershell module not installed…
    Install by running ‘Install-Module AzureAD’ or ‘Install-Module AzureADPreview’ from an elevated PowerShell prompt
    Script can’t continue…”

    1. We tested this out and recommend running the script as is to get the token, without running Connect-AzureAD first.
      You can also check what version of the Azure AD module is returned when ‘Get-Module -Name “AzureAD” -ListAvailable’ runs in the script. This is the version the script is running. You may be hitting an error if this doesn’t return anything. Hope this helps!

  3. perlind says:

    Is there any guidance available where to start looking if we can see that certificates are not renewed (even after a sync) when running a hybrid? Any logfiles of special interest for example?

    1. We are seeing some Android devices having issues with certificate renewals. We are working on an updated hybrid view to help remove devices that have renewed the certificate, but ConfigMgr didn’t get the message.
