Certificates that Intune issues to establish trust with MDM managed devices and connectors are renewed automatically upon connection to the Intune service.
Sometimes, devices are in an unhealthy state or simply have not connected with the service due to battery issues, network issues and so on. When devices or service connectors are unable to connect to the Intune service, Intune cannot automatically push updated certificates to them. In this post, we’ll share a way for you to find out which devices have not auto-renewed certificates and have certificates that are close to expiration. We also have platform-specific information to manually force a sync with the Intune service for devices that are not checking in along with instructions for connectors. This can help avoid the situations below when a certificate expires:
- If a certificate for a device enrolled in Mobile Device Management (MDM) expires without being renewed, the end user will need to re-enroll into Intune.
- In case of connectors, if Intune-issued certificates expire, an admin needs to re-enroll the connector.
Note that this issue does not affect customers using Intune App Protection also known as Mobile App Management (MAM).
Using Graph to check certificate expiration for devices
We have a script that you can run with global admin credentials to give you a list of impacted devices using Microsoft Graph. You can use this script to understand which devices are affected and take action accordingly. Alternatively, you can run the query in the script from Graph Explorer.
You can download this script here: https://aka.ms/Get_Expiring_Devices_script
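As an added example (not the script linked above, nor Microsoft code), the Python below pulls managed devices from Microsoft Graph and reports those whose Intune-issued management certificate has expired or expires within a chosen window, using the read-only managementCertificateExpirationDate property of managedDevice. It assumes a Graph bearer token with rights to read managed devices in the GRAPH_TOKEN environment variable (an assumption); without one it runs against a constructed sample so it can be tried offline.

```python
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

# managementCertificateExpirationDate reports when the Intune management certificate expires.
GRAPH_URL = ("https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select="
             "deviceName,operatingSystem,lastSyncDateTime,managementCertificateExpirationDate")

def fetch_managed_devices(token):
    """Page through Graph (follows @odata.nextLink) and return all device records."""
    devices, url = [], GRAPH_URL
    while url:
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        devices.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return devices

def parse_graph_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # Graph emits UTC with 'Z'

def expiring_devices(devices, within_days=30, now=None):
    """(name, os, days_left, last_sync) for expired or soon-expiring certificates, soonest first."""
    now = now or datetime.now(timezone.utc)
    cutoff = now + timedelta(days=within_days)
    hits = []
    for d in devices:
        exp = d.get("managementCertificateExpirationDate")
        if not exp: continue  # record lacks the property: nothing to evaluate
        exp_dt = parse_graph_time(exp)
        if exp_dt <= cutoff:
            hits.append((d["deviceName"], d.get("operatingSystem"), (exp_dt - now).days, d.get("lastSyncDateTime")))
    return sorted(hits, key=lambda h: h[2])

# Constructed sample shaped like a Graph response, so the script also runs offline.
SAMPLE_DEVICES = [
    {"deviceName": "WIN-LAPTOP-01", "operatingSystem": "Windows", "lastSyncDateTime": "2019-02-01T10:00:00Z",
     "managementCertificateExpirationDate": "2019-03-01T00:00:00Z"},
    {"deviceName": "IPHONE-07", "operatingSystem": "iOS", "lastSyncDateTime": "2019-02-20T08:30:00Z",
     "managementCertificateExpirationDate": "2020-02-20T08:30:00Z"},
    {"deviceName": "ANDROID-03", "operatingSystem": "Android", "lastSyncDateTime": "2018-11-05T12:00:00Z",
     "managementCertificateExpirationDate": "2019-02-10T12:00:00Z"},
]
if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")  # assumed: a Graph bearer token, when set
    for row in expiring_devices(fetch_managed_devices(token) if token else SAMPLE_DEVICES):
        print("%-14s %-8s expires in %4d days; last sync %s" % row)
```

Devices that appear with a negative day count and an old lastSyncDateTime are the ones that will need the manual sync steps below.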
Force syncing devices
To manually force a sync on devices that are in use but have not checked in, navigate to the Device blade in the Intune on Azure console.
For Windows
Go to All Devices. Click on Device name > Overview > More > Sync
To manually trigger renewal, you can also follow these steps:
- Open up Task Scheduler
- Navigate to Task Scheduler Library -> Microsoft -> Windows -> EnterpriseMgmt -> {GUID}
- Right-click the task “Schedule created by enrollment client for renewal of certificate warning” and select Run.
- Wait for the task to complete (it should finish in less than a minute; right-clicking the {GUID} folder and selecting Refresh will refresh the view).
For Apple
Go to All Devices. Click on Device name > Overview > More > Sync
Certificates will automatically renew on a device sync for devices that stay unlocked for about 30 seconds, which is how long it takes for an MDM session to complete. If a device is locked, the device blocks certificate delivery from Intune.
For Android
Go to All Devices. Click on Device name > Overview > More > Sync
This sync will trigger renewal for devices that have certificates close to expiry. Impacted end users can be asked to upgrade to the latest version of the Company Portal, so that the Intune service can push a new certificate renewal command to the device.
Certificate Renewal for Connectors
Check your connectors in the Intune on Azure console to see if they are still connected to Intune. For those that are not connected, uninstall and then re-install them according to the instructions in this link: Set up the Intune on-premises Exchange Connector in Microsoft Intune Azure
Let us know if you have any questions or concerns!