Wednesday, April 13, 2016

Issue in ConfigMgr Current Branch (1602) with Intune subscription

When using ConfigMgr in hybrid mode (with Intune integration), both fat clients and mobile devices can be managed within the same console. With an Intune subscription in place within ConfigMgr Current Branch (1602) all seems okay, but after changing the subscription to another one you may experience a problem: enrollment on devices no longer works.

Within ConfigMgr a certificate named SC_Online_Issuing is present. ConfigMgr uses this certificate to communicate with the connected Intune subscription. The problem is that when the Intune subscription is changed, the certificate is not updated (because of a permission issue), which causes issues on the new subscription. The message displayed is: Windows does not have enough information to verify this certificate.

Let's have a look at some log files and the steps toward a solution.

When changing the Intune subscription, have a look in dmpdownloader.log. It mentions:
-ERROR: FastDownload Exception: [Microsoft.Management.Services.Common.SecurityTokenValidationException: An error has occurred - Operation ID (for customer support):
-Certmgr has not installed certificate yet, sleep for 1 minutes. Check whether the site has Intune subscription.


Have a look in dmpuploader.log too. It mentions:
-WARNING: Cannot find a suitable certificate.
-ERROR: Exception occurred while calling REST UserAuth Location service The Dmp Connector failed to read the connector certificate.
-ERROR: StartUpload exception: [Failed to read any connector certificate]


I tried a lot to solve the issue, but none of it led to a solution:
-Restart the Primary Site server;
-Intune subscription re-installation;
-Service Connection point re-installation;
-Check SC_Online_Issuing certificate;
-Check a lot of websites and logfiles.


After multiple hours of troubleshooting I solved it this way:
-Remove SC_Online_Issuing certificate
-Restart the following SCCM services: AI_UPDATE_SERVICE_POINT, SMS_DMP_DOWNLOADER, SMS_DMP_UPLOADER
-Check dmpdownloader.log and dmpuploader.log (WARNING: Cannot find a suitable certificate)
-Remove Intune subscription & Service Connection Point
-Check SMS_OUTGOING_CONTENT_MANAGER, SMS_DMP_UPLOADER, SMS_CLOUD_USERSYNC, SMS_DMP_DOWNLOADER
-Restart the Primary Site server
-Add the Intune subscription again
-Install the Service Connection Point again
-Check if the certificate is present again


After that the new Intune subscription was working fine again, and enrollment was possible. The following messages are now displayed in dmpuploader.log:
-Found connector certificate with subject 'CN='
-Retreive cloud service version
-Account Action invoker thread is starting
-FastUpload thread is starting
-On Prem devfice notification thread is starting
-Ping cloud
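
A read-only check for the "check the logs" and "check if the certificate is present again" steps, added here as an example and not taken from the original post. It reports the most recent certificate-related message (as quoted above) in each log and lists any matching certificate; the log folder path and the search across all LocalMachine stores by subject, issuer or friendly name are assumptions.

```powershell
# Added example (not from the original post): read-only check of connector-certificate state.
param(
    # Assumption: folder holding the site server logs; adjust to your installation.
    [string]$LogDir = 'C:\Program Files\Microsoft Configuration Manager\Logs'
)

# Messages quoted in this post, mapped to the state each one indicates.
$patterns = [ordered]@{
    'Found connector certificate with subject'  = 'OK'
    'Cannot find a suitable certificate'        = 'MISSING'
    'Failed to read any connector certificate'  = 'MISSING'
    'Certmgr has not installed certificate yet' = 'PENDING'
    'SecurityTokenValidationException'          = 'TOKEN ERROR'
}

function Get-ConnectorCertState {
    param([string]$Path)
    $name = Split-Path -Path $Path -Leaf
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Log = $name; State = 'NO LOG'; Line = $null }
    }
    # Old warnings stay in the log after a fix, so only the LAST matching line counts.
    $result = [pscustomobject]@{ Log = $name; State = 'NO MATCH'; Line = $null }
    foreach ($line in Get-Content -LiteralPath $Path) {
        foreach ($text in $patterns.Keys) {
            if ($line.Contains($text)) {
                $result = [pscustomobject]@{ Log = $name; State = $patterns[$text]; Line = $line.Trim() }
            }
        }
    }
    return $result
}

'dmpdownloader.log', 'dmpuploader.log' |
    ForEach-Object { Get-ConnectorCertState -Path (Join-Path $LogDir $_) } |
    Format-List

# Assumption: the name may appear as subject, issuer or friendly name, in any machine store.
$certs = Get-ChildItem -Path Cert:\LocalMachine -Recurse | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
    ("$($_.Subject)|$($_.Issuer)|$($_.FriendlyName)" -like '*SC_Online_Issuing*')
}
if ($certs) {
    # NotBefore helps tell a newly created certificate from a leftover one.
    $certs | Format-List PSParentPath, Subject, Issuer, NotBefore, NotAfter, Thumbprint
} else {
    'No certificate matching SC_Online_Issuing found in the LocalMachine stores.'
}
```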


Very happy that it works again, but it feels like a big issue in ConfigMgr Current Branch! When changing the Intune subscription again, the issue will be back, and all steps must be taken again.

Source that pointed me to the solution: blog.hosebei.ch

This is the resolution from Microsoft!
Go to Administration > Cloud Services, right-click the Intune subscription and configure Platforms. Uncheck Windows Phone 8.1, apply the change, then recheck it.
Source: http://apppackagetips.blogspot.nl/2016/05/windows-phone-81-will-not-enroll-to.html

13 comments:

  1. Cool post! That helped me! Thnx

  2. Do you have to re-enroll all the mobile devices after following the procedure?

    1. Not known to me, because there were no devices enrolled during the issue..

    2. Strange thing is, even with this error I can enroll iOS devices fine; Windows devices, however, fail to enroll.

      Posted here also: https://social.technet.microsoft.com/Forums/en-US/baa4965b-ed25-426f-9351-ed64e2c376c9/windows-mobile-devices-will-not-register-after-updating-to-15111602?forum=ConfigMgrMDM

  3. Hi mate, I have this issue and followed your steps. The cert was recreated but the cert issue remains: "not enough info to verify". Any ideas?

    1. Bad luck for you. It's a nasty issue if you ask me..

      Microsoft have repaired the issue now, so expect a solution soon.

  4. I have this exact same issue. I have followed your process twice, yet I still get "Windows does not have enough information to verify this certificate." when the new certificate is created.

    I added the site system role with the local computer account, which is a LOCAL admin on my SCCM server.

    Any ideas?

    1. Maybe the message "Windows does not have enough information to verify this certificate" is displayed by default?

      Do you have the message "Found connector certificate with subject CN=" in dmpuploader.log already?

    2. Yes, that is showing correctly.

      Is your certificate still showing "Windows does not have enough information to verify this certificate"?

      My only issue is Windows phones will not enroll; they get stuck after trying to do workplace join. iOS is working fine.

    3. Was Windows phone enrollment working before this issue? Did you create a CNAME record too?

  5. Microsoft have repaired the issue now, so expect a solution soon: http://henkhoogendoorn.blogspot.nl/2016/05/configmgr-issues-and-improvements.html

  6. Does this process need re-enrolling devices?
