
The Magic of the Recovery CSP: Reviving Intune Device Certificates

Jul 18, 2024 | Blog

Imagine you’re managing many devices (I mean a lot!) through Intune, ensuring everything runs perfectly. Suddenly, all your devices stop syncing and no longer receive the latest applications and policies: the essential Intune device certificate has gone missing or has a problem with its private key. Panic sets in, and you’re left searching for a solution. Enter the Certificate Recovery CSP, a hidden gem within the Windows Device Attestation flow.

Related: Device Attestation | MDM Hardening | Intune | Windows Attestation (patchmypc.com)

Potential Sync Issues and Solutions

When your devices stop syncing with Intune, you might encounter sync issues with error codes like:

  • 0x80072f99
  • 0x80072f0c
  • 0x80072F9A
  • 0x80190190

These errors often indicate problems with the device certificate. AllowRecovery, a setting under the Recovery node of the DMClient CSP, can be the key to recovering from these issues. With AllowRecovery enabled, the device can automatically recover a missing, corrupted, or even expired MDM certificate, ensuring your devices stay connected to the Intune service.

How the Certificate Recovery Feature works!

This Recovery CSP works behind the scenes and is ready to do its job when it detects issues with the Intune MDM certificate. With AllowRecovery enabled (which is the default nowadays), your device can automatically initiate a recovery process, provided the TPM protects the private key of the Intune certificate.

Intune device Certificate private key stored in the TPM

Because AllowRecovery is part of the MDM hardening, this setting has already been pushed to all devices worldwide. You can spot it in the registry by expanding the Enrollments registry key: when AllowRecovery is enabled, a DWORD value named IsRecoveryAllowed is set to 1.

This MDM recovery feature automatically restores the missing certificate once certificate issues are detected. You can spot it in the event log, as shown below, with the message "MDM Recovery Conditions Detected. Was this triggered by the server."
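The following script is an added example written for this article and is not code from the Patch My PC post or from Microsoft. It checks the three things the text describes on a single Windows device: whether IsRecoveryAllowed is set under the enrollment registry keys, whether the Intune MDM device certificate is present with a TPM-backed private key, and whether recovery events have been logged recently. The registry path HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID>, the issuer name "Microsoft Intune MDM Device CA", and the log name Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin are assumptions about where Windows stores these items and are not stated on the page.

```powershell
# Added example (not from the Patch My PC post). Run in an elevated PowerShell
# session on an Intune-enrolled Windows device.
# Assumptions not stated on the page: enrollments live under
# HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID>, the value is IsRecoveryAllowed,
# the MDM device certificate is issued by "Microsoft Intune MDM Device CA", and
# recovery events land in the DeviceManagement-Enterprise-Diagnostics-Provider/Admin log.

function Get-IntuneRecoveryStatus {
    [CmdletBinding()]
    param(
        # How far back to look for "MDM Recovery" events.
        [int]$LookbackHours = 24
    )

    # 1. Enrollment registry keys: IsRecoveryAllowed = 1 means AllowRecovery is on.
    $enrollRoot  = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    $enrollments = Get-ChildItem -Path $enrollRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\{?[0-9A-Fa-f-]{36}\}?$' } |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                EnrollmentId      = $_.PSChildName
                ProviderId        = $props.ProviderID
                IsRecoveryAllowed = $props.IsRecoveryAllowed
            }
        }

    # 2. MDM device certificate in the machine store. Recovery only works when the
    #    private key is TPM-protected, so report which key storage provider holds it.
    $mdmCerts = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like '*Microsoft Intune MDM Device CA*' } |
        ForEach-Object {
            $provider = $null
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($_)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $provider = $rsa.Key.Provider.Provider
                }
            } catch { }
            [pscustomobject]@{
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
                KeyProvider   = $provider   # "Microsoft Platform Crypto Provider" = TPM
                TpmBacked     = ($provider -eq 'Microsoft Platform Crypto Provider')
            }
        }

    # 3. Recent recovery events, matched on message text rather than a fixed event ID.
    $events = Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
            StartTime = (Get-Date).AddHours(-$LookbackHours)
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'recovery' } |
        Select-Object TimeCreated, Id, Message

    [pscustomobject]@{
        Enrollments          = $enrollments
        RecoveryAllowedOnAll = (@($enrollments).Count -gt 0) -and
                               -not ($enrollments | Where-Object { $_.IsRecoveryAllowed -ne 1 })
        MdmCertificates      = $mdmCerts
        MdmCertPresent       = (@($mdmCerts).Count -gt 0)
        RecoveryEvents       = $events
    }
}

# Usage: a quick health view of the recovery prerequisites and any recent recovery activity.
Get-IntuneRecoveryStatus -LookbackHours 48 | Format-List
```

If RecoveryAllowedOnAll is true but MdmCertPresent is false, the next Intune sync is where the recovery should fire; checking RecoveryEvents after that sync is the quickest way to confirm it did. A certificate whose KeyProvider is a software provider rather than the TPM is the case the post flags as not recoverable by this mechanism.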

MDM recovery conditions detected. Certificate Recovery

There is no need for manual intervention or complex troubleshooting steps, just a clean, almost magical recovery that brings your device back to full functionality. As shown below, the AllowRecovery feature was able to recover the MDM device token.

Device Token MDM recovery successful

Think of AllowRecovery as your invisible safety net, ready to catch and resolve certificate issues before they become major headaches. Having this CSP enabled saves you time, reduces stress, and keeps your Intune-managed devices secure and operational. Next time you encounter a certificate problem, remember that the AllowRecovery CSP is working silently in the background to keep your devices running smoothly.

Let’s find out how it looks when there are issues with the Intune certificate. 

Demo: How AllowRecovery CSP Works

Enable AllowRecovery CSP: We could use a configuration profile in Intune to enable the AllowRecovery setting on your devices. However, since Microsoft has already pushed this setting to all your devices, you don’t need to do anything. It is still worth seeing how it works. As shown below, I will delete the Intune MDM device certificate and trigger a sync with Intune. Normally, without the AllowRecovery CSP configured, the device would no longer be able to sync. Shall we look at what happens WITH the AllowRecovery CSP configured?


As shown in the video, when the Intune certificate is deleted, recovery of the certificate is initiated automatically the moment the device syncs with Intune.

Conclusion

Unexpected issues can disrupt your operations in the dynamic world of device management. The Recovery CSP is a reliable ally that resolves certificate-related problems and prevents sync errors. Enabling this CSP equips your devices with a perfect recovery mechanism.

