Browsed by
Tag: Intune

Selective Wipe is not working on Azure AD Joined device

Selective Wipe is not working on Azure AD Joined device

In our business I get frequently the question why it’s not possible to do a selective wipe on Azure AD Joined devices. For many of my customers this is an issue because a Windows 10 Mobile is Azure AD Joined when a Work account is added to the mobile device.  Let me describe the case.

Azure AD Join and MDM auto enrollment are enabled with Intune and Azure AD Premium. When a Windows 10 Mobile is started for the first time (OOBE) it is possible to “Sign in with a work account” to join Azure AD and auto enroll in Intune. ( When a Windows Mobile device is configured this way Single Sign On works for Mail, Calendar, Edge and the Business Store, which is great. But when the Selective Wipe option is initiated from Intune it does nothing with the MDM registered device. Only a Full Wipe works.

On a personal device when adding a work/school account (Settings > Accounts > Your email and accounts > Add work or school account) it has the same behavior.

When first registering a device in Intune (Settings > Accounts > Work Access > Enroll into Device Management) and then add a Work/School account it is possible to do a selective wipe. In this scenario Single Sign On for Mail, Calender and the Business Store doesn’t work.

Above picture is the message when initiating a retire/wipe of a device.

This issue is by design, I know, however multiple customers would like a great user experience (Single Sign On) and the ability to have the management capabilities such as Selective Wipe. I would be very nice to add the possibility to do a selective wipe on Azure AD Joined devices. Many of our customers are ask for this feature because when a personal device is enrolled a full wipe is necessary to unroll the device in Intune.


Please vote up the User Voice Request –

Intune/SCCM hybrid with NDES does not deploy any certificate (the hash value is not correct)

Intune/SCCM hybrid with NDES does not deploy any certificate (the hash value is not correct)

In an Intune / SCCM hybrid configuration with certificate deployment based on Network Device Enrollment Service (NDES) there are some issues. Installing the NDES environment can be done according to the blog of Pieter Wigleven. After this setup the deployment of the certificates did not work entirely. The configuration looks correct but on the mobile devices there are no certificates deployed. To troubleshoot this we’ve setup a Windows 10 desktop and did a MDM enrollment with the Intune / SCCM environment. Why enroll a desktop with MDM? This is because for troubleshooting we’ve more options to find errors, settings and logs in the event viewer, registry and more.

On the Windows 10 desktop we received an error in the event viewer. The error “SCEP: Certificate enroll failed. Result: (The hash value is not correct).” was found.


After this error we look into the config from front to end. First looking into the config in SCCM. We’ve added a Root CA for deployment. This one is deployed to the clients correctly. When opening this in SCCM we see a Certificate Thumbprint, keep this in mind.


We added also a SCEP profile and within this SCEP profile we select the created Root CA.


After this steps we try to deploy this certificates to the device. The Root CA was deployed correctly but the SCEP certificate was not created on the device. What we see is an error on the device. Event id 32 gives the error “SCEP: Certificate enroll failed. Result: (The hash value is not correct).”


On the Windows client we dive into the registry to find the settings which are applied for NDES. We open the registry to find the following key for the NDES policy “HKCU\SOFTWARE\Microsoft\SCEP\MS DM Server\ModelName_ScopeID_ID_ConfigurationPolicy_ID\Install”.


In this registry key the values for NDES server, Root CA Thumbprint and more are displayed. We see that the Root CA Thumbprint does not match the one used with the Root Certificate which is deployed with the Certificate Profile in SCCM. This Root CA Thumbprint is coming from the NDES Server. When looking into the Policy Module installation on the NDES server we discover the same thumbprint as on the client.


In this configuration we had two different Root Certificates and we used the wrong one with the installation of the NDES Policy Module of SCCM. To update the Root Certiciate in teh PolicyModule we did an uninstall of the SCCM PolicyModule for NDES on the NDES Server and reinstall it with the correct settings.

After re-enroll a mobile device there is another error on the client. Event id 32 with error “SCEP: Certificate enroll failed. Result: (Unknown Win32 Error code 0x87d00905).” appears.


And on the same time on the NDES Server we received the event id 29 with error “The password in the certificate request can not be verified. It may have been used already. Obtain a new password to submit with this request.“.


After searching for a while we found a solution for this issue. This issue is related to the settings on the NDES server. In the registry a value is not updated.


In the registry string HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy the value for NDESCertThumbprint has not been updated automatically. This to be done manually. After setting up the correct thumbprint and resetting the IIS Service the certificate deployment is working correctly. Now it’s possible to request a certificate from a mobile device. This certificate can now be used for VPN profiles to connect to the company environment. .

Happy reading and till next time.


UPDATED: Intune WiFi profile for Windows Mobile generate error “0x87D1FDE8: Remediation failed” in the Console

UPDATED: Intune WiFi profile for Windows Mobile generate error “0x87D1FDE8: Remediation failed” in the Console

Last week I’ve did an implementation of Microsoft Intune for managing mobile devices. In this setup I’ve configured several settings including a WiFi profile with Pre-Shared key. The WiFi profile generates a strange error in the Intune Console but it is working on the managed Windows 10 Mobile devices.

First of all i’ve created a .xml file which we can import as custom OMA URI. The .xml file for the WiFi profile with Pre-Shared key is created on a full Windows Machine. This can be done by adding the WiFi connection with the correct settings in the “Network and Sharing Center”. Use the “Set up a new connection or network” and create a new WiFi network manually.


Afer this has been done the xml find with the correct settings can be copied from the Windows  Machine and used in the Intune environment. The location for this xml file is “C:\programdata\Microsoft\Wlansvc\Profiles\Interfaces\SOME-GUID\”. With this file we create a custom policy with a custom OMA URI to add the settings for the WiFi profile. snip_20160718101526 snip_20160718101432

The settings are deployed to an user group and the settings are applied on the device of the user. The WiFi profile is added on the device and it’s working great but in the Intune console there appears an error.


One error is correct because I’ve setup device encryption and this device is not encrypted yet. The other error is a little bit strange.  It’s about the deployment of the WiFi profile. This WiFi profile is applied correctly on the device.


The error “0x87D1FDE8: Remediation failed” indicates that the settings in Intune are not matching with the settings on the device. On the device there are no errors related to the WiFi settings. The problem look like a incorrect hash value in the OMA URI. My colleague Ronny de Jong describes this in a blog post on technet. After double checking, this value is not the problem.

Because there are no events or errors on the device and the Intune console is only reporting an “0x87D1FDE8: Remediation failed” error with no further information we’ve create a support ticket with Microsoft Support. If there is an update about this issue I will update this blog post. Hopefully there will be an update soon.



Yesterday I received a conformation that there is a fix for this issue. This fix is marked to be deployed in a future update. Sadly, most of the update specificities have not been released to public knowledge. When there is a date when this fix will be deployed to the Intune environment I will update this post.

The validation for the update will take time and as a result it will take a while until it’s deployed to the live Intune tenants.

So keep you posted about this strange issue.

Intune/SCCM NDES Certificate deployment not working on IOS devices

Intune/SCCM NDES Certificate deployment not working on IOS devices

I’ve deployed a NDES environment integrated with a hybrid Microsoft Intune and Configuration Manager configuration. In this environment certificate deployment to Android and Windows Phone/Mobile is working fine. But for IOS devices it’s not working.

When we dive into this problem we see errors in the CRP.log.

IOS Cert 3

With this error “key usage in CSR 160 and challenge 224 do not match” we know there is something with the certificate template on the CA Server.


I’ve found te solution on the Coretech Blog ->

After changing the Certificate property for the Key Usage Extension the problem was solved. Below the screenshots for the Certificate Template properties.

Force URL to open in Managed Browser with Intune / SCCM hybrid

Force URL to open in Managed Browser with Intune / SCCM hybrid

I’ve received a question how to force an URL to open in the Managed Browser. In the Intune Standalone configuration this is already possible for a while. But it’s also possible with the Intune hybrid configuration with Configuration Manager (SCCM). In this blogpost I will take you through the steps how to do this.

First of all we’ve to create an Application. In the SCCM console go to the Software Library and open Application Management and create an Application.


In the next window select “Web Application” and fill the “Location” with an URL. The format for this is not the normal http://<path to web app> but this must be http-intunemam://<path to web app> (http can also be https   ).


After this the application can be created with the defaults.

When the application is created deploy the application to an User Collection. When a Phone is enrolled and the Web Application is available you can install it from the company portal. When opening the Company Portal on the phone it looks like:


Screenshot_2016-07-21-10-56-02Install the Web Application and after this is done the Web Clip is available. For IOS it is available on your main screen. For Android you have to add the Web Widget on your screen to open the Web Applications. On an Android device it looks like:


When open this Web Application there is a message that the app is managed by your company.


When selecting “OK” the webpage will be opened in the Managed Browser.


Opening an Web Application (URL) is possible with Intune Standalone and also with Intune and SCCM in hybrid mode. This is working for Android and for IOS devices. In this short blogpost I’ve taken you through the steps how to do this.

The information about creating a Web Application and force it to the Managed Browser was shared on this Technet Article: