When using ConfigMgr in hybrid mode (with Intune integration), both fat clients and mobile devices can be managed within the same console. When you have an Intune subscription in place within ConfigMgr Current Branch (1602), all seems okay, but when changing the subscription to another one you may experience a problem. In that situation, enrollment on devices no longer works.
Within ConfigMgr, a certificate named SC_Online_Issuing is present. ConfigMgr uses this certificate to communicate with the connected Intune subscription. The problem is that when the Intune subscription is changed, the certificate is not updated (because of a permission issue), which causes issues on the new subscription. The message displayed is: Windows does not have enough information to verify this certificate.
Let's have a look at some log files and the steps toward a solution.
When changing the Intune subscription, have a look in dmpdownloader.log. It mentions:
-ERROR: FastDownload Exception: [Microsoft.Management.Services.Common.SecurityTokenValidationException: An error has occurred - Operation ID (for customer support):
-Certmgr has not installed certificate yet, sleep for 1 minutes. Check whether the site has Intune subscription.
Have a look in dmpuploader.log too. It mentions:
-WARNING: Cannot find a suitable certificate.
-ERROR: Exception occurred while calling REST UserAuth Location service The Dmp Connector failed to read the connector certificate.
-ERROR: StartUpload exception: [Failed to read any connector certificate]
I tried a lot to solve the issue, but none of it led to a solution:
-Restart the Primary Site server;
-Intune subscription re-installation;
-Service Connection point re-installation;
-Check SC_Online_Issuing certificate;
-Check a lot of websites and logfiles.
After multiple hours of troubleshooting I solved it this way:
-Remove SC_Online_Issuing certificate
-Restart the following SCCM services: AI_UPDATE_SERVICE_POINT, SMS_DMP_DOWNLOADER, SMS_DMP_UPLOADER
-Check dmpdownloader.log and dmpuploader.log (WARNING: Cannot find a suitable certificate)
-Remove Intune subscription & Service Connection Point
-Check SMS_OUTGOING_CONTENT_MANAGER, SMS_DMP_UPLOADER, SMS_CLOUD_USERSYNC, SMS_DMP_DOWNLOADER
-Restart the Primary Site server
-Add the Intune subscription again
-Install the Service Connection Point again
-Check if the certificate is present again
After that the new Intune subscription was working fine again, and enrollment was possible. The following message will be displayed in dmpuploader.log now:
-Found connector certificate with subject 'CN='
-Retreive cloud service version
-Account Action invoker thread is starting
-FastUpload thread is starting
-On Prem devfice notification thread is starting
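The log and certificate checks from the steps above can be scripted. The following PowerShell is an added example, not part of the original post or of ConfigMgr itself; the log folder path and the function name Get-ConnectorState are assumptions, and the certificate search covers all LocalMachine stores because the post does not say which store holds SC_Online_Issuing.

```powershell
# Added example: classify connector state from dmpdownloader.log / dmpuploader.log
# and look for the SC_Online_Issuing certificate.
param(
    # Assumption: ConfigMgr log folder; adjust to the site server's install path.
    [string]$LogDir = 'C:\Program Files\Microsoft Configuration Manager\Logs'
)

# Message fragments quoted in the post, mapped to what they indicate.
$Patterns = [ordered]@{
    'Cannot find a suitable certificate'        = 'broken'
    'Failed to read any connector certificate'  = 'broken'
    'failed to read the connector certificate'  = 'broken'
    'Certmgr has not installed certificate yet' = 'broken'
    'SecurityTokenValidationException'          = 'broken'
    'Found connector certificate with subject'  = 'healthy'
}

function Get-ConnectorState {
    param([string[]]$Lines)
    # The last matching line wins: after the fix, old errors remain earlier in the log.
    $state = 'unknown'
    foreach ($line in $Lines) {
        foreach ($p in $Patterns.Keys) {
            if ($line -like "*$p*") { $state = $Patterns[$p] }
        }
    }
    $state
}

# Constructed sample (lines quoted in the post): an old warning followed by success.
$sample = 'WARNING: Cannot find a suitable certificate.',
          "Found connector certificate with subject 'CN='"
'sample: {0}' -f (Get-ConnectorState -Lines $sample)

foreach ($name in 'dmpdownloader.log', 'dmpuploader.log') {
    $path = Join-Path $LogDir $name
    if (Test-Path $path) {
        '{0}: {1}' -f $name, (Get-ConnectorState -Lines (Get-Content $path -Tail 500))
    } else {
        "${name}: not found under $LogDir"
    }
}

# Search every LocalMachine store rather than assuming which one holds the certificate.
$certs = Get-ChildItem Cert:\LocalMachine -Recurse | Where-Object {
    -not $_.PSIsContainer -and
    ($_.Subject -like '*SC_Online_Issuing*' -or $_.Issuer -like '*SC_Online_Issuing*') }
if ($certs) { $certs | Select-Object PSParentPath, Subject, Issuer, NotAfter, Thumbprint }
else        { 'No certificate naming SC_Online_Issuing found in LocalMachine stores.' }
```

Run it on the site server in an elevated session, once before removing the certificate and once after re-adding the subscription, to compare the reported state.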
Very happy that it works again, but it feels like a big issue in ConfigMgr Current Branch! When changing the Intune subscription again, the issue will be back, and all steps must be taken again.
Source that pointed me to the solution: blog.hosebei.ch
This is the resolution from Microsoft!
Go to Administration > Cloud Services > right-click the Intune Subscription > and configure Platforms. Uncheck Windows Phone 8.1, then apply the change, then recheck.