Windows 10: Enroll certificates via InTune > Group Policy overrides MDM

Hello,


We want to deploy User Certificates via Intune. Our certification authority is active, the template is ready for issuing and a profile configuration is created.

But the enrolment failed. The error in Intune is "Group Policy overrides MDM".

The computer is not domain joined, did not receive any GPO's. The root certificate is deployed via Intune as well and is working fine.


Error messages are very difficult to find.


did any of you had any experience with this issue or with deploying certificates with Intune?


Thank you in advance for your answers!


With kind regards,


Mark Klerkx

:)

 

Company Apps enrollment certificate in the way of re-enrollment

Sir



I have been connected to our company via an MDM server and the Company Apps client on the phone. For various reasons I have had to re-enroll but is now hampered by the old certificate (eventhough it is the same certificate as currently used). Is there
any way for deleting this old certificate with out hard resetting the phone? Could enrolling to an other company gateway solve the issue? Anyway to manually delete the old certificate?

 

What's new in Microsoft Intune


What's new in Microsoft Intune

Source: https://docs.microsoft.com/en-us/int...ntune#may-2016

 

Cannot Sync Outlook email, MDM policy failures

Hi Team,

I am using Microsoft Lumia 950 for work email and calendar. My company has office 365 deployed and I had my work email, calendar and Skype for business work perfectly fine on my lumia 950. However, recently, my organization had implemented new password
requirements forcing all users to change their passwords as per the new requirements. My phone used to work perfectly fine before but after I changed my password, I kept getting a message that my work account settings are out of date on my phone. When I tried
to fix the account, it took me to the sign in page for my organization (Office 365 sign in). After authentication, I started to get a message in the outlook app when I try to sync my email which says - Oops, you can't get to this yet. Your IT Department is
ensuring that this device is up to date with all your organisation's policies and nothing happens. The message does indicate that I am signed in but I am unable to sync my email or calendar.

After a close look, I found that MDM policies that were enforced previously (Before the password change) are no longer enforced. For example, Before, the settings to remove the PIN to unlock the device was locked as that was something required for MDM enrolment.
However, now I find that I can simply change that setting and even remove the PIN and even the device encryption. It looks like the policies that were enforced got removed.

I removed my work account and tried to add it again. During this process, everything works well and I even get the message that I am all set to use company resources, email and apps. But I keep getting the same message in outlook app and am unable to sync
my email or calendar. The MDM policies also do not get applied. On some of the settings page where we change the PIN, I used to get a message that - Settings on this page are controlled by your organisation but this message has been removed and even after
removing and adding my work account I do not get this message which suggest that company policies are not being applied. However, I never get any error message indicating this during the enrolment process.

I also removed my device from Office 365 mobile devices section in hope that it will reset everything and sync my phone but that did not work. I also took help from my IT department and they keep saying to follow company procedures which I am doing but they
are unable to find the cause of the issue. I also tried installing the company portal app but the app cannot enroll my device. If, I try to enroll my device using the company app, it takes me to the work or school account section and I go through the same
process of adding my work account (I get the sign in and after authenticaion, it says please wait while we apply your company policies and enroll this device. after that I get the message that I am all set to use company resources, apps and email) but the
company portal still shows that either it cannot detect the device or it is not enrolled.

It is interesting to note that during this entire trial and error process of trying to sync my email in the outlook application, I am fully able to use Skype for Business using my company email and I am also able to successfully log in to outlook on the
web without any issues.

After several attempts, I decided to reset my phone. My thought here was that due to my prior enrolment (Which worked), maybe the device is not able to override the prior enrolment settings and apply new enrolment company policies. However, even after resetting
my phone completely, I get the same issue and same messages.

As per the latest MDM enrolment issues document on Microsoft, the device may face issues if some settings are changed in Intune by an admin. I contacted my organization and have confirmed that they have not changed any settings. They only changed the pass
word requirements. My fellow colleagues who use Android and iOS phones are not facing any issues. Their outlook app syncs email with the new password. They even did not get any message of fixing the account and their app works well even after the password
change.

I am not sure why I am facing this issue. Overall, it looks like my device is unable to apply company policies and change my PIN, encryption and other settings required for successful MDM enrolment. I also tried to have the exact settings for PIN, encryption
and sign in options which I had before but still Outlook will not sync my email and I get the same message.

I am unable to find any discussions around this topic. Below is more information about the exact message I get when I try to sync outlook -

Oops - You can't get to this yet

Your IT department is ensuring that this device is up to date with all your organization's policies. It might take a few minutes.

The following information might be useful to your administrator -

1. Access rules set by (My company name) require a compliant device

2. App Name : Accounts Control UI

3. App ID - shows a code

4. IP Address - my IP address

5. Device Identifier - Shows a code

6. Device Platform - Windows 10

7. Device State - Registered

8. Signed in as - (Shows my company email)

9. Correlation ID - Shows a code

10. Timestamp - Shows current time and date.

Any suggestions or troubleshooting steps you can provide will be very helpful. My IT department says that we can see your email registering on Intune but we cannot see your device. They informed me that they have not changed any settings which may prevent
Windows phone to enroll and sync with the company. This suggests that my device is not able to enroll and apply company policies during the MDM enrollment process even though I see my email added successfully to the work or school account section on the phone.
I have the most updated versions of windows 10 mobile, outlook app and company portal.

I am the only person in my entire organisation to use a windows phone and so my IT department is limited in helping me resolve this. Everything was working smoothly for me before they changed the password requirements but now I am unable to sync my email
and calendar. Please help.

Thank you for your help and support.

Regards,

Anurag John