Intune MDM certificates not renewing on Windows devices

Elisa V 1 Reputation point
2025-11-05T15:53:56.2633333+00:00

Hi everyone,

we’re currently facing a major issue with Intune MDM certificate renewal on Windows devices.

Since around November 2024, all our enrolled devices stopped renewing their MDM certificates, and this is happening across multiple tenants that we manage as a (small) MSP. Right now, we have 60+ devices with expired certificates and about 150 more expiring in the next few months.

The only way to get a valid certificate again is a full device wipe and re-enrollment, which obviously isn’t a scalable solution.

Environment details:

• All devices running Windows 11 (various builds: 23H2, 24H2, 25H2)
• All Entra ID Joined (no hybrid)
• Both Autopilot-enrolled and manually enrolled devices affected
• Devices are in daily use, report as compliant and synced in Intune
• Certificates expired silently with no alerts or visible warnings
• All primary users have Business Premium licenses

What we’ve tried:

• Unenroll + re-enroll → fails: device remains Entra ID Joined but MDM = None
• Everything suggested in these articles:

https://call4cloud.nl/intune-mdm-device-certificate-expired-0x80190190/

https://call4cloud.nl/intune-mdm-certificate-recovery/

https://call4cloud.nl/intune-device-certificate-renewed-renewal/

https://call4cloud.nl/intune-mdm-certificate-recovery/

If we try to run the renewal task manually, Event Viewer shows Event ID 3006 (Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin): “Current time (…) is earlier than last renew time plus wait period (…), skip renew.”

We've opened multiple tickets with Microsoft Support but no root cause or workaround provided yet, except for factory reset, which generates a new valid certificate.

Has anyone else experienced this issue or found a way to force certificate renewal without a full wipe? Any input or shared experience would be really appreciated.

Thanks, Elisa


Microsoft Security | Intune | Enrollment

2 answers

  1. Elisa V 1 Reputation point
    2025-11-21T15:50:32.5033333+00:00

    --- UPDATE – November 21, 2025: Root cause & fix found! ---

    Rudy Ooms managed to identify the root cause. The Intune certificate renewal process attempts to initialize all Key Storage Providers (KSPs) on the system. On all our affected devices, a third-party KSP was installed (in our case, Bit4id, included with digital signature software). This caused the renewal process to fail.

    To check KSPs installed on the system from PowerShell:

    certutil -csplist | Select-String 'Provider Name'

    Microsoft has now released a fix that bypasses third-party KSPs and only uses the Microsoft KSP associated with the MDM certificate. The fix is included in the following Windows Updates:

    • Windows 11 23H2: Install update KB5068865 (November 2025) → fixes the issue automatically, after installing and rebooting, even devices with expired certificates get a new certificate.
    • Windows 11 24H2 / 25H2: Install update KB5068861 (November 2025) → however, certificates don't renew automatically yet. Microsoft appears to be rolling out the fix gradually. For urgent cases (certificates expiring soon), Rudy has developed a manual workaround to force certificate renewal.

    Microsoft is expected to complete the rollout by December 2025.

    Rudy will publish detailed articles about the issue and the solution on his blog.

    Huge thanks to Rudy Ooms for the INCREDIBLE troubleshooting work!!!

    Elisa
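As an added example (not from Elisa's post and not Rudy Ooms' workaround), a read-only PowerShell health check that combines the three signals discussed in this thread: the MDM device certificate's expiry, non-Microsoft providers reported by certutil -csplist, and recent Event ID 3006 entries. It assumes the Intune MDM device certificate is issued by "Microsoft Intune MDM Device CA" and treats any provider name not starting with "Microsoft" as third-party; both are assumptions to adjust for your environment.

```powershell
# Added example: read-only triage for the Intune MDM certificate renewal problem.
# Assumptions (not from the thread): issuer name "Microsoft Intune MDM Device CA";
# provider names not starting with "Microsoft" are treated as third-party.
# Run in an elevated PowerShell session on the affected device.

$WarnDays = 30

# 1. MDM device certificate expiry (LocalMachine\My)
$mdmCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like '*Microsoft Intune MDM Device CA*' }
if (-not $mdmCerts) {
    Write-Warning 'No Intune MDM device certificate found in LocalMachine\My.'
}
foreach ($c in $mdmCerts) {
    $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays
    $state = if ($daysLeft -lt 0) { 'EXPIRED' }
             elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
             else { 'OK' }
    '{0,-8} thumbprint={1} notAfter={2:u} daysLeft={3}' -f $state, $c.Thumbprint, $c.NotAfter, $daysLeft
}

# 2. Registered providers: certutil -csplist lists both CSPs and KSPs,
#    so this is a heuristic flag, not proof that a provider breaks renewal.
$providers = certutil -csplist |
    Select-String 'Provider Name:' |
    ForEach-Object { ($_.Line -split ':', 2)[1].Trim() } |
    Sort-Object -Unique
$thirdParty = $providers | Where-Object { $_ -notlike 'Microsoft*' }
if ($thirdParty) {
    Write-Warning ('Non-Microsoft providers present (possible renewal blocker): ' + ($thirdParty -join '; '))
} else {
    'Only Microsoft providers are registered.'
}

# 3. Recent "skip renew" events (Event ID 3006) from the DM diagnostics log
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 3006; StartTime = (Get-Date).AddDays(-14) } `
    -ErrorAction SilentlyContinue
if ($events) {
    'Event 3006 seen {0} time(s) in the last 14 days; most recent:' -f $events.Count
    $events[0] | Select-Object TimeCreated, Message | Format-List
} else {
    'No Event 3006 in the last 14 days.'
}
```

An EXPIRED or EXPIRING certificate together with a non-Microsoft provider and repeated Event 3006 entries matches the pattern described in this thread; confirm the relevant November 2025 update is installed before applying any manual renewal workaround.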


  2. Elisa V 1 Reputation point
    2025-12-03T08:19:51.9866667+00:00
