Carlicht asked · Crystal-MSFT edited

Sync machine policy failed - Error code 6, invalid certificate

Hi all,

In an environment with SCCM 1906, we have set up Co-management and hybrid-joined Windows 10 devices (starting from 1809). We have built a collection assigned under Co-management as Pilot. Hybrid Join devices are running as described by MS under controlled enrollment. Checking dsregcmd /status, everything looks fine. But when we try to run the sync machine policy on a client, we receive the status Failed and error code 6, invalid certificate.

We have no SCEP available.
Any ideas for solving this problem?

Thanks for your support.

Regards
Carsten

mem-intune-enrollment

@Carlicht, from your description, I understand that co-management is configured in our environment and assigned as Pilot. On one Hybrid Azure AD joined device we checked AzureAdJoined, DomainJoined and AzureAdPrt; all are Yes. Could you also confirm whether the device is enrolled into Intune, and check what the Intune-managed workloads are?
58393-image.png
https://docs.microsoft.com/en-us/mem/configmgr/comanage/workloads

I notice the error seems to occur when we run Sync Machine Policy on the Configuration Manager agent. Could you go to Settings -> Accounts -> Access work or school, find our account, click Info, click Sync, and see if we can sync policy from Intune?

Please check the above information and if there's anything unclear, feel free to let us know.



@Carlicht, hope things are going well. If there's any update on our issue, feel free to let us know. Thanks and have a nice day!


Hi all,
after I checked the settings under the Work or school account and pressed the Sync button, this sync runs fine. But the "other" sync policy is not running. So this is a little bit confusing. Do you have further ideas to check?

regards

Jason-MSFT answered

First note that 1906 is almost end of life (less than 30 days left I believe) so you need to upgrade ASAP.

Next, the sync policy capability is not part of Co-management but is part of Tenant Attach which was introduced in ConfigMgr 2002.

Thus, you need to upgrade your site for this functionality and you also need to ensure that the admin service is configured properly.

Crystal-MSFT answered Crystal-MSFT edited

@Carlicht, after researching, I find that the "Sync Machine Policy" action belongs to Microsoft Endpoint Manager tenant attach. We can see more details in the following link:
https://docs.microsoft.com/en-us/mem/configmgr/tenant-attach/troubleshoot

Please double-check the "Managed by" field of the device in the Intune portal to see if it is co-management. If not, we have two suggestions; we can choose one:
1. Configure co-management in our environment:
https://docs.microsoft.com/en-us/mem/configmgr/comanage/tutorial-co-manage-clients
2. Upgrade Configuration Manager to 2002 and configure tenant attach:
https://docs.microsoft.com/en-us/mem/configmgr/tenant-attach/device-sync-actions

Hope it can help.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Carlicht answered Crystal-MSFT commented

Hi, thanks for your update. I've double-checked and we are running ConfigMgr release 2002, and the device is managed by co-management. So I could not understand why the different sync policies are not running, if they could. If they are only runnable under Tenant Attach, I could understand this. Further steps I could check?

regards


@Carlicht, We can check if the prerequisites are met.
60843-image.png
https://docs.microsoft.com/en-us/mem/configmgr/tenant-attach/device-sync-actions

If all are met, we can look into the following link to see if there's any new finding:
https://docs.microsoft.com/en-us/mem/configmgr/tenant-attach/troubleshoot


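As an added example, not posted by anyone in this thread and not Microsoft's own tooling: a PowerShell script that gathers, in one place, the device-state facts the replies ask the poster to check. It covers the three dsregcmd /status flags (AzureAdJoined, DomainJoined, AzureAdPrt) from Crystal-MSFT's first comment and the client-side prerequisites for the tenant attach sync actions from the last one (ConfigMgr 2002 or later, co-management enabled). Assumed, since the thread does not state them: the function names, the CoManagementFlags registry value under HKLM\SOFTWARE\Microsoft\CCM, the 2002 client build number 5.00.8968.1000, and the sample dsregcmd lines used for the offline self-check.

```powershell
# Added example: collect hybrid join state and ConfigMgr client facts for a
# "Sync Machine Policy failed" investigation. Run in an elevated PowerShell on the client.

function Get-DsregStatus {
    # Parse "dsregcmd /status" output ("   Key : Value" lines) into a hashtable.
    # Values may contain colons (URLs), so the key stops at the first colon.
    param([string[]]$Lines = (& dsregcmd /status))
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-HybridJoinState {
    # The three flags checked in the thread must all be YES for a healthy hybrid join with a PRT.
    param([hashtable]$State)
    $result = @{}
    foreach ($flag in 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt') {
        $result[$flag] = ($State[$flag] -eq 'YES')
    }
    return $result
}

function Get-CcmClientVersion {
    # SMS_Client in the root\ccm namespace exposes the installed ConfigMgr client version.
    (Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Client' -ErrorAction Stop).ClientVersion
}

function Test-TenantAttachClientVersion {
    # Tenant attach sync actions require ConfigMgr 2002 or later.
    # Assumption: 2002 ships client build 5.00.8968.1000 (not stated on the page).
    param([string]$Version)
    return ([version]$Version -ge [version]'5.00.8968.1000')
}

function Get-CoManagementFlags {
    # Assumption: the client records its co-management workload bitmask in this value;
    # 0 means co-management is not enabled on the client.
    $item = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -Name 'CoManagementFlags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.CoManagementFlags
}

function Get-SyncPrereqReport {
    # One report a practitioner can paste into a support thread instead of screenshots.
    $join    = Test-HybridJoinState -State (Get-DsregStatus)
    $version = Get-CcmClientVersion
    [pscustomobject]@{
        AzureAdJoined          = $join['AzureAdJoined']
        DomainJoined           = $join['DomainJoined']
        AzureAdPrt             = $join['AzureAdPrt']
        ClientVersion          = $version
        ClientIs2002OrLater    = Test-TenantAttachClientVersion -Version $version
        CoManagementFlags      = Get-CoManagementFlags
        CoManagementEnabled    = (Get-CoManagementFlags) -ne 0
    }
}

# Offline self-check of the parser on constructed dsregcmd-style lines (not real output).
$sample = @(
    '             AzureAdJoined : YES',
    '          DomainJoined : YES',
    '            AzureAdPrt : NO',
    '   TenantName : contoso.example (constructed)',
    '       AuthCodeUrl : https://login.example/common/oauth2/authorize'
)
$parsed = Get-DsregStatus -Lines $sample
$flags  = Test-HybridJoinState -State $parsed
if ($flags['AzureAdJoined'] -and $flags['DomainJoined'] -and -not $flags['AzureAdPrt'] -and
    $parsed['AuthCodeUrl'] -eq 'https://login.example/common/oauth2/authorize') {
    Write-Host 'Parser self-check passed'
} else {
    throw 'Parser self-check failed'
}

# On a real client, print the full report:
# Get-SyncPrereqReport | Format-List
```

The self-check runs anywhere; the report functions query the ConfigMgr client WMI namespace and registry and therefore only return meaningful results on a managed Windows device. A missing PRT (AzureAdPrt NO) or a client below 5.00.8968.1000 would each explain the sync action being unavailable, which is the distinction Jason-MSFT draws between co-management and tenant attach.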