During a recent new application rollout we discovered we had an issue where our Intune managed devices had stopped communicating with Endpoint.
While the team started using Rudy Ooms' excellent blogs and his intunesyncdebugtool to try to resolve the issue on individual machines, we placed the requisite call to our MS Partner (Transparity) to see if we could discover the root cause.
During our call with Transparity support we discovered the issue was due to our Aruba WiFi Intune integration (historically) requiring a certificate with the Intune Device ID as the subject name, which conflicted with Intune's own device certificate, as can be seen below.

With a little research we found that, since the WiFi config was originally set up, Aruba have added the option of using a URI in a SAN for the integration instead of the device ID in the subject name as previously required, and Microsoft have updated their documentation to more or less say "don't use the Intune Device ID as the subject name!"
But where does that leave anyone if their entire estate is dropping out of (or has already dropped out of) management?
Fortunately, with a little bit of PowerShell script using the Defender for Endpoint APIs and Live Response, it is possible to delete the conflicting certificates remotely and at scale.
Leveraging the APIs in our environment resulted in over 150 machines coming back under management without the need to manually remediate each device.
Sample code and documentation are available on GitHub.
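As an added illustration (not the code from the GitHub repository above), the following is the kind of on-device script that would be uploaded to the Defender for Endpoint Live Response library and triggered via the runliveresponse API. It assumes the genuine Intune device certificate is the one issued by "CN=Microsoft Intune MDM Device CA" and removes only other certificates that share its subject name.

```powershell
# Added example (not the author's GitHub code): on-device remediation script for
# Defender for Endpoint Live Response. It removes certificates whose Subject collides
# with the Intune MDM device certificate but were issued by a different CA
# (e.g. the Aruba WiFi integration certificate described above).
# Assumption: the Intune device cert is issued by "CN=Microsoft Intune MDM Device CA".
param(
    [switch]$ReportOnly   # list conflicts without deleting anything
)

$intuneIssuer = 'CN=Microsoft Intune MDM Device CA'
$store = Get-ChildItem -Path 'Cert:\LocalMachine\My'

# The genuine Intune device certificate(s): Subject is CN=<Intune Device ID>
$intuneCerts = @($store | Where-Object { $_.Issuer -eq $intuneIssuer })
if ($intuneCerts.Count -eq 0) {
    Write-Output 'No Intune MDM device certificate found in LocalMachine\My; nothing to do.'
    exit 0
}

$removed = 0
foreach ($intuneCert in $intuneCerts) {
    # Any other cert with the same Subject that was NOT issued by Intune is the conflict.
    # Matching on thumbprint and issuer ensures the Intune cert itself is never touched.
    $conflicts = $store | Where-Object {
        $_.Subject -eq $intuneCert.Subject -and
        $_.Thumbprint -ne $intuneCert.Thumbprint -and
        $_.Issuer -ne $intuneIssuer
    }
    foreach ($cert in $conflicts) {
        $msg = 'Conflict: {0} issued by {1} (thumbprint {2})' -f $cert.Subject, $cert.Issuer, $cert.Thumbprint
        if ($ReportOnly) {
            Write-Output "[ReportOnly] $msg"
        }
        else {
            Remove-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)" -Force
            Write-Output "Removed: $msg"
            $removed++
        }
    }
}
Write-Output "Done. Intune device certs: $($intuneCerts.Count); conflicting certs removed: $removed"
```

Run it first with -ReportOnly across a pilot group so the Live Response output confirms only non-Intune issuers are matched before the deleting run is rolled out to the full estate.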