Troubleshoot Windows MDM device sync issues with external certificates


This will cover topics on debugging the issues related to the failure of the Windows MDM client.


This covers things that are specific to certificates issued by a certificate authority that is not a well-known CA. Such certificates are not automatically trusted by Windows MDM devices as the CA server's certificate will not be present in the trust store on the device. There may be many other reasons for sync to fail and the first step is to look at the event viewer logs to identify the reason and subsequently look at ZENworks server logs.


This topic covers the sync failures caused by certificate-related issues and how to debug them.

 This error 0x80072f8f is seen on Windows MDM client when there is any certificate related issue with the management server -



To troubleshoot for any sync related issues, the first step is to follow this link and look at the event viewer logs

 Event viewer logs in this case do not give any clue as to what could be the reason for the sync failure. Digging up Microsoft links/forums points to a time sync issue between client and server but that’s not the case here. How to debug such issues, the first thing we can confirm is that there is no issue with the management server certificate.

 There are many certificate utilities, the one which we should use is Windows utility certutil.

Certutil can help to confirm if a given certificate and CA certificate are valid. It can also verify the CRL(Certificate Revocation List) is  valid or not by using the following command:

 certutil -verify <server cert> <ca file>

If this command gives an error, then there is some issue with the certificates.

In this case, when the sync issue was present, we will run this command on the server certificate and external CA server certificate.

In the screenshot below, it clearly says that it was not able to verify revocation status, which means the server certificate is not valid. This gives the clue to go and verify the CRL. Either the CRL is not accessible or the CRL file hosted is not the latest, may as well be expired.




 A working certificate will not throw any exception while verifying the certificate, as shown below




Configuration Management
Comment List