After using a custom script (link), Windows 11 Business 24H2 (26100.23.0) no longer synchronizes with Intune. The IntuneManagementExtensions.log (part of it) indicates that a secure TLS channel (handshake) could not be established, which might be the root cause of the problem.
Potential Causes:
Disable insecure protocols
Disable insecure renegotiation
Disable insecure connections from .NET apps
Enable secure connections
Questions:
Does anyone have any insights or ideas on this issue?
Could it be related to the settings mentioned above?
Is it possible that Microsoft uses insecure renegotiation for managing Windows devices? This seems unlikely and concerning.
Reproduction steps
Apply the custom script (link provided).
Attempt to synchronize Windows 11 Business 24H2 with Intune.
Check the IntuneManagementExtensions.log for errors related to TLS handshake.
Expected behavior
Windows 11 Business 24H2 should successfully synchronize with Intune without any TLS handshake errors.
I aim to enhance data protection and security within the company, relying heavily on Defender and Intune. If there are any additional tips regarding the script or if I might have missed something, please let me know.
Since the renegotiation_info extension is enforced during renegotiation, I suggest removing the DisableRenegoOnClient line from privacy.sexy to maintain compatibility with Intune.
Please provide feedback on whether this approach is correct.
Hi, thank you for the report and sharing findings.
I'm not able to test this.
DisableRenegoOnClient is well-documented and the documentation mentions that disabling it is a secure standard.
It's recommended on Strict, prompting users to be careful.
I don't know what to do with privacy.sexy to improve it. Let me know if you have any idea.
I don't understand why Microsoft wouldn't support secure ways for Intune, and it's probably on them to fix.
I'm sure this issue will help others find solutions to the problem though.
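To check whether a device is in the state discussed in this thread, the following read-only PowerShell audit lists the Schannel renegotiation values and any per-protocol overrides. It is an added example, not code from the issue or from privacy.sexy. Only DisableRenegoOnClient is named in the thread; the registry path, the sibling value names and the function names are assumptions based on the standard Schannel settings.

```powershell
# Added example: read-only audit, makes no changes to the registry.
$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# DisableRenegoOnClient is the value named in the thread; the others are the
# sibling Schannel renegotiation values, listed for context (assumption).
$RenegoValues = 'DisableRenegoOnClient', 'DisableRenegoOnServer',
                'AllowInsecureRenegoClients', 'AllowInsecureRenegoServers',
                'UseScsvForTls'

function Get-SchannelRenegoState {
    param([string]$Path = $Schannel, [string[]]$Names = $RenegoValues)
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($n in $Names) {
        $isSet = ($null -ne $props) -and ($props.PSObject.Properties.Name -contains $n)
        [pscustomobject]@{
            Name  = $n
            IsSet = $isSet                       # False = OS default applies
            Value = if ($isSet) { $props.$n } else { $null }
        }
    }
}

function Get-SchannelProtocolOverride {
    param([string]$Path = "$Schannel\Protocols")
    if (-not (Test-Path -Path $Path)) { return }
    Get-ChildItem -Path $Path -Recurse |
        Where-Object { $_.PSChildName -in 'Client', 'Server' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Protocol          = ($_.Name -split '\\')[-2]
                Role              = $_.PSChildName
                Enabled           = $p.Enabled
                DisabledByDefault = $p.DisabledByDefault
            }
        }
}

$renego = Get-SchannelRenegoState
$renego | Format-Table -AutoSize
Get-SchannelProtocolOverride | Format-Table -AutoSize

# Flag the setting the thread ties to the failed Intune handshake.
$hit = $renego | Where-Object { $_.Name -eq 'DisableRenegoOnClient' -and $_.IsSet -and $_.Value -ne 0 }
if ($hit) { Write-Warning 'DisableRenegoOnClient is enabled: the client refuses server-initiated TLS renegotiation.' }
```

Run it in an elevated session on an affected device and on a device that still syncs, then compare the two tables before changing anything.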