The Ghost of Domains Past: A Certificate Renewal Ghost Story
Once upon a time (actually, recently), there was a perfectly healthy Intune environment. Devices were checking in, policies were deploying, and everyone was happy. Then something strange started happening. Devices that should have renewed their MDM certificates… weren’t.
The certificates were approaching their expiration date. The scheduled task was running. But nothing was happening. It was like the certificates had developed a case of stage fright.
The Plot Thickens: A Mysterious Error Code
We started investigating. In the enrollment registry, we found a clue:
RenewErrorCode = 0x80180018
And in the DeviceManagement-Enterprise-Diagnostics-Provider log, an ominous message appeared:
Event 52: MDM Enroll: Server Returned Fault/Code/Subcode/Value=(UserLicense)
Fault/Reason/Text=(Failed to issue token: UserValidation)
At first glance, this looked like a licensing issue. And indeed, Microsoft’s documentation confirmed it: MENROLL_E_USERLICENSE (0x80180018) — “License of user is in bad state and blocking the enrollment. The user needs to call the admin.”
But here was the twist: The users were licensed. Properly licensed. Active. Intune was working normally for everything else. So why was the enrollment server claiming otherwise?
The Merger Connection
Here’s where our detective story takes an interesting turn. All the affected devices had something in common: their users had recently been through a domain migration. Their email domains and UPNs had changed. The old domain was removed from the authorized domains.
But here’s the kicker: The enrollment data stored on the device remained unchanged.
We checked one of the affected devices. The current user account was now user@newcompany.com. But in the enrollment registry? The UPN was still pointing to the old domain: user@oldcompany.com.
The device was trying to renew its certificate using credentials that no longer existed in Entra ID. It was like trying to renew your driver’s license using your childhood home address — technically meaningful to you, but no longer valid.
The Discovery Dance
When the Enrollment Service tried to locate the user’s Intune license during renewal, what happened? The domain was no longer resolving to any real user. The device’s renewal request didn’t include a valid user email (UPN). And because the UPN pointed to a non-existent domain, the license check failed.
We could see this in the network trace (Fiddler, our trusty sidekick). The discovery request was being sent to the enrollment service with the wrong UPN — the old, defunct email address.
The enrollment service was essentially saying: “I have no idea who this person is. They don’t exist in this domain anymore. No license for you!”
The Fix: Updating One Little Value
Here’s the satisfying part of the story. We didn’t need to re-enroll the device. We didn’t need to wipe it. We just updated one value in the enrollment registry: the UPN.
From:
UPN = user@oldcompany.com
To:
UPN = user@newcompany.com
Then we triggered the certificate renewal process. And wouldn’t you know it — the MDM certificate was renewed immediately. The moment the device started using the correct identity, the renewal completed without issue.
We even built detection and remediation scripts to find and fix other devices with the same problem. One registry change. No drama. No re-enrollment.
Why This Matters Now More Than Ever
With the Microsoft Intune Root Certification Authority renewal coming in May 2026, this issue becomes critical. When the root certificate is renewed, every MDM device certificate chained to it must also be renewed. If a device can’t renew (because its UPN points to a ghost domain), the certificate chain breaks.
The device may still appear healthy for a while. It checks in. It receives policies. But when the certificate finally expires? Complete communication breakdown. Intune loses its connection to that device.
And here’s the sneaky part: This issue doesn’t generate obvious errors. Everything looks fine until suddenly it isn’t.
How to Check Your Environment
Want to see if any of your devices are haunted by ghosts of domains past? You can check directly in the registry:
HKLM\SOFTWARE\Microsoft\Enrollments\{EnrollmentID}\UPN
If the UPN points to a domain that no longer exists in your Entra ID tenant, you’ve found a haunted device.
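The check above, turned into a detection script with optional remediation. This is an example added here, not the post's own script; the list of verified domains and the old-to-new domain mapping are assumptions you replace with your tenant's values, and it only rewrites the UPN value, leaving triggering the renewal to you.

```powershell
# Detect enrollment keys whose UPN points to a domain that is no longer
# verified in the tenant; optionally rewrite the UPN (-Remediate).
param(
    [string[]]$ValidDomains = @('newcompany.com'),                      # assumption: your verified domains
    [hashtable]$DomainMap   = @{ 'oldcompany.com' = 'newcompany.com' },  # assumption: old -> new mapping
    [switch]$Remediate
)

$base     = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$findings = @()

foreach ($key in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
    # Helper subkeys (Status, Context, ...) carry no UPN value; skip them.
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if (-not $props.UPN) { continue }

    $upn    = [string]$props.UPN
    $user   = ($upn -split '@')[0]
    $domain = ($upn -split '@')[-1].ToLowerInvariant()
    if ($ValidDomains -contains $domain) { continue }   # healthy enrollment

    # RenewErrorCode is a DWORD; X8 formatting prints e.g. 0x80180018 (MENROLL_E_USERLICENSE).
    $renewError = if ($null -ne $props.RenewErrorCode) { '0x{0:X8}' -f $props.RenewErrorCode } else { 'n/a' }
    $suggested  = if ($DomainMap.ContainsKey($domain)) { "$user@$($DomainMap[$domain])" } else { $null }

    $findings += [pscustomobject]@{
        EnrollmentID   = $key.PSChildName
        UPN            = $upn
        RenewErrorCode = $renewError
        SuggestedUPN   = $suggested
    }

    if ($Remediate -and $suggested) {
        # Only the UPN value changes; no re-enrollment, no wipe.
        Set-ItemProperty -Path $key.PSPath -Name 'UPN' -Value $suggested
        Write-Host "Updated $($key.PSChildName): $upn -> $suggested"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No haunted enrollments found.'
    exit 0
}
$findings | Format-Table -AutoSize
exit 1   # non-zero exit marks the device non-compliant when run as an Intune detection script
```

Run it elevated; as an Intune detection script the non-zero exit is what triggers the paired remediation script.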
The Moral of the Story
When you migrate domains, remember: devices are creatures of memory. They remember how they enrolled. They remember the identity they used. And if that identity becomes a ghost, they’ll keep trying to use it — until something breaks.
The lesson? After any domain migration, audit your enrollment data. Check those UPNs. Update them before they become a certificate renewal nightmare.
Stay vigilant, friends. The cloud remembers everything — even the identities you thought you’d left behind.