A World Where Intune Check-Ins Can’t Be Trusted | Patch and Rant Ep.24

What if Intune’s “Last Check-In” is the one signal you should stop trusting? In this episode of Patch and Rant, Rudy uncovers why a device can look perfectly healthy in the Intune portal even when its certificate is already expired and real management is effectively dead.

We break down how the OMA-DM client sends its first “hello” to Intune, gets a server response, and updates the local timestamps that later appear as the device’s Last Check-In. The catch? That timestamp can move forward before the device actually retrieves policies, deploys apps, or processes PowerShell scripts. Rudy explains why the session can still begin with an expired certificate, why that behavior exists, and where the real problem starts: the moment actual device management is supposed to happen. That means a device may still look alive in the portal while policies stop applying and apps stop updating.

Bottom line: Last Check-In is not a health signal. It only proves the device managed to start a conversation with Intune, not that the conversation succeeded.

Chapters:
00:00 Intro: Why Last Check-In can fool admins
00:53 The expired certificate mystery
01:55 It checked in 5 minutes ago… how?
03:01 Why admins assume the device is healthy
03:38 The device can still say hello
04:08 Where the timestamp actually comes from
05:35 The first hello message to Intune
06:22 Why expired certs do not stop the session immediately
08:04 Why Microsoft allows this behavior
09:38 Where real device management fails
10:10 The real takeaway: Last Check-In is not health
11:10 What to check instead
11:43 Outro

#Intune #MicrosoftIntune #DeviceManagement #EndpointManagement #PatchAndRant #SysAdmin
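Added example (not code from the episode): a PowerShell check, run on the managed Windows device, that puts the portal's Last Check-In next to the expiry of the local MDM device certificate so the mismatch the episode describes becomes visible. It assumes the device certificate lives in LocalMachine\My with an issuer containing "Microsoft Intune MDM Device CA", and that the admin pastes in the Last Check-In value from the portal.

```powershell
# Contrast the portal "Last Check-In" with the local MDM device certificate.
# Assumptions: cert in Cert:\LocalMachine\My, issuer matches $IssuerPattern.
function Test-IntuneCheckInTrust {
    [CmdletBinding()]
    param(
        # Last Check-In value copied from the Intune portal
        [Parameter(Mandatory)] [datetime] $PortalLastCheckIn,
        # Treat a check-in within this window as "recent" (24 h is an assumption)
        [int]    $RecentHours   = 24,
        [string] $IssuerPattern = 'Microsoft Intune MDM Device CA'
    )

    $now  = Get-Date
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "*$IssuerPattern*" } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1

    if (-not $cert) {
        return [pscustomobject]@{
            Verdict           = 'NoDeviceCert'
            PortalLastCheckIn = $PortalLastCheckIn
            CertNotAfter      = $null
            Detail            = 'No MDM device certificate found; the portal timestamp proves nothing here.'
        }
    }

    $expired    = $cert.NotAfter -lt $now
    $recentSeen = ($now - $PortalLastCheckIn).TotalHours -le $RecentHours

    # The trap from the episode: recent check-in + expired cert.
    $verdict = if ($expired -and $recentSeen) { 'ExpiredCert-RecentCheckIn' }
               elseif ($expired)              { 'ExpiredCert' }
               elseif ($recentSeen)           { 'ValidCert-RecentCheckIn' }
               else                           { 'ValidCert-NoRecentCheckIn' }

    $detail = if ($verdict -eq 'ExpiredCert-RecentCheckIn') {
        "Portal shows a check-in $([int]($now - $PortalLastCheckIn).TotalMinutes) min ago, " +
        "but the device cert expired $([int]($now - $cert.NotAfter).TotalDays) days ago: " +
        "the session can start, management cannot."
    } else { "Device cert valid until $($cert.NotAfter); check-in recency alone is not health." }

    [pscustomobject]@{
        Verdict           = $verdict
        PortalLastCheckIn = $PortalLastCheckIn
        CertNotAfter      = $cert.NotAfter
        CertThumbprint    = $cert.Thumbprint
        Detail            = $detail
    }
}

# Usage on the device (the date is a constructed sample, paste the portal value):
Test-IntuneCheckInTrust -PortalLastCheckIn '2024-05-01 10:00' | Format-List
```

The Verdict of ExpiredCert-RecentCheckIn is exactly the "checked in 5 minutes ago with an expired certificate" state from the episode; treat the certificate, not the timestamp, as the management signal.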