How to upgrade the Intune certificate connector

Microsoft recently announced that, starting April 2022, certificate connectors earlier than version 6.2101.13.0 will be deprecated and will show a status of Error. This status does not affect functionality. Starting June 2022, such connectors will no longer be able to issue certificates. This applies to both the PFX Certificate Connector for Microsoft Intune and the Microsoft Intune Connector, which on July 29, 2021 were replaced by the single Certificate Connector for Microsoft Intune.

Each released Intune connector version is supported for 6 months. After that, the connector is no longer supported and your functionality might be impacted, so it is important to keep track of the connector status.

For more information about the lifecycle of the connector, such as automatic update vs. manual update, please refer to https://docs.microsoft.com/en-us/mem/intune/protect/certificate-connector-overview#lifecycle

In this blog post, I will discuss how to upgrade the Intune certificate connector to the latest version and configure the service.

Following the Microsoft announcement, I checked one of my existing Intune certificate connectors, which issues the VPN certificate during hybrid Azure AD join (Autopilot). In the Intune portal the connector status showed Error, which means it is running an older version of the agent that needs to be upgraded.

You can check the certificate connector status in the portal at Certificate Connectors - Microsoft Endpoint Manager admin center.

To find the version installed on your server, log in to the connector server and check Programs and Features.

The version I had was 6.1904.1.0.

How to download and install/upgrade the latest Intune certificate connector?

Log in to the Endpoint Manager admin center and browse to Tenant administration > Connectors and tokens > Certificate connectors (Certificate Connectors - Microsoft Endpoint Manager admin center).

Click the certificate connector that shows Error, then click Add.

Click the certificate connector link to download the latest version.

Intune connector version: 6.2202.38.0

Upgrading the Intune certificate connector has a new prerequisite on the server: the previous connector did not need HTTP Activation, but the new connector does, and without it the connector configuration will fail.

Please review the prerequisites for installing the Intune connector at https://docs.microsoft.com/en-us/mem/intune/protect/certificate-connector-prerequisites#general-prerequisites

Start the Intune connector installation (run as administrator).

Click Install; this process removes the previous version and installs the new one.

Click Configure Now. If you close the window, you can launch the connector configuration later.

You can launch the Intune connector configuration manually from the Start menu or from C:\Program Files\Microsoft Intune\PFXCertificateConnector\ConnectorUI\PFXCertificateConnectorUI.exe

Launch the Intune certificate connector. This welcome page appears every time you open the connector.

Select the features you want to enable. I selected the SCEP feature, which issues certificates to devices over the SCEP protocol from the AD CA.

Next is the service account. The connector runs as this account and uses it to access the registry and file system on the computer that hosts the connector.

The connector also uses this account to communicate with the CA and to access any hardware security modules.

I use a domain user that is also a local administrator on the Windows server.

If you select the system account and click Next, you may hit the following error, which is caused by the missing Log on as a service right.

Configuring Microsoft Intune certificate connector failed. No changes were made to feature or proxy settings.  Please try again.

Enrollment Failed. Error: Microsoft.Intune.Connectors.AgentAuth.IntuneClientException: IntuneClient Request Failure
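Before running the wizard, you can confirm which user rights the intended service account actually holds on the connector server. The following PowerShell is an added example and is not part of the original post or of the connector itself; the account name is a placeholder, and the second privilege (Enable computer and user accounts to be trusted for delegation) is included only because it comes up in the comments on this post.

```powershell
# Added example (not from the original post): report whether an account is
# explicitly granted the given user rights on this server. Run as administrator,
# because secedit needs elevation to export the local security policy.
function Get-AccountUserRights {
    param(
        [Parameter(Mandatory)] [string]   $Account,                          # e.g. 'CONTOSO\svc-intune' (placeholder)
        [string[]]                        $Privileges = @('SeServiceLogonRight')  # "Log on as a service"
    )

    # secedit lists grantees as *SID, so resolve the account to its SID first.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
    $null = secedit.exe /export /cfg $cfg /areas USER_RIGHTS
    try {
        $lines = Get-Content -Path $cfg      # UTF-16 with BOM; Get-Content detects it
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }

    foreach ($priv in $Privileges) {
        $line = $lines |
            Where-Object { $_ -match ('^' + [regex]::Escape($priv) + '\s*=') } |
            Select-Object -First 1

        # Right-hand side looks like: *S-1-5-80-0,*S-1-5-21-...-1105
        $holders = @()
        if ($line) {
            $holders = ($line -split '=', 2)[1].Trim() -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') }
        }

        [pscustomobject]@{
            Account   = $Account
            Privilege = $priv
            # Only direct grants are detected; a grant via group membership
            # (e.g. a local group listed in the policy) is not resolved here.
            Granted   = [bool](($holders -contains $sid) -or ($holders -contains $Account))
        }
    }
}

# Usage (placeholder account name):
Get-AccountUserRights -Account 'CONTOSO\svc-intune' `
                      -Privileges 'SeServiceLogonRight', 'SeEnableDelegationPrivilege'
```

A `Granted` value of False for SeServiceLogonRight means the account would have to be added under Local Security Policy > Local Policies > User Rights Assignment > Log on as a service (or via Group Policy) before the connector service can start under it; note that the export only shows accounts granted the right directly, not rights inherited through a group.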

I used the domain user account and clicked Next.

In case you use a proxy to connect to the internet, provide the details.

The prerequisites step validates whether any required components are missing.

As you can see below, the previous version of the Intune connector did not need HTTP Activation, but this version requires it. It is always important to read the documentation before starting anything.

Missing required windows server feature: HTTP ACTIVATION

Open Server Manager and install the HTTP Activation feature (under .NET Framework 4.x Features > WCF Services). Once it finishes, return to the connector wizard and rerun the check.

The prerequisite check is passed now.
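The version check at the start of this post and the prerequisite check the wizard performs can both be scripted, which is handy when you have several connector servers to review ahead of the deprecation deadline. The following PowerShell is an added example, not part of the original post or of Microsoft's connector; the Windows feature name NET-WCF-HTTP-Activation45 (the .NET 4.x HTTP Activation feature shown in Server Manager) and the Uninstall registry keys are assumptions about where the information lives, and the .NET 4.7.2 release number is the one quoted in the comments below.

```powershell
# Added example (not from the original post): report the installed connector
# version and the server prerequisites the wizard checks. Run in an elevated
# Windows PowerShell session on the connector server (needs the ServerManager module).
function Get-IntuneConnectorReadiness {
    # Installed connector(s), read from the Uninstall keys behind Programs and Features.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $connectors = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Intune*' -and $_.DisplayName -like '*Connector*' } |
        Select-Object DisplayName, DisplayVersion

    # Per the Microsoft announcement quoted in the post: below 6.2101.13.0 is deprecated.
    $minimum   = [version]'6.2101.13.0'
    $versionOk = @($connectors | Where-Object { [version]$_.DisplayVersion -ge $minimum }).Count -gt 0

    # .NET Framework 4.7.2 or later: Release value 461808 or higher.
    $release  = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                                  -ErrorAction SilentlyContinue).Release
    $dotNetOk = ($null -ne $release) -and ($release -ge 461808)

    # HTTP Activation under .NET Framework 4.x Features > WCF Services.
    # Assumed feature name: NET-WCF-HTTP-Activation45
    $httpActivation = Get-WindowsFeature -Name NET-WCF-HTTP-Activation45
    $httpActOk      = [bool]$httpActivation.Installed

    # TLS 1.2 client must not be disabled in SCHANNEL (absent key = OS default, enabled on 2012 R2+).
    $tlsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $tlsEnabled = (Get-ItemProperty -Path $tlsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $tls12Ok    = ($null -eq $tlsEnabled) -or ($tlsEnabled -ne 0)

    [pscustomobject]@{
        Connectors        = $connectors
        VersionSupported  = $versionOk
        DotNet472OrLater  = $dotNetOk
        HttpActivation    = $httpActOk
        Tls12ClientEnabled = $tls12Ok
    }
}

$readiness = Get-IntuneConnectorReadiness
$readiness | Format-List

# Remediate the one prerequisite the wizard flagged in this post; this is the
# same feature you would tick in Server Manager > Add Roles and Features.
if (-not $readiness.HttpActivation) {
    Install-WindowsFeature -Name NET-WCF-HTTP-Activation45
}
```

Run it once before the upgrade and once after: before, `VersionSupported` should be False for a connector that shows Error in the portal; after the upgrade and the feature install, every field should be True and `Connectors` should list only the new Certificate Connector for Microsoft Intune.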

Next is Azure AD sign-in.

Choose the cloud environment and click Next.

You will be prompted for credentials.

This user account must be a Global Administrator or an Intune Administrator with an Intune license assigned, AND the account must be synchronized from your on-premises Active Directory.

You cannot use a cloud-only account created directly in Azure AD, even if it is a Global Administrator or Intune Administrator with a license assigned.

If you do so, you will see the following error.

Something went wrong. An unanticipated error occurred. Your IT Department may be able to help.

At this stage, you have to close the wizard and start from the beginning, so make sure you use an account that meets the prerequisites.

If authentication succeeds, you will see the following page indicating that the sign-in was successful.

Click Next to configure the service. Wait a while for the service to register with Microsoft Intune.

In case of any errors during configuration, refer to the Event Viewer:

  • Event Viewer > Applications and Services Logs > Microsoft > Intune > Certificate Connectors
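The same channels can be read from PowerShell, which is quicker than clicking through the console when the wizard fails part-way and you need the last few errors with timestamps. This is an added example, not from the original post or from Microsoft; it discovers the channel names by wildcard rather than hard-coding them, so it makes no assumption about their exact names beyond the "Intune" substring visible in the Event Viewer path above.

```powershell
# Added example (not from the original post): pull recent Critical/Error/Warning
# events from the connector's Event Viewer channels.
function Get-IntuneConnectorErrors {
    param(
        [int] $Hours     = 24,   # look-back window
        [int] $MaxEvents = 50
    )

    # Channels under Applications and Services Logs > Microsoft > Intune > ...
    # Only channels that actually contain records are queried; querying an
    # empty or disabled channel makes Get-WinEvent throw.
    $logs = Get-WinEvent -ListLog '*Intune*' -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 } |
        Select-Object -ExpandProperty LogName

    if (-not $logs) { return @() }

    Get-WinEvent -FilterHashtable @{
            LogName   = $logs
            Level     = 1, 2, 3                      # Critical, Error, Warning
            StartTime = (Get-Date).AddHours(-$Hours)
        } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, LevelDisplayName, Message |
        Sort-Object TimeCreated -Descending
}

# Usage: most recent connector problems from the last day.
Get-IntuneConnectorErrors | Format-List
```

If the function returns nothing even though the wizard failed, widen `-Hours` or drop the `Level` filter; the enrollment and proxy errors quoted in this post are logged in these channels at the time the wizard reports them.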

Now check the connector status in the Intune portal. If the configuration completed successfully, the connector registers and its status shows Active.

Rename the newly registered connector to a meaningful name and remove the existing (old) connector that shows Error.

Test the certificate deployment profile to make sure certificates are issued to devices through the newly registered connector.

Hope you find this post useful.

Reference articles: https://docs.microsoft.com/en-us/mem/intune/protect/certificate-connector-install

https://docs.microsoft.com/en-us/mem/intune/protect/certificate-connector-overview#logging

13 Responses to "How to upgrade the Intune certificate connector"

  1. An oldie but a goodie. Any idea if that Azure AD account you're signing into Azure AD with during setup has to continue to hold the Global Admin or Intune Admin roles after setup? Or is it only required during initial setup to set some configuration and can have those highly privileged access roles removed afterwards?

  2. Very important: If you're using a proxy - use the prefix http:// or the connection won't work. Maybe you could add this to the screenshot where the proxy is shown. We needed 2 days to figure out what the problem was.

  3. Hi Eswar,

    Your article was a blessing since MS articles only have outdated information.

    We had a few queries during implementing the connector upgrade, and I am posting them here so it would be helpful to somebody.

    The new connector is entirely different, I mean it has a different set of registry values and a different file arrangement in the installation folder.
    For example, The registry folder 'NDESPolicy' no longer exists in the mentioned path -> (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy)

    Registry entries inside this path are also changed (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MicrosoftIntune)

    Due to these changes, the validation script in the mentioned TechNet article throws an error. (https://docs.microsoft.com/en-us/troubleshoot/mem/intune/verify-ndes-configuration).

    //
    1. Validate that the NDES server has .NET framework 4.7.2
    (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full").Release -ge 461808
    It should return TRUE
    If FALSE, refer the article (https://dotnet.microsoft.com/download/dotnet-framework/net472 (install .NET Runtime)

    2. Make sure you are allowing TLS 1.2 in your NDES server.

    3.Collect information from the old connector: proxy, revocation permissions account (SVC or System)

    4. Check that the account on which the connector is running (most probably system account of the NDES server) has "issue and manage certificate" permissions on the CA.

    5. Uninstall the old connector.

    6. Reboot the server.

    7. Launch NDES URL (http://SERVER_FQDN/certsrv/mscep/mscep.dll) and verify if it is working. Since the connector is Uninstalled, the page should load and should not throw any error.

    8. Delete the Connector entry from the Intune console. Tenant Administration > Connector and tokens > Certificate Connector

    9. Download and Install the new connector (Don't forget to Run as administrator).

    10. click on 'Configure Now' and follow the connector wizard.

    11. Sign in with a Global Admin (or Intune Admin) account with an Intune license.

    12. After configuration has been done successfully, perform a reboot and check the NDES URL (Now it should throw 403 error). Also check if the connector is reflecting in Intune console.

    13. Proceed for Testing.
    //

  4. If you get an error similar to "Current connection was closed. Data could not be read"... check that your firewall or proxy does not decrypt this traffic. There is a list of addresses Microsoft provides that MUST be excluded from the SSL decryption. Of course you may also exclude the server at IP level as well.

    1. It does remove automatically once the new one is installed correctly. Did you remove the old one manually in your case?

      Regards,
      Eswar

  5. Hi Eswar

    when running the wizard, I get the following message:
    Enrollment Failed. Error: System.Security.Cryptography.CryptographicException: The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation.

    at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
    at System.Security.Cryptography.Utils._CreateCSP(CspParameters param, Boolean randomKeyContainer, SafeProvHandle& hProv)
    at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
    at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
    at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
    at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
    at Microsoft.Intune.Connectors.ConfigUI.Tasks.Enroll.d__0.MoveNext()

    This happens with an AD account (with the permission to log on as a service)

    The account has the necessary CA permissions (read/enroll certificates and issue & manage certificates). It is an on premise account. For the Azure AD sign in we use a dedicated AAD account with the Intune permission, which doesn't throw an error.

    The old NDES connector is installed on the same server and still works well (luckily).

    Do you have an idea, why the server needs a trust for delegation and the user must be allowed for delegation, which wasn't necessary before? I can't find this in the prerequisites.

    Thanks & best regards,
    Eike

    1. Hi,
      Apologies for the late reply. Is this a new setup or an upgrade of the existing connector?
      Did you try to open Local Security Policy under start menu\Windows Administrative Tools, then adding your user account in Security Settings/Local Policies/User Right Assignment/Enable computer and user accounts to be trusted for delegation.

      Thanks,
      Eswar
