Microsoft recently announced that, starting April 2022, certificate connectors earlier than version 6.2101.13.0 will be deprecated and will show a status of Error. This status does not affect functionality yet. Starting June 2022, such connectors will no longer be able to issue certificates. This includes both the PFX Certificate Connector for Microsoft Intune and the Microsoft Intune Connector, which were replaced on July 29, 2021 by the Certificate Connector for Microsoft Intune.
A given release of the Intune certificate connector is supported for six months from the time it is released. After that, the connector is no longer supported and certificate issuance might be impacted, so it is important to keep track of the connector status.
For more information about the lifecycle of the connector, such as automatic update vs. manual update, please refer to https://docs.microsoft.com/en-us/mem/intune/protect/certificate-connector-overview#lifecycle
In this blog post, I will walk through how to upgrade the Intune certificate connector to the latest version and configure the service.
As per the Microsoft announcement, I checked one of my existing Intune certificate connectors, which is used to issue VPN certificates to devices during hybrid Azure AD join (Autopilot). I logged into the Intune portal to check the connector status, and it showed Error. This means I was running an older version of the agent that needs to be upgraded.
You can check the status of the certificate connectors in the Intune portal at Certificate Connectors - Microsoft Endpoint Manager admin center.
To find the version that is installed on your server, log into the certificate server and check Programs and Features.
The version I had was 6.1904.1.0, which is below the 6.2101.13.0 threshold from the announcement.
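If you have more than one connector server, it is quicker to script the Programs and Features check than to RDP to each box. The following PowerShell is an added example (not from the original post) that reads the same uninstall data Programs and Features displays, parses the version, and flags anything below the 6.2101.13.0 deprecation threshold. The DisplayName pattern `*Intune*Connector*` is an assumption about how the connector products are named.

```powershell
# Added example (not from the original post): report the installed Intune certificate
# connector version(s) from the same data Programs and Features shows, and flag any that
# fall below the 6.2101.13.0 deprecation threshold. Run on the connector server.
$Threshold = [version]'6.2101.13.0'

# Programs and Features is backed by these two uninstall registry hives (64-bit and 32-bit).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption: the connector's DisplayName contains both "Intune" and "Connector"
# (meant to match the old PFX/SCEP connectors as well as the new Certificate Connector).
$Connectors = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Intune*Connector*' }

if (-not $Connectors) {
    Write-Warning 'No Intune connector found in Programs and Features on this server.'
    return
}

foreach ($c in $Connectors) {
    # "-as [version]" yields $null instead of throwing if DisplayVersion is not a clean
    # dotted version string, so a stray entry does not abort the loop.
    $installed = $c.DisplayVersion -as [version]
    $status = if ($null -eq $installed) {
        'Unknown version string'
    } elseif ($installed -lt $Threshold) {
        'Deprecated - upgrade required (stops issuing certificates from June 2022)'
    } else {
        'Supported'
    }
    [pscustomobject]@{
        Name    = $c.DisplayName
        Version = $c.DisplayVersion
        Status  = $status
    }
}
```

Comparing as `[version]` rather than as strings matters here: a string comparison would rank 6.1904.1.0 above 6.2101.13.0 only by accident of digit count, whereas `[version]` compares each component numerically, so 6.1904.1.0 is correctly reported as deprecated.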
How to download and install/upgrade the latest Intune certificate connector
Log in to the Endpoint Manager admin center, browse to Tenant administration and open the connector status page at Certificate Connectors - Microsoft Endpoint Manager admin center.
On the certificate connectors page (where the existing connector shows Error), click Add.
Click the certificate connector download link to get the latest version.
Intune connector version: 6.2202.38.0
The upgrade of the Intune certificate connector requires the following prerequisites on the server. The previous connector did not need HTTP Activation, but the new connector does; without it, configuration of the connector will fail.
Please review the prerequisites to install the Intune connector: https://docs.microsoft.com/en-us/mem/intune/protect/certificate-connector-prerequisites#general-prerequisites
Start the Intune connector installation (run as administrator).
Click Install. This process removes the previous version and installs the new version.
Click Configure Now. If you close the window, you can launch the configuration of the Intune connector at a later time.
You can launch the Intune connector configuration manually from the Start menu or from C:\Program Files\Microsoft Intune\PFXCertificateConnector\ConnectorUI\PFXCertificateConnectorUI.exe
Launch the Intune certificate connector. This welcome page appears every time you open the connector.
Select the features that you want to enable. I selected the SCEP feature, to issue certificates to devices over the SCEP protocol from the AD CA.
Next is the service account.
This account runs the connector service and is used to access the registry and file system on the computer that hosts the connector.
The connector also uses this account to communicate with the CA and to access any hardware security modules.
I use a domain user that is also a local administrator on the Windows server. Whatever account you pick, it must hold the "Log on as a service" right on the connector server, since that is what the service control manager checks when it starts the connector.
If you select the SYSTEM account and proceed to the next step, you may hit the following error, which is caused by the missing "Log on as a service" right:
Configuring Microsoft Intune certificate connector failed. No changes were made to feature or proxy settings. Please try again.
Enrollment Failed. Error: Microsoft.Intune.Connectors.AgentAuth.IntuneClientException: IntuneClient Request Failure
I used the domain user account and clicked Next.
If you use a proxy to connect to the internet, provide the proxy details here.
Next, the prerequisites check validates whether any required components are missing.
As you can see below, the previous version of the Intune connector did not need HTTP Activation, but this version requires it. It is always worth reading the documentation before starting anything.
Missing required windows server feature: HTTP ACTIVATION
Open Server Manager and install the HTTP Activation feature. Once it finishes, return to the connector page and rerun the check.
The prerequisite check now passes.
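Both of the things the wizard tripped over above, the service account rights and the HTTP Activation feature, can be verified before you even start the wizard. The following script is an added example (not from the original post) that checks whether the chosen account is a local administrator and holds the "Log on as a service" right (SeServiceLogonRight), and whether HTTP Activation is installed, optionally installing it. The account name `CONTOSO\svc-intune-connector`, the script file name `Test-ConnectorPrereqs.ps1` and the feature name `NET-WCF-HTTP-Activation45` (the .NET Framework 4.x HTTP Activation feature) are assumptions; adjust them for your environment. Run it from an elevated prompt on the connector server, because `secedit` and `Install-WindowsFeature` both require it.

```powershell
# Added example (not from the original post): pre-flight checks for the connector
# service account and the HTTP Activation feature. Run elevated on the connector server.
param(
    # Assumption: the connector service account is a domain user given as DOMAIN\user.
    [string]$ServiceAccount = 'CONTOSO\svc-intune-connector',
    # Assumption: the server uses .NET Framework 4.x, so HTTP Activation is this feature.
    [string]$HttpActivationFeature = 'NET-WCF-HTTP-Activation45',
    # Install the feature if it is missing instead of only reporting on it.
    [switch]$Install
)

# 1. Local Administrators membership (the post uses a domain user that is also a local admin).
$isLocalAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ieq $ServiceAccount })

# 2. "Log on as a service" (SeServiceLogonRight). secedit exports the grantees as SIDs
#    prefixed with '*', so translate the account name to its SID before comparing.
$account = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

$exportFile = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $exportFile /areas USER_RIGHTS | Out-Null
$grantees = @()
$match = Select-String -Path $exportFile -Pattern '^SeServiceLogonRight\s*=' | Select-Object -First 1
if ($match) {
    # Line looks like: SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1105
    $grantees = ($match.Line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
}
Remove-Item $exportFile -ErrorAction SilentlyContinue
# Unresolvable principals are exported by name rather than SID, so accept either form.
$hasLogonAsService = ($grantees -contains $sid) -or ($grantees -contains $ServiceAccount)

# 3. HTTP Activation feature, required by the new connector but not by the old one.
$feature = Get-WindowsFeature -Name $HttpActivationFeature
if (-not $feature.Installed -and $Install) {
    Install-WindowsFeature -Name $HttpActivationFeature | Out-Null
    $feature = Get-WindowsFeature -Name $HttpActivationFeature
}

[pscustomobject]@{
    ServiceAccount          = $ServiceAccount
    LocalAdministrator      = $isLocalAdmin
    LogOnAsServiceRight     = $hasLogonAsService
    HttpActivationFeature   = $HttpActivationFeature
    HttpActivationInstalled = [bool]$feature.Installed
}
```

Usage: `.\Test-ConnectorPrereqs.ps1 -ServiceAccount 'CONTOSO\svc-intune-connector' -Install`. If `LogOnAsServiceRight` comes back False, grant the right through Local Security Policy (User Rights Assignment) or the GPO that applies to the server; the wizard itself does not add it, which is why the SYSTEM account attempt above failed with "Enrollment Failed".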
Next is Azure AD sign-in.
Choose the cloud environment and click Next.
You will be prompted for credentials.
This user account must be a Global Administrator or an Intune Administrator with an Intune license assigned, AND the user must be an account synchronized from your on-premises Active Directory.
You cannot use a cloud-only account created directly in Azure AD, even if it is a GA or Intune admin with a license assigned.
If you do so, you will see the following error:
Something went wrong. An unanticipated error occurred. Your IT Department may be able to help.
At this stage, you will have to close the wizard and start from the beginning, so make sure you use an account that meets the prerequisites.
If authentication succeeds, you will see the following page indicating that sign-in was successful.
Click Next to configure the service, and wait a while for the service to register with Microsoft Intune.
In case of any errors during configuration, refer to the event log:
- Event Viewer > Application and Service Logs > Microsoft > Intune > Certificate Connectors
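When the configuration or registration fails, it is faster to pull the last day of errors from that log in PowerShell than to scroll through Event Viewer. The following script is an added example (not from the original post). It discovers the connector's event log channels by wildcard rather than hard-coding a name, because the exact channel name behind "Microsoft > Intune > Certificate Connectors" is an assumption here; the `*Intune*` pattern and the script file name `Get-ConnectorErrors.ps1` are likewise assumptions.

```powershell
# Added example (not from the original post): triage the connector's event logs from
# PowerShell. Channel names are discovered by wildcard because the exact name is an
# assumption; adjust -LogNamePattern if your server names them differently.
param(
    [int]$Hours = 24,
    # Assumption: the connector's channels have "Intune" somewhere in the log name.
    [string]$LogNamePattern = '*Intune*'
)

# Only channels that actually contain records are worth querying.
$logs = Get-WinEvent -ListLog $LogNamePattern -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 }

if (-not $logs) {
    Write-Warning "No event logs matching '$LogNamePattern' with records were found on this host."
    return
}

# Keep only the first line of each message; the connector's exception messages carry
# long stack traces that make table output unreadable.
$firstLine = @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }

foreach ($log in $logs) {
    # Level 1 = Critical, 2 = Error, 3 = Warning. -FilterHashtable is evaluated by the
    # event log service itself, so this stays quick even on a busy channel.
    $filter = @{
        LogName   = $log.LogName
        Level     = 1, 2, 3
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, LevelDisplayName, $firstLine
}
```

Usage: `.\Get-ConnectorErrors.ps1 -Hours 2 | Format-Table -AutoSize -Wrap`. To isolate the registration failure from the sign-in step, pipe the output through `Where-Object Message -match 'IntuneClientException'`, the exception name shown in the error text earlier in this post.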
Now, check the connector status in the Intune portal. If the configuration completed successfully, the connector registers and its status is Active.
We can rename the newly registered connector to a meaningful name and, once the new connector is confirmed to be working, remove the existing (old) connector that shows Error.
Test the certificate deployment profile to make sure certificates are issued to devices by the newly registered connector.
Hope you find this post useful.