September 2, 2022

Time To Upgrade the Certificate Connector!

Time To Upgrade the Certificate Connector!

If your certificate connector is still on a version earlier than 6.2101.13.0 then it is the right time to upgrade it because, from today onwards, they are deprecated and will not be able to issue certificates to your devices.

If you have a certificate connector configured, then you might be leveraging its functionality for issuing & revoking:

  • Private and public key pair (PKCS) certificates, or
  • PKCS imported certificates, or
  • Simple Certificate Enrollment Protocol (SCEP)

In July’21, Microsoft published the lifecycle policy for certificate connectors, and as per Microsoft:

  1. Each new connector release will be supported six months after its release date. During this period, automatic updates can install a newer connector version (depending upon your network configuration).
  2. If an out-of-support connector fails, it must update to the latest supported version.
  3. If automatic updates of the connector are blocked, the manual update of the connector will be required within six months before support for the installed version ends.
  4. Connectors out of support will continue functioning for up to 18 months after their release date. After 18 months, a connector’s functionality might fail due to service level improvements, updates, or addressing common security vulnerabilities that might surface in the future.

This helps replace three separate certificate connectors for SCEP and PKCS and imported PKCS with a Unified Certificate Connector. Previously, from Intune portal, we had the option to download three different connectors viz SCEP, PKCS and PFX imported. 

You just need to download and configure the new unified certificate connector, enabling multiple capabilities from a single connector. 

Check the version installed in your environment:

You can verify the version of the connector from the server on which it is installed.

This screenshot shows that the connector version is deprecated, which is why the MEM portal status shows an error.

Prerequisites for the Certificate Connector for Microsoft Intune:

Before installing and configuring the Certificate Connector for Microsoft Intune, let’s review the prerequisites and infrastructure requirements. These prerequisites can vary depending on the features you want to configure. However, the general requirements are as below:

  • Windows Server 2012 R2 or later. 
  • .NET v4.7.2
  • TLS 1.2
  • The server should have access to “” and port 443 should be open to keeping the connector auto-updated
  • Disable Enhanced Security Configuration in IE
  • Details for proxy configuration of the NDES server 
  • NDES service account details 

Please refer to the Prerequisites for using the Certificate Connector for Microsoft Intune – Azure | Microsoft Docs for detailed permissions and requirements for the connector. 

Let’s get the ball rolling then. 

Uninstall the Deprecated Connector:

  • Log in to the NDES server and uninstall the old connector. 
  • Launch an elevated command prompt and restart the IIS service

Download the Latest Connector:

  • Select the certificate connector link to download the connector installer. Save/Copy the file on the server where you will install the connector.
  • Run the installer (IntuneCertificateConnector.exe) with NDES service account.
  • Review and agree to the license terms and conditions, and then select Install to

Configure Intune Certificate Connector:

To configure the certificate connector, use the Certificate Connector for Microsoft Intune wizard. The configuration will start automatically if you choose to Configure Now in the previous step, or you can manually launch it by opening an elevated command prompt and running the below command:

  • The Certificate Connector for Microsoft Intune wizard will start with the Welcome page. Click Next to start the configuration wizard:
  • On Features, select the checkbox for each connector feature you want to install on this server, and then select Next
  •  On the Proxy page, add details for your proxy server if you require a proxy for internet access.
  • Next, on the Prerequisites page, the wizard runs several checks on the server before the configuration can begin. Review and resolve any errors or warnings received before you continue.
  • The next screen is the Azure AD Sign-In page; use the default Public Commercial Cloud for Environment., and then select Sign In. The user account must be a Global Admin or an Intune Admin with an Intune license assigned, and the user must be a synchronized account from your On-Prem Active Directory.
  • On the Configure page, the wizard applies the configuration to the connector for Intune. If successful, the utility continues to the Finish page, where you select Exit to complete configuration of the connector. 
  • After the configuration completes successfully and the wizard closes, the Certificate the connector for Microsoft Intune is ready for use.

Verify the New Connector:

The quick & best way to verify is by checking the SCEP URL. All is set if it is giving the expected HTTP 403 error! 

The connector status should also reflect as active and healthy in the MEM Portal, indicating a successful upgrade. 

Once you verify that all the services are running fine, delete the old connector from Intune portal.

That’s all for today. Hope you will find this post useful!