Deploying user or device authentication certificates to support Always On VPN requires installing the Certificate Connector for Microsoft Intune. The same connector can link Intune to on-premises public key infrastructure (PKI) using PKCS or SCEP certificates. The connector can be configured to run in the SYSTEM context or as a domain service account.
Configuration Failure
Administrators may encounter the following error message when installing the certificate connector and selecting the option to use a domain service account.
"Configuration failed. Configuring Microsoft Intune Certificate Connector failed. No changes were made to Feature or Proxy settings. Please try again."

Root Cause
This error occurs because the service account does not have the correct permissions assigned on the server where the connector is being installed. Specifically, the service account must have the Log on as a service right assigned. To assign it, open the local group policy editor (gpedit.msc) and perform the following steps.
- Expand Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
- Double-click Log on as a service.
- Click Add User or Group.
- Add the service account.
- Click OK.

Once complete, remove the Certificate Connector for Intune and run the installation again.
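
A check for the step above, as an added example that is not part of the original article: this PowerShell script exports the local user rights assignments with secedit and reports whether the service account is listed for SeServiceLogonRight, the privilege behind Log on as a service. The account name is a placeholder, and the script assumes an elevated session on the connector server.

```powershell
# Added example (not from the original article): confirm that a service account
# is listed for "Log on as a service" (SeServiceLogonRight) in local policy.
# Run elevated on the connector server.
param(
    [string]$Account = 'CONTOSO\svc-certconnector'   # placeholder (assumption)
)

# Resolve the account to its SID; secedit lists most principals as *SID.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Export only the user rights assignment area of the local security policy.
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
try {
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE); run elevated." }

    # The export holds a line of the form: SeServiceLogonRight = *S-1-5-...,*S-1-5-...
    $line = Get-Content -Path $cfg | Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' }
    $entries = @()
    if ($line) {
        $entries = ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim() } | Where-Object { $_ }
    }

    # Normalise every entry to a SID string (entries without * are account names).
    $holders = foreach ($e in $entries) {
        if ($e.StartsWith('*')) { $e.Substring(1) }
        else {
            try {
                ([System.Security.Principal.NTAccount]$e).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { $e }   # unresolvable name: keep it as-is for reporting
        }
    }

    if ($holders -contains $sid.Value) {
        "{0} ({1}) is listed for SeServiceLogonRight." -f $Account, $sid.Value
    } else {
        "{0} ({1}) is NOT listed for SeServiceLogonRight." -f $Account, $sid.Value
        "Current holders: " + ($holders -join ', ')
    }
}
finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}
```

The script checks direct assignment only, so an account that holds the right through a group appears as not listed while the group's SID shows among the current holders. If a domain GPO defines this user right, it replaces the local setting at the next policy refresh, so re-run the check after `gpupdate`.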
Additional Information
Always On VPN Windows 11 Issues with Intune
Pete / January 19, 2022
Great article. I recently ran into the same error. However, the issue was not that the account did not have logon as a service rights. It was because I used domain\user when providing the service account in the wizard. I discovered that I had to use [email protected] in order for the services to start. Hope that helps.