Microsoft Intune Certificate Connector Failure

The Microsoft Intune Certificate Connector enables the provisioning and de-provisioning of on-premises PKI certificates for Intune-managed devices. Always On VPN administrators using Intune to deploy certificates with the Intune Certificate Connector using either PKCS or SCEP may encounter a scenario where certificates are no longer being provisioned to users or devices after working reliably previously.

Certificate Not Found

When this issue occurs, users will no longer be able to access the VPN and receive a “certificate could not be found that can be used with this Extensible Authentication Protocol” error message.

Connector Status

To determine the status of the Intune Certificate Connector, open the Microsoft Intune Admin Center (https://intune.microsoft.com) and navigate to Tenant Administration > Connectors and Tokens > Certificate Connectors. The status of the certificate connector server will be in Error.

Event Log

Open the event log on the server where the Intune Certificate Connector is installed. Navigate to Applications and Services Logs > Microsoft > Intune > CertificateConnectors > Operational. Here, you will find a variety of warning and error messages.

Event ID 5001

This is a warning from the CertificateConnectors source with event ID 5001 in the Task Category HealthMessageUploadFailedAttempt with the following details.

PKI Create Service:

Failed to upload health messages. Requeuing messages.

Event ID 1003

This is an error from the CertificateConnectors source with event ID 1003 in the Task Category PkcsDownloadFailure with the following details.

PKI Create Service:

Failed to download PKCS requests.

Event ID 2

This is an error from the CertificateConnectors source with event ID 2 in the Task Category Exception with the following details.

PKI Create Service:

Microsoft.Intune.Connectors.PkiCreateProcessor.Process threw an exception.

Expired Certificate

The warning and error messages recorded in the event log indicate an expired certificate on the Intune Certificate Connector server. Open the local computer certificate store (certlm.msc) on the server where the Intune Certificate Connector is installed. Review the expiration date of the certificate issued by Microsoft Intune ImportPFX Connector CA. It is most likely expired.

Click on the Certification Path tab to view the certificate status.

Renew Certificate

To renew this certificate, you must reinstall the Intune Certificate Connector. However, you do not have to uninstall it first. To renew the certificate, navigate to C:\Program Files\Microsoft Intune\PFXCertificateConnector\ConnectorUI and double-click on PFXCertificateConnectorUI.exe. Follow the prompts without making changes to the existing configuration. You’ll be prompted for the service account password (if using a domain account) and proxy credentials (if using a proxy server). In addition, you’ll be asked to sign in to Entra ID (formerly Azure AD). Be sure to provide credentials that are a global administrator and have an Intune license assigned. Once the process is complete, a new certificate will be installed in the local computer certificate store.

Intune Configuration

After updating the Intune Certificate Connector, a new certificate connector appears in the Intune Admin Center. You can now safely delete the old connector and rename the new one accordingly.

Redundancy

Deploying multiple instances of the Intune Certificate Connector is an excellent way to avoid future outages! It’s also a good idea to stagger their installation by a few months to ensure that a future certificate expiration doesn’t result in lost functionality. If you’ve deployed Intune Certificate Connectors recently, consider updating them at rotating intervals so certificates expire at different times.

Additional Information

Intune Certificate Connector Configuration Failed

Intune Certificate Connector Service Account and PKCS

Intune Certificate Connector Configuration Failure

Microsoft Intune Learning Resources for Always On VPN Administrators

Always On VPN Disconnects in Windows 11

Always On VPN administrators migrating their endpoints to Windows 11 may encounter a scenario where Always On VPN randomly disconnects when the VPN profile is deployed using Microsoft Intune. The same configuration deployed to Windows 10 devices works reliably, however. In addition, Always On VPN profiles deployed using PowerShell (natively or with SCCM) or PowerON DPC do not experience this problem.

Troubleshooting

Administrators troubleshooting this issue will find the root cause is associated with the Always On VPN profiles being removed and replaced each time the device syncs with Intune. This occurs even if there are no changes to the configuration. Removing and replacing the Always On VPN profiles on each device sync is unnecessary, of course, but is also highly disruptive to connected users.

Intune and XML

The Intune team identified the issue, and a fix was made available in the August update. However, many of you have reported the issue persists with some Windows 11 clients after installing the latest updates. Further investigation indicates that although the issue has been resolved when using Intune and the native VPN device configuration profile template, the problem still occurs when using the Custom device configuration template.

Workaround

Microsoft is aware of the issues with deploying Always On VPN client configuration settings using XML in Intune, but there’s no indication when or if they will fix it. Until then, administrators have two options to address this problem.

Native VPN Template

When deploying Always On VPN client configuration settings to Windows 11 endpoints, use the native VPN device configuration template, as shown here.

Using the native VPN template does have some limitations, however. The following settings are not exposed using the native VPN template and can only be configured using XML.

XML

If you must use XML, I’ve had some success by ensuring the order of XML settings is exactly as Intune expects. Follow the steps below to confirm the XML settings order in your XML configuration file.

  1. Deploy your XML file with Intune.
  2. Run Get-VpnClientProfileXML.ps1 to extract the deployed XML settings.
  3. Compare the order of settings to your existing XML.
  4. Make changes to ensure all settings in your XML are in the same order as the extracted XML.
  5. Publish a new XML configuration file using Intune and test.

I’ll caution you that this workaround doesn’t always work reliably. Some customers report that this solved their problems entirely, while others have indicated it does not. My testing shows the same results. Let us know in the comments below if this works for you!

Additional Information

Always On VPN Windows 11 Issues with Intune

Always On VPN PowerShell Script Issues in Windows 11

Always On VPN and VpnStrategy

NetMotion Mobility for DirectAccess Administrators – Split vs. Force Tunneling

Always On VPN supports a variety of VPN protocols for the user tunnel. Internet Key Exchange version 2 (IKEv2) and Secure Socket Tunneling Protocol (SSTP) are the most common. I wrote about the advantages and disadvantages of each in this post. To summarize, IKEv2 provides the highest security options but suffers from operational limitations. SSTP offers excellent security and is generally more reliable.

VpnStrategy

Always On VPN administrators must choose between IKEv2 and SSTP when configuring the Always On VPN user tunnel. Some administrators may prefer to use IKEv2 when available but then fall back to SSTP if it is not. To accomplish this requires editing the rasphone.pbk file and setting the value of VpnStrategy to 8, as described here.

Challenges

Unfortunately, setting the VpnStrategy value to 8 poses some challenges. Updating rasphone.pbk requires editing a text file on each endpoint post-deployment. Updating rasphone.pbk can be automated using the Update-Rasphone.ps1 script or Microsoft Intune proactive remediation.

Limitations

By default, Windows will overwrite the VpnStrategy setting in rasphone.pbk when fallback occurs. For example, setting VpnStrategy to prefer IKEv2 over SSTP will be reset to use SSTP first if a connection with IKEv2 fails. There’s a registry setting available that’s supposed to prevent this, but it doesn’t always work as expected.

Windows 11

There’s good news for administrators deploying Always On VPN on Windows 11. Microsoft recently introduced support for additional NativeProtocol types in XML. Specifically, VPN protocol preference can now be defined using the ProtocolList native protocol type. When using the ProtocolList native protocol type, each supported VPN protocol is listed in order of preference using the syntax shown below.

In addition, the RetryTimeInHours value defines the time Windows will try the last successful connection protocol. Setting this value to 0 overrides this and ensures the preferred protocol (the first protocol in the list) will always be attempted first.

SSTP Only

Previously the VPNv2CSP only supported IKEv2 or Automatic as values for the native protocol type. Windows 11 now supports SSTP as a native protocol type. Administrators configuring Always On VPN user tunnel connections using SSTP exclusively can now use this option.

Caveats

While the settings above are supported in both Windows 11 21H2 and 22H2, there are some known issues when enabling these settings. Specifically, when administrators define the ProtocolList value for the native protocol type, IKEv2 is always shown as the active protocol, even when an SSTP connection is established.

Also, if ProtocolList is used, the VPN connection cannot be managed using PowerShell. The VPN profile will not be displayed when running Get-VpnConnection at the time of this writing. Hopefully Microsoft will fix this soon.

Additional Information

Always On VPN CSP Updates

Always On VPN IKEv2 and SSTP Fallback

Always On VPN and Intune Proactive Remediation

Always On VPN Protocol Recommendations for Windows Server RRAS

Always On VPN IKEv2 Features and Limitations

%d bloggers like this: