Microsoft Intune Certificate Connector Failure

The Microsoft Intune Certificate Connector enables the provisioning and de-provisioning of on-premises PKI certificates for Intune-managed devices. Always On VPN administrators using Intune to deploy certificates with the Intune Certificate Connector using either PKCS or SCEP may encounter a scenario where certificates are no longer being provisioned to users or devices after working reliably previously.

Certificate Not Found

When this issue occurs, users will no longer be able to access the VPN and receive a “certificate could not be found that can be used with this Extensible Authentication Protocol” error message.

Connector Status

To determine the status of the Intune Certificate Connector, open the Microsoft Intune Admin Center (https://intune.microsoft.com) and navigate to Tenant Administration > Connectors and Tokens > Certificate Connectors. The status of the certificate connector server will be in Error.

Event Log

Open the event log on the server where the Intune Certificate Connector is installed. Navigate to Applications and Services Logs > Microsoft > Intune > CertificateConnectors > Operational. Here, you will find a variety of warning and error messages.

Event ID 5001

This is a warning from the CertificateConnectors source with event ID 5001 in the Task Category HealthMessageUploadFailedAttempt with the following details.

PKI Create Service:

Failed to upload health messages. Requeuing messages.

Event ID 1003

This is an error from the CertificateConnectors source with event ID 1003 in the Task Category PkcsDownloadFailure with the following details.

PKI Create Service:

Failed to download PKCS requests.

Event ID 2

This is an error from the CertificateConnectors source with event ID 2 in the Task Category Exception with the following details.

PKI Create Service:

Microsoft.Intune.Connectors.PkiCreateProcessor.Process threw an exception.

Expired Certificate

The warning and error messages recorded in the event log indicate an expired certificate on the Intune Certificate Connector server. Open the local computer certificate store (certlm.msc) on the server where the Intune Certificate Connector is installed. Review the expiration date of the certificate issued by Microsoft Intune ImportPFX Connector CA. It is most likely expired.

Click on the Certification Path tab to view the certificate status.

Renew Certificate

To renew this certificate, you must reinstall the Intune Certificate Connector. However, you do not have to uninstall it first. To renew the certificate, navigate to C:\Program Files\Microsoft Intune\PFXCertificateConnector\ConnectorUI and double-click on PFXCertificateConnectorUI.exe. Follow the prompts without making changes to the existing configuration. You’ll be prompted for the service account password (if using a domain account) and proxy credentials (if using a proxy server). In addition, you’ll be asked to sign in to Entra ID (formerly Azure AD). Be sure to provide credentials that are a global administrator and have an Intune license assigned. Once the process is complete, a new certificate will be installed in the local computer certificate store.

Intune Configuration

After updating the Intune Certificate Connector, a new certificate connector appears in the Intune Admin Center. You can now safely delete the old connector and rename the new one accordingly.

Redundancy

Deploying multiple instances of the Intune Certificate Connector is an excellent way to avoid future outages! It’s also a good idea to stagger their installation by a few months to ensure that a future certificate expiration doesn’t result in lost functionality. If you’ve deployed Intune Certificate Connectors recently, consider updating them at rotating intervals so certificates expire at different times.

Additional Information

Intune Certificate Connector Configuration Failed

Intune Certificate Connector Service Account and PKCS

Intune Certificate Connector Configuration Failure

Microsoft Intune Learning Resources for Always On VPN Administrators

Microsoft Entra Security Service Edge (SSE) on RunAs Radio

I recently had the opportunity to join my good friend Richard Campbell on the RunAs Radio podcast. During this episode, we discussed the new Microsoft Entra Security Service Edge (SSE). This new service offering includes Entra Internet Access, a cloud-based secure web gateway, and Entra Private Access, an identity-centric zero-trust network access (ZTNA) solution. Entra Private Access is in public preview today. Entra Private Access is still in private preview at the time of this writing, however.

You can listen to RunAs Radio episode 906 here.

Enjoy!

10 PowerShell Commands Always On VPN Administrators Should Know

Managing a secure and reliable VPN infrastructure is critical for supporting today’s highly mobile workforce. For Always On VPN administrators, PowerShell is an indispensable tool for achieving this goal. Not only can PowerShell be used to automate the installation and configuration of Windows Server Routing and Remote Access Service (RRAS) server, but it can also be used to audit configuration and monitor system health and user activity as well. In addition, it is highly recommended that the RRAS role be installed on Server Core for optimum security and performance. Administrators must be familiar with these PowerShell commands and more to support RRAS on Windows Server Core in their environment.

RemoteAccess Module

The RemoteAccess PowerShell module should be installed when the RRAS server is configured. There are 122 commands in this module, but only a subset of those pertain to the VPN server role. Here are ten popular commands for monitoring and managing an Always On VPN RRAS server.

Configuration Review

The following PowerShell commands are useful for reviewing the current RRAS server configuration.

Get-RemoteAccess – Displays the current configuration of the VPN server. Details include installation status, TLS certificate configuration, VPN client IP address assignment method, IPv4 and IPv6 addressing information (if using the static address assignment method), authentication type, and configured RADIUS servers.

Get-VpnAuthProtocol – Displays authentication configuration details such as accepted authentication types for both user and device connections, root certification authority (CA) certificate restrictions (if enabled), and certificate advertisement and EKU restrictions if enabled.

Get-VpnServerConfiguration – Displays additional VPN server configuration information, such as the IPsec configuration for IKEv2, the number of VPN ports configured, and more.

System Health

Get-RemoteAccessHealth – Displays the current health status of various VPN server services. The command’s default output is a little noisy. I recommend filtering it as follows:

Get-RemoteAccessHealth | Where-Object HealthState -NotMatch Disabled | Format-Table -AutoSize

User Activity

The following PowerShell commands can be used to view current and historical user activity details.

Get-RemoteAccessConnectionStatistics – Displays all active VPN connections on the server.

Get-RemoteAccessConnectionStatisticsSummary – Displays cumulative information about VPN connections on the server since the last service restart or reboot, such as the total number of connections, the number of unique users, the maximum number of concurrent connections, and the amount of data transferred.

Get-RemoteAccessUserActivity – Displays all active VPN connections for a specific user or device.

Management

The following PowerShell commands are helpful for reviewing authentication and logging settings.

Get-RemoteAccessRadius – Allows the administrator to view the currently configured RADIUS servers on the VPN server.

Get-RemoteAccessAccounting – Allows the administrator to view the current accounting repository (RADIUS or inbox) on the VPN server.

Clear-RemoteAccessInboxAccountingStore – Allows the administrator to remove log data from the Inbox Accounting database. Removing log data from the database can be helpful when transitioning a test server to production or to free up disk space by reducing the size of the logging database.

Additional Modules

In addition to the PowerShell commands above, Always On VPN administrators can leverage my custom PowerShell modules for advanced server and client configuration. These modules are published in the PowerShell Gallery.

AovpnTools – PowerShell module to configure and optimize Windows RRAS servers to support Always On VPN.

Install-Module -Name AovpnTools

InboxAccountingDatabaseManagement – PowerShell module to configure and manage the Inbox Accounting database for logging system information and user activity on the VPN server.

Install-Module -Name InboxAccountingDatabaseManagement

Additional Information

Always On VPN and RRAS on Windows Server Core

Inbox Accounting Database Management

AovpnTools PowerShell Module on GitHub

Inbox Accounting Database Module on GitHub

%d bloggers like this: