In recent weeks I’ve discovered a couple of strange behaviours with regards to Intune Certificate profiles, hopefully this post will save someone some time if you are coming across the same issues, or simply help you start troubleshooting any other Intune Certificate Deployment problems.
The setup here was using an Intune Service release of 2102, and the latest version of the Intune PFX connector (self updating). All servers are Windows Server 2019. An up to date version of Windows 10 enterprise was installed on the clients.
Issue #1 – PKCS profile changes do not appear to be saved
Having configured the Internal PKI (and published associated certificate templates), installed the latest version of the Intune PFX connector on some connector servers, and pushed out Root and Intermediate Certificates via Trusted profiles, we configured a PKCS profile to push a device certificate to the computer personal store all as per the Microsoft Intune documentation. This worked great.
However as part of testing, we wanted to check we could re-point the same PKCS Intune profile to a second Issuing CA in the environment, to prove that certificates could also be issued from a second CA if needed, if say the first one was dead (there is no option to specify more than one Issuing CA in a PKCS profile at the moment). So we changed the Intune profile to point to a different CA in the following fields:
This did not work, despite everything being set up correctly / identically.
It is useful to know that on PFX connector servers, the directory where certificate requests from Intune are processed
More specifically in PFXRequest folder:
On looking in these directories, I could see “.pfr” files in the failed folder around the time the PC checked in with Intune. These files can be opened in notepad, and it was apparent that despite having changed the PKCS profile in the Intune GUI to reflect the “new” CA, saved it and observed it showing the updated settings, the pfr file showed it was still pointing to the first original CA authority / authority name configured, failing because the original CA was offline.
This appears to be an issue with making changes to a PKCS profile after initial profile settings are saved; I’ve not seen any official evidence of this as a bug, but currently it seems to be a “thing” a workaround if profile changes are required in this case would be to create a new profile for use entirely with the updated settings.
Issue #2 – Duplicate certificates
A similar setup, we had device certificates successfully deploying to Windows 10 devices via an Intune PKCS profile and locally could see these certificates living in the PCs computer personal store; however we noticed that some devices had two certificates (often issued seconds or minutes apart), issued from the same Intune Certificate template.
After much checking of “have I done something wrong here, is the device under the scope of two policies” and other similar thoughts, tracking back on the PFX connector servers to the good old program files, we could see that actually the connector server was showing two separate (in the C:\Program Files\Microsoft Intune\PFXCertificateConnector\PfxRequest\Succeed directory) .pfr files for the single PC the PKCS profile was applied to, so the connector server was only processing what Intune was telling it to, and of course the Certificate Authority was Issuing what the connector server was telling it to.
What is the harm here you may think – well, certain applications will prompt if there is more than one valid certificate present in the user personal / computer personal store, and in our case the VPN client used was asking which of the two perfectly valid computer certificates to use. Something like this:
Luckily we were able to roll back the change back to a previous configuration, as it is less than desirable to have 500 users ringing the next day asking “which certificate do I select here?” even if they are both OK. In slightly different circumstances e.g. if we had two certificates from different CAs we could have reconfigured the VPN client to use the appropriate one, or if the certificates were from different templates on the one CA we could specify the template OID to use on the VPN client side to use, but unfortunately with this the certs were from same CA, same template.
This issue seemed like it was very much something in Intune, and was raised with Microsoft; the PFX connectors are self-updating and were on the latest version, and we confirmed the specification of the server and client operating systems but we’ve been told that this duplication is an issue with 2102 version of Intune which should be resolved in 2104; so we need to clean up the personal stores of the machines that have had duplicate certificates deployed, and re test on 2104 to check the issue has been resolved.
In summary, the C:\Program Files\Microsoft Intune\PFXCertificateConnector\PfxRequest directories are useful for troubleshooting; firstly by finding if you have a PFR file, if you do where your PFR file is, and double checking the settings that are in the file. This may lead you to double checking the Certificate Authority / templates, connector server settings or client side settings.