Microsoft Intune connector certificate does not renew in Configuration Manager

Symptoms

After you update to Microsoft System Center Configuration Manager current branch, version 1806 or 1810, the Microsoft Intune connector certificate renewal process fails.

This problem affects customers who have a hybrid mobile device management environment through Microsoft Intune. The problem occurs when the Service Connection Point is installed on a computer that is running Windows Server 2012 or Windows Server 2012 R2.

Additionally, error messages that resemble the following are recorded in the the DMPUploader log:

Exception: [Unable to cast COM object of type 'System.__ComObject' to interface type 'CERTENROLLLib.CX509PrivateKey'. This operation failed because the QueryInterface call on the COM component for the interface with IID '{728AB362-217D-11DA-B2A4-000E7BBB2B09}' failed due to the following error: No such interface supported (Exception from HRESULT: 0x80004002 (E_NOINTERFACE)).]


The renewal process starts at the halfway point of the certificate lifespan. If the renewal fails after the certificate is expired, Configuration Manager cannot connect to Microsoft Intune.

The following log entry in DMPUploader.log indicates a successful renewal:

Connector certificate renewed.


The following entry indicates a certificate that is already expired:

Making Web Request to Location Service Url exception System.Net.WebException: The remote server returned an error: (403) Forbidden.~~
at System.Net.HttpWebRequest.GetResponse()~~
at Microsoft.ConfigurationManager.DmpConnector.Connector.SccmProxyGenerator.GetRestUserAuthLocationServiceResponse()


To prevent this problem, apply this update. Certificates that are already expired have to be renewed manually to reestablish the Microsoft Intune connection.

For an expired certificate, use either of the following options.

Hotfix information for System Center Configuration Manager, version 1806 and 1810

This hotfix is available for installation in the Updates and Servicing node of the Configuration Manager console on version 1806 and 1810 sites that use a hybrid mobile device management environment through Microsoft Intune.

Note Customers on version 1810 will see a reference to hotfix 4487997. This is expected. All required information is contained in hotfix 4487960.

If the service connection point is in offline mode, you must reimport the update so that it's listed in the Configuration Manager console.

See "Install in-console updates for Configuration Manager" for detailed information.

Restart information

You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any previously released hotfix.

File information

The English version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

File name

File version

File size

Date

Time

Platform

Microsoft.configurationmanager.dmpconnector.connector.dll

5.0.8692.1511

130,456

29-Oct-2018

01:10

x86

The English version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

File name

File version

File size

Date

Time

Platform

Microsoft.configurationmanager.dmpconnector.connector.dll

5.0.8740.1020

130,456

04-Jan-2019

01:25

x86

More information

As of August 14, 2018, hybrid mobile device management is a deprecated feature. On September 1, 2019, any remaining hybrid MDM devices will no longer receive policy, applications, or security updates. For more information, see this Intune Support Team Blog article.

References

Install in-console updates for Configuration Manager

How does the service connection point authenticate with the Microsoft Intune service?

Learn about the terminology Microsoft uses to describe software updates.

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×