Microsoft Intune connector certificate does not renew in Configuration Manager

Applies to

System Center Configuration Manager (current branch - version 1810)
System Center Configuration Manager (current branch - version 1806)

Symptoms

After you update to Microsoft System Center Configuration Manager current branch, version 1806 or 1810, the Microsoft Intune connector certificate renewal process fails.

This problem affects customers who have a hybrid mobile device management environment through Microsoft Intune. The problem occurs when the Service Connection Point is installed on a computer that is running Windows Server 2012 or Windows Server 2012 R2.

Additionally, error messages that resemble the following are recorded in DMPUploader.log:

Exception: [Unable to cast COM object of type 'System.__ComObject' to interface type 'CERTENROLLLib.CX509PrivateKey'. This operation failed because the QueryInterface call on the COM component for the interface with IID '{728AB362-217D-11DA-B2A4-000E7BBB2B09}' failed due to the following error: No such interface supported (Exception from HRESULT: 0x80004002 (E_NOINTERFACE)).]

The renewal process starts at the halfway point of the certificate lifespan. If renewal keeps failing until the certificate expires, Configuration Manager can no longer connect to Microsoft Intune.

The following log entry in DMPUploader.log indicates a successful renewal:

Connector certificate renewed.

The following entry indicates a certificate that is already expired:

Making Web Request to Location Service Url exception System.Net.WebException: The remote server returned an error: (403) Forbidden.~~
at System.Net.HttpWebRequest.GetResponse()~~
at Microsoft.ConfigurationManager.DmpConnector.Connector.SccmProxyGenerator.GetRestUserAuthLocationServiceResponse()
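As an added example (not part of this article), the following Python script checks a DMPUploader.log for the three indicators quoted above (successful renewal, the E_NOINTERFACE renewal failure, and the 403 response that signals an already-expired certificate) and reports when a connector certificate enters its halfway-point renewal window. The sample log lines are constructed for the example, wrapped in the Configuration Manager log markup; the signature strings are taken from the excerpts on this page.

```python
import re
from datetime import datetime

# Signatures from the DMPUploader.log excerpts quoted in this article.
RENEWED = "Connector certificate renewed."
RENEW_FAILED = re.compile(r"CERTENROLLLib\.CX509PrivateKey.*E_NOINTERFACE")
EXPIRED = re.compile(r"Location Service Url exception .*\(403\) Forbidden")

# Constructed sample lines in Configuration Manager log format (not real log output).
SAMPLE_LOG = [
    '<![LOG[Connector certificate renewed.]LOG]!><time="01:10:00.000+000" '
    'date="04-01-2018" component="DmpUploader" type="1">',
    '<![LOG[Exception: [Unable to cast COM object of type \'System.__ComObject\' to '
    'interface type \'CERTENROLLLib.CX509PrivateKey\'. ... No such interface supported '
    '(Exception from HRESULT: 0x80004002 (E_NOINTERFACE)).]]LOG]!><time="02:00:00.000+000" '
    'date="10-01-2018" component="DmpUploader" type="3">',
    '<![LOG[Making Web Request to Location Service Url exception System.Net.WebException: '
    'The remote server returned an error: (403) Forbidden.~~   at '
    'System.Net.HttpWebRequest.GetResponse()]LOG]!><time="03:00:00.000+000" '
    'date="04-02-2019" component="DmpUploader" type="3">',
]


def classify(line):
    """Map one DMPUploader.log line to a connector state, or None if unrelated."""
    if RENEWED in line:
        return "renewed"
    if RENEW_FAILED.search(line):
        return "renewal_failed"
    if EXPIRED.search(line):
        return "expired"
    return None


def connector_state(lines):
    """Return the most recent renewal-related state in the log, or 'no_signal'."""
    state = "no_signal"
    for line in lines:
        found = classify(line)
        if found:
            state = found
    return state


def renewal_window(not_before, not_after, now):
    """Renewal is attempted from the halfway point of the lifespan until expiry."""
    halfway = not_before + (not_after - not_before) / 2
    if now >= not_after:
        return "expired"
    if now >= halfway:
        return "renewal_due"
    return "valid"


if __name__ == "__main__":
    print("log state:", connector_state(SAMPLE_LOG))
```

Run it against a copy of DMPUploader.log by replacing SAMPLE_LOG with the file's lines; a final state of renewal_failed on a 2012 or 2012 R2 service connection point is the condition this hotfix addresses.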

To prevent this problem, apply this update. Certificates that are already expired have to be renewed manually to reestablish the Microsoft Intune connection.

For an expired certificate, use either of the following options.

Hotfix information for System Center Configuration Manager, version 1806 and 1810

This hotfix is available for installation in the Updates and Servicing node of the Configuration Manager console on version 1806 and 1810 sites that use a hybrid mobile device management environment through Microsoft Intune.

Note: Customers on version 1810 will see a reference to hotfix 4487997. This is expected. All required information is contained in hotfix 4487960.

If the service connection point is in offline mode, you must reimport the update so that it's listed in the Configuration Manager console.

See "Install in-console updates for Configuration Manager" for detailed information.

Restart information

You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any previously released hotfix.

File information

File attributes for System Center Configuration Manager current branch, version 1806

The English version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

File name                                                   File version    File size   Date         Time    Platform
Microsoft.configurationmanager.dmpconnector.connector.dll   5.0.8692.1511   130,456     29-Oct-2018  01:10   x86

File attributes for System Center Configuration Manager current branch, version 1810

The English version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

File name                                                   File version    File size   Date         Time    Platform
Microsoft.configurationmanager.dmpconnector.connector.dll   5.0.8740.1020   130,456     04-Jan-2019  01:25   x86

More information

As of August 14, 2018, hybrid mobile device management is a deprecated feature. On September 1, 2019, any remaining hybrid MDM devices will no longer receive policy, applications, or security updates. For more information, see this Intune Support Team Blog article.

References

Install in-console updates for Configuration Manager

How does the service connection point authenticate with the Microsoft Intune service?

Learn about the terminology Microsoft uses to describe software updates.