Intune

The ‘Unified’ Certificate Connector and changes in SCEP configuration/logging via Intune

My name is Saurabh Sarkar and I am an Intune engineer in Microsoft. I have a YouTube channel ‘EverythingAboutIntune’ and you can subscribe to the same to learn more about Microsoft Intune.


Preface:

  • SCEP/NDES is one of the methods for deploying a user or device certificate via Intune
  • The device can then use this certificate to connect to Wi-Fi, VPN, etc.
  • Please refer to the blog here, which explains how to set up NDES for Intune

Background:

On 29th July 2021, Microsoft announced the launch of the ‘Unified’ Certificate Connector for Intune, which is documented here in the Intune new-release notes. This is a major announcement, and it changes a lot of things as far as SCEP certificate deployment via Intune is concerned.
In this article we are going to look at everything that has changed with the advent of the new connector.


Major Changes in the Working and Implementation of the Unified Certificate connector for Intune:

Below are the changes that have come with the introduction of the new Certificate Connector for Intune. Some are cosmetic; others are significant.

  • Changes in the UI to download the connector from the portal
  • Changes in the setup file for the connector
  • Changes in the UI to setup/configure the connector
  • Changes in the Pre-Req for the installer
  • Changes in the Setup process (No Client auth cert required) **Important
  • Changes in the capabilities of the connector
  • Changes in the listing of the Errors while installing the connector
  • Change in services behind the connector
  • Changes in the working Folder structure of the connector
  • Changes in the logfiles **Important
  • Changes in the registry location
  • Changes in IIS pool
  • Changes in the background flow **Important
  • Update of the connector version

Now we will look at each of these changes and compare the old and new connectors in detail.


Changes in the UI to download the connector from the portal:

  • When we open the “Certificate Connectors” tab in the Intune portal, we now see a significant change. There are no longer hyperlinks to download 3 different connectors (SCEP, PKCS and PFX imported). Instead there is only 1 hyperlink, via which we download the Unified Connector for Intune.

Old Connector:


New Connector:


Changes in the setup file for the connector

  • Once downloaded, we see that the name and the size of the connector installer file have changed

Old Connector:


New Connector:


Changes in the UI to setup/Configure the connector

  • We also observe that the UI presented during the connector installation has changed significantly. The Unified connector has a fresher look (which in my opinion resembles the UI of Azure AD Connect).

Old Connector:


New Connector:


Changes in the Pre-Req for the installer

  • There are a lot of pre-reqs for installing the Intune connector, all of which are documented here.
  • The major difference now is that the newer connector requires .NET Framework 4.7.2 to be present on the server (the other pre-reqs remain the same)


Changes in the Setup process (no client auth cert required) | Important

  • For NDES and SCEP to function with the new connector, we no longer need to bind a certificate with the Client Authentication EKU to the connector during its installation. With the older version this was a mandatory selection.

Old Connector:


New Connector:

  • The client auth certificate is no longer needed, and the prompt to select it no longer appears in the new connector’s UI


Changes in the listing of the Errors while installing the connector

  • If any mandatory component is missing while installing the connector, it is reported as an error. The way the error is displayed has also changed.
  • Earlier, the connector ran the pre-req checks one at a time and reported the first missing component it found (if multiple components were missing, we had to run the installer multiple times to discover them all).
  • The new connector runs all the pre-req checks up front and displays the results as a checklist.

Old Connector:


New Connector:


Change in the services behind the connector

  • The background services that keep the connector functional have also been changed or renamed.

Old Connector:


New Connector:

  • Below are the services in action behind the Unified connector


Changes in the working Folder structure of the connector

  • The folder structure created by the installation of the new connector has also changed.

Old Connector:


New Connector:


Changes in the Logfiles | Important

  • There has been a major change as far as log files are concerned. With the older connector, all the log files (NdesConnectorSvc, CRP logs and NdesPlugin logs) were written to the “C:\Program Files\Microsoft Intune” folder. With the new connector, all logging has moved to the Event Viewer on the NDES server.

Old Connector:


New Connector:

  • Admin Log – This log contains one log event per request to the connector. Events include either a success with information about the request, or an error with information about the request and the error.
  • Operational Log – This log displays additional information to that found in the Admin log, and can be of use in debugging issues. This log also displays ongoing operations instead of single events.
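The two changes an admin most often has to verify by hand are the .NET Framework 4.7.2 pre-req and the new Event Viewer logging. The PowerShell below is an added example (not from this article or from Microsoft) that checks both on the NDES server. It assumes the well-known `Release` DWORD for .NET 4.x, and it assumes the connector’s Admin channel name (Applications and Services Logs > Microsoft > Intune > CertificateConnectors); confirm that channel name in Event Viewer before relying on the script.

```powershell
# Added example: health check for a server running the Unified Certificate Connector.
# ASSUMPTION: the event log channel name below matches what Event Viewer shows on your
# NDES server under Microsoft > Intune > CertificateConnectors; adjust if it differs.

# 1. .NET Framework 4.7.2 pre-req.
#    The Release DWORD identifies the installed 4.x version; 461808 is the minimum
#    value that corresponds to 4.7.2.
$ndpKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndpKey -Name Release -ErrorAction SilentlyContinue).Release
if ($release -and $release -ge 461808) {
    Write-Host ".NET Framework 4.7.2 or later is present (Release=$release)"
} else {
    Write-Warning ".NET Framework 4.7.2 not found (Release=$release); the connector pre-req check will fail"
}

# 2. Connector Admin log: one event per request, so each Error-level event is one
#    failed request. Look back 24 hours and summarise by Event ID.
$adminLog = 'Microsoft-Intune-CertificateConnectors/Admin'   # ASSUMPTION, see above
$since    = (Get-Date).AddHours(-24)

$errors = Get-WinEvent -FilterHashtable @{ LogName = $adminLog; Level = 2; StartTime = $since } `
                       -ErrorAction SilentlyContinue

if (-not $errors) {
    Write-Host "No connector errors in the Admin log since $since"
} else {
    # Repeated failures (e.g. every SCEP request failing validation) stand out here
    $errors | Group-Object Id | Sort-Object Count -Descending |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
        Format-Table -AutoSize

    # Most recent failures with their full message text for triage
    $errors | Select-Object -First 5 TimeCreated, Id, Message | Format-List
}

# 3. Sanity check: the legacy log folder should no longer be receiving new files.
$legacy = 'C:\Program Files\Microsoft Intune'
if (Test-Path $legacy) {
    $recent = Get-ChildItem -Path $legacy -Recurse -File -ErrorAction SilentlyContinue |
              Where-Object { $_.LastWriteTime -gt $since }
    if ($recent) { Write-Warning "Files under $legacy were written in the last 24h; is the old connector still running?" }
}
```

Replace the Admin channel with the Operational one when you need the ongoing-operation detail described above rather than one event per request.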


Changes in the Registry location:

With the installation of the newer connector, the CRP is no longer installed, as it is not needed. Hence its entry is now also absent from the registry location.

Old Connector:


New Connector:


Changes in IIS pool

  • Because the CRP is no longer installed on the machine, the CRP application pool in IIS is also not created when the newer installer is used.

Old Connector:


New Connector:


Changes in the background flow: | Important

  • There has been a major change in how the NDES server’s challenge validation works with the new connector. With the older version, the challenge validation was performed on the NDES server. Please refer to the complete flow here.
  • With the Unified certificate connector, the challenge validation is done by the Intune service, and the result (Success/Failure) is then returned to the NDES server. There are no NDESConnectorSvc logs any more, so we cannot see the outcome of each phase of challenge validation in the on-prem server-side logs. This can only be tracked in the Intune service-side logs.
  • To perform this challenge validation, the Unified connector sends a request to the Intune service to validate the CSR. The Intune service performs the validation and sends the response (Success/Failure) back to the connector.


Update of the connector version

The older version of the connector did not update automatically; admins had to re-install the latest version whenever one was released. The Unified connector, however, auto-updates to the latest version.


Conclusion and my 2 cents:

  • The previous connectors still remain in support from Microsoft as of now, but they are no longer available for download. If we need to install or reinstall a connector, we have to install the new Certificate Connector for Microsoft Intune from the portal.
  • The logging of the Unified certificate connector is neater (everything is in the event logs), the UI has a fresher look and feel, and having a single connector is much more streamlined.
  • More details can be found in the official Microsoft documentation here.