Intune certificate updates: affects Intune, SCEP, ConfigMgr

This may be of high interest to you. To understand whether you are impacted, start by reading the source article:

Intune Certificate Updates: Action may be required for continued connectivity

If you use the Intune App SDK for iOS, the Intune App Wrapping Tool or the Xamarin bindings, you have to take action.

If you use App protection policies (APP, also called MAM), make sure your apps are on the latest version that ships the updated SDK (many Microsoft 365 apps are already fixed).

Using co-management and ConfigMgr? Read this article

Using the SCEP, ODJ or PFX certificate connectors? Make sure the connector servers receive root certificate updates through the Windows Automatic Root Certificates Update; a server that cannot get the new root will fail to build the chain to the Intune service endpoints.

There are a couple of ways automatic root certificate updates can be blocked on a server. Here are some ways of figuring out whether you have an issue.

If everything works as it should, certlm.msc (Certificates - Local Computer) should show a certificate named “DigiCert Global Root G2” under Trusted Root Certification Authorities. Note that Windows fetches roots from the auto-update CTL on demand, the first time chain building needs them, so a root that is not there yet is only a problem if the update itself is blocked.

A couple of registry values to check (values under the Policies key only exist when a GPO or MDM policy has set them; if they are absent, auto-update is on, which is the default):

  • HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate
    • A value of 1 disables the Windows AutoUpdate of the trusted CTL.
  • HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\EnableDisallowedCertAutoUpdate
    • A value of 1 enables the Windows AutoUpdate of the untrusted CTL.
  • HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\RootDirUrl
    • Configures the shared location (the HTTP or the FILE path).

Also check the Event Viewer under Windows Logs\Application with a Source of CAPI2. Look for events such as:

  • Event ID 7
    • Successful auto update retrieval of third-party root list sequence number from: URL_for_Windows_Update_Web_Site
  • Event ID 8
    • Failed auto update retrieval of third-party root list sequence number from: URL_for_Windows_Update_Web_Site with error: hexadecimal_error_value
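The checks above (root present in the machine store, the three registry values, the CAPI2 events) put together as one read-only script, as an added example that is not part of the original post or of any Microsoft tooling. It assumes the connector server only needs the root in LocalMachine\Root, uses the well-known Windows Update CTL download URL as a connectivity probe, and matches the root by its published SHA-1 fingerprint rather than by subject name; the fingerprint is something you should confirm against DigiCert's own root page before relying on it. Run it in an elevated PowerShell session on each SCEP, ODJ or PFX connector host.

```powershell
# Added example, not from the original post: read-only health check for the
# Windows Automatic Root Certificates Update on an Intune connector server.
# Assumptions (mine, not the post's): the root only needs to be in LocalMachine\Root,
# and $CtlUrl is the default Windows Update CTL location.

$RootSubject    = 'CN=DigiCert Global Root G2'
# Published SHA-1 fingerprint of DigiCert Global Root G2; verify against digicert.com before relying on it.
$RootThumbprint = 'DF3C24F9BFD666761B268073FE06D1CC8D4F82A4'
$CtlUrl         = 'http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab'

function Test-RootPresent {
    # Same store certlm.msc shows as Trusted Root Certification Authorities.
    # Match on thumbprint, not subject, so a look-alike cert with the same CN does not pass.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $RootThumbprint }
    if ($cert) { "OK   root present: $($cert.Subject), expires $($cert.NotAfter)" }
    else       { "WARN root not yet in LocalMachine\Root: $RootSubject (fine if auto-update is on and reachable)" }
}

function Get-RegValue($Path, $Name) {
    # Policy values normally only exist when set by GPO/MDM; $null means default (auto-update on).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-AutoUpdatePolicy {
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $auto   = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'

    $disable = Get-RegValue $policy 'DisableRootAutoUpdate'
    if ($disable -eq 1) { 'FAIL DisableRootAutoUpdate=1: trusted CTL auto-update is turned off' }
    else                { 'OK   DisableRootAutoUpdate not set or 0' }

    $untrusted = Get-RegValue $policy 'EnableDisallowedCertAutoUpdate'
    "INFO EnableDisallowedCertAutoUpdate = $(if ($null -eq $untrusted) { '<not set>' } else { $untrusted })"

    $url = Get-RegValue $auto 'RootDirUrl'
    if ($url) { "WARN RootDirUrl redirected to '$url': roots come from that share, not Windows Update; keep it current" }
    else      { 'OK   RootDirUrl not set: roots come from Windows Update' }
}

function Test-CtlReachable {
    # Proxies and egress filters are the usual reason a server never receives the new root.
    try {
        $resp = Invoke-WebRequest -Uri $CtlUrl -Method Head -UseBasicParsing -TimeoutSec 15
        "OK   CTL endpoint reachable (HTTP $($resp.StatusCode))"
    } catch {
        "FAIL cannot reach $CtlUrl : $($_.Exception.Message)"
    }
}

function Get-RecentCapi2AutoUpdateEvents {
    # CAPI2 Event ID 7 = successful third-party root list retrieval, ID 8 = failed retrieval.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CAPI2'; Id = 7, 8 } `
                 -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Test-RootPresent
Test-AutoUpdatePolicy
Test-CtlReachable
Get-RecentCapi2AutoUpdateEvents | Format-Table -AutoSize
```

Read the results together: a missing root with DisableRootAutoUpdate=1, a redirected RootDirUrl pointing at a stale share, an unreachable CTL endpoint, or a run of Event ID 8 entries each mean the connector will not pick up the new root on its own and you need to fix the block (or import the root manually) before the Intune endpoints cut over.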
