
Welcome to ECS LEAD

Your Trusted Microsoft Partner

How to Fix PKCS Certificate Revocation Issues in Intune

When deploying certificates through Intune, admins sometimes find that a PKCS certificate they have already revoked keeps turning up on devices. This causes confusion and connectivity problems, especially where the certificate is the credential, as in Wi-Fi (EAP-TLS) and VPN access: the RADIUS server or VPN gateway checks the CRL and rejects the revoked certificate, while Intune keeps delivering the same certificate. In this post, we walk through the common causes of this issue and how to resolve it.


Understanding PKCS Certificate Revocation in Intune

What is PKCS Certificate Revocation?

In Intune, a PKCS certificate profile has the Certificate Connector for Microsoft Intune request a certificate from your on-premises Active Directory Certificate Services (AD CS) CA and deliver the certificate together with its private key to the device as a PKCS #12 (.pfx) bundle. That certificate then authenticates the user or device to Wi-Fi, VPN and other services. When it should no longer be accepted, because the key may have been exposed, the device was lost, or the user no longer needs access, the certificate must be revoked at the CA. Waiting for expiry is not enough: a certificate stays valid until its NotAfter date unless it is revoked.

Revocation tells relying parties that the certificate is no longer trustworthy. Intune, however, only knows about revocations it performed itself through the connector, for example when a device is retired or a profile is unassigned. A certificate revoked by hand in the CA console still looks current to Intune, so Intune may keep delivering the same certificate to the device. The result is a credential in the field that every properly configured relying party rejects, plus a stream of authentication failures that are hard to trace back to the revocation.


Common Reasons for Certificate Revocation Issues

Some of the typical reasons for certificate revocation issues in Intune include:

  • Cached policies: for an unchanged profile assignment, Intune holds on to the certificate it already issued and redelivers it rather than requesting a new one, so a revocation done outside Intune changes nothing about what gets pushed.

  • Improper certificate removal: revoking at the CA marks the certificate as revoked in the CA database and in the next CRL, but does nothing to the copy in the device's Personal certificate store or to the copy Intune holds for the profile. The device keeps presenting the old certificate until something removes it.

  • Sync problems: devices that don't check in with Intune after the profile is changed keep whatever certificate they already have, and users see the failures long after you thought the problem was fixed.


Why Intune Keeps Deploying Revoked Certificates

Cached Policies and Old Certificate Persistence

The most common reason Intune appears to deploy a revoked certificate is that nothing on the Intune side changed when you revoked it. The profile assignment is the same, so Intune sees no reason to request a new certificate through the connector and keeps delivering the one it already issued from the original template settings. Until the assignment itself changes, the revocation at the CA and the policy in Intune simply disagree.


How Revocation Works in a Typical CA Setup

In a typical AD CS setup, revoking a certificate marks it as revoked (disposition 21) in the CA database. The CA then includes the certificate's serial number in the next Certificate Revocation List (CRL), which it publishes to the CRL distribution point (CDP) named in every certificate it issues. Relying parties such as an NPS/RADIUS server or a VPN gateway download the CRL (or query OCSP) and stop trusting the listed certificates. Intune does not read the CRL: it has no way of knowing a certificate was revoked unless the revocation went through the Certificate Connector. And if the CRL isn't published or the CDP is unreachable, even the relying parties either keep accepting the certificate or, depending on their configuration, reject every certificate from that CA. Both the CRL and the Intune policy therefore need to be checked.
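The CA side of this is easy to verify from the CA itself. The following is an added example, not part of the original post or of any ECS LEAD tooling; it is run on the issuing CA (or a host with the CA admin tools installed) by an account with CA management rights. The serial number and file path are placeholders, and the short column aliases passed to -out are the ones certutil accepts for the Request.* columns.

```powershell
# Added example: verify what the CA thinks about a certificate, force a CRL publish, and
# check a certificate the way a relying party would. Serial and path are placeholders.

# 1. Look up the certificate in the CA database by serial number and show its disposition.
#    Disposition 20 = Issued, 21 = Revoked. RevokedWhen/RevokedReason are empty for issued certs.
#    On the device, the serial comes from: (Get-Item Cert:\CurrentUser\My\<thumbprint>).SerialNumber
$Serial = '1A00000012AB34CD56EF7890ABCDEF0123456789'   # placeholder
certutil -view -restrict "SerialNumber=$Serial" -out "RequestID,RequesterName,CommonName,Disposition,RevokedWhen,RevokedReason"

# 2. List everything the CA currently holds as revoked. This is exactly the set of serial
#    numbers the next CRL will carry; if your certificate is missing here, it was never revoked.
certutil -view -restrict "Disposition=21" -out "RequestID,RequesterName,CommonName,NotAfter,RevokedWhen,RevokedReason"

# 3. Publish a fresh base CRL now instead of waiting for the scheduled interval, and show
#    how long the CA waits between publishes (CRLPeriodUnits x CRLPeriod).
certutil -CRL
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod

# 4. Check a certificate exported from the device against the CDP/OCSP URLs embedded in it,
#    exactly as NPS or a VPN gateway would. A revoked certificate fails with CRYPT_E_REVOKED
#    (0x80092010); an unreachable CDP fails with CRYPT_E_REVOCATION_OFFLINE (0x80092013),
#    which is a publishing problem, not a revocation.
#    Export on the device with: Export-Certificate -Cert (Get-Item Cert:\CurrentUser\My\<thumbprint>) -FilePath .\user-cert.cer
certutil -verify -urlfetch .\user-cert.cer   # placeholder path
```

If step 1 shows disposition 20 while you believe the certificate was revoked, the revocation never happened at the CA. If it shows 21 but step 4 does not fail with CRYPT_E_REVOKED, the CRL at the CDP is stale or unreachable. Neither of these is an Intune problem, and fixing Intune policy alone will not make relying parties behave.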


Identifying the Root Cause in Intune

To resolve this issue, first identify why Intune isn't reflecting the revocation. Check the MDM client log on the affected device (Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin), look up the request and its disposition in the CA database, and review the Certificate Connector's event logs on the connector host. Usually the cause is a policy or sync issue that leaves Intune delivering the certificate it already holds.


Step-by-Step Guide to Resolving Revocation Problems

Removing and Reassigning Certificate Profiles

One of the first steps is to unassign the problematic certificate profile from the affected users or devices. Removing the profile from a device makes Intune revoke that device's PKCS certificate through the connector (the connector's service account needs the Issue and Manage Certificates permission on the CA for this to succeed). After a few minutes, reassign the profile. Because the assignment changed, Intune refreshes the policy and requests a new certificate rather than redelivering the old one.


Ensuring Full Removal of Old Certificates

Even after revocation, the certificate stays in the device's certificate store. Make sure the revoked certificate and its private key are removed from the Personal store of the user and of the computer, whichever the profile targeted; Wi-Fi and VPN clients that pick a certificate automatically may keep selecting the revoked one as long as it is present. You can delete it manually with certmgr.msc or certlm.msc, or automate the cleanup with a PowerShell script deployed through Intune or Group Policy.


Manual Device Sync to Refresh Policy

After removing the revoked certificates and reassigning the profile, trigger a manual sync on the affected devices. Do this from the Intune admin center (select the device and choose Sync) or have users do it themselves under Settings > Accounts > Access work or school, selecting the work account and choosing Info > Sync. This applies the refreshed certificate policy without waiting for the next scheduled check-in.


Advanced Troubleshooting Tips for IT Admins

Reviewing Logs and Intune Connector Events

If the issue persists, dig into the logs. On the affected device, open Event Viewer and review Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin for errors around certificate installation and for the time of the last successful sync. Then, on the server running the Certificate Connector for Microsoft Intune, review the connector's own event logs (Applications and Services Logs > Microsoft > Intune > CertificateConnectors) for failed issuance or revocation requests, which would show whether the connector is still working from the old assignment, cannot reach the CA, or lacks permissions on it.
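The log review described in this section and in "Identifying the Root Cause in Intune" above can be scripted so that you collect the same evidence from every affected device and from the connector host. The block below is an added example written for this post, not code from ECS LEAD or Microsoft. The device-side channel name is the standard MDM diagnostics log; the connector channel names are assumed to follow the Microsoft-Intune-CertificateConnectors layout of the current connector, so adjust them if your Event Viewer shows a different path.

```powershell
# Added example: pull the last 24 hours of certificate-related MDM events on a device and,
# on the connector host, the connector's own events. Channel names for the connector are an
# assumption; the device channel is the standard MDM diagnostics log.

$Since = (Get-Date).AddHours(-24)

# --- On the affected device ---------------------------------------------------------------
# The MDM client records policy processing here; certificate failures surface as Error (2)
# or Warning (3) events. Matching on the message text keeps unrelated CSP noise out.
$deviceLog = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
Get-WinEvent -FilterHashtable @{ LogName = $deviceLog; StartTime = $Since; Level = 2,3 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'cert|PFX|PKCS' } |
    Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -Wrap -AutoSize

# The same log shows when the device last completed a sync session with Intune. If the
# newest entry predates your profile change, the device simply has not picked it up yet.
Get-WinEvent -FilterHashtable @{ LogName = $deviceLog; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'sync|session' } |
    Select-Object -First 5 TimeCreated, Id, Message

# --- On the Certificate Connector host ----------------------------------------------------
# Admin carries errors and warnings, Operational carries every request the connector handled.
# Assumption: channel names as below.
foreach ($channel in 'Microsoft-Intune-CertificateConnectors/Admin',
                     'Microsoft-Intune-CertificateConnectors/Operational') {
    Get-WinEvent -FilterHashtable @{ LogName = $channel; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'revok|PKCS|PFX|denied|fail' } |
        Select-Object TimeCreated, @{ n = 'Channel'; e = { $channel } }, Id, LevelDisplayName, Message |
        Format-Table -Wrap -AutoSize
}

# A stopped connector service means no issuance and no revocation at all. For revocation to
# succeed the service account also needs "Issue and Manage Certificates" on the CA.
Get-Service | Where-Object { $_.DisplayName -like '*Intune*Connector*' } |
    Select-Object Name, Status, StartType
```

Read the two halves together: a device that shows a recent sync but no certificate errors, paired with a connector log that shows no request for that device, means Intune never asked for a new certificate, which points back to an unchanged profile assignment. A connector log full of access-denied failures points at the CA permissions instead.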


Verifying Certificate Removal in User and Machine Stores

Even though you have revoked the certificate at the CA, verify that it is gone from the device. The revoked certificate lives in the Personal (My) store of the user or of the computer, depending on which the profile targeted; the Trusted Root and Intermediate Certification Authorities stores hold the CA's own certificates, which must stay. Search both Personal stores for the revoked certificate's thumbprint and confirm that the certificate and its private key container have been deleted, otherwise clients may keep selecting it for Wi-Fi or VPN authentication.
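Here is one way to carry out the cleanup described in "Ensuring Full Removal of Old Certificates" and the verification described in this section, followed by the manual sync from the step-by-step guide. This is an added example for this post, not ECS LEAD's or Microsoft's code. It assumes the issuing CA's distinguished name contains the placeholder fragment below, that the device can reach the CA's CDP or OCSP responder, and that the MDM client's scheduled sync task is named "Schedule #3 created by enrollment client" as it is on current Windows builds; run it elevated so it can touch the computer store and the scheduled task.

```powershell
# Added example: find certificates from the PKCS profile's CA in both Personal stores, ask the
# CA (via CRL/OCSP) whether each is revoked, remove only the ones confirmed revoked, then
# trigger an Intune sync. Issuer fragment and task-name filter are placeholders/assumptions.
using namespace System.Security.Cryptography.X509Certificates

$IssuerMatch = 'CN=Contoso Issuing CA'   # placeholder: a fragment of your issuing CA's DN

function Get-PkcsCertificateStatus {
    param([Parameter(Mandatory)][string]$IssuerMatch)
    foreach ($storePath in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        $certs = Get-ChildItem -Path $storePath -ErrorAction SilentlyContinue |
                 Where-Object { $_.Issuer -like "*$IssuerMatch*" }
        foreach ($cert in $certs) {
            # Build a chain with online revocation checking for the leaf certificate only;
            # this is the same check NPS or a VPN gateway performs against the CDP/OCSP.
            $chain = [X509Chain]::new()
            $chain.ChainPolicy.RevocationMode      = [X509RevocationMode]::Online
            $chain.ChainPolicy.RevocationFlag      = [X509RevocationFlag]::EndCertificateOnly
            $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
            $null = $chain.Build($cert)
            $flags = [X509ChainStatusFlags]::NoError
            foreach ($s in $chain.ChainStatus) { $flags = $flags -bor $s.Status }
            $chain.Dispose()

            [pscustomobject]@{
                Store      = $storePath
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                HasKey     = $cert.HasPrivateKey
                Revoked    = [bool]($flags -band [X509ChainStatusFlags]::Revoked)
                # CDP/OCSP unreachable or CRL stale: the check did not run, so this is NOT
                # evidence of revocation and the certificate is left in place for a human.
                Unknown    = [bool]($flags -band ([X509ChainStatusFlags]::RevocationStatusUnknown -bor
                                                 [X509ChainStatusFlags]::OfflineRevocation))
                Path       = $cert.PSPath
            }
        }
    }
}

$status = Get-PkcsCertificateStatus -IssuerMatch $IssuerMatch
$status | Format-Table Store, Thumbprint, Subject, NotAfter, HasKey, Revoked, Unknown -AutoSize

# Remove confirmed-revoked certificates together with their private keys (-DeleteKey), so
# no client can keep presenting them. Anything with Unknown status is reported, not deleted.
foreach ($c in $status | Where-Object { $_.Revoked -and -not $_.Unknown }) {
    Write-Host "Removing revoked certificate $($c.Thumbprint) from $($c.Store)"
    Remove-Item -Path $c.Path -DeleteKey -Force
}
$status | Where-Object Unknown | ForEach-Object {
    Write-Warning "Could not determine revocation status of $($_.Thumbprint) in $($_.Store); check CDP reachability"
}

# Ask the MDM client to check in with Intune now instead of waiting for its 8-hour schedule.
# Assumption: the enrollment-created task is named 'Schedule #3 created by enrollment client'.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like 'Schedule #3*' } |
    Start-ScheduledTask
```

Deleting the certificate locally changes nothing on the Intune side: if the profile assignment is still the one that produced the revoked certificate, the next sync may deliver the same certificate again. Run this after the unassign/reassign step, not instead of it. Deployed as a script through Intune, the same logic gives you a fleet-wide cleanup and, through the Unknown column, an early warning that devices cannot reach your CDP.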


Resetting User Profiles for Fresh Certificate Issuance

If none of the above works, a more drastic step is to retire (or wipe) the affected device in Intune and re-enroll it. Retiring the device removes the profiles and the certificates they delivered and triggers revocation of the device's PKCS certificates through the connector; re-enrollment makes Intune treat the device as new and request a fresh certificate. Warn users first: retire also removes managed apps and settings from the device.


Best Practices to Avoid Future Certificate Issues

Keeping CA Server and Intune Profiles in Sync

To avoid future issues with revoked certificates, keep the CA, the Certificate Connector and the Intune profiles working as one system. Revoke through Intune (unassign the profile, or retire the device) rather than by hand in the CA console, so Intune's record matches the CA's. Check regularly that the CRL is published on schedule and reachable at the CDP, that the connector service is running with an account that can issue and revoke on the CA, and that profiles are refreshed after any change to the certificate template.


Monitoring Certificate Lifecycle and Renewal Processes

An often-overlooked step in certificate management is tracking the lifecycle of issued certificates. Set up a recurring report of certificates that are approaching expiry or that the CA shows as revoked, so that outdated certificates are removed promptly and replaced with valid ones before users notice a failed Wi-Fi or VPN connection.
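A simple version of that report can come straight from the CA database. The block below is an added example, not part of the original post; it runs on the issuing CA and assumes certutil's date arithmetic in the form "now+days:hours", which it uses to select issued certificates that expire within the chosen window. The template name is not assumed; the script groups by whatever template column the CSV contains.

```powershell
# Added example: list certificates that are still issued (Disposition=20), not yet expired,
# and expiring within $Days days, then summarise by template so the Intune PKCS template
# stands out. Run on the issuing CA. Date syntax "now+days:hours" is certutil's.
$Days = 30
$Out  = Join-Path $env:TEMP 'expiring-certs.csv'

certutil -view -restrict "Disposition=20,NotAfter>=now,NotAfter<=now+${Days}:00" `
         -out "RequestID,RequesterName,CommonName,CertificateTemplate,NotAfter" csv |
    Set-Content -Path $Out -Encoding UTF8

$rows = @(Import-Csv -Path $Out)
"{0} certificate(s) expire within {1} days (details in {2})" -f $rows.Count, $Days, $Out

if ($rows.Count -gt 0) {
    # CSV headers are the CA database display names, which differ between builds, so find the
    # template column by name rather than hard-coding it.
    $templateCol = $rows[0].PSObject.Properties.Name | Where-Object { $_ -like '*Template*' } | Select-Object -First 1
    if ($templateCol) {
        $rows | Group-Object $templateCol | Sort-Object Count -Descending |
            Select-Object Count, @{ n = 'Template'; e = { $_.Name } } | Format-Table -AutoSize
    }
}
```

Schedule this on the CA and mail or ticket the CSV; a sudden jump in the count for the PKCS template tells you a batch of Intune-issued certificates is about to renew, which is exactly when profile and CA settings need to be in agreement.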


Regularly Clearing Outdated Policies in Intune

Intune keeps delivering the certificate tied to an existing profile assignment until that assignment changes, so stale profiles are a standing source of trouble. Regularly review and remove outdated certificate profiles and retired device records in Intune, and make sure devices sync on schedule so that the current policy, not a leftover one, is what gets applied.


Final Thoughts: Ensuring Smooth Certificate Deployment

At ECS LEAD, we’ve helped countless organizations overcome Intune deployment issues like PKCS certificate revocation problems. If you’re struggling to keep certificates properly managed in your environment, feel free to reach out. Our team of experts can help you streamline the process, ensure proper certificate management, and avoid costly disruptions to your network security. We specialize in providing tailored solutions that fit your organization's specific needs, making certificate management hassle-free.
