Microsoft Intune Certificate Connector causes high CPU Usage

Contributor

Hi all

 

we have setup SCEP with our On-Prem Environment and Intune, which is working fine so far. We discovered that the the Process"Microsoft.Intune.Connectors.PkiRevoke" is eating up all CPU. We are just using SCEP and the Revoke Part from the Connector, not PKCS.

 

Does anybody know, what could cause this issue?

 

Many thanks for your help

 

Best regards,
Marc

12 Replies

@marckuhn Interesting, we have exactly the same behavior. Last week we setup a new NDES server with the Intune Certificate connector for SCEP certificates combined with the Azure App Proxy.  Certificate issuance does work as expected.

However, the proces microsoft.intune.connectors.pkirevoke.exe is causing 99%  CPU usage. The connector is running under a service account with the appropriate privileges as described here:
https://docs.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure#grant-permissions-fo... 

@marckuhn 

We have exactly the same problem. Degraded the VM to two vCPUs, which are always full in use. Service is not usable. 

OS is Server 2022 with all updates.

Seems like a bug, any news on this?

Hi all
currently i don't have this issue anymore on one of our environments. Do you have any errors in the event Log regarding revocation of cert's?

Best regards,
Marc
Hi @marckuhn - thanks for getting back on this.
From our perspective, the Event IDs 3003 stopped from being logged by november 9th. However, Event IDs 2 er still there, as well as the high CPU load from the microsoft.intune.connectors.pkirevoke.exe process unfortunately.

Any idea as to what is different from that one environment you are talking about?
Hmm, after restarting the PkiRevokeConnectorSvc service the error 3003 is back as well.

@Raymond Huis in 't Veld 

 

I can't really tell why but I took the road and removed the Certificate Connector on that server and reinstalled it there. What I didn't activated now are the PKCS points, just SCEP and Cert Revocation. I still use the SYSTEM User for this.

 

My CPU on this server is back to normal, even though I have also that 3003 errors in the log. I wasn't able to test the revocation successfully. I think this isn't working at least in my environment.

 

I have a Server 2019 with all AAD related tools on it like AADC, App-Proxy, Cert Connector, NDES.

 

What I didn't configure was the "Logon as a service" permission for my NDES Service Account. Do you have this in place on your side?

 

Best regards,

Marc

I tried a repair of the Intune Connector. Not holding my breath though ;)
This morning before the repair I noticed it is not just CPU it is claiming, also the assigned memory is way above 400MB (while after a restart of the service it is about 25MB).

Our situation is pretty equal. Win Server 2019, Azure App Proxy, Intune Certificate connector (with just SCEP en Cert Revocation configured). Running it as service account though. with "Logon as a service" user rights.

What I am wondering, that 3003 error points towards a "Failed to download revocation requests". I am curious whether our proxy setup with the bare minimum whitelisted URLs is holding us from downloading those revocation requests causing some sort of a memory leak and CPU drain.
Having the same issue here too. Using PFX and Revoke options. Getting constant ‘2’ and ‘3003’ errors in the Intune logs and 100% CPU usage.

Everything works well for a while then CPU spikes and certs requests stop being fulfilled. Only a restart of the services start the requests going through again. Works great for a while then hit the issue again.

I have a case open with MS so will report back if they come up with anything.

@Sparkeh 

 

Exact same issue and setup here. No idea how to fix this as of yet. Please let me know if you manage to resolve this!

We have a case open as well.
Hi all
i discovered today, that we have currently all traffic towards the Internet with port tcp/80 & tcp/443 open from the AADC. I'm wondering if we all have a webproxy in between which could cause that issue.

Best regards,
Marc

@ANDRES365 

 

We have reinstalled the connector without PFX component - we only need the SCEP service. Its working now.