Microsoft Intune Certificate Connector causes high CPU Usage


Hi all

 

We have set up SCEP with our on-prem environment and Intune, which is working fine so far. We discovered that the process "Microsoft.Intune.Connectors.PkiRevoke" is eating up all CPU. We are just using SCEP and the Revoke part of the Connector, not PKCS.

 

Does anybody know, what could cause this issue?

 

Many thanks for your help

 

Best regards,
Marc


@marckuhn Interesting, we have exactly the same behavior. Last week we set up a new NDES server with the Intune Certificate Connector for SCEP certificates combined with the Azure App Proxy. Certificate issuance does work as expected.

However, the process microsoft.intune.connectors.pkirevoke.exe is causing 99% CPU usage. The connector is running under a service account with the appropriate privileges as described here:
https://docs.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure#grant-permissions-fo... 

@marckuhn 

We have exactly the same problem. Degraded the VM to two vCPUs, which are always fully in use. Service is not usable.

OS is Server 2022 with all updates.

Seems like a bug, any news on this?

Hi all
Currently I don't have this issue anymore on one of our environments. Do you have any errors in the event log regarding revocation of certs?

Best regards,
Marc
Hi @marckuhn - thanks for getting back on this.
From our perspective, the Event IDs 3003 stopped being logged by November 9th. However, Event IDs 2 are still there, as well as the high CPU load from the microsoft.intune.connectors.pkirevoke.exe process, unfortunately.

Any idea as to what is different from that one environment you are talking about?
Hmm, after restarting the PkiRevokeConnectorSvc service the error 3003 is back as well.

@Raymond Huis in 't Veld 

 

I can't really tell why, but I took the road of removing the Certificate Connector on that server and reinstalling it there. What I didn't activate now are the PKCS points, just SCEP and Cert Revocation. I still use the SYSTEM user for this.

 

My CPU on this server is back to normal, even though I also have those 3003 errors in the log. I wasn't able to test the revocation successfully. I think this isn't working, at least in my environment.

 

I have a Server 2019 with all AAD related tools on it like AADC, App-Proxy, Cert Connector, NDES.

 

What I didn't configure was the "Logon as a service" permission for my NDES Service Account. Do you have this in place on your side?

 

Best regards,

Marc

I tried a repair of the Intune Connector. Not holding my breath though 😉
This morning before the repair I noticed it is not just CPU it is claiming, also the assigned memory is way above 400MB (while after a restart of the service it is about 25MB).

Our situation is pretty equal: Win Server 2019, Azure App Proxy, Intune Certificate Connector (with just SCEP and Cert Revocation configured). Running it as a service account though, with "Logon as a service" user rights.

What I am wondering about: that 3003 error points towards a "Failed to download revocation requests". I am curious whether our proxy setup with the bare minimum of whitelisted URLs is keeping us from downloading those revocation requests, causing some sort of memory leak and CPU drain.
Having the same issue here too. Using PFX and Revoke options. Getting constant ‘2’ and ‘3003’ errors in the Intune logs and 100% CPU usage.

Everything works well for a while, then CPU spikes and cert requests stop being fulfilled. Only a restart of the services starts the requests going through again. Works great for a while, then we hit the issue again.

I have a case open with MS so will report back if they come up with anything.

@Sparkeh 

 

Exact same issue and setup here. No idea how to fix this as of yet. Please let me know if you manage to resolve this!

We have a case open as well.
Hi all
I discovered today that we currently have all traffic towards the Internet on port tcp/80 & tcp/443 open from the AADC. I'm wondering if we all have a web proxy in between which could cause that issue.

Best regards,
Marc

@ANDRES365 

 

We have reinstalled the connector without the PFX component - we only need the SCEP service. It's working now.

I am also seeing this issue on Server 2019. Anyone had any feedback from MS on this?

Did you get any guidance on the issue here? Thanks
Heard back from MS today who noted that this issue is widely reported and engineers are working on it.

Was asked to create the following reg key: HKLM\Software\Microsoft\MicrosoftIntune\PFXCertificateConnector\HealthTelemetry\EnableHealthTelemetry = 0 and restart the server.

Unfortunately this didn’t seem to help. Waiting for MS’s next move now…

Thanks for giving that update Sparkeh. Hopefully they'll come back with a fix. Would be grateful if you could post any further progress.

Hi HandA
Do you use the PFX component or just SCEP? In my case the issue seems to be gone since I changed the config and removed the PFX topics, as I don't need that, just SCEP.
Best regards,
Marc

@marckuhn 

 

Hi Marc,

It's just SCEP. I thought at the install stage you select either SCEP or PKCS. I only selected SCEP, I believe. How did you check/remove the PFX topics?

 

Thanks

Hi @HandA
I uninstalled the whole software and installed it from scratch again. I knew it because I'm always doing some printscreens for my documentation.
Your printscreens look exactly like what I have configured. Do you have a web proxy in front of that server?

We also still have it on another environment and configured the affinity for that process, so it can't use all the CPU. But that's more of a workaround than a solution.

Best regards,
Marc
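As an added example that is not from any poster in this thread, the following PowerShell script gathers the symptoms described above (CPU and working set of the PkiRevoke process, counts of Event IDs 2 and 3003) and applies the two workarounds posted here: the EnableHealthTelemetry registry value from the MS case, and pinning the process to a single core as in the last post. The event log name, the DWORD value type and the single-core affinity mask are assumptions and are marked as such in the code.

```powershell
# Added example, not code from the thread. Run in an elevated session on the connector server.
#Requires -RunAsAdministrator

$ProcessName = 'Microsoft.Intune.Connectors.PkiRevoke'   # process named in the thread
$ServiceName = 'PkiRevokeConnectorSvc'                   # service named in the thread
$RegPath     = 'HKLM:\SOFTWARE\Microsoft\MicrosoftIntune\PFXCertificateConnector\HealthTelemetry'
$LogName     = '<connector event log name>'              # ASSUMPTION / placeholder: the thread does not name the log

# 1. Symptom check: CPU time and working set of the revoke process.
#    The thread reports a working set above 400 MB versus about 25 MB right after a restart.
$proc = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if ($proc) {
    [pscustomobject]@{
        Pid          = $proc.Id
        CpuSeconds   = [math]::Round($proc.CPU, 1)
        WorkingSetMB = [math]::Round($proc.WorkingSet64 / 1MB, 1)
    } | Format-List
} else {
    Write-Warning "Process '$ProcessName' is not running."
}

# 2. Count Event IDs 2 and 3003 (the IDs quoted in the thread) from the last 24 hours.
try {
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 2, 3003; StartTime = (Get-Date).AddDays(-1) } -ErrorAction Stop |
        Group-Object -Property Id |
        Select-Object -Property @{ n = 'EventId'; e = { $_.Name } }, Count
} catch {
    Write-Warning "Could not read events from '$LogName': $_"
}

# 3. Workaround from the MS case: disable health telemetry.
#    The thread gives the path and value 0; the DWORD value type is an assumption.
#    The thread says to restart the server afterwards; this script only restarts the service.
New-Item -Path $RegPath -Force | Out-Null
New-ItemProperty -Path $RegPath -Name 'EnableHealthTelemetry' -Value 0 -PropertyType DWord -Force | Out-Null

# 4. Workaround from the last post: restrict the process to one core so it cannot saturate the VM.
#    Affinity does not survive a process restart, so restart the service first and re-apply it.
Restart-Service -Name $ServiceName
Start-Sleep -Seconds 5
$proc = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if ($proc) {
    $proc.ProcessorAffinity = [IntPtr]1   # ASSUMPTION: bitmask for core 0 only; widen if you want two cores
    "Affinity of PID $($proc.Id) set to $($proc.ProcessorAffinity)"
}
```

The affinity step only caps how much CPU the process can burn; it does not stop the 3003 "Failed to download revocation requests" loop, so keep the event counts from step 2 as the signal that the underlying problem is still present.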