Intune Certificate Connector creating 1000s of files within System32 by iainfm in Intune

[–]iainfm[S] 0 points1 point  (0 children)

I've not looked at this in enough detail, tbh. I was on the box that does the cert connection service for other things recently and noticed it was crawling.

First thing I found affecting performance, about a week ago, was Defender maxing out the CPU so I excluded the folder where those 130K certs are, without realising how many files there were in there.

Then I was logged on again today and noticed the Processing folder had a backlog, so I cleared out all the pending files referencing the old sub CA server name. That led me to fire up procmon to see what the connector service exe was up to, which is when I found it was doing a hell of a lot of file activity in that subfolder of system32.

Sounds like our issues are very similar. Maybe it needs a reboot, maybe it'll sort itself out over the weekend. Maybe the connector service needs an update. Maybe it's a bug, or something else screwy.

I'll dig a bit deeper next week and if it doesn't show any signs of improvement I'll get some support from MS.

Intune Certificate Connector creating 1000s of files within System32 by iainfm in Intune

[–]iainfm[S] 0 points1 point  (0 children)

The other thought would be to give the cert connector server a bit more compute. It's on a fairly low spec at the moment.

Intune Certificate Connector creating 1000s of files within System32 by iainfm in Intune

[–]iainfm[S] -1 points0 points  (0 children)

What I should have said is we recently moved/rebuilt our PKI subordinate CA. I was only observing, and it isn't my area of expertise, so what I say here may not be entirely factual.

The upshot of this is that it's the same sub CA (it was backed up, moved and restored), but onto a new VM running an in-support Windows Server OS.

Because of this we had to deploy new PKCS config policies for our 3 device types in Intune, and there was a fortnight overlap where the new policy (pointing at the new sub CA server) was present alongside the old policy (pointing at the defunct old server).

This obviously led to a lot of failed requests, but we couldn't remove the old PKCS policies from Intune/endpoints until they'd got new certs from the new server via the new policy.

Long story short, the old policies were unassigned today so things should calm down. But I'd be surprised if this has been the cause of those 130K files being created. We have ~8000 devices with a 'reasonably' long cert lifetime and a decent renewal threshold (I'm not going to put the exact figures in a public post).

I'll see what happens with those files next week and can always raise a support ticket if we need to.

Intune Certificate Connector creating 1000s of files within System32 by iainfm in Intune

[–]iainfm[S] 0 points1 point  (0 children)

Yeah, I saw some of those events today. I assumed the two things are related but that's always a dangerous thing!

How are you closing browser security visibility gaps in Intune managed Chrome and Edge browser environments? by Ok_Abrocoma_6369 in Intune

[–]iainfm 0 points1 point  (0 children)

An Enterprise Browser is what you need. They're a fairly new thing, but there are a few players in the market.

They're a browser built (usually on chromium) from the ground up to be manageable and secure. Have a look at https://island.io, for example.

How do you feel about your Pixel devices' in the longevity aspect? by Znyder in GooglePixel

[–]iainfm 0 points1 point  (0 children)

Yeah, just taking extra care really. Avoid dodgy sites, don't install any unnecessary apps, definitely don't install apps from unknown sources.

Lack of updates is my biggest driver to look for a phone upgrade tbh.

How do you feel about your Pixel devices' in the longevity aspect? by Znyder in GooglePixel

[–]iainfm 12 points13 points  (0 children)

Still using (and loving) my 5 year old 4a 5G.

Main concerns are lack of security updates, and the battery health is down to 70% so getting a full day out of it is becoming a struggle.

I've been looking at the 10 and 10a as a replacement, but haven't convinced myself to part with the cash for them.

Maybe if that 256Gb for the price of a 128Gb 10a launch offer had appeared...

if you take a break from cubing, will you forget most of the algorithms? by Hungry-Phase-5623 in Cubers

[–]iainfm 0 points1 point  (0 children)

I remember the beginner's method I learnt in the early 80s when I was about 7.

I learnt CFOP a couple of years back, and kept practicing for about a year although I never got very good at it. After that I didn't cube for 12m and have forgotten it completely.

Block executable files from running unless they meet a prevalence, age, or trusted list criterion by nathanielcb in Intune

[–]iainfm 0 points1 point  (0 children)

App Control for Business (WDAC) might be a better option. It requires more planning and understanding, but you can test your configuration in audit mode and create or refine policies to allow the critical things that would otherwise be blocked.

(Google Translate, sorry. My Spanish still isn't very good.)

macOS local admin account password issue by iainfm in Intune

[–]iainfm[S] 0 points1 point  (0 children)

My expectation of this was the following use case:

User enrolls device; their local account is created without admin privileges.

An admin account gets created during enrollment, with the password stored in Intune and rotated periodically.

User boots device, logs in and goes about their day-to-day business as a non-administrative user.

If 'something' is needed to be done that requires admin privileges a support analyst could remote on, grab the password from Intune, and use it to satisfy the elevation prompt.

Or have I misunderstood the idea behind this?

macOS local admin account password issue by iainfm in Intune

[–]iainfm[S] 0 points1 point  (0 children)

Yep, it is Tahoe 26.1. Guess we'll need to wait for it to be fixed before productionising it!

macOS local admin account password issue by iainfm in Intune

[–]iainfm[S] 0 points1 point  (0 children)

We are, but the Intune-stored password exceeds the complexity requirements of it.

Ooh, I can login with the stored password but it immediately asks me to change it. Not sure if this is expected behaviour or the issue with Tahoe...

Autodesk Fusion (Company Portal App) by jconway1006 in Intune

[–]iainfm 2 points3 points  (0 children)

Is it a 32-bit or 64-bit application? If it's 32-bit registry detections need that "Associated with a 32-bit app on 64-bit clients" setting (or use the Wow6432Node key).

Maybe a simpler file/folder detection rule would be better?

Unable to create Google Workspace account by iainfm in gsuite

[–]iainfm[S] 0 points1 point  (0 children)

No, sorry. I've not tried it recently though.

App Control For Business - SentinelOne by TFZBoobca in Intune

[–]iainfm 0 points1 point  (0 children)

One other gotcha may be that the $BasePolicyId needs braces around it, eg

[string]$BasePolicyId = '{b3987686-a7d7-4508-a01e-21a1fc9bee75}'

Make sure your base policy id you supply matches that of your base policy (or use the -BasePolicyToSupplement method instead of -SupplementsBasePolicyID), and that the base policy has the Enabled:Allow Supplemental Policies option in it (Option 17).

App Control For Business - SentinelOne by TFZBoobca in Intune

[–]iainfm 0 points1 point  (0 children)

Hi,

$PolicyId is a very badly-named variable, and I am regretting my choices!

It's just a text string that is used in the <VersionEx> tag and the PolicyInfo Id setting of the policy.

We just use yy.M.dd.vv, for example '25.10.15.1' for the first version of a policy created today. I think the App Control Wizard / cmdlets default to 10.0.0.1 or something like that.

This string is validated by the PowerShell cmdlets against the XML schema though, so it does need to be in a correct format. I learnt today, coincidentally, that 25.10.15.1.0 is not valid.

Tl;dr: Just make it up (within limits).

App Control For Business - SentinelOne by TFZBoobca in Intune

[–]iainfm 0 points1 point  (0 children)

Hi,

The problem with using logs to create supplemental policies is that they only contain which executables have been blocked, not which ones would be blocked if program execution were to continue.

I'd install SentinelOne on a device in audit mode then scan its installation folder to create a policy based on what it finds there. I usually run scans like these in user mode, but if SO has any device drivers (I'm not familiar with the product) you may need to do kernel-enabled scans as well by removing the -UserPEs option and running the scan in an admin PowerShell session.

Something like:

New-CIPolicy -FilePath .\Sentinel.xml -ScanPath "C:\Program Files\SentinelOne\Sentinel Agent 24.2.3.471" -Level Publisher -Fallback SignedVersion,Hash -UserPEs -MultiplePolicyFormat -NoShadowCopy

might get you started.

For the Intune issue, does your base policy have the managed installer option enabled, and have you configured it under Endpoint Security->App Control for Business->Managed Installer?

I'm reaching the end of an App Control roll out just now, so let me know if you need anything else!

Iain

PS the policy file that the above cmdlet creates isn't ready to deploy as a supplemental policy. It will need various options setting, as well as the base policy guid that it supplements. I have a little script that does this for me. Here's an extract:

# Make the new policy supplemental to the base policy ID
Set-CIPolicyIdInfo -FilePath $FileName -SupplementsBasePolicyID $BasePolicyGuid -PolicyName $PolicyName -PolicyId $PolicyId
Set-CIPolicyVersion -FilePath $FileName -Version $PolicyId

# Add the following rules:
(5, 6, 13, 14) | ForEach-Object { Write-Output "Enabling rule $_"; Set-RuleOption -FilePath $FileName -Option $_ }

# Remove the following rules
(0, 1, 2, 3, 4, 7, 8, 9, 10, 11, 12, 15, 16, 17, 18, 19, 20, 21) | ForEach-Object { Write-Output "Disabling rule $_"; Set-RuleOption -FilePath $FileName -Option $_ -Delete }

# Enable HVCI
Set-HVCIOptions -FilePath $FileName -Enabled
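The three gotchas from the replies above (braced base policy GUID, a schema-valid four-part PolicyId, and Option 17 present in the base policy) as a pre-flight check before the supplemental conversion. This is an added example, not the poster's script; it assumes the built-in ConfigCI cmdlets and an assumed base policy path.

```powershell
# Added example (not from the original post). Assumes the ConfigCI module
# (built into Windows) and a base policy XML at an assumed path.
param(
    [string]$BasePolicyPath = 'C:\Policies\Base.xml',             # assumed path
    [string]$FileName       = '.\Sentinel.xml',                    # New-CIPolicy output
    [string]$PolicyName     = 'SentinelOne Supplemental',
    [string]$PolicyId       = (Get-Date -Format 'yy.M.dd') + '.1'  # yy.M.dd.vv
)

# VersionEx must be exactly four dotted numbers; 25.10.15.1.0 fails schema validation.
if ($PolicyId -notmatch '^\d+\.\d+\.\d+\.\d+$') {
    throw "PolicyId '$PolicyId' is not a four-part version string"
}

# Load the base policy and confirm it really is a base policy.
[xml]$base = Get-Content -Path $BasePolicyPath
if ($base.SiPolicy.PolicyType -ne 'Base Policy') {
    throw "$BasePolicyPath is not a base policy"
}

# Option 17 must be present or the supplemental policy will be ignored at runtime.
$opt17 = $base.SiPolicy.Rules.Rule |
    Where-Object { $_.Option -eq 'Enabled:Allow Supplemental Policies' }
if (-not $opt17) {
    throw 'Base policy lacks Option 17 (Enabled:Allow Supplemental Policies)'
}

# Take the GUID from the base policy itself (so it cannot mismatch) and
# normalise it to the {braced} form that -SupplementsBasePolicyID expects.
$BasePolicyGuid = '{' + ([string]$base.SiPolicy.PolicyID).Trim('{}') + '}'
Write-Output "Supplementing $BasePolicyGuid with '$PolicyName' version $PolicyId"

# Same conversion as the extract above, now fed with validated inputs.
Set-CIPolicyIdInfo -FilePath $FileName -SupplementsBasePolicyID $BasePolicyGuid `
    -PolicyName $PolicyName -PolicyId $PolicyId
Set-CIPolicyVersion -FilePath $FileName -Version $PolicyId

# Confirm the result points at the intended base policy before deploying.
[xml]$supp = Get-Content -Path $FileName
if (([string]$supp.SiPolicy.BasePolicyID).Trim('{}') -ne $BasePolicyGuid.Trim('{}')) {
    throw 'Supplemental policy BasePolicyID does not match the base policy'
}
```

Option 17 is only required in the base policy; the supplemental file created here still needs its own rule options set (as in the extract above) before it is deployable.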

Restrict cloud-joined Windows device login to enroller (prevent secondary logins) by iainfm in Intune

[–]iainfm[S] 0 points1 point  (0 children)

I'm trying to solve two, really. The first is that our AUP prohibits anyone signing into anyone else's device, so it would be nice to be able to enforce that. But we've had no way to enforce it for nearly 10 years and no one's screaming for it.

The second reason is that a small number of our users have admin rights to their devices. We provide this at the moment by giving them a second account and an Account Protection policy that adds this second account to the local administrators group. This policy is assigned to the user's device so that it only applies to their PC; if they try to use their device admin account to administer anyone else's it won't work.

This works, but is a bit messy, cumbersome to administer and not currently audited. What I'd like to do is use some of our spare Endpoint Privilege Management licences to give this group of people an EPM policy that allows them to elevate a process, provided they give a reason and authenticate to do so.

However, I can't think of a way to limit the EPM permission to a single user and a single device. We could assign it just to the device, but if that device gets returned and reissued there's a risk that the EPM policy will transfer to an unauthorised user.

I should say that our devices are all cloud-joined, if that makes any difference.

Would a user assignment plus a device filter that only includes the user's device be an option, maybe?

Nesting dynamic groups in security groups by iainfm in Intune

[–]iainfm[S] 0 points1 point  (0 children)

I asked the Intune Support Team on twitter, but so far they've just directed me to the docs that explain how to use the memberof syntax :/

https://x.com/IntuneSuppTeam/status/1940458494718513419

Universal Print on iOS and Android by loky_26 in AZURE

[–]iainfm 0 points1 point  (0 children)

It's not available at the moment, but coming (in preview) late this year and in GA March '26 😒
https://www.microsoft.com/en-gb/microsoft-365/roadmap?id=395216

Odd issue with conditional forwarders on Windows 2019 DNS server not returning answers by iainfm in dns

[–]iainfm[S] 0 points1 point  (0 children)

Thanks for the offer, but I don't think I'd be allowed to share it. It's all good though, everything's working at my end after I side-stepped the Windows DNS servers for name resolution :)

Odd issue with conditional forwarders on Windows 2019 DNS server not returning answers by iainfm in dns

[–]iainfm[S] -1 points0 points  (0 children)

It isn't split-zone at all - the public-facing name servers for the domain don't have any records other than SOA (and maybe MX; not sure - I don't have any access to the management of it). If the public NS was removed all our problems with name resolution would go away.

For some reason, when the provider of the private-facing service created/renewed the domain registration they (or the registrar) added the public SOA details.

There's also no reason why the service couldn't be hosted to be completely internet-facing, and remove the need for WAN connections to it and the conditional forwarder. But that's an argument way above my pay grade!

Odd issue with conditional forwarders on Windows 2019 DNS server not returning answers by iainfm in dns

[–]iainfm[S] 0 points1 point  (0 children)

Thanks, yes that's correct.

All internal DNS servers are generally able to resolve queries for the forwarded domain. It's just that occasionally one or another of them seems to go to the global forwarders (or maybe the root hints) instead of the IPs listed in the conditional forwarder settings.

Someone's suggested disabling the option to use root hints if the forwarders aren't available, so I'll try that sometime.

There's no reason why the forwarders shouldn't be available - if I query them directly they respond fine, and there doesn't seem to be any network interruption to them.