Fix Microsoft Intune Certificate Connector Configuration Failed Error – Windows Server 2019/2022 2026

Microsoft Intune Certificate Connector configuration fails due to insufficient elevated privileges during setup, even when logged in as administrator. Running the configuration wizard as administrator resolves UAC permission issues.

March 21, 2026
Instant Solution

Right-click the Microsoft Intune Certificate Connector Configuration Wizard and select Run as administrator. Accept the UAC prompt and complete the setup process. This grants the wizard the elevated privileges required to modify system settings and configure the certificate connector properly.

Understanding Microsoft Intune Certificate Connector Configuration Failures

The Microsoft Intune Certificate Connector serves as a critical bridge between your on-premises Certificate Authority and Microsoft Intune's cloud-based device management platform. This connector enables automated certificate enrollment for managed devices using SCEP (Simple Certificate Enrollment Protocol) and PKCS certificate profiles.

Configuration failures during connector setup have become increasingly common in enterprise environments, particularly on Windows Server 2019 and 2022 systems. The primary culprit is Windows' User Account Control (UAC) mechanism, which prevents applications from automatically obtaining elevated privileges even when run by administrative users.

When the configuration wizard fails, it typically occurs at the final step where the connector attempts to register with the Intune service and configure local system components. This failure prevents certificate enrollment workflows from functioning, impacting device compliance and security policies across your managed environment.

The issue affects both fresh installations and connector updates, making it a persistent challenge for IT administrators managing hybrid certificate infrastructures. Understanding the root cause and implementing proper elevation procedures ensures reliable connector deployment and ongoing certificate management operations.

Diagnostic

Symptoms

  • Configuration wizard displays "Configuring Microsoft Intune Certificate Connector Failed" error at final step
  • Setup process completes but connector fails to initialize properly
  • Certificate enrollment requests fail to process through the connector
  • Event Viewer shows access denied errors during connector configuration
  • Connector service fails to start after installation
  • Unable to establish connection between on-premises CA and Intune service
Analysis

Root Causes

  • Configuration wizard lacks explicit administrative privileges despite admin user login
  • User Account Control (UAC) prevents automatic elevation of installer privileges
  • Windows security policies restrict application access to protected system areas
  • Insufficient permissions to modify registry keys required for connector operation
  • Service account lacks necessary rights to configure certificate templates
  • Group Policy settings prevent elevation of installer processes
Resolution Methods

Solutions

Method 1: Run Configuration Wizard as Administrator

This is the primary solution that resolves most configuration failures:

  1. Close any running instances of the Intune Certificate Connector Configuration Wizard
  2. Navigate to Start Menu → All Programs → Microsoft Intune
  3. Locate Microsoft Intune Certificate Connector Configuration Wizard
  4. Right-click the wizard shortcut and select Run as administrator
  5. When the User Account Control prompt appears, click Yes to grant elevated privileges
  6. The wizard will launch with administrator rights - proceed through the configuration steps
  7. Enter your Intune tenant credentials when prompted
  8. Select the appropriate Certificate Authority (CA) from the dropdown list
  9. Configure certificate templates as required for your environment
  10. Complete the wizard - it should now finish successfully without errors
Pro tip: Always run the wizard as administrator even if you're logged in with an admin account, as UAC prevents automatic elevation.

Verification: Open the Services console (services.msc) and verify that Microsoft Intune Certificate Connector Service shows status "Running".

Method 2: Configure UAC Settings and Re-run Setup

If Method 1 fails, adjust UAC settings temporarily:

  1. Press Windows + R, type msconfig, and press Enter
  2. Navigate to the Tools tab
  3. Select Change UAC Settings and click Launch
  4. Move the slider to Never notify (temporarily)
  5. Click OK and restart the computer
  6. After restart, navigate to the Intune Certificate Connector installation directory:
    C:\Program Files\Microsoft Intune\Certificate Connector
  7. Right-click ConfigWizard.exe and select Run as administrator
  8. Complete the configuration process
  9. After successful configuration, restore UAC settings to their original level
  10. Restart the computer to apply UAC changes
Warning: Only disable UAC temporarily during configuration. Restore security settings immediately after completion.

Verification: Run Get-Service -Name "Microsoft Intune Certificate Connector Service" in PowerShell to confirm service status.
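
Method 2 depends on the UAC level being put back afterwards, so it helps to record it before step 1 and compare after step 10. The following is an added example, not part of the original guide: it reads the registry values that back the UAC slider and Admin Approval Mode, and also reports whether the current session is actually elevated (the condition Method 1 is about). The function names and the baseline file path are hypothetical.

```powershell
# Added example: snapshot UAC policy values before Method 2 and confirm they were restored.
# Function names and the baseline file path are hypothetical.
$UacKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$UacValues = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop'

function Get-UacState {
    $props = Get-ItemProperty -Path $UacKey
    $state = [ordered]@{}
    foreach ($name in $UacValues) { $state[$name] = $props.$name }
    # True only when the current token is elevated, regardless of group membership
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $state['SessionElevated'] = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    [pscustomobject]$state
}

function Save-UacBaseline {
    param([string]$Path = "$env:ProgramData\uac-baseline.json")
    Get-UacState | Select-Object $UacValues | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
}

function Compare-UacBaseline {
    param([string]$Path = "$env:ProgramData\uac-baseline.json")
    $baseline = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $current  = Get-UacState
    foreach ($name in $UacValues) {
        [pscustomobject]@{
            Value    = $name
            Baseline = $baseline.$name
            Current  = $current.$name
            Restored = ($baseline.$name -eq $current.$name)
        }
    }
}

# Before step 1:  Save-UacBaseline
# After step 10:  Compare-UacBaseline | Format-Table -AutoSize
Get-UacState
```

Any row with Restored = False after step 10 means the server is still running at the lowered UAC level.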

Method 3: Manual Service Configuration and Registry Fix

For advanced troubleshooting when the wizard continues to fail:

  1. Open Command Prompt as administrator
  2. Stop the connector service if running:
    net stop "Microsoft Intune Certificate Connector Service"
  3. Open Registry Editor by running regedit as administrator
  4. Navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MicrosoftIntune\CertificateConnector
  5. Verify the following registry values exist and are correctly configured:
    • TenantId (REG_SZ): Your Intune tenant ID
    • ConnectorVersion (REG_SZ): Current connector version
    • InstallPath (REG_SZ): Installation directory path
  6. If values are missing, create them manually with appropriate data
  7. Grant the connector service account full control permissions:
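    # Read the current ACL of the connector key
    $acl = Get-Acl "HKLM:\SOFTWARE\Microsoft\MicrosoftIntune\CertificateConnector"
    # Three-argument rule: no inheritance flags, so it applies to this key only, not to subkeys
    $accessRule = New-Object System.Security.AccessControl.RegistryAccessRule("NT SERVICE\Microsoft Intune Certificate Connector Service","FullControl","Allow")
    $acl.SetAccessRule($accessRule)
    # Write the modified ACL back to the key
    $acl | Set-Acl "HKLM:\SOFTWARE\Microsoft\MicrosoftIntune\CertificateConnector"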
  8. Restart the service:
    net start "Microsoft Intune Certificate Connector Service"

Verification: Check Event Viewer under Applications and Services Logs → Microsoft Intune Certificate Connector for successful startup events.

Method 4: Clean Installation with Elevated PowerShell

Complete reinstallation using PowerShell with full administrative privileges:

  1. Uninstall the existing connector from Control Panel → Programs and Features
  2. Open PowerShell as administrator
  3. Remove residual registry entries:
    Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\MicrosoftIntune\CertificateConnector" -Recurse -Force -ErrorAction SilentlyContinue
  4. Clear any remaining service entries:
    Get-Service -Name "*Intune*Certificate*" | Stop-Service -Force
    Get-WmiObject -Class Win32_Service -Filter "Name LIKE '%Intune%Certificate%'" | Remove-WmiObject
  5. Download the latest connector installer from the Microsoft Endpoint Manager admin center
  6. Run the installer with elevated privileges:
    Start-Process -FilePath "NDESConnectorSetup.exe" -Verb RunAs -Wait
  7. After installation, launch the configuration wizard with administrative rights:
    Start-Process -FilePath "C:\Program Files\Microsoft Intune\Certificate Connector\ConfigWizard.exe" -Verb RunAs
  8. Complete the configuration process with your Intune credentials
Pro tip: Use PowerShell's -Verb RunAs parameter to ensure consistent elevation across all installation components.

Verification: Execute Test-NetConnection -ComputerName manage.microsoft.com -Port 443 to verify connectivity to Intune services.

Method 5: Group Policy and Service Account Configuration

Advanced method for domain environments with restrictive policies:

  1. Open Group Policy Management Console (gpmc.msc) as domain administrator
  2. Navigate to the OU containing the connector server
  3. Edit the relevant Group Policy Object
  4. Navigate to Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment
  5. Grant the following rights to the connector service account:
    • Log on as a service
    • Act as part of the operating system
    • Manage auditing and security log
  6. Update Group Policy on the target server:
    gpupdate /force
  7. Configure the service to run under a dedicated service account:
    $serviceName = "Microsoft Intune Certificate Connector Service"
    $serviceAccount = "DOMAIN\IntuneConnectorSvc"
    # Prompt for the password so it is not stored in the script or command history
    $credential = Get-Credential -UserName $serviceAccount -Message "Password for the connector service account"
    # Set-Service -Credential requires PowerShell 6 or later; on Windows PowerShell 5.1 use sc.exe config with obj= and password= instead
    Set-Service -Name $serviceName -Credential $credential
  8. Grant the service account permissions on the Certificate Authority:
    • Open Certificate Authority console
    • Right-click the CA name → Properties → Security
    • Add the service account with Issue and Manage Certificates permissions
  9. Restart the connector service and re-run the configuration wizard as administrator

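Verification: Run sc.exe query "Microsoft Intune Certificate Connector Service" to confirm the service is running, and sc.exe qc "Microsoft Intune Certificate Connector Service" to confirm the logon account shown in SERVICE_START_NAME.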
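
To confirm what step 5 actually granted after gpupdate, the user rights on the connector server can be exported and listed per holder. This is an added example, not part of the original guide; the function names are hypothetical and the sample line is constructed. "Act as part of the operating system" (SeTcbPrivilege) lets its holder act as any user, so it is the assignment most worth reviewing in the output.

```powershell
# Added example: list who holds the user rights from step 5 on this server.
$RightNames = @{
    SeServiceLogonRight = 'Log on as a service'
    SeTcbPrivilege      = 'Act as part of the operating system'
    SeSecurityPrivilege = 'Manage auditing and security log'
}

function ConvertFrom-UserRightsInf {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
        $right   = $Matches[1]
        $rawList = $Matches[2]
        if (-not $RightNames.ContainsKey($right)) { continue }
        foreach ($entry in ($rawList -split ',')) {
            $id = $entry.Trim()
            if (-not $id) { continue }
            $name = $id
            if ($id.StartsWith('*')) {
                # secedit writes SIDs with a leading asterisk; translate when resolvable
                try {
                    $sid  = New-Object Security.Principal.SecurityIdentifier($id.TrimStart('*'))
                    $name = $sid.Translate([Security.Principal.NTAccount]).Value
                } catch { $name = $id }
            }
            [pscustomobject]@{ Right = $RightNames[$right]; Constant = $right; Holder = $name }
        }
    }
}

function Get-ConnectorUserRights {
    # Run elevated; exports the user-rights assignments currently set on this machine
    $tmp = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /areas USER_RIGHTS /cfg $tmp | Out-Null
        ConvertFrom-UserRightsInf -Lines (Get-Content -Path $tmp)
    } finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
}

# Constructed sample in secedit's INF format, so the parser can be tried offline
$sample = 'SeTcbPrivilege = *S-1-5-18,DOMAIN\IntuneConnectorSvc', 'SeBackupPrivilege = *S-1-5-32-544'
ConvertFrom-UserRightsInf -Lines $sample | Format-Table -AutoSize
```

On the connector server, run Get-ConnectorUserRights in an elevated session and compare the holders against the account configured in step 7.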

Validation

Verification

After applying any of the above methods, verify the fix using these steps:

  1. Open Services console by running services.msc
  2. Locate Microsoft Intune Certificate Connector Service and verify it shows status "Running"
  3. Check Event Viewer for successful connector events:
    • Navigate to Applications and Services Logs → Microsoft Intune Certificate Connector
    • Look for Event ID 1000 indicating successful service startup
    • Verify no error events (Event IDs 2000-2999) are present
  4. Test connectivity to Intune services:
    Test-NetConnection -ComputerName manage.microsoft.com -Port 443
    Test-NetConnection -ComputerName portal.manage.microsoft.com -Port 443
  5. Verify certificate enrollment functionality by creating a test SCEP profile in the Endpoint Manager admin center
  6. Monitor the connector logs for successful certificate processing
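
Steps 1 to 4 above can be run in one pass. The following is an added example, not part of the original guide: the service name, log name and event IDs are taken from this page as written, the function names are hypothetical, and the one-hour look-back window is an assumption.

```powershell
# Added example: run verification steps 1-4 and return one row per check.
$ServiceName = 'Microsoft Intune Certificate Connector Service'   # name as given on this page
$LogName     = 'Microsoft Intune Certificate Connector'           # log name as given on this page
$Endpoints   = 'manage.microsoft.com', 'portal.manage.microsoft.com'

function New-Check { param($Name, [bool]$Passed, $Detail)
    [pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail } }

function Test-ConnectorHealth {
    param([datetime]$Since = (Get-Date).AddHours(-1))   # assumed look-back window

    # Steps 1-2: service state (matches either the service name or the display name)
    $svc = Get-Service | Where-Object { $_.Name -eq $ServiceName -or $_.DisplayName -eq $ServiceName } |
        Select-Object -First 1
    if ($svc) { New-Check 'Service running' ($svc.Status -eq 'Running') "$($svc.Status)" }
    else      { New-Check 'Service running' $false 'service not found' }

    # Step 3: Event ID 1000 present and no IDs in 2000-2999 since $Since
    $events  = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $Since } -ErrorAction SilentlyContinue)
    $started = @($events | Where-Object { $_.Id -eq 1000 })
    $errors  = @($events | Where-Object { $_.Id -ge 2000 -and $_.Id -le 2999 })
    New-Check 'Startup event 1000' ($started.Count -gt 0) "$($started.Count) event(s)"
    New-Check 'No error events 2000-2999' ($errors.Count -eq 0) (($errors.Id | Sort-Object -Unique) -join ',')

    # Step 4: outbound TCP 443 to the Intune endpoints
    foreach ($h in $Endpoints) {
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        New-Check "TCP 443 to $h" $r.TcpTestSucceeded $r.RemoteAddress
    }
}

Test-ConnectorHealth | Format-Table -AutoSize
```
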
If it still fails

Advanced Troubleshooting

If the above methods don't resolve the configuration failure, try these advanced troubleshooting steps:

Check Certificate Authority Configuration

Ensure your Certificate Authority is properly configured for NDES integration. Verify that the NDES service account has appropriate permissions on the CA and that certificate templates are published correctly.

Network Connectivity Issues

Run network diagnostics to ensure the connector server can communicate with Microsoft Intune services:

nslookup manage.microsoft.com
telnet manage.microsoft.com 443

Firewall and Proxy Configuration

Configure Windows Firewall to allow outbound HTTPS traffic on port 443. If using a proxy server, configure the connector to use proxy settings through the registry or netsh commands.

Certificate Store Verification

Check that required certificates are present in the local machine certificate store:

Get-ChildItem -Path Cert:\LocalMachine\My
Get-ChildItem -Path Cert:\LocalMachine\Root

Complete Reinstallation

If all else fails, perform a complete removal using the Microsoft Program Install and Uninstall troubleshooter, manually clean registry entries, and reinstall the connector with a fresh download from the Endpoint Manager admin center.

Frequently Asked Questions

Why does the Intune Certificate Connector configuration fail even when I'm logged in as administrator?
Windows User Account Control (UAC) prevents applications from automatically running with elevated privileges, even when launched by administrator accounts. The connector configuration wizard requires explicit administrative rights to modify system registry keys, configure services, and establish secure connections to Intune services. Running the wizard as administrator through the right-click context menu grants these necessary elevated privileges.
Can I permanently disable UAC to avoid this configuration issue?
While disabling UAC would prevent this specific issue, it's strongly discouraged as a permanent solution. UAC provides essential security protection against malicious software and unauthorized system changes. Instead, temporarily lower UAC settings during connector configuration, then restore them immediately afterward. Use Group Policy to manage UAC settings consistently across multiple servers if needed.
What permissions does the connector service account need on the Certificate Authority?
The connector service account requires 'Issue and Manage Certificates' permissions on the Certificate Authority, along with 'Read' and 'Enroll' permissions on relevant certificate templates. Additionally, the account needs 'Log on as a service' rights on the connector server and access to the NDES application pool if NDES is configured. These permissions enable the connector to process certificate requests and communicate with the CA effectively.
How do I verify that the connector is working properly after configuration?
Check the Microsoft Intune Certificate Connector Service status in services.msc, review Event Viewer logs under Applications and Services Logs → Microsoft Intune Certificate Connector for successful startup events, and test network connectivity to manage.microsoft.com on port 443. Create a test SCEP certificate profile in Endpoint Manager and deploy it to a test device to verify end-to-end certificate enrollment functionality.
What should I do if the connector configuration succeeds but certificate enrollment still fails?
Verify that certificate templates are properly published and configured for autoenrollment, check that the NDES service is running and accessible, ensure firewall rules allow communication between the connector and CA, and review SCEP profile settings in Endpoint Manager for correct CA selection and template mapping. Use the Intune troubleshooting blade to diagnose specific enrollment failures and check device-side certificate enrollment logs.
