The Intune Certificate Connector, a critical on-premises component for issuing and managing certificates through Microsoft Intune, has quietly transitioned to a defined, six-month support cycle. Starting now, each connector release comes with a built-in expiration date—and an out-of-support connector will silently stop functioning, breaking certificate issuance for managed devices. IT administrators can no longer treat this connector as set-and-forget infrastructure.

The change: a hard six-month support window for every connector version

Microsoft has not announced this change with a high-profile blog post or a major update notification. Instead, the company updated its lifecycle documentation for the Intune Certificate Connector. According to Microsoft’s support policy, each new connector version is supported for six months after its release. Once that window closes, the connector is considered out-of-support and will no longer work for SCEP or PKCS certificate requests.

The connector itself enforces this policy: if the installed version exceeds the six-month mark, it will periodically check for updates and, if an update is available, refuse to process certificate requests until it is upgraded. If no update is available on the server, the connector may continue to function but is unsupported and could stop at any time. This means that certificate deployment through Intune can suddenly break without warning if the connector is left unattended.

The six-month clock resets with each new general availability release. However, Microsoft also releases “hotfix” updates that include bug fixes and security patches; these hotfix releases do not extend the support window—the timeline remains tied to the original major version. Admins must therefore plan for a recurring maintenance task: checking for and applying connector updates at least twice a year.

What this means for you: a new recurring maintenance item

For IT administrators managing hybrid environments that rely on Intune certificate profiles for Wi-Fi, VPN, email, or device authentication, this change turns the certificate connector from a background service into a scheduled maintenance item akin to Windows patch management.

For general IT admins: You’ll need to incorporate connector health checks into your regular server maintenance routines. Set calendar reminders every five months—giving a one-month buffer—to check the installed version against Microsoft’s latest release. Ignoring this means certificate issuance will fail, potentially causing widespread user disruption. If you manage multiple connectors (often recommended for high availability), each instance must be updated individually.

For security and compliance teams: An out-of-support connector introduces risk. These connectors often run on Windows Server with elevated privileges, and without updates, they may be vulnerable to security flaws. A non-functional connector can also break compliance-enforcement scenarios where certificates are used for device compliance policies.

For helpdesk teams: Be prepared for an uptick in “cannot connect to Wi-Fi” or “email not syncing” tickets when a connector goes stale. Standard troubleshooting may not reveal the cause unless the team knows to check the connector status on the Intune Connector for Active Directory server.

For developers and automation engineers: If you’ve built scripts or tools to deploy or manage connectors, they now must include logic to check version support status and alert when the six-month window is nearing expiration. Any deployment pipeline should ensure the latest version is pulled from Microsoft’s official download.

How we got here: from evergreen to limited-lifecycle

The Intune Certificate Connector has been around since 2017, originally designed to bridge on-premises Active Directory Certificate Services with Intune. In its early years, the connector followed a loose update model—new features were released periodically, but older versions kept working for extended periods. Many administrators installed it once and forgot about it.

Over time, Microsoft has pushed for more frequent updates to align with the rapid cloud-release cadence. The connector moved from manual installation to supporting in-place upgrades, and Microsoft encouraged automatic updates. But the automatic update mechanism was never fully reliable; in some environments, it silently failed, leaving connectors on old code.

The shift to a six-month lifecycle appears to be part of a broader Microsoft initiative to keep on-premises components in step with cloud service changes. Similar policies now apply to other Intune connectors and agents. For example, the Microsoft Intune Connector for Active Directory also has a mandatory update cycle, though not always as strictly enforced. The rationale is clear: Microsoft wants to reduce support fragmentation and ensure that all connectors run the latest code for security and reliability. However, this also offloads the maintenance burden onto IT admins, who must now actively manage infrastructure that previously ran itself.

What to do now: verify your version and fix auto-update

The immediate task is to check whether your certificate connector is still supported and whether its auto-update mechanism is functioning. Here’s a step-by-step plan:

  1. Find your installed version. Log on to the Windows Server where the Intune Certificate Connector is installed. Open Programs and Features (or use PowerShell Get-Package -Name "Microsoft Intune Certificate Connector"). Note the version number.
  2. Check against the supported versions. Go to the Microsoft Learn page for the Intune Certificate Connector. Microsoft maintains a list of currently supported versions and their end-of-support dates. If your version is past that date, upgrade immediately.
  3. Download and run the latest installer. The latest version is always available from the Microsoft Intune admin center or from the official Microsoft Download Center. Running the installer from the server will perform an in-place upgrade, preserving your existing configuration. Reboot the server after the upgrade to ensure all changes take effect.
  4. Verify the automatic update service. The connector relies on the “Intune Connector for Active Directory” service to check for updates. Ensure this service is running and set to Automatic. In some environments, firewall rules or proxy settings prevent the connector from reaching Microsoft’s update servers. Open ports 443 to manage.microsoft.com and intune.microsoft.com. If you use a proxy, configure the connector to use it, either via the connector’s configuration file or system-wide settings.
  5. Test certificate issuance. After upgrading, create a test device configuration profile that uses a SCEP or PKCS certificate and deploy it to a test device. Confirm that the certificate is delivered successfully.
  6. Set a recurring calendar event. Every five months, repeat steps 1–2. If a new major version has been released, schedule an upgrade window.
  7. Monitor Microsoft’s Message Center. Microsoft occasionally posts connector lifecycle notifications in the Microsoft 365 admin center Message Center. Set up alerts for messages tagged with “Intune” to catch early warnings about critical updates.
  8. Consider multiple connectors. For high availability, Microsoft recommends installing at least two certificate connectors in your environment. This gives you the ability to upgrade one while the other continues to serve requests, avoiding downtime.

Outlook: more agent lifecycles in your future

This change is not likely a one-off. Microsoft’s direction for all Intune agents and connectors points toward mandatory, regular update cycles. Expect similar policies for the new Cloud PKI service and other bridging components. The era of ignore-it-and-it-works is ending for on-premises hybrid infrastructure. While that adds to the admin’s plate, it also brings more consistent security and fewer surprises—provided you stay on top of the schedule.

For now, the six-month clock on your current Intune Certificate Connector is ticking. Check it today.