PFX certificates issued using the Intune Certificate Connector: Fix your Intune Migration Configuration Issues


During the migration process, we identified a few dozen accounts that would have problems with certificate hashes after being migrated. We put those accounts on hold and came up with a fix for the issue, but before the fix can take effect, all PFX policies have to be regenerated. You can regenerate the policy yourself, or you can wait, and we'll do it for you. We recommend you do the regeneration yourself, so you can control the timing and make sure everyone in your organization is aware of the change.

NOTE: You only need to do this if you were notified on August 22 in the Office Message Center. The post is titled "Regenerate certificates issued using the Intune Certificate Connector to unblock your migration."

  1. Go to http://manage.microsoft.com and click the Policy node.
  2. Under Policy, click Configuration Policies.
  3. In the list of policies, select a template that has PKCS #12 (.PFX) in the name and then click Edit.



  4. In the General section, edit the Description. For example, add "updated <date>" and then click Save Policy.


  5. Repeat for all other policies based on the PKCS #12 (.PFX) template.

After the PFX policies are regenerated, some users may be prompted to enter their username and password. Also, Android users who use PFX and username/password authentication may need to reinstall their security credentials.

If Android users are prompted, it might look like this.

NOTE: The Android experience can vary greatly depending on the manufacturer. If you provide screenshots to your users, you may need to get screenshots for each Android model you support.

  1. Open Notifications.


  2. Tap a notification that says "You need to install security credentials from your workplace". You will see a dialog box like this, though it may vary somewhat depending on the phone manufacturer.


  3. Leave everything as-is and touch OK.

Your migration should now be unblocked for this issue. For more information about configurations that can block your Intune migration, see http://aka.ms/intunemigrationblockers.

Comments (1)

  1. Niki Davies says:

    Hi MS,

    Once I have amended the description in policies, you state that some users will be prompted to enter their username and password.
    There are no screenshots for this behavior with iOS devices; there are for Android. Would I be able to get screenshots for our comms? Does the username/password request appear in Company Portal, the Outlook app or on the home screen?
