Certificate connectors for Microsoft Intune

To support the use of certificates for authentication and the signing and encryption of email using S/MIME, Intune requires the use of a certificate connector. A certificate connector is software you install on an on-premises server. The connector enables cloud-managed devices to provision certificates from on-premises infrastructure, like an issuing Certificate Authority.

This article describes the available connectors, their lifecycle, prerequisites for use, and how to keep them up to date.

Available connectors

There are two certificate connectors for Intune. Each has its own uses and requirements.

PFX Certificate Connector for Microsoft Intune

The PFX Certificate Connector supports certificate deployment for PKCS #12 certificate requests and handles requests for PFX files imported to Intune for S/MIME email encryption for a specific user.

Tip

Prior to the August update for this connector, PKCS #12 certificate requests were handled by the Intune Certificate Connector. With the August update, the functionality for all PKCS certificate requests was consolidated in the PFX Certificate Connector, which supports auto-update of the connector to new versions and requires .NET Framework version 4.7.2.

The functionality of the Microsoft Intune Connector is not deprecated, and it can continue to be used with PKCS certificate profiles. However, if you do not use SCEP or otherwise require NDES, you can switch to the PFX Certificate Connector and remove NDES from your servers.

The PFX Certificate Connector:

  • Supports multiple instances of this connector for each Intune tenant. Each instance of the connector must install on a Windows Server and have access to the private key used to encrypt the passwords of the uploaded PFX files.

  • Can install on the same server that hosts an instance of the Microsoft Intune Connector.

  • Supports automatic updates to new versions. To automatically install new versions, the computer that hosts the connector must contact autoupdate.msappproxy.net on port 443. If the connector fails to automatically update, you can manually update the connector.

  • Supports certificate revocation (requires the connector to run version 6.2008.60.607 or later).

  • Has the same network requirements as managed devices.

    For more information, see Network endpoints for Microsoft Intune, and Intune network configuration requirements and bandwidth.

The Windows server where the connector installs:

  • Must run Windows Server 2012 R2 or later.
  • Must run the .NET 4.7.2 Framework.

To install the PFX Certificate Connector:

For guidance on installation of this connector, see Download, install, and configure the PFX Certificate Connector.

Microsoft Intune Connector

The Microsoft Intune Connector is sometimes referred to as the Microsoft Intune Certificate Connector. This connector supports certificate deployment when you use Simple Certificate Enrollment Protocol (SCEP) and have an Active Directory Certificate Services Certification Authority (CA). This type of CA is also referred to as a Microsoft CA.

When you use SCEP with a Microsoft CA, you must also configure the Network Device Enrollment Service (NDES). For that reason, this connector is often referred to as the NDES Certificate Connector.

If you use a third-party Certification Authority, you don't need to use this connector, and NDES isn't required.

The Microsoft Intune Connector:

  • Installs on a Windows server, which can also host an instance of the PFX Certificate Connector.

  • Supports up to 100 instances of this connector per tenant, with each instance on a separate Windows server. When you use multiple connectors:

    • All instances of the Microsoft Intune Connector in your environment should be at the same version.
    • Your infrastructure supports redundancy and load balancing, as any available connector instance can process your certificate requests.

  • Requires a manual update to install the new version of the connector. A manual update requires you to uninstall the current connector and then install the new version of the connector. Additional actions shouldn't be required.

  • Supports Federal Information Processing Standard (FIPS) mode. FIPS isn't required. When FIPS is enabled, you can issue and revoke certificates.

  • Has the same network requirements as managed devices.

    For more information, see Network endpoints for Microsoft Intune, and Intune network configuration requirements and bandwidth.

The Windows server where the connector installs:

  • Must run Windows Server 2012 R2 or later.
  • Must run the .NET 4.5 Framework. When this connector installs on the same server as the PFX Certificate Connector, you must use the .NET 4.7.2 Framework, which is required by the PFX connector.
  • Can't be the same server that hosts your issuing Certificate Authority (CA).
  • When used for SCEP with a Microsoft CA, requires access to a server that runs NDES. NDES runs on a Windows server and can run on the same server as this connector.

When NDES is required:

  • Internet Explorer Enhanced Security Configuration must be disabled on the server that hosts NDES and on the server that hosts the Microsoft Intune Connector.

  • The connector requires additional configuration to communicate with NDES. You'll find procedures for installing and configuring NDES alongside the procedures for installing the Microsoft Intune Connector.

    For more information about NDES, see Network Device Enrollment Service Guidance.

To install the Microsoft Intune Connector:

For guidance on installation of this connector, see Configure infrastructure to support SCEP with Intune.

Connector lifecycle

Periodically, updated versions of certificate connectors are released. Announcements for new connector releases appear in the What's New article for Intune and in the What's new for connectors section near the end of this article.

When a new version releases, support for the previous version is deprecated, with a limited grace period for its continued use. After the grace period expires, support for that deprecated version ends, and it can stop functioning at any time. The grace period is six months.

Plan to update a connector to the latest version at the first opportunity. Each connector has a different update path:

  • PFX Certificate Connector for Microsoft Intune - Supports automatic updates.
  • Microsoft Intune Connector - Requires a manual update.

Automatic update

When supported by the connector type and your environment, Intune can automatically update the connector to the latest version shortly after that connector version is released.

To update automatically, the server that hosts the connector must access the Azure update service:

  • Port: 443
  • Endpoint: autoupdate.msappproxy.net

When firewalls, infrastructure, or network configurations limit access for automatic update, resolve the blocking issues or manually update the connector to the new version.
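The following pre-flight script is an added example, not part of this article or of the connector installers. It checks the host prerequisites listed above for both connectors (Windows Server 2012 R2 or later, the .NET Framework level, no co-hosted issuing CA, IE Enhanced Security Configuration disabled when NDES is involved) and the auto-update endpoint reachability on port 443. The two switches and the result labels are assumptions made for this example; the .NET "Release" thresholds are Microsoft's published values for 4.5 (378389) and 4.7.2 (461808), and the Active Setup GUIDs are the well-known IE ESC component keys.

```powershell
# Added example (not from the Intune docs): pre-flight check for a server that will host
# an Intune certificate connector. Run in an elevated PowerShell session on that server.
# Parameters are assumptions for this example, not connector installer options.
param(
    [bool]$NeedsPfxConnector = $true,   # PFX connector (or co-hosting it) requires .NET 4.7.2
    [bool]$HostsNdes         = $false   # NDES/Intune Connector host: IE ESC must be disabled
)

$results = [ordered]@{}

# 1. Windows Server 2012 R2 (NT 6.3) or later
$os = [System.Environment]::OSVersion.Version
$results['OS >= Server 2012 R2'] = ($os -ge [version]'6.3')

# 2. .NET Framework: the Release DWORD under the v4 Full key identifies the installed version
#    (4.5 = 378389, 4.7.2 = 461808). Missing key -> $null -> check fails.
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndp -Name Release -ErrorAction SilentlyContinue).Release
$minRelease = if ($NeedsPfxConnector) { 461808 } else { 378389 }
$results[".NET Release >= $minRelease"] = ($release -ge $minRelease)

# 3. The connector must not share a server with the issuing CA (AD CS service name is CertSvc)
$results['Not an issuing CA host'] = -not (Get-Service -Name CertSvc -ErrorAction SilentlyContinue)

# 4. IE Enhanced Security Configuration (admins and users) must be off when NDES is involved
if ($HostsNdes) {
    $root = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $adminKey = Join-Path $root '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    $userKey  = Join-Path $root '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
    $adminOn = (Get-ItemProperty -Path $adminKey -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
    $userOn  = (Get-ItemProperty -Path $userKey  -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
    $results['IE ESC disabled'] = (($adminOn -ne 1) -and ($userOn -ne 1))
}

# 5. Auto-update endpoint reachable on TCP 443 (only the PFX connector auto-updates)
if ($NeedsPfxConnector) {
    $tnc = Test-NetConnection -ComputerName 'autoupdate.msappproxy.net' -Port 443 -WarningAction SilentlyContinue
    $results['autoupdate.msappproxy.net:443'] = [bool]$tnc.TcpTestSucceeded
}

# Report: any FAIL line is a blocker to resolve before installing or expecting auto-update
$results.GetEnumerator() | ForEach-Object {
    '{0,-34} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if ($results.Values -contains $false) { exit 1 }
```

A non-zero exit code lets the script gate an automated build of the connector host; a failed endpoint check points at the firewall or proxy path that will also block automatic updates later.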

Manual update

The process to manually update a certificate connector is the same as the process for reinstalling a connector.

You can manually update a certificate connector even when it supports automatic updates. For example, you can manually update the connector when your network configuration blocks an automatic update.

To reinstall a certificate connector:

  1. On the Windows server that hosts the connector, use Windows Apps and Features to uninstall the connector.

  2. To install the new version, use the procedure to install a new version of the connector. Be sure to check for any new or updated prerequisites when installing a newer version of a connector.

Connector status and version

In the Microsoft Endpoint Manager admin center, you can select a certificate connector to view information about its status and confirm its version:

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Go to Tenant administration > Connectors and tokens > Certificate connectors.

  3. Select a connector to view its status.

When viewing the connector status:

  • Deprecated connectors show with a Warning. After the six-month grace period, the warning changes to an Error.
  • Connectors that are beyond the grace period show an Error. These connectors are no longer supported and can stop working at any time.

What's new for connectors

Updates for the two certificate connectors are released periodically. When we update a connector, you can read about the changes here.

PFX Certificate Connector release history

The PFX Certificate Connector for Microsoft Intune supports automatic updates.

August 26, 2020

Version 6.2008.60.607 - Changes in this release:

  • Requires .NET Framework version 4.7.2.
  • Replaces the use of the Microsoft Intune Connector for PKCS certificate profiles. The PFX Certificate Connector is now the only connector required to use PKCS #12 or imported PFX certificates.
  • Adds support for using PKCS certificate profiles with all supported platforms except Windows 8.1.
  • Adds support for certificate revocation for Outlook S/MIME.

November 18, 2019

Version 6.1911.11.602 - Changes in this release:

  • Added S/MIME support for PFX Import.

May 17, 2019

Version 6.1905.0.404 - Changes in this release:

  • Fixed an issue where existing PFX certificates continued to be reprocessed, which caused the connector to stop processing new requests.

May 6, 2019

Version 6.1905.0.402 - Changes in this release:

  • The polling interval for the connector is reduced from 5 minutes to 30 seconds.

April 2, 2019

Version 6.1904.0.401 - Changes in this release:

  • This connector now supports automatic update.
  • Fixed an issue where the connector might fail to enroll to Intune after signing in to the connector with a global administrator account.

Microsoft Intune Connector release history

April 2, 2019

Version 6.1904.1.0 - Changes in this release:

  • Fixed an issue where the connector might fail to enroll to Intune after signing in to the connector with a global administrator account.
  • Includes reliability fixes to certificate revocation.
  • Includes performance fixes to increase how quickly PKCS certificate requests are processed.

Next steps

Create SCEP, PKCS, or PKCS imported certificate profiles for each platform you want to use. To continue, see the following articles: