Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
224
Views
0
Helpful
3
Replies

ISE and Microsoft Intune - graph.net certifcate expiring

Go to solution
Abdulaziz Loonat
Level 1
Level 1

‎04-29-2025 02:47 AM - edited ‎04-29-2025 02:47 AM

Currently set up use ISE MDM to authenicate Intune Devices (Windows 11). This is working as expected.

I got a notifcation that the Microsoft Graph.Net certifcate is expiring end of this month.

Am I correct in that I need to go to the url graph.windows.net in a browser and then exporting the certificate and import is back into ISE.

Some guidance would be much appreciated

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎04-29-2025 03:16 PM

First of all, you should not be using graph.windows.net, but rather graph.microsoft.com as stated in the Intune integration guide.
https://www.cisco.com/c/en/us/td/docs/security/ise/UEM-MDM-Server-Integration/b_MDM_UEM_Servers_CiscoISE/m_integrate-microsoft-endpoint-manager-intune.html#task_gvy_vnj_tnb

Secondly, MS rotated the certificates used for the Graph API endpoints several years ago as called out in my blog:
https://cs.co/ise-entraid#Intune

---

With those changes, ISE is now only required to have the DigiCert Global Root G2 CA certificate in Trusted Certificates store for the MDM lookups to work properly. Although this Root Certificate is installed in the Trusted Certificates store by default, you should ensure that the option for 'Trust for authentication within ISE' is enabled under the Usage options.

https://techcommunity.microsoft.com/t5/intune-customer-success/intune-certificate-updates-action-may-be-required-for-continued/ba-p/1839655

View solution in original post

0 Helpful
3 Replies 3

Go to solution
marce1000
Hall of Fame
Hall of Fame

‎04-29-2025 08:51 AM

 

        - FYIhttps://www.cisco.com/c/en/us/support/docs/field-notices/742/fn74227.html

  M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Go to solution
Abdulaziz Loonat
Level 1
Level 1

‎04-29-2025 09:07 AM

The ISE instance is 3.2 running patch 7 - which is not effected by the above advisory

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎04-29-2025 03:16 PM

First of all, you should not be using graph.windows.net, but rather graph.microsoft.com as stated in the Intune integration guide.
https://www.cisco.com/c/en/us/td/docs/security/ise/UEM-MDM-Server-Integration/b_MDM_UEM_Servers_CiscoISE/m_integrate-microsoft-endpoint-manager-intune.html#task_gvy_vnj_tnb

Secondly, MS rotated the certificates used for the Graph API endpoints several years ago as called out in my blog:
https://cs.co/ise-entraid#Intune

---

With those changes, ISE is now only required to have the DigiCert Global Root G2 CA certificate in Trusted Certificates store for the MDM lookups to work properly. Although this Root Certificate is installed in the Trusted Certificates store by default, you should ensure that the option for 'Trust for authentication within ISE' is enabled under the Usage options.

https://techcommunity.microsoft.com/t5/intune-customer-success/intune-certificate-updates-action-may-be-required-for-continued/ba-p/1839655

0 Helpful
Customers Also Viewed These Support Documents