We have the Certificate Connector for Microsoft Intune (v6.2301.1.0) installed on a Server 2019 box and were hitting errors in the CertificateConnector Operational event logs for the PKI Revoke Service and the PKI Create Service looking like this:
Error 5001 - HealthMessageUploadFailedAttempt
Pki Revoke Service:
Failed to upload health messages. Requeuing messages
System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
Error 3003 - RevokeDownloadFailure
Pki Revoke Service:
Failed to download Revocation requests.
ActivityId: xxxx
System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
Error 2 - Exception
Pki Create Service:
Microsoft.Intune.Connectors.Pki.AgentRenewalProcessor.Process threw an exception.
System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
Delete those 4 lines from either the GPO or the registry and the PKI Revoke service will it start downloading and uploading correctly. I can only assume that the app was written to try TLSv1.3 if it is mentioned in the registry and it will fail (at this time). Perhaps one day when TLSv1.3 is supported in Server 2019, it might work properly. Hope this helps someone else out there.