MS agent release notes

The performance of the Certification Authority snap‑in has been enhanced, resulting in much faster loading and navigation of issued certificates in high‑volume deployments.

SCM-13143

There is improved HTTP proxy compatibility by including the port number in the CONNECT request as well as the Host header.

SCM-12270

Startup no longer converts CA private keys to non‑exportable by default; this can be enabled via the PrivateKeyNonExportable registry setting.

SCM-13903

Fixed a regression in MS Agent 4.3 that caused certificate requests to fail for Active Directory Certificate Templates requiring manual SAN entry.

SCM-12534

Improved handling of network loss during initialization, which previously resulted in logging the error "The specified domain either does not exist or could not be contacted."

SCM-12995

Fixed an issue where CA names containing spaces were parsed incorrectly, preventing the CA’s AD Configuration container from being located during discovery.

SCM-13187

Resolved an issue where conflicting error codes caused incorrect permission‑related error messages to appear during enrollment.

SCM-13380

Fixed an issue where startup without SCM connectivity caused the CA console to hide existing certificate templates and delete the assigned template list when attempting to add a new one.

SCM-13922

The MS agent now saves the Template Enrollment Flags and Template General Flags into the local CA DB instead of setting it to 0. This is purely informational, most of these flags have no impact on the MS Agent. However, the Publish certificate in Active Directory Flag is now supported.

SCM-12032

There is improved connection to TLS-based proxy by including SNI information in the initial handshake.

SCM-12278

The MS Agent now supports renewal of the local CA certificate.

SCM-9611

There is improved logging to include more details during startup.

SCM-11876, SCM-11858

The MS Agent stopped processing commands from Sectigo Certificate Manager if during startup it could not start its revocation subsystem. This was usually caused by MS Agent being unable to connect to the required locations in Active Directory.

SCM-11760, SCM-11880

Error logs would contain entries for Failed to check CA permissions for Authenticated Users when language packs were installed on the MS Agent computer.

SCM-11834

Updating the local CA CRL was failing. This expired CRL would impact any enrollment requiring key escrow.

SCM-12178

Service failed to start if installed without the Proxy Enrollment to SCM feature.

SCM-11452

Certificate discovery wouldn’t find certificates for directory entries containing non-ASCII characters.

SCM-11021

Enrollments would fail if requested for a certificate template using options to supply subject information in the request, instead of building from AD.

SCM-11164

MS Agent would appear offline in SCM during heavy load of enrollment requests.

SCM-11550

Improved ability to stop the service under heavy request load.

SCM-11062

Enrollment failure if received before agent was fully initialized. The logs would show a “No template found by OID” error when this was occurring.

SCM-11055

Enrollment failure if the certificate template mapping in SCM included customized attributes.

SCM-11040

Enrollment failure if the certificate template enabled key archive, and the request came from Microsoft Windows Server 2022.

SCM-11129

Enrollment failure if the person’s name contained non-ASCII characters.

SCM-11047

To improve installation flexibility, the installation no longer creates the Microsoft Enterprise CA automatically but requires it to be done as a prerequisite. While this creates a new additional prerequisite, it allows the MS Enterprise CA to be set up with more flexibility and removes the requirement that the installation be performed by an Enterprise Admin.

The MS Agent no longer utilizes Java so the bundled JRE has been removed. This lowers the memory usages of the agent and allows for improved scalability.

Support for key archival with Key Storage Providers.

SCM-10011, SCM-10124

Fixed AD lookup of user/computer entity using LDAPS.

SCM-9987

Uploading discovery results has been improved to handle network connectivity issues better.

SCM-10170

Improved support for HTTP proxies that use TLS.

SCM-8417

Include the szOID_NTDS_CA_SECURITY_EXT(1.3.6.1.4.1.311.25.2) extension in locally issued certificates such as those used for registration authorities.

SCM-9226

Improvements to parallelize discovery tasks processing.

SCM-9089

Fixed discovery scan of MS CA in Active Directory subdomain to find certificates.

SCM-8078

Fixed issue of registration authority certificate having the wrong hostname in the Subject, when using Citrix FAS.

SCM-8853

If CRL is corrupted on startup of MS Agent, automatically reissue.

SCM-9029