[Enable HTTPS on Microsoft Connected Cache]

Step-by-step guide to enable HTTPS on Microsoft Connected Cache so Intune Win32 app downloads remain local. Covers prerequisites, generating a CSR on the cache node, CA signing, importing an unencrypted .crt, enabling HTTPS on Windows/Linux, validation, common troubleshooting, and network considerations.

Starting June 16, 2026, Intune will require HTTPS for Microsoft Connected Cache. Administrators must enable TLS on cache nodes to avoid CDN fallback and lost bandwidth savings.

Main feature/change and impact

Intune now enforces HTTPS delivery for Connected Cache. Connected Cache must present a valid TLS certificate on port 443. If not configured, devices will bypass local cache and use the CDN. This change preserves data integrity and prevents man-in-the-middle interruptions. Proper TLS keeps local app delivery performant and reduces external bandwidth use.

Practical implications

You must generate a CSR on each cache node; the node creates the private key. Sign the CSR with a CA trusted by clients, then import the unencrypted .crt file. Ensure software version 2.0.0.2112 or higher and port 443 availability. Allow required endpoints and bypass TLS inspection or permit the certificate chain. Follow platform-specific steps for Windows or Linux nodes.

“CSR generation completed successfully”

Enabling HTTPS requires specific operational steps and verification. After importing the certificate, validate end-to-end TLS and confirm clients trust the certificate. If issues occur, review the generateCsr logs under …\Certificates\logs and check SAN and Subject values. Finally, plan certificate lifecycle and renewal processes to avoid service disruption. Test in a single-node lab before rolling changes into production. Monitor cache behavior post-change to confirm clients use the local cache rather than the CDN.

Key points from the article:

Ensure cache node software version is 2.0.0.2112 or higher

Generate CSR on node to retain private key

Sign CSR with CA that clients trust, use .crt unencrypted

Bind certificate to port 443 and enable HTTPS

Validate end-to-end and check logs in Certificates\logs

Related Coverage:

• Building sovereign AI at the edge: Microsoft and Armada collaborate to deliver Azure Local on Galleon modular datacenters
• Microsoft named a Leader in 2026 Gartner® Magic Quadrant™ for Integration Platform as a Service
• Announcing three new partners for multi-tenant management with Microsoft Intune

From the Intune Customer Success articles

---