Security

Intune extension in ClearPass 6.12.4 has been behaved until now but just started using 90% CPU (User level), and more worryingly is not updating key attributes like Compliance status. My wireless dot1x policy requires Intune Compliance = Compliant, or InGracePeriod.

I have several cases now where the machine may have been of status 'nocompliance' briefly in Intune but had quickly resolved, however the status remained in the Intune extension populated endpoint attributes. I've tried Reinstall, Restart, changing some settings :  syncAllSchedule (30mins -> 60), syncUpdatedOnly (false -> true).

The changes managed to bring the (User) CPU level down to normal which was very low, but the sync issues remain.

As a related issue, I am still using a policy that uses the Endpoint DB as Auth, and so it is using the MAC address which I want to move away from. This might now be a more pressing issue because several users have begun failing auth, and on investigation I've found the Wi-Fi MAC in Intune has changed - by only character, as if Intune has grabbed the MAC of a different adapter if the order of adapters got rearranged on the client (i.e. MIcrosoft Virtual Adapter).  For this I assume I have to move to a policy of no auth and rely on authorization only - potentially via HTTP lookup.

Here is the extension config which is now version 6.4.1 after a recent update

{
    "logLevel": "INFO",
    "verifySSLCerts": true,
    "azureADEndpoint": "login.microsoftonline.com",
    "graphEndpoint": "graph.microsoft.com",
    "tenantId": "xxx",
    "clientId": "xxx",
    "clientSecret": "********",
    "syncPageSize": 50,
    "enableSyncAll": true,
    "syncAllSchedule": "*/60 * * * *",
    "syncUpdatedOnly": true,
    "syncAllOnStart": true,
    "ignoreEndpointDifferences": "Last Sync Date Time, Free Storage Space in Bytes",
    "enableEndpointCache": false,
    "endpointCacheTimeSeconds": 300,
    "intuneAttributes": null,
    "enableUserGroups": false,
    "userGroupUpdateSchedule": "*/30 * * * *",
    "bypassProxy": false,
    "enableStats": false,
    "statsUsername": "xxx",
    "statsPassword": "********"
}


Other observations:

• After deleting a problematic Endpoint from ClearPass, it will not add back from Intune via the extension. Even after restarts which is meant to perform a full sync and many hours later it has still not appeared. [edit - now assuming "updated" is relating to Intune context, not ClearPass, so extension skips without Intune information changing]
  • Work-around by turning the "synconlyupdated' back to false and restarting but this causes the CPU spike for ~20minutes
• With DEBUG turned on there is still no mention of problematic MAC addresses or Entra ID's in the logs. It mentions things like:
  
  [WARN] Unable to process a device <entra id> (No remaining MAC Addresses found for the device <entraid>.  No Endpoints to update.).
[ERROR] Intune - There was a problem loading existing endpoints for the device <entra id> (timeout of 10000ms exceeded).
[ERROR] Intune - There was an error adding an endpoint with the MAC Address <mac> to ClearPass. Request failed with status code 422
[ERROR] Intune - {
  validation_messages: [ 'Endpoint "<mac>" already exists' ],
  type: 'http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html',
  title: 'Unprocessable Entity',
  status: 422,
  detail: 'Endpoint "<mac>" already exists'
}
• As a work-around to the wrong MAC address (since it only affects a small number) I exported the Endpoint, modified the two entries of the wifi mac address then imported it back.

Intune extension in ClearPass 6.12.4 has been behaved until now but just started using 90% CPU (User level), and more worryingly is not updating key attributes like Compliance status. My wireless dot1x policy requires Intune Compliance = Compliant, or InGracePeriod.

I have several cases now where the machine may have been of status 'nocompliance' briefly in Intune but had quickly resolved, however the status remained in the Intune extension populated endpoint attributes. I've tried Reinstall, Restart, changing some settings :  syncAllSchedule (30mins -> 60), syncUpdatedOnly (false -> true).

The changes managed to bring the (User) CPU level down to normal which was very low, but the sync issues remain.

As a related issue, I am still using a policy that uses the Endpoint DB as Auth, and so it is using the MAC address which I want to move away from. This might now be a more pressing issue because several users have begun failing auth, and on investigation I've found the Wi-Fi MAC in Intune has changed - by only character, as if Intune has grabbed the MAC of a different adapter if the order of adapters got rearranged on the client (i.e. MIcrosoft Virtual Adapter).  For this I assume I have to move to a policy of no auth and rely on authorization only - potentially via HTTP lookup.

Here is the extension config which is now version 6.4.1 after a recent update

{
    "logLevel": "INFO",
    "verifySSLCerts": true,
    "azureADEndpoint": "login.microsoftonline.com",
    "graphEndpoint": "graph.microsoft.com",
    "tenantId": "xxx",
    "clientId": "xxx",
    "clientSecret": "********",
    "syncPageSize": 50,
    "enableSyncAll": true,
    "syncAllSchedule": "*/60 * * * *",
    "syncUpdatedOnly": true,
    "syncAllOnStart": true,
    "ignoreEndpointDifferences": "Last Sync Date Time, Free Storage Space in Bytes",
    "enableEndpointCache": false,
    "endpointCacheTimeSeconds": 300,
    "intuneAttributes": null,
    "enableUserGroups": false,
    "userGroupUpdateSchedule": "*/30 * * * *",
    "bypassProxy": false,
    "enableStats": false,
    "statsUsername": "xxx",
    "statsPassword": "********"
}


Other observations:

• After deleting a problematic Endpoint from ClearPass, it will not add back from Intune via the extension. Even after restarts which is meant to perform a full sync and many hours later it has still not appeared. [edit - now assuming "updated" is relating to Intune context, not ClearPass, so extension skips without Intune information changing]
  • Work-around by turning the "synconlyupdated' back to false and restarting but this causes the CPU spike for ~20minutes
• With DEBUG turned on there is still no mention of problematic MAC addresses or Entra ID's in the logs. It mentions things like:
  
  [WARN] Unable to process a device <entra id> (No remaining MAC Addresses found for the device <entraid>.  No Endpoints to update.).
[ERROR] Intune - There was a problem loading existing endpoints for the device <entra id> (timeout of 10000ms exceeded).
[ERROR] Intune - There was an error adding an endpoint with the MAC Address <mac> to ClearPass. Request failed with status code 422
[ERROR] Intune - {
  validation_messages: [ 'Endpoint "<mac>" already exists' ],
  type: 'http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html',
  title: 'Unprocessable Entity',
  status: 422,
  detail: 'Endpoint "<mac>" already exists'
}
• As a work-around to the wrong MAC address (since it only affects a small number) I exported the Endpoint, modified the two entries of the wifi mac address then imported it back.

Intune extension in ClearPass 6.12.4 has been behaved until now but just started using 90% CPU (User level), and more worryingly is not updating key attributes like Compliance status. My wireless dot1x policy requires Intune Compliance = Compliant, or InGracePeriod.

I have several cases now where the machine may have been of status 'nocompliance' briefly in Intune but had quickly resolved, however the status remained in the Intune extension populated endpoint attributes. I've tried Reinstall, Restart, changing some settings :  syncAllSchedule (30mins -> 60), syncUpdatedOnly (false -> true).

The changes managed to bring the (User) CPU level down to normal which was very low, but the sync issues remain.

As a related issue, I am still using a policy that uses the Endpoint DB as Auth, and so it is using the MAC address which I want to move away from. This might now be a more pressing issue because several users have begun failing auth, and on investigation I've found the Wi-Fi MAC in Intune has changed - by only character, as if Intune has grabbed the MAC of a different adapter if the order of adapters got rearranged on the client (i.e. MIcrosoft Virtual Adapter).  For this I assume I have to move to a policy of no auth and rely on authorization only - potentially via HTTP lookup.

Here is the extension config which is now version 6.4.1 after a recent update

{
    "logLevel": "INFO",
    "verifySSLCerts": true,
    "azureADEndpoint": "login.microsoftonline.com",
    "graphEndpoint": "graph.microsoft.com",
    "tenantId": "xxx",
    "clientId": "xxx",
    "clientSecret": "********",
    "syncPageSize": 50,
    "enableSyncAll": true,
    "syncAllSchedule": "*/60 * * * *",
    "syncUpdatedOnly": true,
    "syncAllOnStart": true,
    "ignoreEndpointDifferences": "Last Sync Date Time, Free Storage Space in Bytes",
    "enableEndpointCache": false,
    "endpointCacheTimeSeconds": 300,
    "intuneAttributes": null,
    "enableUserGroups": false,
    "userGroupUpdateSchedule": "*/30 * * * *",
    "bypassProxy": false,
    "enableStats": false,
    "statsUsername": "xxx",
    "statsPassword": "********"
}


Other observations:

• After deleting a problematic Endpoint from ClearPass, it will not add back from Intune via the extension. Even after restarts which is meant to perform a full sync and many hours later it has still not appeared. [edit - now assuming "updated" is relating to Intune context, not ClearPass, so extension skips without Intune information changing]
  • Work-around by turning the "synconlyupdated' back to false and restarting but this causes the CPU spike for ~20minutes
• With DEBUG turned on there is still no mention of problematic MAC addresses or Entra ID's in the logs. It mentions things like:
  
  [WARN] Unable to process a device <entra id> (No remaining MAC Addresses found for the device <entraid>.  No Endpoints to update.).
[ERROR] Intune - There was a problem loading existing endpoints for the device <entra id> (timeout of 10000ms exceeded).
[ERROR] Intune - There was an error adding an endpoint with the MAC Address <mac> to ClearPass. Request failed with status code 422
[ERROR] Intune - {
  validation_messages: [ 'Endpoint "<mac>" already exists' ],
  type: 'http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html',
  title: 'Unprocessable Entity',
  status: 422,
  detail: 'Endpoint "<mac>" already exists'
}
• As a work-around to the wrong MAC address (since it only affects a small number) I exported the Endpoint, modified the two entries of the wifi mac address then imported it back.

Ok managed to solve the different issues.

The 90% CPU spikes and timeouts in the logs were all related. For reasons I still don't fully understand, just enabling the endpointCache, and changing the endpointCacheTime to 900 fixed all of that. The 900 was from the Sample Config in the Aruba Tech Docs article. I'm not sure why mine was 300. The queries stopped timing out, the CPU dropped to low and didn't spike over 20% again, and the GUI is much more responsive.

    "enableEndpointCache": true,
    "endpointCacheTimeSeconds": 900,

I also switched over to HTTP lookup, and that is now working, however I came across something not mentioned anywhere that I could find - although HTTP lookup is only authorization, Clearpass would not let me create a Service without at least one Authentication Source with an error: Authentication Sources are not configured

I added the default [Endpoints Repository] [Local SQL DB] but this still meant that completely new devices to Clearpass would initially fail and not be looked up for Authorization attributes. I realize this is a bit of a corner case because if the device exists in Intune it should be populated to the Endpoints database, but in my case when troubleshooting I wanted to delete the endpoint and test as if it was a very new unknown device.

The fix for this was to create a new role for unknown entra devices with an Enforcement Profile that sets the Endpoint to Known state. Then on the next attempt it would be queried against the HTTP method to Intune and pulled down all the attributes against it's Intune ID in the SAN URI. This worked well and populated the Endpoints database with two different entries - one for the most recent wired MAC-address in Entra, and the other the Wi-Fi MAC-address used for the auth attempt.

With the HTTP method being used I also added these to the extension's config:
    "httpCacheTtlInSeconds": 30,
    "httpCacheMaxEntries": 100,

Original Message:
Sent: Jul 01, 2025 09:26 PM
From: BrendanMYS
Subject: Intune extension 6.4.1 using 90% CPU, not syncing updates correctly

Intune extension in ClearPass 6.12.4 has been behaved until now but just started using 90% CPU (User level), and more worryingly is not updating key attributes like Compliance status. My wireless dot1x policy requires Intune Compliance = Compliant, or InGracePeriod.

I have several cases now where the machine may have been of status 'nocompliance' briefly in Intune but had quickly resolved, however the status remained in the Intune extension populated endpoint attributes. I've tried Reinstall, Restart, changing some settings :  syncAllSchedule (30mins -> 60), syncUpdatedOnly (false -> true).

The changes managed to bring the (User) CPU level down to normal which was very low, but the sync issues remain.

As a related issue, I am still using a policy that uses the Endpoint DB as Auth, and so it is using the MAC address which I want to move away from. This might now be a more pressing issue because several users have begun failing auth, and on investigation I've found the Wi-Fi MAC in Intune has changed - by only character, as if Intune has grabbed the MAC of a different adapter if the order of adapters got rearranged on the client (i.e. MIcrosoft Virtual Adapter).  For this I assume I have to move to a policy of no auth and rely on authorization only - potentially via HTTP lookup.

Here is the extension config which is now version 6.4.1 after a recent update

{
    "logLevel": "INFO",
    "verifySSLCerts": true,
    "azureADEndpoint": "login.microsoftonline.com",
    "graphEndpoint": "graph.microsoft.com",
    "tenantId": "xxx",
    "clientId": "xxx",
    "clientSecret": "********",
    "syncPageSize": 50,
    "enableSyncAll": true,
    "syncAllSchedule": "*/60 * * * *",
    "syncUpdatedOnly": true,
    "syncAllOnStart": true,
    "ignoreEndpointDifferences": "Last Sync Date Time, Free Storage Space in Bytes",
    "enableEndpointCache": false,
    "endpointCacheTimeSeconds": 300,
    "intuneAttributes": null,
    "enableUserGroups": false,
    "userGroupUpdateSchedule": "*/30 * * * *",
    "bypassProxy": false,
    "enableStats": false,
    "statsUsername": "xxx",
    "statsPassword": "********"
}


Other observations:

• After deleting a problematic Endpoint from ClearPass, it will not add back from Intune via the extension. Even after restarts which is meant to perform a full sync and many hours later it has still not appeared. [edit - now assuming "updated" is relating to Intune context, not ClearPass, so extension skips without Intune information changing]
  • Work-around by turning the "synconlyupdated' back to false and restarting but this causes the CPU spike for ~20minutes
• With DEBUG turned on there is still no mention of problematic MAC addresses or Entra ID's in the logs. It mentions things like:
  
  [WARN] Unable to process a device <entra id> (No remaining MAC Addresses found for the device <entraid>.  No Endpoints to update.).
[ERROR] Intune - There was a problem loading existing endpoints for the device <entra id> (timeout of 10000ms exceeded).
[ERROR] Intune - There was an error adding an endpoint with the MAC Address <mac> to ClearPass. Request failed with status code 422
[ERROR] Intune - {
  validation_messages: [ 'Endpoint "<mac>" already exists' ],
  type: 'http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html',
  title: 'Unprocessable Entity',
  status: 422,
  detail: 'Endpoint "<mac>" already exists'
}
• As a work-around to the wrong MAC address (since it only affects a small number) I exported the Endpoint, modified the two entries of the wifi mac address then imported it back.

Good that you have find the root cause. Definitely good to have caching enabled. 

Regarding the auth source that is required. That is not completely true. The auth source is optional when you the auth method is TLS without authorization enabled.

For each authentication request ClearPass will do a lookup in Entra. It depends on your role mapping / enforcement policy if the device is allowed for the first time. 

Ok managed to solve the different issues.

The 90% CPU spikes and timeouts in the logs were all related. For reasons I still don't fully understand, just enabling the endpointCache, and changing the endpointCacheTime to 900 fixed all of that. The 900 was from the Sample Config in the Aruba Tech Docs article. I'm not sure why mine was 300. The queries stopped timing out, the CPU dropped to low and didn't spike over 20% again, and the GUI is much more responsive.

    "enableEndpointCache": true,
    "endpointCacheTimeSeconds": 900,

I also switched over to HTTP lookup, and that is now working, however I came across something not mentioned anywhere that I could find - although HTTP lookup is only authorization, Clearpass would not let me create a Service without at least one Authentication Source with an error: Authentication Sources are not configured

I added the default [Endpoints Repository] [Local SQL DB] but this still meant that completely new devices to Clearpass would initially fail and not be looked up for Authorization attributes. I realize this is a bit of a corner case because if the device exists in Intune it should be populated to the Endpoints database, but in my case when troubleshooting I wanted to delete the endpoint and test as if it was a very new unknown device.

The fix for this was to create a new role for unknown entra devices with an Enforcement Profile that sets the Endpoint to Known state. Then on the next attempt it would be queried against the HTTP method to Intune and pulled down all the attributes against it's Intune ID in the SAN URI. This worked well and populated the Endpoints database with two different entries - one for the most recent wired MAC-address in Entra, and the other the Wi-Fi MAC-address used for the auth attempt.

With the HTTP method being used I also added these to the extension's config:
    "httpCacheTtlInSeconds": 30,
    "httpCacheMaxEntries": 100,

Original Message:
Sent: Jul 01, 2025 09:26 PM
From: BrendanMYS
Subject: Intune extension 6.4.1 using 90% CPU, not syncing updates correctly

Intune extension in ClearPass 6.12.4 has been behaved until now but just started using 90% CPU (User level), and more worryingly is not updating key attributes like Compliance status. My wireless dot1x policy requires Intune Compliance = Compliant, or InGracePeriod.

I have several cases now where the machine may have been of status 'nocompliance' briefly in Intune but had quickly resolved, however the status remained in the Intune extension populated endpoint attributes. I've tried Reinstall, Restart, changing some settings :  syncAllSchedule (30mins -> 60), syncUpdatedOnly (false -> true).

The changes managed to bring the (User) CPU level down to normal which was very low, but the sync issues remain.

As a related issue, I am still using a policy that uses the Endpoint DB as Auth, and so it is using the MAC address which I want to move away from. This might now be a more pressing issue because several users have begun failing auth, and on investigation I've found the Wi-Fi MAC in Intune has changed - by only character, as if Intune has grabbed the MAC of a different adapter if the order of adapters got rearranged on the client (i.e. MIcrosoft Virtual Adapter).  For this I assume I have to move to a policy of no auth and rely on authorization only - potentially via HTTP lookup.

Here is the extension config which is now version 6.4.1 after a recent update

{
    "logLevel": "INFO",
    "verifySSLCerts": true,
    "azureADEndpoint": "login.microsoftonline.com",
    "graphEndpoint": "graph.microsoft.com",
    "tenantId": "xxx",
    "clientId": "xxx",
    "clientSecret": "********",
    "syncPageSize": 50,
    "enableSyncAll": true,
    "syncAllSchedule": "*/60 * * * *",
    "syncUpdatedOnly": true,
    "syncAllOnStart": true,
    "ignoreEndpointDifferences": "Last Sync Date Time, Free Storage Space in Bytes",
    "enableEndpointCache": false,
    "endpointCacheTimeSeconds": 300,
    "intuneAttributes": null,
    "enableUserGroups": false,
    "userGroupUpdateSchedule": "*/30 * * * *",
    "bypassProxy": false,
    "enableStats": false,
    "statsUsername": "xxx",
    "statsPassword": "********"
}


Other observations:

• After deleting a problematic Endpoint from ClearPass, it will not add back from Intune via the extension. Even after restarts which is meant to perform a full sync and many hours later it has still not appeared. [edit - now assuming "updated" is relating to Intune context, not ClearPass, so extension skips without Intune information changing]
  • Work-around by turning the "synconlyupdated' back to false and restarting but this causes the CPU spike for ~20minutes
• With DEBUG turned on there is still no mention of problematic MAC addresses or Entra ID's in the logs. It mentions things like:
  
  [WARN] Unable to process a device <entra id> (No remaining MAC Addresses found for the device <entraid>.  No Endpoints to update.).
[ERROR] Intune - There was a problem loading existing endpoints for the device <entra id> (timeout of 10000ms exceeded).
[ERROR] Intune - There was an error adding an endpoint with the MAC Address <mac> to ClearPass. Request failed with status code 422
[ERROR] Intune - {
  validation_messages: [ 'Endpoint "<mac>" already exists' ],
  type: 'http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html',
  title: 'Unprocessable Entity',
  status: 422,
  detail: 'Endpoint "<mac>" already exists'
}
• As a work-around to the wrong MAC address (since it only affects a small number) I exported the Endpoint, modified the two entries of the wifi mac address then imported it back.

Thanks Willem. So if the Authorization Required is disabled, does that simply mean attributes from that method are not available to be used in Role Mapping?

As far as I can see that means anyone with a valid cert would be able to connect - is that right? And that cert could be signed by any trusted publisher with client auth enabled? I'm a bit unsure of how targeted this would leave the authentication - although having it work first time would be a much better experience.

Good that you have find the root cause. Definitely good to have caching enabled. 

Regarding the auth source that is required. That is not completely true. The auth source is optional when you the auth method is TLS without authorization enabled.

For each authentication request ClearPass will do a lookup in Entra. It depends on your role mapping / enforcement policy if the device is allowed for the first time. 

Ok managed to solve the different issues.

The 90% CPU spikes and timeouts in the logs were all related. For reasons I still don't fully understand, just enabling the endpointCache, and changing the endpointCacheTime to 900 fixed all of that. The 900 was from the Sample Config in the Aruba Tech Docs article. I'm not sure why mine was 300. The queries stopped timing out, the CPU dropped to low and didn't spike over 20% again, and the GUI is much more responsive.

    "enableEndpointCache": true,
    "endpointCacheTimeSeconds": 900,

I also switched over to HTTP lookup, and that is now working, however I came across something not mentioned anywhere that I could find - although HTTP lookup is only authorization, Clearpass would not let me create a Service without at least one Authentication Source with an error: Authentication Sources are not configured

I added the default [Endpoints Repository] [Local SQL DB] but this still meant that completely new devices to Clearpass would initially fail and not be looked up for Authorization attributes. I realize this is a bit of a corner case because if the device exists in Intune it should be populated to the Endpoints database, but in my case when troubleshooting I wanted to delete the endpoint and test as if it was a very new unknown device.

The fix for this was to create a new role for unknown entra devices with an Enforcement Profile that sets the Endpoint to Known state. Then on the next attempt it would be queried against the HTTP method to Intune and pulled down all the attributes against it's Intune ID in the SAN URI. This worked well and populated the Endpoints database with two different entries - one for the most recent wired MAC-address in Entra, and the other the Wi-Fi MAC-address used for the auth attempt.

With the HTTP method being used I also added these to the extension's config:
    "httpCacheTtlInSeconds": 30,
    "httpCacheMaxEntries": 100,

Original Message:
Sent: Jul 01, 2025 09:26 PM
From: BrendanMYS
Subject: Intune extension 6.4.1 using 90% CPU, not syncing updates correctly

Intune extension in ClearPass 6.12.4 has been behaved until now but just started using 90% CPU (User level), and more worryingly is not updating key attributes like Compliance status. My wireless dot1x policy requires Intune Compliance = Compliant, or InGracePeriod.

I have several cases now where the machine may have been of status 'nocompliance' briefly in Intune but had quickly resolved, however the status remained in the Intune extension populated endpoint attributes. I've tried Reinstall, Restart, changing some settings :  syncAllSchedule (30mins -> 60), syncUpdatedOnly (false -> true).

The changes managed to bring the (User) CPU level down to normal which was very low, but the sync issues remain.

As a related issue, I am still using a policy that uses the Endpoint DB as Auth, and so it is using the MAC address which I want to move away from. This might now be a more pressing issue because several users have begun failing auth, and on investigation I've found the Wi-Fi MAC in Intune has changed - by only character, as if Intune has grabbed the MAC of a different adapter if the order of adapters got rearranged on the client (i.e. MIcrosoft Virtual Adapter).  For this I assume I have to move to a policy of no auth and rely on authorization only - potentially via HTTP lookup.

Here is the extension config which is now version 6.4.1 after a recent update

{
    "logLevel": "INFO",
    "verifySSLCerts": true,
    "azureADEndpoint": "login.microsoftonline.com",
    "graphEndpoint": "graph.microsoft.com",
    "tenantId": "xxx",
    "clientId": "xxx",
    "clientSecret": "********",
    "syncPageSize": 50,
    "enableSyncAll": true,
    "syncAllSchedule": "*/60 * * * *",
    "syncUpdatedOnly": true,
    "syncAllOnStart": true,
    "ignoreEndpointDifferences": "Last Sync Date Time, Free Storage Space in Bytes",
    "enableEndpointCache": false,
    "endpointCacheTimeSeconds": 300,
    "intuneAttributes": null,
    "enableUserGroups": false,
    "userGroupUpdateSchedule": "*/30 * * * *",
    "bypassProxy": false,
    "enableStats": false,
    "statsUsername": "xxx",
    "statsPassword": "********"
}


Other observations:

• After deleting a problematic Endpoint from ClearPass, it will not add back from Intune via the extension. Even after restarts which is meant to perform a full sync and many hours later it has still not appeared. [edit - now assuming "updated" is relating to Intune context, not ClearPass, so extension skips without Intune information changing]
  • Work-around by turning the "synconlyupdated' back to false and restarting but this causes the CPU spike for ~20minutes
• With DEBUG turned on there is still no mention of problematic MAC addresses or Entra ID's in the logs. It mentions things like:
  
  [WARN] Unable to process a device <entra id> (No remaining MAC Addresses found for the device <entraid>.  No Endpoints to update.).
[ERROR] Intune - There was a problem loading existing endpoints for the device <entra id> (timeout of 10000ms exceeded).
[ERROR] Intune - There was an error adding an endpoint with the MAC Address <mac> to ClearPass. Request failed with status code 422
[ERROR] Intune - {
  validation_messages: [ 'Endpoint "<mac>" already exists' ],
  type: 'http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html',
  title: 'Unprocessable Entity',
  status: 422,
  detail: 'Endpoint "<mac>" already exists'
}
• As a work-around to the wrong MAC address (since it only affects a small number) I exported the Endpoint, modified the two entries of the wifi mac address then imported it back.

Ok managed to solve the different issues.

The 90% CPU spikes and timeouts in the logs were all related. For reasons I still don't fully understand, just enabling the endpointCache, and changing the endpointCacheTime to 900 fixed all of that. The 900 was from the Sample Config in the Aruba Tech Docs article. I'm not sure why mine was 300. The queries stopped timing out, the CPU dropped to low and didn't spike over 20% again, and the GUI is much more responsive.

    "enableEndpointCache": true,
    "endpointCacheTimeSeconds": 900,

I also switched over to HTTP lookup, and that is now working, however I came across something not mentioned anywhere that I could find - although HTTP lookup is only authorization, Clearpass would not let me create a Service without at least one Authentication Source with an error: Authentication Sources are not configured

I added the default [Endpoints Repository] [Local SQL DB] but this still meant that completely new devices to Clearpass would initially fail and not be looked up for Authorization attributes. I realize this is a bit of a corner case because if the device exists in Intune it should be populated to the Endpoints database, but in my case when troubleshooting I wanted to delete the endpoint and test as if it was a very new unknown device.

The fix for this was to create a new role for unknown entra devices with an Enforcement Profile that sets the Endpoint to Known state. Then on the next attempt it would be queried against the HTTP method to Intune and pulled down all the attributes against it's Intune ID in the SAN URI. This worked well and populated the Endpoints database with two different entries - one for the most recent wired MAC-address in Entra, and the other the Wi-Fi MAC-address used for the auth attempt.

With the HTTP method being used I also added these to the extension's config:
    "httpCacheTtlInSeconds": 30,
    "httpCacheMaxEntries": 100,

Original Message:
Sent: Jul 01, 2025 09:26 PM
From: BrendanMYS
Subject: Intune extension 6.4.1 using 90% CPU, not syncing updates correctly

Intune extension in ClearPass 6.12.4 has been behaved until now but just started using 90% CPU (User level), and more worryingly is not updating key attributes like Compliance status. My wireless dot1x policy requires Intune Compliance = Compliant, or InGracePeriod.

I have several cases now where the machine may have been of status 'nocompliance' briefly in Intune but had quickly resolved, however the status remained in the Intune extension populated endpoint attributes. I've tried Reinstall, Restart, changing some settings :  syncAllSchedule (30mins -> 60), syncUpdatedOnly (false -> true).

The changes managed to bring the (User) CPU level down to normal which was very low, but the sync issues remain.

As a related issue, I am still using a policy that uses the Endpoint DB as Auth, and so it is using the MAC address which I want to move away from. This might now be a more pressing issue because several users have begun failing auth, and on investigation I've found the Wi-Fi MAC in Intune has changed - by only character, as if Intune has grabbed the MAC of a different adapter if the order of adapters got rearranged on the client (i.e. MIcrosoft Virtual Adapter).  For this I assume I have to move to a policy of no auth and rely on authorization only - potentially via HTTP lookup.

Here is the extension config which is now version 6.4.1 after a recent update

{
    "logLevel": "INFO",
    "verifySSLCerts": true,
    "azureADEndpoint": "login.microsoftonline.com",
    "graphEndpoint": "graph.microsoft.com",
    "tenantId": "xxx",
    "clientId": "xxx",
    "clientSecret": "********",
    "syncPageSize": 50,
    "enableSyncAll": true,
    "syncAllSchedule": "*/60 * * * *",
    "syncUpdatedOnly": true,
    "syncAllOnStart": true,
    "ignoreEndpointDifferences": "Last Sync Date Time, Free Storage Space in Bytes",
    "enableEndpointCache": false,
    "endpointCacheTimeSeconds": 300,
    "intuneAttributes": null,
    "enableUserGroups": false,
    "userGroupUpdateSchedule": "*/30 * * * *",
    "bypassProxy": false,
    "enableStats": false,
    "statsUsername": "xxx",
    "statsPassword": "********"
}


Other observations:

• After deleting a problematic Endpoint from ClearPass, it will not add back from Intune via the extension. Even after restarts which is meant to perform a full sync and many hours later it has still not appeared. [edit - now assuming "updated" is relating to Intune context, not ClearPass, so extension skips without Intune information changing]
  • Work-around by turning the "synconlyupdated' back to false and restarting but this causes the CPU spike for ~20minutes
• With DEBUG turned on there is still no mention of problematic MAC addresses or Entra ID's in the logs. It mentions things like:
  
  [WARN] Unable to process a device <entra id> (No remaining MAC Addresses found for the device <entraid>.  No Endpoints to update.).
[ERROR] Intune - There was a problem loading existing endpoints for the device <entra id> (timeout of 10000ms exceeded).
[ERROR] Intune - There was an error adding an endpoint with the MAC Address <mac> to ClearPass. Request failed with status code 422
[ERROR] Intune - {
  validation_messages: [ 'Endpoint "<mac>" already exists' ],
  type: 'http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html',
  title: 'Unprocessable Entity',
  status: 422,
  detail: 'Endpoint "<mac>" already exists'
}
• As a work-around to the wrong MAC address (since it only affects a small number) I exported the Endpoint, modified the two entries of the wifi mac address then imported it back.