Use the following steps to test the URL that is specified in the SCEP certificate profile. Don’t get confused between SCEP and Windows Defender or Endpoint Protection clients. There are 3 certificate profiles available in Intune, and those are Trusted Certificate, SCEP Certificate, and PKCS certificate. You can also Upload and email logs to support. The certificate is delivered to the device. Highlights configuration problems on an NDES server, as configured for use with Intune Standalone SCEP certificates. In Part 3, we already did a compare-and-contrast of the Intune SCEP workflow with the General SCEP Workflow, which brought us to the core component of the Intune SCEP PKI architecture – the Intune SCEP Certificate Connector. We have learned that Intune leverages this connector for automated SCEP Certificate Enrolment … For devices that run Windows, use the Windows Event logs to diagnose enrollment or device management issues for devices that you manage with Intune. The result should be: HTTP Error 403.0 – Forbidden. Intune SCEP Certificate Workflow. The certificate chain includes the Root CA certificate and the Intermediate/Issuing CA certificate. After the Network Device Enrollment Service (NDES) server receives the requested certificate for a … In this post, I will try to cover the knowledge acquired from the field to fix different issues of the Windows Defender or Endpoint Protection client (a.k.a. SCEP?). You can also find entries that resemble the following in the iOS debug log: On the Windows device, verify the certificate was delivered: Run eventvwr.msc to open Event Viewer. For devices that run iOS/iPadOS, you use debug logs and Xcode that runs on a Mac computer: Connect the iOS/iPadOS device to the Mac, and then go to Applications > Utilities to open the Console app. 
When the CA has issued the certificate, you'll see an entry similar to the following example on the CA: For device administrator enrolled devices, you'll see a notification similar to the following image, which prompts you to install the certificate: For Android Enterprise or Samsung Knox, the certificate installation is automatic and silent. If the account you used doesn't have an Intune license, the connector (NDESConnectorUI.exe) fails to get the certificate from Intune. If the value is still missing, it's often because of network connectivity issues between the server that hosts NDES and the Intune service. First of all, there is a very good knowledge base article that will guide you through all the steps: Troubleshoot the delivery of certificates provisioned by SCEP to devices in Microsoft Intune. Open a web browser, and then browse to that SCEP server URL. Use the information in this article to help you investigate delivery of certificates to devices when you use Simple Certificate Enrollment Protocol (SCEP) to provision certificates in Intune. Reproduce the problem, and then save the logs to a text file: The Company Portal log for iOS and iPadOS devices doesn't contain information about SCEP certificate profiles. First, we need to trust the public root certificate from SCEPman. NDES to policy module communication. Microsoft Intune allows third-party certificate authorities (CA) to issue and validate certificates using SCEP. Review the device. Deploy a SCEP certificate profile. A little background from the product description: Microsoft Intune allows third-party certificate authorities (CA) to issue and validate certificates using the Simple Certificate Enrollment Protocol … To troubleshoot this step, review errors that are logged in the device's debug log. You’ll need that exported root CA cert for this, and please don’t forget to deploy it before you deploy the SCEP profile. You can also review the device's OMADM log. This is also shown in the event log: ... 
as Intune … Troubleshooting Wi-Fi profile issues in Microsoft Intune. To identify problems in the communication and certificate provisioning workflow, review log files from both the server infrastructure and the devices. On the device, open Event Viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider. Review deployment of SCEP certificate profiles, Verify NDES configuration on-premises for SCEP certificates in Intune, Configure infrastructure to support SCEP with Intune, prerequisites for using SCEP certificate profiles, Explaining the architecture and the communication flow of the SCEP process, Helping you to narrow down where a problem exists in that communication flow, Identifying the key log files that are referenced in subsequent articles for troubleshooting certificate profiles. At some point in time you'd like to modify a package but you do … IIS logs show the certificate requests from mobile devices entering NDES. To get rid of the on-premises components we developed SCEPman. To collect the OMADM logs from a device, see Upload and email logs using a USB cable. Use the information in this article to help you investigate delivery of certificates to devices when you use Simple Certificate Enrollment Protocol (SCEP) to provision certificates in Intune. NDES passes the request to issue the certificate. Look for entries that resemble the following, which are logged when certificates install: On the iOS/iPadOS device, you can view the certificate under the Device Management Profile. Similar information for macOS is not available at this time. 
When an Intune-controlled device has obtained its authentication certificate through SCEP (as opposed to imported PKCS or manual import), and the SCEP-issued certificate gets revoked (i.e., revocation status is updated through OCSP and/or CRL), what mechanism is in place on the Intune side to send a new SCEP call to enforce a new certificate to be obtained? Intune generates a challenge string, which requires a specific user, certificate purpose, and certificate type. This article helps determine whether you have correctly configured your infrastructure to use Simple Certificate Enrollment Protocol (SCEP) certificates in Microsoft Intune. This Event should have a general description of: SCEP: Certificate installed successfully. Troubleshooting the Intune Certificate Connector can be challenging. Certificate delivery to the device. This could happen when a wrong trusted root certificate was selected in the SCEP certificate profile. The device uses the URI for NDES from the profile to contact the NDES server so it can present a challenge. This article can also be used to troubleshoot SCEP certificate deployment issues if your on-premises configuration has changed or is broken and needs validation. If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select Use proxy server. Understanding the process and autonomy gives you a good starting point to successfully determine the issue or even solve your problem. Device logs depend on the device platform: On-premises infrastructure that supports use of SCEP certificate profiles for certificate deployments includes the Microsoft Intune Certificate Connector, NDES that runs on a Windows Server, and the certification authority. You can use the Service Trace Viewer Tool to view this log file. Imagine you have a kind of source share for all the .intunewin files you have created. 
Troubleshoot device to NDES server communication for SCEP certificate profiles in Microsoft Intune Use the following information to determine if a device that received and processed an Intune Simple Certificate Enrollment Protocol (SCEP) certificate profile can successfully contact Network Device Enrollment Service (NDES) to present a challenge. Location: On the server that hosts NDES at c:\inetpub\logs\LogFiles\W3SVC1. Anyway, after spending quite a lot of hours troubleshooting the NDES/SCEP installation, I will try to sum up some tips for troubleshooting. Trying to implement SCEP with Intune … NDES forwards the challenge to the Intune Certificate Connector policy module on the server, which validates the request.