You can't issue SCEP certificates to devices in Intune after a certificate renewal

Applies to: Microsoft Intune

 

Symptoms


You use Microsoft Intune to assign Simple Certificate Enrollment Protocol (SCEP) certificates to devices that you manage. After you renew an expired certificate, new certificates can’t be assigned to the devices. When you open the NDESPlugin.log file, the log stops at "Sending request to certificate registration point."

Additionally, if you enable CAPI2 logging on the Network Device Enrollment Service (NDES) server, you receive the following error message:

 

Cause


This problem occurs because the NDES policy module still uses the thumbprint from an expired client authentication certificate. That certificate was selected when the NDES policy module or Intune Certificate Connector was first installed.

Resolution


To fix this problem, set the NDES policy module to use the new certificate. To do this, follow these steps on the NDES server:

  1. Use certlm.msc to open the local computer certificate store, expand Personal, and then click Certificates.
  2. In the list of certificates, find an expired certificate for which the following conditions are true:
     
    • The value of Intended Purposes is Client Authentication.
    • The value of Issued To or Common Name matches the NDES server name.
  3. Double-click the certificate to open the Certificate dialog box, click the Details tab, scroll down to Thumbprint, and then verify that the value matches the value of the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy\NDESCertThumbprint
  4. Click OK to close the Certificate dialog box, right-click the certificate, and then select All Tasks > Request Certificate with New Key.
  5. In the Certificate Enrollment dialog box, click Next, and then click More information is required to enroll for this certificate. Click here to configure settings.
  6. In the Certificate Properties dialog box, click the Subject tab, and then do the following:
     
    1. Under Subject name, click the Type drop-down box and select Common Name. In the Value box, enter the fully qualified domain name (FQDN) of the NDES server, then click Add. 
    2. Under Alternative name, click the Type list, and then select DNS.
    3. In the Value box, enter the FQDN of the NDES server, and then click Add.
  7. Click OK to close the Certificate Properties dialog box.
  8. Click Enroll, wait until the enrollment finishes successfully, and then click Finish.
  9. Double-click the new certificate, and then click the Details tab in the Certificate dialog box.
  10. Scroll down to locate and click Thumbprint, and then copy the hexadecimal string from the box.
  11. Start Notepad.
  12. Paste the hexadecimal string, remove the spaces between the hexadecimal characters, and then save it as a text file.

    Note If you receive a warning message about Unicode format, click OK.
  13. Reopen the text file, copy the thumbprint, and then paste it into the value of the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy\NDESCertThumbprint

    Note Don't copy any additional characters, such as the question mark at the beginning of the file.
  14. At an elevated command prompt, run the following command:

    iisreset
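The same check and update, performed from an elevated PowerShell session on the NDES server, as an added example that is not part of the original article: it lists the client-authentication certificates issued to the NDES server, shows which one the NDESCertThumbprint registry value currently references and whether it has expired, and then, once the replacement certificate has been enrolled (steps 4 through 8 above), writes the new thumbprint to the registry with spaces and any stray non-hexadecimal characters removed before restarting IIS. The server name ndes01.contoso.example is an assumed placeholder.

```powershell
# Added example (not from the original article): inspect and update the
# NDES policy module's client-authentication certificate thumbprint.
$ndesFqdn = 'ndes01.contoso.example'   # assumption: placeholder NDES server FQDN
$regPath  = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy'
$regName  = 'NDESCertThumbprint'

# Enhanced Key Usage OID for Client Authentication
$clientAuthOid = '1.3.6.1.5.5.7.3.2'

# Thumbprint the policy module currently uses; normalise to bare upper-case hex
$current = (Get-ItemProperty -Path $regPath -Name $regName).$regName
$current = ($current -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# Client-auth certificates in the local computer Personal store issued to the NDES server
$certs = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid -and
    ($_.Subject -like "*CN=$ndesFqdn*" -or $_.DnsNameList.Unicode -contains $ndesFqdn)
}

# Show each candidate, flagging the one the registry points at and whether it is expired
foreach ($c in $certs) {
    $inUse = if ($c.Thumbprint -eq $current) { '<- referenced by NDESCertThumbprint' } else { '' }
    $state = if ($c.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
    '{0}  {1}  expires {2:u}  {3}' -f $c.Thumbprint, $state, $c.NotAfter, $inUse
}

# Pick the newest unexpired certificate (the one enrolled with a new key)
$new = $certs |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $new) {
    throw 'No unexpired client-authentication certificate found for the NDES server.'
}

# The registry value must be the bare 40-character SHA-1 thumbprint:
# no spaces and no leading byte-order mark (the "question mark" Notepad can add)
$newThumb = ($new.Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($newThumb.Length -ne 40) {
    throw "Unexpected thumbprint length: $($newThumb.Length)"
}
Set-ItemProperty -Path $regPath -Name $regName -Value $newThumb

# Restart IIS so the NDES policy module reloads the updated thumbprint
iisreset
```

Run the listing part first and confirm that the referenced certificate is the expired one before letting the script overwrite the registry value; if more than one unexpired client-authentication certificate matches the server name, replace the automatic selection with the thumbprint of the certificate you enrolled.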