SCEP, the Simple Certificate Enrollment Protocol, lets a device enroll for a certificate by contacting an enrollment URL and presenting a shared secret (the SCEP challenge password). You can use Intune to deploy SCEP certificates to Windows devices.
If SCEP certificate deployment starts failing right after you renew the certificate of a root certification authority (CA) or an issuing CA, this post explains why that happens and how to resolve it.
There are several places where the failure shows up:
- The deployment status in the Intune portal reports the error.
- On the Windows 10 device, events 32 and 307 are logged in the device management Admin log.
- Event 30 is logged in the CAPI2 log.
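To look for these events directly on an affected device, here is an added PowerShell snippet; it is not part of the original post. The channel names Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin and Microsoft-Windows-CAPI2/Operational are my assumptions about where Windows writes these events, so confirm them with Get-WinEvent -ListLog on your build. The CAPI2 log is disabled by default, and the snippet warns about that rather than silently reporting "no events".

```powershell
# Added diagnostic; not from the original post. Run in an elevated PowerShell
# session on the affected Windows 10 device.
# Assumed log channel names (verify with: Get-WinEvent -ListLog *DeviceManagement*, *CAPI2*)
$MdmAdminLog = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$Capi2Log    = 'Microsoft-Windows-CAPI2/Operational'

function Get-ScepFailureEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    # Events 32 and 307 are the ones the post cites for a failed SCEP deployment.
    $mdm = Get-WinEvent -FilterHashtable @{
        LogName = $MdmAdminLog; Id = 32, 307; StartTime = $Since
    } -ErrorAction SilentlyContinue

    # Event 30 in CAPI2 gives the certificate chain context for the failure.
    # The CAPI2 log is disabled by default; enable it with:
    #   wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
    $capi = Get-WinEvent -FilterHashtable @{
        LogName = $Capi2Log; Id = 30; StartTime = $Since
    } -ErrorAction SilentlyContinue

    $logInfo = Get-WinEvent -ListLog $Capi2Log -ErrorAction SilentlyContinue
    if ($logInfo -and -not $logInfo.IsEnabled) {
        Write-Warning "$Capi2Log is disabled; enable it and retry the enrollment before trusting the CAPI2 result."
    }

    # Drop the $null placeholders that an empty query leaves behind.
    $found = @($mdm) + @($capi) | Where-Object { $_ }
    foreach ($e in $found) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Log     = $e.LogName
            Id      = $e.Id
            Message = ($e.Message -split "`r?`n")[0]   # first line of the message only
        }
    }
}

$events = Get-ScepFailureEvents | Sort-Object Time
if (-not $events) {
    'No SCEP failure events (32/307 in the MDM Admin log, 30 in CAPI2) in the last 24 hours.'
} else {
    $events | Format-Table -AutoSize
}
```

If events 32 and 307 appear but CAPI2 shows nothing, enable the CAPI2 log, trigger a sync from Settings or with a policy refresh, and rerun; event 30 is what tells you which certificate in the chain was rejected.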
The cause is that certificates previously issued by the CA, including the ones the NDES server itself uses, still refer to the old CA certificate. After the CA certificate is renewed, those chains no longer validate, so the devices treat the issued certificates as untrusted and enrollment fails.
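One way to confirm this on the NDES server before reinstalling anything is to check which CA certificate each locally issued certificate actually chains to. The following is an added PowerShell check, not code from the original post or from Microsoft: it assumes you have exported the renewed issuing CA certificate to a .cer file (the path below is an example) and that the NDES certificates live in the LocalMachine\My store, which is their default location.

```powershell
# Added check; not from the original post. Run as an administrator on the NDES
# server after exporting the renewed issuing CA certificate (DER or Base64 .cer).
# The path is an assumed example.
$RenewedCaCertPath = 'C:\Temp\IssuingCA-renewed.cer'

function Test-NdesCertificateChain {
    param(
        [string]$CaCertPath,
        [string]$StorePath = 'Cert:\LocalMachine\My'   # NDES RA certificates live here by default
    )

    $renewedCa = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaCertPath

    # Every certificate in the store that claims to be issued by this CA.
    # Issuer/Subject DN strings come from the same formatter, so a string compare is adequate here.
    $issued = Get-ChildItem $StorePath | Where-Object { $_.Issuer -eq $renewedCa.Subject }

    foreach ($cert in $issued) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $builds = $chain.Build($cert)

        # Element 0 is the leaf; element 1 is whichever CA certificate the chain engine selected.
        $issuerCert = $null
        if ($chain.ChainElements.Count -ge 2) { $issuerCert = $chain.ChainElements[1].Certificate }

        $issuerThumb = '(none)'
        if ($issuerCert) { $issuerThumb = $issuerCert.Thumbprint }

        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        if (-not $status) { $status = 'OK' }

        [pscustomobject]@{
            Subject            = $cert.Subject
            Thumbprint         = $cert.Thumbprint
            NotAfter           = $cert.NotAfter
            ChainBuilds        = $builds
            ChainedToRenewedCa = [bool]($issuerCert -and $issuerCert.Thumbprint -eq $renewedCa.Thumbprint)
            IssuerThumbprint   = $issuerThumb
            ChainStatus        = $status
        }
        $chain.Reset()
    }
}

# Rows with ChainedToRenewedCa = False, or ChainBuilds = False, are certificates still
# bound to the old CA certificate and are the ones the reinstall will reissue.
Test-NdesCertificateChain -CaCertPath $RenewedCaCertPath | Format-Table -AutoSize
```

Revocation checking is switched off so that an unreachable CRL does not mask the chain problem you are actually looking for; the ChainStatus column still reports untrusted-root and signature errors. Run the same function against the client's Cert:\LocalMachine\My store to see the device-side view of an already-deployed SCEP certificate.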
SCEP deployment to Windows devices fails after you renew the CA certificate
NDES (Network Device Enrollment Service) is a Microsoft role that allows devices without domain credentials to obtain certificates through SCEP. According to Microsoft, the fix is to reinstall both the NDES server role and the Microsoft Intune Connector on the NDES server. During the reinstallation, the NDES certificates are reissued against the renewed CA certificate, which resolves the issue.
The reinstallation is a three-step process: install the NDES server role, configure the NDES server, and create the SCEP profile in the Intune portal. Once it is running again, NDES handles each enrollment as follows:
- Generates one-time enrollment passwords and provides them to administrators
- Submits enrollment requests to the CA
- Retrieves the enrolled certificates from the CA and forwards them to the device
Interestingly, the problem is specific to Windows devices and does not happen on Android and iOS devices.
So if you run into this problem, reinstalling the NDES role and the Intune Connector is all that is needed; the reissued certificates chain to the renewed CA, and the SCEP deployments succeed again.