How To Troubleshoot Intune SCEP Certificate Issues

How To Troubleshoot Intune SCEP Certificate Error - Overview

If you are having issues with Intune SCEP certificate issuance and are confused by the “Error” status that comes with no additional information, this page will help you troubleshoot the most common causes of Intune SCEP certificate issuance failures.

The first troubleshooting step, if you are using EZCA, is to open EZCA and go to Certificate Authorities: if there is a misconfiguration in your CA, a red box with the error message is shown there. The two most common errors you will see in EZCA are described below. Note that the error message keeps being displayed for 24 hours after the underlying issue has been fixed:

Intune Application Not Registered

Intune Application Not Registered means that EZCA cannot communicate with Intune to issue the certificate. To solve this, use a Global Administrator account to register the Intune application. The process is very similar to the one you followed for the EZCA application, but it is a different application, the one that gives EZCA access to Intune. Once you have added the Intune application to your tenant, you can validate it in two ways: check Enterprise Applications in Azure AD, where you should see the three Keytos applications, or go to Settings in the EZCA portal and click “Test Domain Setup”, where you should see a green checkmark next to Intune Connection.

A SCEP Request Was Requested for CA ID but The CA is not Active

This error happens when Intune sends a SCEP request for a CA that has been deleted in EZCA (the CA ID in the request no longer belongs to an active CA). To solve it, go to Certificate Authorities in EZCA and make sure that the CA URL you are using in the Intune SCEP profile matches the CA URL of the active CA in EZCA.

How to Get Intune CA URL from EZCA

  1. Go to EZCA and click on Certificate Authorities.
  2. Click on the CA that you are using for Intune SCEP and click on “View Requirements”.
  3. Copy the CA URL and paste it into the Intune SCEP profile.
  4. Ensure that both the correct URL and the correct CA certificate are in your Intune SCEP profile.

How To Troubleshoot Intune SCEP in Windows

  1. Open Event Viewer.
  2. Go to Applications and Services Logs.
  3. Go to Microsoft.
  4. Go to Windows.
  5. Go to DeviceManagement-Enterprise-Diagnostics-Provider -> Admin.
  6. Look for the most recent SCEP error (you will also see generic MDM errors; make sure you are looking at a SCEP one).
  7. Look at the error message. If it reports a 400 error, the cause is most likely one of the EZCA-side errors described above.
  8. If it mentions the thumbprint not matching or a CA mismatch, the CA selected in the Intune SCEP profile is most likely not the CA that issued the certificate. Make sure that the “Root CA” in the Intune SCEP profile is the same as the issuing CA in EZCA.
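As an added example (not part of the original article), the following PowerShell does the same triage from a script instead of the Event Viewer GUI: it pulls recent events from the Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin log (the same log Event Viewer shows under the path above), keeps the SCEP-related ones, tags each with a hint for the two failure patterns described in steps 7 and 8, and then checks which certificates in a store were actually issued by the CA you expect. The regular expressions used to classify messages, the function names and their parameters are assumptions made for this example, not Intune or EZCA interfaces.

```powershell
function Get-IntuneScepEvents {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        [int]$MaxEvents = 500
    )
    # Same log Event Viewer shows under Applications and Services Logs >
    # Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin
    $logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    $filter  = @{ LogName = $logName; StartTime = (Get-Date).AddHours(-$Hours) }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'SCEP' } |        # drop the generic MDM noise
        ForEach-Object {
            $evt = $_
            # Heuristic classification (an assumption for this example): map the
            # message text to the failure patterns the article describes.
            $hint = switch -Regex ($evt.Message) {
                '\b400\b'             { 'HTTP 400 from the SCEP endpoint: check the CA URL and the Intune application registration in EZCA'; break }
                'thumbprint|mismatch' { 'CA mismatch: the Root CA in the Intune SCEP profile is not the CA that issued the certificate'; break }
                default               { 'Unclassified SCEP event: read the full message' }
            }
            [pscustomobject]@{
                TimeCreated = $evt.TimeCreated
                EventId     = $evt.Id
                Level       = $evt.LevelDisplayName
                Hint        = $hint
                Message     = ($evt.Message -replace '\s+', ' ').Trim()
            }
        }
}

function Test-ScepIssuerMatch {
    [CmdletBinding()]
    param(
        # Thumbprint of the EZCA issuing CA certificate (the one that should be in the SCEP profile)
        [Parameter(Mandatory)] [string]$ExpectedIssuerThumbprint,
        # SCEP user certificates land in CurrentUser\My, device certificates in LocalMachine\My
        [string]$StorePath = 'Cert:\CurrentUser\My',
        [string]$SubjectFilter = '*'
    )
    $expected = $ExpectedIssuerThumbprint -replace '\s', ''

    Get-ChildItem -Path $StorePath | Where-Object { $_.Subject -like $SubjectFilter } | ForEach-Object {
        $cert  = $_
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        # Offline check: we only care about which CA issued the leaf, not revocation
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $built = $chain.Build($cert)
        # ChainElements[0] is the leaf; [1] is whichever CA Windows found to have issued it
        $issuer = $null
        if ($chain.ChainElements.Count -ge 2) { $issuer = $chain.ChainElements[1].Certificate }
        $issuerThumb = $null
        if ($issuer) { $issuerThumb = $issuer.Thumbprint }
        [pscustomobject]@{
            Subject          = $cert.Subject
            Thumbprint       = $cert.Thumbprint
            NotAfter         = $cert.NotAfter
            ChainBuilt       = $built
            IssuerThumbprint = $issuerThumb
            MatchesExpected  = [bool]($issuerThumb -and $issuerThumb -eq $expected)
        }
        $chain.Reset()
    }
}

# Usage (replace the placeholder with the thumbprint EZCA shows for your issuing CA):
# Get-IntuneScepEvents -Hours 48 | Format-Table TimeCreated, EventId, Hint -AutoSize
# Test-ScepIssuerMatch -ExpectedIssuerThumbprint '<EZCA issuing CA thumbprint>' | Format-Table -AutoSize
```

A row with ChainBuilt set to False, or with an IssuerThumbprint that differs from the EZCA issuing CA, is the scripted equivalent of the “thumbprint not matching” message in step 8: the device holds a certificate whose chain does not lead to the CA the profile names.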

How To Troubleshoot Intune SCEP in macOS

To get the logs on macOS, open Terminal and run the following command:

log show --info --debug --predicate 'subsystem == "com.apple.SCEP"' --last 1h

This shows the last hour of SCEP logs; change --last 1h to --last 1d to get the last day of logs.
If you see an error containing “Error Domain=MDM-SCEP Code=15001 "Unable to create identity from signed certificate ==> -25300 (The specified item could not be found in the keychain.)"”, it means that the computer was not able to validate the CA that issued the certificate. Make sure that the CA certificate in the Intune SCEP profile is the same as the CA that issued the certificate.

How To Troubleshoot Intune SCEP in Android

Getting logs out of Android is more complicated than on Windows and macOS, so I recommend getting your profiles working on Windows and macOS first before moving to Android. The main difference between Android and Windows/macOS, if you are using a two-tier PKI (a Root CA and an Issuing CA), is that Android expects the CA certificate in the SCEP profile to be the Root CA certificate, not the intermediate (Issuing) CA certificate.

Are Intune SCEP Certificates Automatically Renewed?

Yes, Intune SCEP certificates are renewed automatically: Intune triggers the renewal and the device requests a new certificate when the current one is about to expire. You can control the renewal threshold in the Intune SCEP profile; the default is 20% of the certificate lifetime remaining before expiry.