Hello everyone, today we have a post from Intune Sr. Support Escalation Engineer and certificate expert Anzio Breeze. In this post, Anzio goes through the entire process of setting up the PKCS certificate infrastructure and assigning PFX certificates to Intune client devices, including detailed insight into the happenings under the covers and tips for troubleshooting should you encounter any issues. Whether you’ve already implemented PKCS or you’re just thinking about it, this post is one you’ll want to read and bookmark.
=====
With Microsoft Intune, you can give your users access to corporate resources through VPN, Wi-Fi, or email profiles, and when those connections authenticate with certificates your users don't have to enter a user name and password to connect. Intune can deploy these certificates to the devices you manage, and two types are supported: Simple Certificate Enrollment Protocol (SCEP) certificates, where the device generates its own key pair, and PKCS certificates, where the key pair is generated on your infrastructure and delivered to the device as a .PFX file.
Each certificate type has its own prerequisites and infrastructure requirements. In this article I walk through everything you need to get PKCS certificates configured in your environment and assigned to your users.
What is PFX / PKCS?
PFX (Personal Information Exchange) is the file format, defined by PKCS #12, for storing a private key together with its X.509 certificate (and optionally the issuing chain) in a single password-protected, encrypted archive. PKCS stands for "Public Key Cryptography Standards", a family of specifications that RSA Laboratories began publishing in the early 1990s; PKCS #12 is the member that defines this container.
Intune supports the use of private and public key pair (PKCS) certificates and includes built-in settings to use these certificates for access and authentication to your organization's resources. Certificates authenticate and secure access to your corporate resources, like a VPN or a Wi-Fi network, and are deployed to devices using device configuration profiles. The important difference from SCEP is where the private key is created: for PKCS the key pair is generated on the Intune Certificate Connector, packaged with the issued certificate into a .PFX, and transported to the device. That is why the template must allow the key to be exported, and why the Connector host and the path the .PFX travels deserve the same care as the CA itself.
Requirements
To use PKCS certificates with Intune, you'll need the following infrastructure:
- Active Directory domain: All servers listed in this section must be joined to your Active Directory (AD) domain.
- Certification Authority: An Enterprise Certification Authority (CA). Intune requires you to run AD Certificate Services (AD CS) with an Enterprise CA, not a standalone CA.
- A client: A domain-joined Windows computer that can connect to the Enterprise CA. This is where the Intune Certificate Connector is installed.
- Root certificate: An exported copy of the root certificate of your CA hierarchy (the .cer file, without the private key).
- Intune Certificate Connector (also called the NDES Certificate Connector), installed on the client above.
Configuration
Configuring and deploying PKCS certificates can be broken down into three main tasks. Note that this assumes you have already installed the Enterprise CA.
- Task A: Configuring certificate templates on the certification authority
- Task B: Installing and configuring the Intune Certificate Connector
- Task C: Creating and deploying a Trusted Root CA certificate profile and a PKCS #12 (.PFX) profile
I go through each of these individually, then we’ll take a look at the end user experience, talk about some of the log files used and cover a few troubleshooting tips.
Task A: Configuring certificate templates on the certification authority
1. On the issuing CA, use the Certificate Templates snap-in to create a new custom template, or copy an existing template (like the User template) and then edit it for use with PFX deployment. The key here is that the template must have the following configuration:
- Specify a friendly Template display name for the template:
- Make sure that Compatibility Settings are configured as shown below.
- On the Subject Name tab, select Supply in the request. The Connector supplies the subject from the profile, so the CA does not build it from Active Directory; this is also the reason the Enroll permission on this template has to be restricted (see the Security tab below).
- On the Extensions tab, ensure Application Policies includes Client Authentication and any other usage you require.
- On the Request Handling tab, Purpose should be Signature and Encryption. Allow private key to be exported must also be enabled, because the key pair is generated off the device and has to be packaged into the .PFX; without it every PFX request fails.
- On the Security tab, make sure SYSTEM has the permissions shown below.
- Add the computer account of the computer where the Intune Certificate Connector is going to be installed and grant it Read and Enroll. Keep Enroll on this template limited to that computer account: because the template accepts a subject supplied in the request and carries the Client Authentication usage, anyone who can enroll on it can obtain a logon certificate for any user name they choose.
2. Now we need to use the Certification Authority snap-in on the issuing CA to publish the certificate template.
- Start by selecting the Certificate Templates node, then click Action -> New -> Certificate Template to Issue and select the template we just created.
- Verify the template published by viewing it under the Certificate Templates folder:
- On the CA computer, make sure the computer that will host the Intune Certificate Connector is allowed to request certificates from the CA, so it can use the template behind the .PFX profile. Do that on the Security tab of the CA's properties by granting the Connector's computer account Request Certificates, as shown below:
NOTE: To revoke certificates, the account the Connector service runs as (SYSTEM, which reaches the CA as the Connector's computer account) also needs Issue and Manage Certificates rights on the CA for each certificate template used by a certificate profile.
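Clicking through two snap-ins is error-prone, so here is a way to check the Task A requirements from a script. This is an added example, not part of the original post and not an Intune or AD CS tool: it reads the template and Enrollment Services objects from the Configuration partition of Active Directory with plain ADSI, so it runs from any domain-joined machine. The template display name and the Connector computer name at the top are assumptions you must replace; the flag values come from the MS-CRTD specification and the Enroll right GUID from the AD schema.

```powershell
# Added example, not from the original post. Audits the PKCS template, its publication
# on an Enterprise CA, and who holds Enroll on it. Assumptions: the two values below.
$TemplateDisplayName = 'PFXTemplate'         # assumption: the template's display name
$ConnectorHost       = 'INTUNECONNECTOR01'   # assumption: Connector computer name, without the trailing $

$rootDse = [ADSI]'LDAP://RootDSE'
$pkiBase = "CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"

function Find-Ldap([string]$Base, [string]$Filter, [string[]]$Props) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$Base"
    $s.Filter = $Filter
    foreach ($p in $Props) { [void]$s.PropertiesToLoad.Add($p) }
    $s.FindAll()
}

# 1. Template flags (MS-CRTD): msPKI-Certificate-Name-Flag 0x1 = ENROLLEE_SUPPLIES_SUBJECT
#    ("Supply in the request"); msPKI-Private-Key-Flag 0x10 = EXPORTABLE_KEY.
$tpl = @(Find-Ldap $pkiBase "(&(objectClass=pKICertificateTemplate)(displayName=$TemplateDisplayName))" `
           @('cn','mspki-certificate-name-flag','mspki-private-key-flag','pkiextendedkeyusage','distinguishedname'))
if ($tpl.Count -ne 1) { throw "Template '$TemplateDisplayName' not found (or not unique) in AD" }
$t = $tpl[0].Properties
$checks = [ordered]@{
    'Subject name: Supply in the request' = ([int]$t['mspki-certificate-name-flag'][0] -band 0x1)  -ne 0
    'Private key exportable'              = ([int]$t['mspki-private-key-flag'][0]      -band 0x10) -ne 0
    'EKU includes Client Authentication'  = @($t['pkiextendedkeyusage']) -contains '1.3.6.1.5.5.7.3.2'
}

# 2. Publication. The Enrollment Services objects also hold the two values the PFX profile
#    needs: dNSHostName (Certification Authority) and cn (Certification Authority Name).
$cas = @(Find-Ldap "CN=Enrollment Services,$pkiBase" '(objectClass=pKIEnrollmentService)' @('cn','dnshostname','certificatetemplates'))
$publishedOn = @(foreach ($ca in $cas) {
    if (@($ca.Properties['certificatetemplates']) -contains $t['cn'][0]) {
        '{0}\{1}' -f $ca.Properties['dnshostname'][0], $ca.Properties['cn'][0]
    }
})
$checks['Published on an Enterprise CA'] = $publishedOn.Count -gt 0

# 3. Who can enroll. Enroll is the Certificate-Enrollment extended right
#    (GUID 0e10c968-78fb-11d2-90d4-00c04f79dc55); GenericAll implies it. Because the template
#    takes the subject from the request and carries Client Authentication, everyone on this
#    list can obtain a logon certificate for any user they name, so it should be short.
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$ga = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$er = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$entry = [ADSI]"LDAP://$($t['distinguishedname'][0])"
$enrollers = @($entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object {
        $r = $_.ActiveDirectoryRights
        $_.AccessControlType -eq 'Allow' -and (
            (($r -band $ga) -eq $ga) -or
            ((($r -band $er) -eq $er) -and ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq [guid]::Empty)))
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
$hostPattern = '\\' + [regex]::Escape($ConnectorHost) + '\$$'
$checks['Connector computer account can enroll'] = @($enrollers -match $hostPattern).Count -gt 0

$checks.GetEnumerator() | ForEach-Object { '{0,-42} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' }) }
"Published on: $($publishedOn -join '; ')"
"Principals with Enroll (review this list): $($enrollers -join '; ')"
```

The last line is the one to read slowly: if it lists Domain Users, Authenticated Users, or any broad group next to the Connector's computer account, the template is usable by far more than Intune, and the Supply-in-the-request setting turns that into an impersonation path. The "Published on" line gives you the exact FQDN and CA name pairs to type into the PFX profile in Task C.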
Task B: Installing and configuring the Intune Certificate Connector
1. Open the Microsoft Endpoint Manager admin center, and then click Intune -> Device Configuration -> Certificate Connectors -> Add -> Download Certificate Connector.
2. After the download completes, run the downloaded installer (ndesconnectorssetup.exe) as administrator. For .PFX certificates, be sure to run the installer on a computer that is able to connect to the Certification Authority. Choose the .PFX Distribution option, then click Install and configure the rest of the settings in the wizard.
3. Sign in when the Connector UI opens. Use a Global Administrator account for the tenant that also has an Intune license assigned, or the sign-in will fail.
4. Open a command prompt and run services.msc, then right-click the Intune Connector Service and click Restart.
Task C: Creating and deploying a Trusted Root CA certificate profile and a PKCS #12 (.PFX) profile
1. Export the root CA certificate as a .cer file. Do not export the private key. You will import this file when you configure the Trusted Certificate profile. If your issuing CA is subordinate to the root, deploy the issuing CA's certificate in a second Trusted Certificate profile as well, so that devices can build the full chain.
2. Create a Trusted Certificate profile. Here’s an example of an Android Root profile:
Here’s an example of an iOS Root profile:
3. Create a .PFX certificate profile. Here’s an example of an Android PFX profile:
Here’s an example of an iOS PFX profile:
Notes:
1. For Certification Authority, specify the internal FQDN of the certificate authority computer (e.g. Server1.domain.local)
2. For Certification Authority Name, specify the certificate authority name as displayed in the certification authority MMC. Look under Certification Authority (Local)
To confirm both values, run this command on the CA (certutil is a command-line tool, not a cmdlet); it reports the CA it connected to as <FQDN>\<CA name>, which is exactly what the two profile fields must contain:
certutil -config - -ping
4. With our profiles created, we now need to assign them to our groups. From the Intune portal, start by going to Device Configuration-> Profiles.
5. Select the profile you want to assign and choose Assignments. Include or exclude the groups of your choosing. Note that when you select a group you're choosing an Azure AD group; to select multiple groups, hold down the Ctrl key while making your selections. When done, be sure to save your changes.
Below are example screen shots for Android.
Android Trusted Root profile:
Android PFX profile:
iOS Trusted Root profile:
iOS PFX profile:
This completes the configuration and assignment of the profiles. Once the profiles reach the assigned devices they request and receive the Trusted Root CA certificate and the PFX certificate. Here's a simple look at the overall flow:
- The admin creates a PFX certificate profile.
- The Intune service asks the on-premises Intune Certificate Connector to create a new certificate for the user.
- The on-premises Intune Certificate Connector sends the PFX blob and the certificate request to the on-premises Microsoft Certificate Authority.
- The on-premises Microsoft Certificate Authority issues the certificate and sends the PFX user certificate back to the Connector.
- The Connector uploads the encrypted PFX user certificate to Intune.
- Intune decrypts the PFX user certificate, re-encrypts it for the device using the Device Management Certificate, and sends it to the device.
- The certificate status is reported back to Intune.
Note what this means for the private key: unlike SCEP, it is created off the device and passes, encrypted, through the Connector and Intune before it reaches the user. Treat the Connector host as part of your PKI tier: limit who can log on to it and who can read its PfxRequest and log folders.
The end user experience and log files used
First we’ll take a look at Android. Note that these screen shots were taken from a non-KNOX device.
You can also use a tool like My Certificates from the Google Play store to view them. Here’s what that looks like:
Android Log Files
- Company Portal (OMADMLOG) from the device
- svclog from the Intune Certificate Connector computer. By default this is found under C:\Program Files\Microsoft Intune\NDESConnectorSvc\Logs\Logs.
I typically like to use a tool like cmtrace from the Configuration Manager Toolkit to analyze the OMADMLOG logs. This allows you to use filter options to see specific activity in the log. I start by using "Certmgr" as the filter value to see only the certificate-manager activity.
Below I highlighted some key items to look for in the OMADMLog to validate that the ROOT and PFX certificates are successfully processing on the device. A few things to know when reading them: the root certificate is tracked by its SHA-1 thumbprint (17CECEA1...), while the PFX certificate is tracked by the RequestId that Intune assigned to it; the PFX request moves through a state machine that the log labels NativeScepCertInstallStateMachine and "SCEP cert" even though no SCEP is involved, so don't mistake those lines for a SCEP profile; and the "Waiting to process PFX certificate until user gives us access to existing certificate" entries mean the device is waiting for the user to accept the certificate-access prompt (on a non-KNOX device the private key is installed through the Android KeyChain, which requires that consent), after which the state goes CERT_ACCESS_REQUESTED -> CERT_ACCESS_GRANTED.
OMADMLog_0.log
2019-04-11T21:18:31.0290000 INFO com.microsoft.omadm.platforms.android.certmgr.state.NativeRootCertInstallStateMachine 8380 00588 Root cert '17CECEA1D337FAA7D167AD83A8CC7A8FCBF95C69' state changed from CERT_INSTALL_REQUESTED to CERT_INSTALL_REQUESTED
2019-04-11T21:18:31.2370000 INFO com.microsoft.omadm.platforms.android.certmgr.PfxCertificateManager 8380 00588 Found [le-PFXTemplate-6a881fa5-0866-4430-9cc1-f887e816953c] alias, IsCert: [false], IsKey: [true]
2019-04-11T21:18:31.3150000 INFO com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine 8380 00588 SCEP cert 'E67A52B1-430D-4CD3-A57B-10310FA8A847-2097371623' state changed from CERT_INSTALL_REQUESTED to CERT_INSTALL_REQUESTED
2019-04-11T21:18:31.3220000 VERB com.microsoft.omadm.platforms.android.certmgr.PfxCertificateManager 8380 00588 Successfully processed pfx certificate. PfxCertificateData converted into ClientCertificateState for install.
2019-04-11T21:21:12.8290000 INFO com.microsoft.omadm.platforms.android.certmgr.state.NativeRootCertInstallStateMachine 8380 00594 Root cert '17CECEA1D337FAA7D167AD83A8CC7A8FCBF95C69' state changed from CERT_INSTALLING to CERT_INSTALL_SUCCESS
2019-04-11T21:22:08.6310000 INFO com.microsoft.omadm.platforms.android.certmgr.PfxCertificateManager 8380 00602 Waiting to process PFX certificate until user gives us access to existing certificate. RequestId=E67A52B1-430D-4CD3-A57B-10310FA8A847-2097371623
2019-04-11T21:22:08.6330000 INFO com.microsoft.omadm.platforms.android.certmgr.PfxCertificateManager 8380 00602 Waiting to process PFX certificate until user gives us access to existing certificate. RequestId=E67A52B1-430D-4CD3-A57B-10310FA8A847-2097371623
2019-04-11T21:22:47.2400000 INFO com.microsoft.omadm.platforms.android.certmgr.CertInstallActivity 8380 00002 Installing private key for user certificate. RequestId: E67A52B1-430D-4CD3-A57B-10310FA8A847-2097371623
2019-04-11T21:22:47.5699999 VERB com.microsoft.omadm.platforms.android.certmgr.CertInstallActivity 8380 00002 Install requestCode '2' returned with result code: 0
2019-04-11T21:22:47.5699999 INFO com.microsoft.omadm.platforms.android.certmgr.CertInstallActivity 8380 00002 Installing user certificate. Key: E67A52B1-430D-4CD3-A57B-10310FA8A847-2097371623
2019-04-11T21:23:09.7860000 INFO com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine 8380 00608 SCEP cert 'E67A52B1-430D-4CD3-A57B-10310FA8A847-2097371623' state changed from CERT_INSTALLING to CERT_ACCESS_REQUESTED
2019-04-11T21:23:29.3360000 INFO com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine 8380 00612 SCEP cert 'E67A52B1-430D-4CD3-A57B-10310FA8A847-2097371623' state changed from CERT_ACCESS_REQUESTED to CERT_ACCESS_GRANTED
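Reading these transitions by eye works for one device; for a support queue it helps to let a script follow each certificate's state machine and say where it stopped. The following is an added example, not code from the original post or from Intune: it parses the line layout shown above (timestamp, level, class, pid, tid, message), and the sample lines are constructed from the entries above and shortened. The Company Portal log format and the state names are assumed to be as they appear in this post.

```powershell
# Added example, not from the original post. Triage for the Company Portal OMADMLog:
# follows the Root/PFX certificate state machines and reports a verdict per certificate.
# Sample lines constructed from the entries in the post.
$sample = @(
 "2019-04-11T21:18:31.0290000 INFO com.microsoft.omadm.platforms.android.certmgr.state.NativeRootCertInstallStateMachine 8380 00588 Root cert '17CECEA1D337FAA7D167AD83A8CC7A8FCBF95C69' state changed from CERT_INSTALL_REQUESTED to CERT_INSTALL_REQUESTED"
 "2019-04-11T21:18:31.3150000 INFO com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine 8380 00588 SCEP cert 'E67A52B1-430D-4CD3-A57B-10310FA8A847-2097371623' state changed from CERT_INSTALL_REQUESTED to CERT_INSTALL_REQUESTED"
 "2019-04-11T21:21:12.8290000 INFO com.microsoft.omadm.platforms.android.certmgr.state.NativeRootCertInstallStateMachine 8380 00594 Root cert '17CECEA1D337FAA7D167AD83A8CC7A8FCBF95C69' state changed from CERT_INSTALLING to CERT_INSTALL_SUCCESS"
 "2019-04-11T21:22:08.6310000 INFO com.microsoft.omadm.platforms.android.certmgr.PfxCertificateManager 8380 00602 Waiting to process PFX certificate until user gives us access to existing certificate. RequestId=E67A52B1-430D-4CD3-A57B-10310FA8A847-2097371623"
 "2019-04-11T21:23:09.7860000 INFO com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine 8380 00608 SCEP cert 'E67A52B1-430D-4CD3-A57B-10310FA8A847-2097371623' state changed from CERT_INSTALLING to CERT_ACCESS_REQUESTED"
 "2019-04-11T21:23:29.3360000 INFO com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine 8380 00612 SCEP cert 'E67A52B1-430D-4CD3-A57B-10310FA8A847-2097371623' state changed from CERT_ACCESS_REQUESTED to CERT_ACCESS_GRANTED"
)

function Get-CertStateReport([string[]]$Lines) {
    $line_re  = '^(?<ts>\S+)\s+(?<lvl>\S+)\s+(?<cls>\S+)\s+\d+\s+\d+\s+(?<msg>.*)$'
    $state_re = "^(?<kind>Root|SCEP) cert '(?<id>[^']+)' state changed from (?<from>\S+) to (?<to>\S+)"
    $wait_re  = 'Waiting to process PFX certificate until user gives us access.*RequestId=(?<id>\S+)'
    $certs = [ordered]@{}
    foreach ($l in $Lines) {
        if (-not ($l -match $line_re)) { continue }
        $ts = $Matches.ts; $lvl = $Matches.lvl; $msg = $Matches.msg   # copy before the next -match overwrites $Matches
        if ($msg -match $state_re) {
            $id = $Matches.id
            if (-not $certs.Contains($id)) {
                # "SCEP cert" is the log's label for NativeScepCertInstallStateMachine, which the PFX
                # request also goes through; the id is the PFX RequestId, not a SCEP artifact.
                $certs[$id] = [pscustomobject]@{ Id = $id; Kind = $Matches.kind; State = $null; LastSeen = $null; NeedsUser = $false; Errors = @() }
            }
            $certs[$id].State = $Matches.to
            $certs[$id].LastSeen = $ts
        } elseif ($msg -match $wait_re) {
            # Only PFX installs wait for the user's KeyChain consent, so this also identifies the kind.
            $id = $Matches.id
            if ($certs.Contains($id)) { $certs[$id].NeedsUser = $true; $certs[$id].Kind = 'PFX' }
        } elseif ($lvl -eq 'ERROR') {
            foreach ($c in $certs.Values) { if ($msg -like "*$($c.Id)*") { $c.Errors += "$ts $msg" } }
        }
    }
    foreach ($c in $certs.Values) {
        $verdict = if ($c.State -in 'CERT_INSTALL_SUCCESS', 'CERT_ACCESS_GRANTED') { 'OK' }
                   elseif ($c.NeedsUser) { 'WAITING FOR USER: certificate-access prompt not yet accepted' }
                   elseif ($c.Errors.Count -gt 0) { 'FAILED: ' + $c.Errors[0] }
                   else { 'STUCK IN ' + $c.State + ' since ' + $c.LastSeen }
        $c | Add-Member -NotePropertyName Verdict -NotePropertyValue $verdict -PassThru
    }
}

Get-CertStateReport $sample | Format-Table Kind, Id, State, Verdict -AutoSize
```

On the sample above both entries come out as OK. On a real log, replace `$sample` with `Get-Content OMADMLog_0.log` and look at any row that is not OK: a PFX row that says WAITING FOR USER is not a server-side problem at all, and the fix is to have the user accept the prompt on the device.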
On the Intune Certificate Connector computer, you will find a log file called NDESConnector_Date.svclog that contains valuable information about the processing of the PFX request. To view this log, I like to use Service Trace Viewer from the Windows SDK.
Below I put a box around some of the key entries showing a successful processing of the PFX request, issuance, and uploading of the PFX user certificate.
NDESConnector_Date.svclog
We can also validate the issuance of PFX user certificates on the MS Certificate Authority computer:
When the certificate is successfully processed, you will see the file associated with the PFX request in the following location:
C:\Program Files\Microsoft Intune\PfxRequest\Succeed
The file is readable with your favorite text editor. Below is a sample of some of the contents of the file using Notepad++:
Now let’s see what this looks like on an iOS device:
iOS Log Files
- Console Logs from the device
- svclog from the Intune Certificate Connector computer. By default this is found under C:\Program Files\Microsoft Intune\NDESConnectorSvc\Logs\Logs.
If you're not familiar with using a Mac to collect console logs from an iOS device, here's an example using a Mac running macOS Sierra 10.12 or later:
1. Open the Console app from the Launchpad or Spotlight and attach your iOS device to your Mac. Make sure you select Trust this Computer on the iOS device.
2. On the Action menu, enable Include Info Messages and Include Debug Messages:
3. From the Devices list on the left, select your iOS device:
4. Reproduce your issue.
5. To export the logs from the Console, the best way is to clear any search queries you may have, then go to the Menu Bar and select Edit -> Select All, then Edit -> Copy. You can then paste them into TextEdit to save the file in .txt format.
Here’s an example of a console log showing root certificate activity:
default 12:06:24.627809 -0400 securityd inserted <cert,rowid=20,cdat=2019-04-12 16:06:24 +0000,mdat=2019-04-12 16:06:24 +0000,ctyp=3,cenc=3,labl=17CECEA1D337FAA7D167AD83A8CC7A8FCBF95C69,alis=null,subj=31153013060A0992268993F22C64011916056C6F63616C311C301A060A0992268993F22C640119160C666F75727468636F66666565311830160603550403130F464F55525448434F46464545204341,issr=31153013060A0992268993F22C64011916056C6F63616C311C301A060A0992268993F22C640119160C666F75727468636F66666565311830160603550403130F464F55525448434F46464545204341,slnr=140BB89F305A23A54067B98F3D70CD3A,skid=61154CC9709E1A3BA1A266D3A5062D1C62666015,pkhh=61154CC9709E1A3BA1A266D3A5062D1C62666015,data=0c50:070000000AE80B0A...|e78d26b6cc651551,agrp=com.apple.certificates,pdmn=dku,sync=0,tomb=0,sha1=15A4A5C46F7610223C1B46B0BDDAFE35E04630C6,vwht=null,tkid=null,v_Data=<?>,v_pk=325B32CAAF5645C2BB111446C4AC81DECB32B224,accc=null,u_Tomb=null,musr=,UUID=32299FDB-42FF-4730-9293-032D4D0F08B2,sysb=null,pcss=null,pcsk=null,pcsi=null,persistref=>
debug 12:06:24.628193 -0400 securityd No CKKS view for (null), skipping: <cert,rowid=20,cdat=2019-04-12 16:06:24 +0000,mdat=2019-04-12 16:06:24 +0000,ctyp=3,cenc=3,labl=17CECEA1D337FAA7D167AD83A8CC7A8FCBF95C69,alis=null,subj=31153013060A0992268993F22C64011916056C6F63616C311C301A060A0992268993F22C640119160C666F75727468636F66666565311830160603550403130F464F55525448434F46464545204341,issr=31153013060A0992268993F22C64011916056C6F63616C311C301A060A0992268993F22C640119160C666F75727468636F66666565311830160603550403130F464F55525448434F46464545204341,slnr=140BB89F305A23A54067B98F3D70CD3A,skid=61154CC9709E1A3BA1A266D3A5062D1C62666015,pkhh=61154CC9709E1A3BA1A266D3A5062D1C62666015,data=0c50:070000000AE80B0A...|e78d26b6cc651551,agrp=com.apple.certificates,pdmn=dku,sync=0,tomb=0,sha1=15A4A5C46F7610223C1B46B0BDDAFE35E04630C6,vwht=null,tkid=null,v_Data=<?>,v_pk=325B32CAAF5645C2BB111446C4AC81DECB32B224,accc=null,u_Tomb=null,musr=,UUID=32299FDB-42FF-4730-9293-032D4D0F08B2,sysb=null,pcss=null,pcsk=null,pcsi=null,persistref=>
debug 12:06:24.667534 -0400 profiled Adding dependent www.windowsintune.com.credentials.17CECEA1D337FAA7D167AD83A8CC7A8FCBF95C69 to parent Microsoft.Profiles.MDM in domain ManagingProfileToManagedProfile to system
debug 12:06:24.667604 -0400 profiled Removing parent Microsoft.Profiles.MDM from domain ManagingProfileToManagedProfile orphan list.
debug 12:06:24.667653 -0400 profiled Adding dependent Microsoft.Profiles.MDM to parent www.windowsintune.com.credentials.17CECEA1D337FAA7D167AD83A8CC7A8FCBF95C69 in domain ManagedProfileToManagingProfile to system
debug 12:06:24.667713 -0400 profiled Removing parent www.windowsintune.com.credentials.17CECEA1D337FAA7D167AD83A8CC7A8FCBF95C69 from domain ManagedProfileToManagingProfile orphan list.
default 12:06:24.667772 -0400 keybagd 0x16b4c3000 KBUpdateKeyBag: Saved new keybag with result 0
default 12:06:24.667842 -0400 profiled taking platform fast path for key: re6Zb+zwFKJNlkQTUeT+/w
default 12:06:24.672869 -0400 profiled Profile “www.windowsintune.com.credentials.17CECEA1D337FAA7D167AD83A8CC7A8FCBF95C69” installed.
Here’s the activity surrounding the PFX certificate in the same log:
default 12:08:32.028354 -0400 securityd inserted <cert,rowid=25,cdat=2019-04-12 16:08:32 +0000,mdat=2019-04-12 16:08:32 +0000,ctyp=3,cenc=3,labl=d638b25d-8046-452b-8db7-e4c50861e835-10FA9FE58E2887C7CD2147F2318EE4F671A889C8,alis=null,subj=310F300D06035504031306414E5A494F42,issr=31153013060A0992268993F22C64011916056C6F63616C311C301A060A0992268993F22C640119160C666F75727468636F66666565311830160603550403130F464F55525448434F46464545204341,slnr=680000008073B060B979A18DE0000000000080,skid=855E416DAB26135361B45DDF72160D4A4BEBB589,pkhh=855E416DAB26135361B45DDF72160D4A4BEBB589,data=0f1c:070000000ACC110A...|8322d92afca08424,agrp=com.apple.identities,pdmn=dku,sync=0,tomb=0,sha1=C99A97AE969413E123C650F0A679F435894C1BFD,vwht=null,tkid=null,v_Data=<?>,v_pk=EF0B7E679E49650F90C01B8B4FF38CA42DDB1D44,accc=null,u_Tomb=null,musr=,UUID=97521040-80FE-4330-A394-B9DF768B4035,sysb=null,pcss=null,pcsk=null,pcsi=null,persistref=>
debug 12:08:32.028436 -0400 securityd No CKKS view for (null), skipping: <cert,rowid=25,cdat=2019-04-12 16:08:32 +0000,mdat=2019-04-12 16:08:32 +0000,ctyp=3,cenc=3,labl=d638b25d-8046-452b-8db7-e4c50861e835-10FA9FE58E2887C7CD2147F2318EE4F671A889C8,alis=null,subj=310F300D06035504031306414E5A494F42,issr=31153013060A0992268993F22C64011916056C6F63616C311C301A060A0992268993F22C640119160C666F75727468636F66666565311830160603550403130F464F55525448434F46464545204341,slnr=680000008073B060B979A18DE0000000000080,skid=855E416DAB26135361B45DDF72160D4A4BEBB589,pkhh=855E416DAB26135361B45DDF72160D4A4BEBB589,data=0f1c:070000000ACC110A...|8322d92afca08424,agrp=com.apple.identities,pdmn=dku,sync=0,tomb=0,sha1=C99A97AE969413E123C650F0A679F435894C1BFD,vwht=null,tkid=null,v_Data=<?>,v_pk=EF0B7E679E49650F90C01B8B4FF38CA42DDB1D44,accc=null,u_Tomb=null,musr=,UUID=97521040-80FE-4330-A394-B9DF768B4035,sysb=null,pcss=null,pcsk=null,pcsi=null,persistref=>
default 12:08:32.032275 -0400 securityd inserted <keys,rowid=88,cdat=2019-04-12 16:08:32 +0000,mdat=2019-04-12 16:08:32 +0000,kcls=1,labl=d638b25d-8046-452b-8db7-e4c50861e835-10FA9FE58E2887C7CD2147F2318EE4F671A889C8,alis=null,perm=1,priv=1,modi=1,klbl=855E416DAB26135361B45DDF72160D4A4BEBB589,atag=,crtr=0,type=42,bsiz=2048,esiz=2048,sdat=2001-01-01 00:00:00 +0000,edat=2001-01-01 00:00:00 +0000,sens=0,asen=0,extr=1,next=0,encr=0,decr=1,drve=0,sign=1,vrfy=0,snrc=0,vyrc=0,wrap=0,unwp=1,data=0dc2:070000000A940E0A...|6e0443ce15c808e4,agrp=com.apple.identities,pdmn=dku,sync=0,tomb=0,sha1=2081782186F5B6085780239E1EF2D48F36439600,vwht=null,tkid=null,v_Data=<?>,v_pk=9A1019D550781D62A72A3DD8DEE62BDDCB627C9C,accc=null,u_Tomb=null,musr=,UUID=987D10D9-AD41-49D2-90B0-97183F00446A,sysb=null,pcss=null,pcsk=null,pcsi=null,persistref=>
debug 12:08:32.032433 -0400 securityd No CKKS view for (null), skipping: <keys,rowid=88,cdat=2019-04-12 16:08:32 +0000,mdat=2019-04-12 16:08:32 +0000,kcls=1,labl=d638b25d-8046-452b-8db7-e4c50861e835-10FA9FE58E2887C7CD2147F2318EE4F671A889C8,alis=null,perm=1,priv=1,modi=1,klbl=855E416DAB26135361B45DDF72160D4A4BEBB589,atag=,crtr=0,type=42,bsiz=2048,esiz=2048,sdat=2001-01-01 00:00:00 +0000,edat=2001-01-01 00:00:00 +0000,sens=0,asen=0,extr=1,next=0,encr=0,decr=1,drve=0,sign=1,vrfy=0,snrc=0,vyrc=0,wrap=0,unwp=1,data=0dc2:070000000A940E0A...|6e0443ce15c808e4,agrp=com.apple.identities,pdmn=dku,sync=0,tomb=0,sha1=2081782186F5B6085780239E1EF2D48F36439600,vwht=null,tkid=null,v_Data=<?>,v_pk=9A1019D550781D62A72A3DD8DEE62BDDCB627C9C,accc=null,u_Tomb=null,musr=,UUID=987D10D9-AD41-49D2-90B0-97183F00446A,sysb=null,pcss=null,pcsk=null,pcsi=null,persistref=>
default 12:08:32.032495 -0400 securityd qPwoAZH4lhPxZbg9lO3QlzeGuh: will-commit api 1 changes, txn=<SecDbConnection rw open>, 0x13be01020
debug 12:08:32.032994 -0400 profiled Adding dependent d638b25d-8046-452b-8db7-e4c50861e835-10FA9FE58E2887C7CD2147F2318EE4F671A889C8 to parent 69646e740000000000000019 in domain PayloadDependencyDomainCertificate to system
debug 12:08:32.033112 -0400 profiled Removing parent 69646e740000000000000019 from domain PayloadDependencyDomainCertificate orphan list.
debug 12:08:32.033186 -0400 profiled Adding dependent 69646e740000000000000019 to parent d638b25d-8046-452b-8db7-e4c50861e835-10FA9FE58E2887C7CD2147F2318EE4F671A889C8 in domain PayloadDependencyDomainCertificateInv to system
debug 12:08:32.033277 -0400 profiled Removing parent d638b25d-8046-452b-8db7-e4c50861e835-10FA9FE58E2887C7CD2147F2318EE4F671A889C8 from domain PayloadDependencyDomainCertificateInv orphan list.
debug 12:08:32.033345 -0400 profiled Removing dependent d638b25d-8046-452b-8db7-e4c50861e835-10FA9FE58E2887C7CD2147F2318EE4F671A889C8 from parent 69646e740000000000000019 in domain PayloadDependencyDomainCertificate from system
debug 12:08:32.033398 -0400 profiled Adding parent 69646e740000000000000019 to domain PayloadDependencyDomainCertificate orphan list.
debug 12:08:32.033460 -0400 profiled Removing dependent 69646e740000000000000019 from parent d638b25d-8046-452b-8db7-e4c50861e835-10FA9FE58E2887C7CD2147F2318EE4F671A889C8 in domain PayloadDependencyDomainCertificateInv from system
debug 12:08:32.033593 -0400 profiled Adding parent d638b25d-8046-452b-8db7-e4c50861e835-10FA9FE58E2887C7CD2147F2318EE4F671A889C8 to domain PayloadDependencyDomainCertificateInv orphan list.
debug 12:08:32.033641 -0400 profiled Adding dependent d638b25d-8046-452b-8db7-e4c50861e835-10FA9FE58E2887C7CD2147F2318EE4F671A889C8 to parent 69646e740000000000000019 in domain PayloadDependencyDomainCertificate to system
debug 12:08:32.033691 -0400 profiled Removing parent 69646e740000000000000019 from domain PayloadDependencyDomainCertificate orphan list.
debug 12:08:32.033813 -0400 profiled Adding dependent 69646e740000000000000019 to parent d638b25d-8046-452b-8db7-e4c50861e835-10FA9FE58E2887C7CD2147F2318EE4F671A889C8 in domain PayloadDependencyDomainCertificateInv to system
debug 12:08:32.033872 -0400 profiled Removing parent d638b25d-8046-452b-8db7-e4c50861e835-10FA9FE58E2887C7CD2147F2318EE4F671A889C8 from domain PayloadDependencyDomainCertificateInv orphan list.
default 12:08:32.654966 -0400 profiled Profile “www.windowsintune.com.encryptedpayload.D638B25D-8046-452B-8DB7-E4C50861E835-2097371623” installed.
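The securityd entries are dense, but they carry everything needed to confirm which identity landed: the subj and issr fields are DER-encoded names shown as hex, pkhh on the cert row and klbl on the keys row are the same public-key hash (855E41...), which is how you know the key belongs to that certificate, and the root's labl (17CECEA1...) is the same SHA-1 thumbprint the Android log uses. What follows is an added example, not code from the original post or from Apple or Microsoft: a PowerShell parser for these entries that decodes the names with .NET's X500DistinguishedName. The sample lines are the PFX entries above trimmed to the fields used; one detail observed from the hex itself is that securityd logs only the RDN SET elements (the bytes start with 0x31), so the outer SEQUENCE of a DER Name has to be added back before decoding.

```powershell
# Added example, not from the original post. Parses securityd "inserted <cert,...>" /
# "<keys,...>" entries and decodes the hex subj/issr fields. Sample lines are the PFX
# entries from the post, trimmed to the fields used here.
$sample = @(
  'default 12:08:32.028354 -0400 securityd inserted <cert,rowid=25,ctyp=3,cenc=3,labl=d638b25d-8046-452b-8db7-e4c50861e835-10FA9FE58E2887C7CD2147F2318EE4F671A889C8,alis=null,subj=310F300D06035504031306414E5A494F42,issr=31153013060A0992268993F22C64011916056C6F63616C311C301A060A0992268993F22C640119160C666F75727468636F66666565311830160603550403130F464F55525448434F46464545204341,skid=855E416DAB26135361B45DDF72160D4A4BEBB589,pkhh=855E416DAB26135361B45DDF72160D4A4BEBB589,agrp=com.apple.identities,pdmn=dku,sync=0,sha1=C99A97AE969413E123C650F0A679F435894C1BFD>'
  'default 12:08:32.032275 -0400 securityd inserted <keys,rowid=88,kcls=1,labl=d638b25d-8046-452b-8db7-e4c50861e835-10FA9FE58E2887C7CD2147F2318EE4F671A889C8,klbl=855E416DAB26135361B45DDF72160D4A4BEBB589,bsiz=2048,extr=1,decr=1,sign=1,agrp=com.apple.identities,pdmn=dku,sync=0>'
)

function ConvertFrom-DerName([string]$Hex) {
    $rdns = New-Object byte[] ($Hex.Length / 2)
    for ($i = 0; $i -lt $rdns.Length; $i++) { $rdns[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16) }
    # The logged bytes are the RDN SETs only (first byte 0x31). A DER Name is SEQUENCE OF RDN,
    # so prepend the SEQUENCE tag (0x30) and a definite length before handing it to .NET.
    $len = $rdns.Length
    $hdr = if ($len -lt 0x80)       { [byte[]](0x30, $len) }
           elseif ($len -lt 0x100)  { [byte[]](0x30, 0x81, $len) }
           else                     { [byte[]](0x30, 0x82, ($len -shr 8), ($len -band 0xFF)) }
    [System.Security.Cryptography.X509Certificates.X500DistinguishedName]::new([byte[]]($hdr + $rdns)).Name
}

function Get-KeychainItems([string[]]$Lines) {
    foreach ($l in $Lines) {
        if (-not ($l -match 'securityd inserted <(?<class>cert|keys),(?<body>.*)>\s*$')) { continue }
        $class = $Matches.class
        $f = @{}
        foreach ($kv in ($Matches.body -split ',')) {   # key=value fields; none of the ones kept here contain commas
            $k, $v = $kv -split '=', 2
            $f[$k] = $v
        }
        [pscustomobject]@{
            Class         = $class
            Label         = $f['labl']      # cert: <profile GUID>-<SHA-1 thumbprint>; the key row carries the same label
            Subject       = $(if ($f['subj']) { ConvertFrom-DerName $f['subj'] })
            Issuer        = $(if ($f['issr']) { ConvertFrom-DerName $f['issr'] })
            PublicKeyHash = $(if ($class -eq 'cert') { $f['pkhh'] } else { $f['klbl'] })   # equal on both rows: key matches cert
            AccessGroup   = $f['agrp']
            Protection    = $f['pdmn']      # keychain data-protection class; the trailing "u" means this-device-only (sync=0 agrees)
            Extractable   = $f['extr']      # kSecAttrIsExtractable on the key row
        }
    }
}

Get-KeychainItems $sample | Format-List
```

The subject of the cert row decodes to CN=ANZIOB, which is the user the profile was assigned to, and the issuer decodes to the issuing CA's distinguished name with its DC components, so a mismatch here (wrong user, wrong CA) is visible without exporting anything from the device. For a full Console export, feed the saved .txt to `Get-KeychainItems` in place of `$sample`; entries with cdat/mdat fields pass through the same split, since those values contain no commas.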
The Connector-side and CA-side checks for an iOS PFX request are the same as described for Android above: the NDESConnector_Date.svclog entries on the Intune Certificate Connector computer, the issued certificate on the CA, and the request file under C:\Program Files\Microsoft Intune\PfxRequest\Succeed.
Troubleshooting Tips
1. Confirm that the Profile Configuration settings are correct. This is the most common problem area. Check for typos and make sure that Certificate Authority and Certificate Authority Name are correct.
- Certification Authority: This is the internal FQDN of the Certificate Authority computer (e.g. server1.domain.local)
- Certification Authority Name: This is the Certificate Authority Name as displayed in the certification authority MMC. Look under Certification Authority (Local)
To verify this info, you can also run this command on the CA:
certutil -config - -ping
Here’s another look at how we configured this in our example:
2. Check the device log for errors. This would be the Company Portal log (OMADMLOG) for Android and console logs for iOS.
3. Check NDESConnector_Date.svclog on the Intune Certificate Connector computer for errors. By default this is found in C:\Program Files\Microsoft Intune\NDESConnectorSvc\Logs\Logs.
4. Check the MS Certificate Authority for errors. Specifically, check the Failed Requests folder and look for errors:
5. Check the \Microsoft Intune\PfxRequest folders for any failed or stuck processing PFX requests.
If errors are found, a quick Bing search using the error messages found will usually put you on the right path to resolving any issues you may encounter.
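The certutil check in the Task C notes and tips 1, 3, 4 and 5 above are all things the Connector host can answer by itself. The script below is an added example, not part of the original post or of the Connector; it assumes the "Connecting to <host>\<CA name> ..." line that certutil prints, the Processing and Failed subfolders next to the Succeed folder shown earlier (Succeed is from the post; the other two names are assumptions), and the constructed svclog fragment embedded at the bottom so the parser can be tried on any machine. Service Trace Viewer is still the better tool for following a single request; this is for the first five minutes of a case.

```powershell
# Added example, not from the original post. Scripted checks for the troubleshooting
# tips, meant to run on the Connector host. Assumptions: folder names Processing/Failed,
# certutil's "Connecting to host\CA ..." output line, and the sample svclog fragment below.
$LogDir = 'C:\Program Files\Microsoft Intune\NDESConnectorSvc\Logs\Logs'
$PfxDir = 'C:\Program Files\Microsoft Intune\PfxRequest'

# Tip 1: what the profile's two CA fields must contain, straight from certutil.
function Get-CaConfigFromPing([string[]]$Lines) {
    foreach ($l in $Lines) {
        if ($l -match '^Connecting to (?<host>[^\\]+)\\(?<ca>.+?) \.\.\.') {
            return [pscustomobject]@{ CaHost = $Matches.host; CaName = $Matches.ca }
        }
    }
    throw 'certutil did not report a CA; run this on the CA, or pass -config "host\CA name"'
}

# Tip 3: a .svclog is a bare stream of <E2ETraceEvent> elements, so wrap it in a root
# element before treating it as XML, then keep the Error/Critical records.
function Get-SvclogErrors([string]$Xml) {
    $doc = [xml]("<root>$Xml</root>")
    $ns = New-Object System.Xml.XmlNamespaceManager $doc.NameTable
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/2004/06/E2ETraceEvent')
    $ns.AddNamespace('s', 'http://schemas.microsoft.com/2004/06/windows/eventlog/system')
    foreach ($ev in $doc.SelectNodes('/root/e:E2ETraceEvent', $ns)) {
        $sub = $ev.SelectSingleNode('e:System/s:SubType', $ns).GetAttribute('Name')
        if ($sub -notin 'Error', 'Critical') { continue }
        [pscustomobject]@{
            Time    = $ev.SelectSingleNode('e:System/s:TimeCreated', $ns).GetAttribute('SystemTime')
            Level   = $sub
            Message = $ev.SelectSingleNode('e:ApplicationData', $ns).InnerText.Trim()
        }
    }
}

# Tip 4: the CA's denied (Disposition 30) and failed (31) requests without opening the MMC.
function Get-CaFailedRequests([string]$CaConfig) {
    foreach ($d in 30, 31) {
        certutil -config $CaConfig -view -restrict "Disposition=$d" `
            -out 'Request.RequestID,Request.RequesterName,Request.SubmittedWhen,Request.StatusCode,Request.DispositionMessage'
    }
}

# Tip 5: anything in Failed, or anything sitting in Processing for long, is a request the
# Connector could not finish; Succeed holds the file shown earlier in the post.
function Get-PfxRequestSummary([string]$Root) {
    foreach ($sub in 'Processing', 'Failed', 'Succeed') {
        $p = Join-Path $Root $sub
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $files = @(Get-ChildItem -LiteralPath $p -File)
        [pscustomobject]@{
            Folder = $sub
            Count  = $files.Count
            Oldest = ($files | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
        }
    }
}

# Constructed svclog fragment (two records, one of them an error) for trying the parser
# on a machine that is not the Connector.
$svclogSample = @'
<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"><System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system"><SubType Name="Information">0</SubType><Level>8</Level><TimeCreated SystemTime="2019-04-11T21:18:20.000Z"/><Source Name="NDESConnector"/></System><ApplicationData>Constructed sample: PFX request received</ApplicationData></E2ETraceEvent>
<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"><System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system"><SubType Name="Error">0</SubType><Level>2</Level><TimeCreated SystemTime="2019-04-11T21:18:21.000Z"/><Source Name="NDESConnector"/></System><ApplicationData>Constructed sample: could not connect to CA "Server1.domain.local\Contoso Issuing CA"</ApplicationData></E2ETraceEvent>
'@

$latest = Get-ChildItem -Path $LogDir -Filter '*.svclog' -ErrorAction SilentlyContinue | Sort-Object LastWriteTime | Select-Object -Last 1
if ($latest) { Get-SvclogErrors (Get-Content -Raw -LiteralPath $latest.FullName) | Format-Table -AutoSize }
else         { Get-SvclogErrors $svclogSample | Format-Table -AutoSize }
Get-PfxRequestSummary $PfxDir | Format-Table -AutoSize
# On the CA (or from a machine with DCOM access to it):
#   $cfg = Get-CaConfigFromPing (certutil -config - -ping)
#   Get-CaFailedRequests "$($cfg.CaHost)\$($cfg.CaName)"
```

Two practical notes: svclog files grow large, and `Get-Content -Raw` reads the whole file into memory, so point it at the newest file only; and when the CA name contains spaces, keep the `"host\CA name"` string as one quoted argument, which is exactly how it must also appear in the profile.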
Anzio Breeze
Intune Senior Support Escalation Engineer
Microsoft
Post updates
6/17/21: updated PFX template property screenshot.