macOS - SCEP user certificate is not re-enrolled when the user deletes it from Keychain

Hi, we are facing a strange issue within Intune, where a manually deleted SCEP user certificate is not re-enrolled automatically based on the configuration profile. Also, this configuration profile is NOT marked as non-compliant even after a week of syncs for that device. And, most importantly, the SCEP configuration profile definition, from macOS's point of view, knows that the SCEP certificate is missing, because when you open the config profile within Settings/Device Management on macOS, there is an error saying "Not found in keychain". The documentation (https://learn.microsoft.com/en-us/mem/intune/protect/remove-certificates) says exactly the following:

"Manually deleted certificates: Manual deletion of a certificate is a scenario that applies across platforms and certificates provisioned by SCEP or PKCS certificate profiles. For example, a user might delete a certificate from a device, when the device remains targeted by a certificate policy. In this scenario, after the certificate is deleted, the next time the device checks in with Intune it's found to be out of compliance as it is missing the expected certificate. Intune then issues a new certificate to restore the device to compliance. No other action is needed to restore the certificate."

So it means that if a user deletes the SCEP user certificate from the keychain, no matter whether it was intentional or accidental, as long as I keep the SCEP configuration profile within Intune for that exact device and user, Intune must initiate re-enrolling/re-generating a new certificate based on this profile. This is not happening on our macOS laptops, and the only workaround I've got from MS Support is to remove the device from the configuration profile and then return it back... But imagine when you have 1000 macOS laptops and 100 users (extreme example, but it could happen, i.e. developers trying things) delete their certificates from Keychain. The whole action of removing devices and users from that profile is time wasting: first create special groups to include the affected devices and affected users, then add that group to the exclusions, wait a long time for all macOS devices to sync, then start removing those devices and users from the group to return the configuration profile back. Also, the comment from MS Support was that they cannot escalate the case to a different team, because I have selected an exact time zone and only they are responsible for that time zone (what a bullshit???), and that my case is already escalated within his team manager. But his team manager is as low-skilled and incompetent as the engineer who got my support case. And if the certificate is returned when I remove and re-add the config profile, then the case is finished (what another bullshit????) - but from my point of view it's not finished, because it's not a fix, it's a workaround, and a very complex, time- and money-wasting workaround. Note to Microsoft: Please STOP hiring low-skilled incompetent Indian support teams just because they cost less than European or United States engineers!!!! You are wasting our money, our time, our patience, and you want more and more money for your subscriptions while we are getting less and worse service.

Intune certificate connector redundancy configuration
Hello everyone. Although I am new to participating in the Community, I have been using Microsoft tools for some time, and more specifically Intune. I come to the Community to ask for help to improve our system. In my organization we have been using Intune for more than a year for the distribution of certificates for authentication on the corporate Wi-Fi. For this we have an offline certification authority and a certification authority that issues certificates (2-tier structure), and a second server where we have installed the NDES service; that same server also hosts the Intune Certificate Connector. Using an Intune SCEP template we distribute the certificates to the computers. This configuration works correctly, and during this time we have not detected any failures or problems in the system; but we are aware that we have a single point of failure: if the Intune connector or the server that hosts the NDES service is offline, the certificates will never reach the clients (another point of failure can also be the server that hosts the certification authority). For this reason we are thinking about a redundant system, and this is where our questions arise. After reading the documentation and reading that the Intune connector allows more than one instance to be installed, it occurs to me that the best way would be to install a second server with NDES and with another Intune connector. So far I understand that it would be a matter of following the procedure that we used to implement the first server; is this correct, or should I take some other issue into account? I have noticed that in the Intune SCEP template you can add more than one connection point (SCEP Server URLs), so we could add this second connector URL to that template. Would this be the correct way to proceed, or would I have to add a second certificate distribution template? We also have questions about the possibility of including a second certification authority to issue certificates; in that case, how should I proceed?

The NDES service only allows connecting to one certification authority; installing a second certification authority would let each of the servers with NDES point to one of those certification authorities. In that case, how should I configure the template in Intune: should it be two different templates, or could I include it in the same template? In this second configuration I also have questions about the revocation of the certificates. Currently I have a public IIS server that is responsible for this function; logic tells me that that server should host the revocations of the two certification authorities and that the OCSP configuration should include the two certification authorities. Is this right? Would there be any other issue that I should take into account when implementing this installation? Thank you very much in advance.

macOS SCEP certificate is not stored to login keychain
With macOS, Intune can distribute SCEP profiles, and we can specify the certificate type as "Device" or "User". However, the certificate is stored in the System keychain even if I specify the "User" certificate type. Does this only occur in my environment? Or is it by specification? nayuta

Android Enterprise SCEP user and device issuing errors
Hi, we are attempting to deliver Android Enterprise SCEP certificates (both user and device based) and both seem to fail. We have our environment set up for iOS SCEP and Android Device Admin SCEP certificates, and they work fine. Using the same settings in the Android Enterprise profiles, they fail with the error "0 (No error code)". Does anyone know of anything that might be causing this? I reached out to the networking team to look in the logs, but they don't see anything that sticks out that would cause this to fail.

Android Enterprise Wifi deployment using SCEP Cert problems
Hi all, I am trying to set up Android phones to connect to the Wi-Fi through a Wi-Fi profile. We use SCEP certificates. The trusted root certificate and the SCEP certificate deploy successfully to the device via Intune. The trusted root CA automatically gets put into the User store (don't know if this is causing the issue, as it's not in the System store). However, we can't see the deployed SCEP certificate on the phone without using an app called 'My Certificates'. This confirms that both the CA and SCEP certificate are on the device. The Wi-Fi profile is then sent to the device, and again this says successful in Intune, but the phone doesn't connect to the Wi-Fi. The SSID it is trying to connect to appears, but it doesn't connect. Looks like it tries connecting and then fails. Nothing can be seen on the network's ISE servers, so it doesn't even look like it's getting that far. Then I tried to add the Wi-Fi manually: WPA2 Enterprise. When I select the option to select a certificate, it shows the SSID name (must've got this from the Wi-Fi profile deployment) with '_NULL' at the end? Don't understand what this is or what it means? Tried selecting the null certificate, but this doesn't connect either. The connection we want to use is EAP-TLS. We DON'T use the Company Portal. The Android phones are fully managed corporate devices. The above method to deploy the certs and Wi-Fi profile works fine with iOS devices but not Android. Any help would be greatly appreciated. Thanks, SA

iOS: SCEP Enrollment - Certificate Renewal (Solved)
Dear Community, we successfully created a SCEP policy to push certificates to our iOS devices. It uses an on-premises NDES server and Microsoft PKI (via Azure Application Proxy). Certificates have a lifetime of 1 year. Does anyone know if Intune automatically starts a renewal process before the expiration date? I received information from one consultant that they are not automatically renewed. But this would mean I have to manually monitor each expiration date and somehow trigger the renewal. Can't imagine that this is the desired behaviour. Thanks a lot, Chris

Trusted certificate profile in Intune Stuck at Pending
We need to deploy our Root CA and subordinate issuing CA certificates to our Intune-managed AAD-only devices to support SCEP. We created a trusted certificate profile in Intune to provision these certs; however, this profile is stuck at pending... How do I troubleshoot what is going on? Microsoft, how have I failed you 😞

From "Configure infrastructure to support SCEP certificate profiles with Microsoft Intune | Microsoft Learn": "Intune supports use of the Simple Certificate Enrollment Protocol (SCEP) to authenticate connections to your apps and corporate resources. SCEP uses the Certification Authority (CA) certificate to secure the message exchange for the Certificate Signing Request (CSR). When your infrastructure supports SCEP, you can use Intune SCEP certificate profiles (a type of device profile in Intune) to deploy the certificates to your devices. To use a SCEP certificate profile, devices must trust your Trusted Root Certification Authority (CA). Use a trusted certificate profile in Intune to provision the Trusted Root CA certificate to users and devices."

Microsoft Intune Certificate Connector causes high CPU Usage
Hi all, we have set up SCEP with our on-prem environment and Intune, which is working fine so far. We discovered that the process "Microsoft.Intune.Connectors.PkiRevoke" is eating up all the CPU. We are just using SCEP and the revoke part of the connector, not PKCS. Does anybody know what could cause this issue? Many thanks for your help. Best regards, Marc

iOS SCEP Device Certificate deployment fails
Hello everyone, I am a complete Intune newbie and am currently trying to distribute a certificate via Intune to our macOS and iOS devices, which is to be used to establish the WLAN connection. On the MacBooks this now works. On the iOS devices I unfortunately can't get it to work. I have four configuration profiles for iOS:
1.) Root-CA
2.) Intermediate-CA
3.) SCEP Device Certificate
4.) WiFi
The first two profiles get distributed. I can also see that the Root and the Intermediate CA are installed on the device. Profiles 3 and 4, however, have the status Error. For the SCEP Device profile no error message is shown at all; for WiFi: -2016314109 (22003:Invalid RAResponse). I could imagine that the error from the WiFi profile is a follow-on error from the missing SCEP certificate. Can anyone help me here? Has anyone had similar problems? Where can I find log files in which I can find more information? Matthias

Android Enterprise (Device Owner) profile delivery (Solved)
Is anyone else experiencing issues with Device Owner SCEP and WiFi profile delivery? It's failing for newly enrolled devices as of this week, but was being delivered successfully previously. State Details: 0 (No error code)