Is the certificate chain deployed as well? Anything in NDES logs?
Intune - Deploy Scep profile for Windows Hello is failing
I'm deploying a SCEP cert for end users to enable them to run RDP with Windows Hello, following this guide:
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs?source=recommendations#deploy-certificates-via-intune
It's failing on the client side before it sends the request to the SCEP endpoint.
Eventid 32 - SCEP: Certificate enroll failed. Result: (Unknown Win32 Error code: 0x82ab0011).
Eventid 306 - SCEP: CspExecute for UniqueId : (ModelName_AC_d2dbf036-07f2-40e7-a037-8b09d2c83497_LogicalName_cba88808_6ffc_42cf_9b9a_f90b7d72f470_Hash_-312281387) InstallUserSid : (NULL) InstallLocation : (user) NodePath : (clientinstall) KeyProtection: (0x0) Result : (Unknown Win32 Error code: 0x82ab0011).
Eventid 404 - MDM ConfigurationManager: Command failure status. Configuration Source ID: (E8C1809E-5606-4C94-A3BB-A76212A1207E), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (ClientCertificateInstall), Command Type: (Execute), CSP URI: (./User/Vendor/MSFT/ClientCertificateInstall/SCEP/ModelName_AC_d2dbf036-07f2-40e7-a037-8b09d2c83497_LogicalName_cba88808_6ffc_42cf_9b9a_f90b7d72f470_Hash_-312281387/Install/Enroll), Result: (Unknown Win32 Error code: 0x82ab0011).
Any idea?
Mtengmo 1 Reputation point
2022-11-29T21:46:11.88+00:00 Yes, the trusted CA is also deployed (Intune blocks the SCEP profile until it's also deployed).
Nothing in the NDES IIS logfile. The endpoint URL is working fine.
Rahul Jindal [MVP] 9,151 Reputation points MVP
2022-11-30T08:00:48.377+00:00 Is the device AAD or HAADJ? What is the status in Intune?
Matt Holland 0 Reputation points
2023-03-12T10:03:03.02+00:00 Did you find the solution to this issue? We have exactly the same problem.
Following along with article https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs
Section: Deploy certificates via Intune
Fresh Win 11 client, no domain GPOs, Hybrid Joined. We can deploy the cert over the same SCEP policy when 'Enroll to TPM, otherwise fail' is selected, but it fails with the error below when selecting 'Enroll to Windows Hello for Business, otherwise fail'.
Certutil tells us Error message text: NGC is managed by GP and cannot be managed by MDM.
MDM ConfigurationManager: Command failure status. Configuration Source ID: (4A67D1AA-371B-4A28-BF50-B17FC23FE1D9), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (ClientCertificateInstall), Command Type: (Execute), CSP URI: (./User/Vendor/MSFT/ClientCertificateInstall/SCEP/ModelName_AC_da9e3999-6c70-4b89-85f5-954cd17e20dc_LogicalName_2a61ad3d_ea2a_4201_b7e4_4ed10bb7e6fc_Hash_-353724946/Install/Enroll), Result: (Unknown Win32 Error code: 0x82ab0011).
SCEP: Certificate enroll failed. Result: (Unknown Win32 Error code: 0x82ab0011).
certutil -error 0x82ab0011 translates this to:
0x82ab0011 (DME: 0x11 DM_NGC_MANAGED_BY_GP) -- 2192244753 (-2102722543)
Error message text: NGC is managed by GP and cannot be managed by MDM.
Stephannn 11 Reputation points
2023-07-21T10:30:19.77+00:00 Hi,
it seems that in my case the following WHfB setting was breaking it:
# Both values are written under the Group Policy key for Windows Hello for Business
New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' -Name 'DisablePostLogonProvisioning' -Value 1 -PropertyType DWord -Force -ea SilentlyContinue
New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' -Name 'Enabled' -Value 1 -PropertyType DWord -Force -ea SilentlyContinue
After we disabled the remediation of this setting and removed it from the policy key it worked. The reason I put it there in the first place was so as not to enforce WHfB on the user...
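The two answers above together describe the failure (0x82ab0011 decodes to DM_NGC_MANAGED_BY_GP) and its cause (values present under the PassportForWork Group Policy key). The following diagnostic script is an added example, not code from the thread or from Microsoft: it decodes the error the same way as above, lists any GP-backed PassportForWork values on the device, and pulls the matching event IDs 32/306/404. The registry path, value names and event IDs come from the thread; the event channel name is an assumption.

```powershell
# Added diagnostic example (not from the original thread).
# Assumption: SCEP/MDM events 32, 306 and 404 are logged in the channel named below.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$ScepError  = 0x82ab0011   # DM_NGC_MANAGED_BY_GP, per 'certutil -error' in the thread
$DmChannel  = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function Get-WhfbPolicyConflict {
    # Returns the GP-backed PassportForWork values that cause the MDM NGC enrollment
    # to be refused, or $null when the policy key is absent (the expected state when
    # Windows Hello for Business is meant to be managed by Intune).
    if (-not (Test-Path -LiteralPath $PolicyPath)) { return $null }
    $props = Get-ItemProperty -LiteralPath $PolicyPath
    # Drop the PS* metadata properties Get-ItemProperty adds to the object
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        Select-Object Name, Value
}

function Get-ScepNgcFailures {
    param([int]$Hours = 24)
    # Event IDs are the ones quoted in the question; only keep entries carrying 0x82ab0011
    $filter = @{
        LogName   = $DmChannel
        Id        = 32, 306, 404
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '0x82ab0011' } |
        Select-Object TimeCreated, Id,
            @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(160, $_.Message.Length)) } }
}

# 1. Decode the error text exactly as Matt did (expects DM_NGC_MANAGED_BY_GP)
certutil -error ('0x{0:x}' -f $ScepError)

# 2. Check whether Group Policy (or a remediation script writing to the policy key) owns NGC
$conflict = Get-WhfbPolicyConflict
if ($conflict) {
    Write-Warning "GP-managed WHfB values found under $PolicyPath; MDM SCEP enrollment to the WHfB container will fail with 0x82ab0011:"
    $conflict | Format-Table -AutoSize
} else {
    Write-Host "No PassportForWork policy key found; NGC is not GP-managed on this device."
}

# 3. Show the recent MDM/SCEP failures so the timeline can be matched to the policy write
Get-ScepNgcFailures | Format-Table -AutoSize
```

Run it elevated on the affected client. If step 2 lists values such as Enabled or DisablePostLogonProvisioning, the fix Stephannn describes applies: stop whatever writes them (a GPO or a remediation script) and remove them from the policy key, then re-sync the device so the SCEP profile retries against the WHfB container.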