Intune - Deploy Scep profile for Windows Hello is failing

Mtengmo 1 Reputation point
2022-11-29T21:04:49.087+00:00

I'm deploying a SCEP cert for end users to enable them to run RDP with Windows Hello, following this guide:
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs?source=recommendations#deploy-certificates-via-intune

It's failing on the client side before it sends the request to the SCEP endpoint.
Eventid 32 - SCEP: Certificate enroll failed. Result: (Unknown Win32 Error code: 0x82ab0011).

Eventid 306 - SCEP: CspExecute for UniqueId : (ModelName_AC_d2dbf036-07f2-40e7-a037-8b09d2c83497_LogicalName_cba88808_6ffc_42cf_9b9a_f90b7d72f470_Hash_-312281387) InstallUserSid : (NULL) InstallLocation : (user) NodePath : (clientinstall) KeyProtection: (0x0) Result : (Unknown Win32 Error code: 0x82ab0011).

Eventid 404 - MDM ConfigurationManager: Command failure status. Configuration Source ID: (E8C1809E-5606-4C94-A3BB-A76212A1207E), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (ClientCertificateInstall), Command Type: (Execute), CSP URI: (./User/Vendor/MSFT/ClientCertificateInstall/SCEP/ModelName_AC_d2dbf036-07f2-40e7-a037-8b09d2c83497_LogicalName_cba88808_6ffc_42cf_9b9a_f90b7d72f470_Hash_-312281387/Install/Enroll), Result: (Unknown Win32 Error code: 0x82ab0011).

Any ideas?


5 answers

  1. Rahul Jindal [MVP] 9,151 Reputation points MVP
    2022-11-29T21:20:22.423+00:00

    Is the certificate chain deployed as well? Anything in ndes logs?


  2. Mtengmo 1 Reputation point
    2022-11-29T21:46:11.88+00:00

    Yes, the trusted CA is also deployed (Intune blocks the SCEP profile until it's also deployed).
    Nothing in the NDES IIS log file. The endpoint URL is working fine.


  3. Rahul Jindal [MVP] 9,151 Reputation points MVP
    2022-11-30T08:00:48.377+00:00

    Is the device AAD or HAADJ? What is the status in Intune?


  4. Matt Holland 0 Reputation points
    2023-03-12T10:03:03.02+00:00

    Did you find the solution to this issue? We have exactly the same problem.

    Following along with article https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs

    Section: Deploy certificates via Intune

    Fresh Win 11 client, no Domain GPOs, Hybrid Joined. We can deploy the cert over the same SCEP policy when 'Enroll to TPM, otherwise fail' is selected, but it fails with the error below when selecting 'Enroll to Windows Hello for Business, otherwise fail'.

    Certutil tells us: Error message text: NGC is managed by GP and cannot be managed by MDM.

        MDM ConfigurationManager: Command failure status. Configuration Source ID: (4A67D1AA-371B-4A28-BF50-B17FC23FE1D9), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (ClientCertificateInstall), Command Type: (Execute), CSP URI: (./User/Vendor/MSFT/ClientCertificateInstall/SCEP/ModelName_AC_da9e3999-6c70-4b89-85f5-954cd17e20dc_LogicalName_2a61ad3d_ea2a_4201_b7e4_4ed10bb7e6fc_Hash_-353724946/Install/Enroll), Result: (Unknown Win32 Error code: 0x82ab0011).

        SCEP: Certificate enroll failed. Result: (Unknown Win32 Error code: 0x82ab0011).

    certutil -error 0x82ab0011 translates this to:

        0x82ab0011 (DME: 0x11 DM_NGC_MANAGED_BY_GP) -- 2192244753 (-2102722543)
        Error message text: NGC is managed by GP and cannot be managed by MDM.
    
    

  5. Stephannn 11 Reputation points
    2023-07-21T10:30:19.77+00:00

    Hi,

    It seems in my case the following WHfB setting was breaking it:

    # Both values are written to the Group Policy scope of the WHfB (PassportForWork) policy key,
    # which is what makes the client report NGC as "managed by GP" to the MDM SCEP enrollment.
    New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' -Name 'DisablePostLogonProvisioning' -Value 1 -PropertyType DWord -Force -ea SilentlyContinue;
    New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' -Name 'Enabled' -Value 1 -PropertyType DWord -Force -ea SilentlyContinue;
    

    After we disabled the remediation of this setting and removed it from the policy key, it worked. The reason I put it there in the first place was to not enforce WHfB for the user...

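The following is an added diagnostic script, not code from any of the posters above or from Microsoft. It ties answer 4 (decoding 0x82ab0011 with certutil) and answer 5 (GP-scope values under the PassportForWork policy key) into one check an admin can run on the failing client. It assumes the SCEP/MDM failures are logged to the DeviceManagement-Enterprise-Diagnostics-Provider Admin channel (the source of event IDs 32, 306 and 404 quoted in the question) and that only the Group Policy key named in answer 5 is relevant; the `$Remediate` switch and the `-WhatIf` guard are this example's own additions, not something the thread recommends.

```powershell
# Diagnose SCEP "Enroll to Windows Hello for Business" failures with 0x82ab0011 (DM_NGC_MANAGED_BY_GP).
# Added example; run elevated on the affected client. Assumptions are marked below.
param(
    [switch]$Remediate   # assumption: off by default, only removes the two values from answer 5
)

$ErrorCode = 0x82AB0011

# 1. Decode the HRESULT exactly as answer 4 did, so the text is in front of you.
Write-Host "== certutil decode of 0x$('{0:X8}' -f $ErrorCode) =="
certutil -error ("0x{0:X8}" -f $ErrorCode)

# 2. Pull the recent SCEP/MDM events that carry this code. Assumption: Admin channel of the
#    DeviceManagement-Enterprise-Diagnostics-Provider log, event IDs 32/306/404 as in the question.
$LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
Write-Host "`n== Recent SCEP/MDM failures with 0x82ab0011 in $LogName =="
Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 32, 306, 404 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0x82ab0011' } |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { $_.Message.Substring(0, [Math]::Min(160, $_.Message.Length)) } } |
    Format-Table -AutoSize -Wrap

# 3. Check whether WHfB is being steered by Group Policy. Any value under this key (including the
#    DisablePostLogonProvisioning / Enabled pair from answer 5) makes NGC "managed by GP" and blocks
#    MDM from enrolling a SCEP cert into the WHfB container.
$GpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
Write-Host "`n== GP-scope WHfB policy ($GpKey) =="
if (Test-Path -LiteralPath $GpKey) {
    $values = Get-ItemProperty -LiteralPath $GpKey | Select-Object * -ExcludeProperty PS*
    Write-Host 'Values found (NGC will be reported as GP-managed):'
    $values | Format-List
    # Subkeys are listed too, because GP-scope WHfB settings can also live beneath this key.
    Get-ChildItem -LiteralPath $GpKey -Recurse | ForEach-Object {
        Write-Host "Subkey: $($_.PSPath -replace '^.*::')"
        Get-ItemProperty -LiteralPath $_.PSPath | Select-Object * -ExcludeProperty PS* | Format-List
    }

    if ($Remediate) {
        # Mirrors what answer 5 did by hand: drop the two values that were set in GP scope.
        # -WhatIf keeps this a dry run; remove it only after confirming the values are yours
        # and that no GPO or Intune remediation script will simply write them back.
        foreach ($name in 'DisablePostLogonProvisioning', 'Enabled') {
            Remove-ItemProperty -LiteralPath $GpKey -Name $name -ErrorAction SilentlyContinue -WhatIf
        }
    }
} else {
    Write-Host 'Key absent: WHfB is not GP-managed via this key; look elsewhere for the 0x82ab0011 cause.'
}
```

Re-run the SCEP profile sync after clearing the GP-scope values (and after removing whatever put them there, as answer 5 notes), then check the same event channel for event ID 32 to confirm the enrollment now reaches the NDES endpoint.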