Question solved; see the Intune SCEP API GitHub for how.
0x8010002c: Requested certificate does not exist during Intune SCEP Win10 enrollment
Hi, I am trying to integrate a third-party CA with Intune for SCEP, using the following guide: https://learn.microsoft.com/en-us/mem/intune/protect/scep-libraries-apis
I have created an Azure trial account and have successfully created the App registration with the secret key and SCEP permissions.
In the Azure Endpoint Manager I have created a Certificate Profile of type Trusted Certificate, where I have added my root CA.
In the Azure Endpoint Manager I have created a Certificate Profile of type SCEP Profile, and configured it as required.
When trying to enroll my Windows 10 machine using the option 'Settings -> Account -> Access work or school -> Connect' it says that it enrolls successfully. However, when looking in the Azure Endpoint manager it finds the device, but it says error on the SCEP certificate profile. Looking in the Windows 10 Event Viewer under 'Applications and Services Logs/Microsoft/Windows/DeviceManagement-Enterprise-Diagnostics-Provider' it gives the following two errors:
Event 307: SCEP: Failed LogError Message : (SCEPInstallCertificateWithScepHelper:Failed to Initialize SCEP enrollment with NDES Server 'http://{url}/scep/intune/pkiclient.exe', CA cert thumbprint '2FCF40...CEF1' and server )
Event 32: SCEP: Certificate enroll failed. Result: (The requested certificate does not exist.). [HRESULT: 0x8010002c]
The CA cert thumbprint matches the thumbprint of my Root CA. Worth noting is that the Win10 machine sends two calls to the third-party CA: it sends the GetCACaps operation and, following that, the GetCACertChain operation. After that the error above occurs. This points to something in the trust not being correct, but trying the GetCACertChain request in a browser delivers the full chain in PKCS#7 format with the Root CA, Intermediate CA and RA certificate included. Viewing the certificate store for the Win10 computer using 'mmc.exe -> Certificates -> Local Computer', the Root CA is in Trusted Root Certification Authorities and Intermediate Certification Authorities contains the Intermediate CA.
Does anyone know how to resolve this error? No matter how many Trusted Certificate profiles I create of the Root CA, the Intermediate CA and the RA certificate, it results in no success.
I have also tried following this guide: https://doc.primekey.com/ejbca/ejbca-integration/integrating-with-third-party-applications/microsoft-intune-device-certificate-enrollment/configure-intune
which is an approved third-party CA for Intune according to the Microsoft documentation (see https://learn.microsoft.com/en-us/mem/intune/protect/certificate-authority-add-scep-overview), but it results in the same error.
Best regards,
Gustav Mattsson
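The two requests the post describes (GetCACaps, then GetCACertChain) and the trust check against the local machine store, as an added diagnostic script; it is not part of the original post, of the Intune SCEP API samples, or of Microsoft's documentation. It runs on the enrolling Windows 10 machine. Assumptions: the `$ScepUrl` and `$ExpectedThumbprint` defaults are placeholders copied from Event 307 above (the truncated thumbprint is deliberately rejected, paste the full value), and the event log channel name `Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin` is assumed to be the one the post calls 'DeviceManagement-Enterprise-Diagnostics-Provider'. The parsing of the PKCS#7 response uses the .NET `SignedCms` class rather than any Intune-specific library.

```powershell
# Added diagnostic script (not from the original post, Microsoft's docs, or the Intune SCEP API samples).
# Hypothetical placeholders: $ScepUrl is the endpoint printed in Event 307 and
# $ExpectedThumbprint is the 'CA cert thumbprint' from the same event, pasted in full.
param(
    [string]$ScepUrl = 'http://{url}/scep/intune/pkiclient.exe',
    [string]$ExpectedThumbprint = '2FCF40...CEF1'
)

# SignedCms lives in different assemblies on Windows PowerShell 5.1 and PowerShell 7
try { Add-Type -AssemblyName System.Security.Cryptography.Pkcs -ErrorAction Stop }
catch { Add-Type -AssemblyName System.Security }

function Get-ScepCaCaps {
    param([string]$Url)
    # GetCACaps is a plain GET; the body lists one capability per line (e.g. POSTPKIOperation, SHA-256)
    $body = (New-Object System.Net.WebClient).DownloadString("$Url?operation=GetCACaps")
    return @($body -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
}

function Get-ScepCaCertChain {
    param([string]$Url, [string]$Operation = 'GetCACertChain')
    # GetCACert / GetCACertChain return a degenerate PKCS#7 SignedData that carries only certificates
    $der = (New-Object System.Net.WebClient).DownloadData("$Url?operation=$Operation")
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($der)
    return @($cms.Certificates)
}

function Test-ScepChainAgainstClient {
    param([string]$Url, [string]$Thumbprint)
    $wanted = ($Thumbprint -replace '[\s:]', '').ToUpperInvariant()
    if ($wanted -match '[^0-9A-F]') {
        throw "Thumbprint '$Thumbprint' is not a full hex value; paste the complete thumbprint from Event 307."
    }
    $chain = Get-ScepCaCertChain -Url $Url
    $report = foreach ($cert in $chain) {
        # Same thumbprint present in LocalMachine\Root or LocalMachine\CA means the
        # Intune Trusted Certificate profile (or a manual import) delivered it to this device.
        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            Thumbprint   = $cert.Thumbprint
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            MatchesEvent = ($cert.Thumbprint -eq $wanted)
            InLocalRoot  = (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)")
            InLocalCA    = (Test-Path "Cert:\LocalMachine\CA\$($cert.Thumbprint)")
        }
    }
    return $report
}

function Get-ScepEnrollEvents {
    param([int]$Max = 10)
    # Channel name is an assumption based on the Event Viewer path quoted in the post
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id      = 32, 307
    } -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

'--- GetCACaps ---'
Get-ScepCaCaps -Url $ScepUrl
'--- GetCACertChain vs. local machine store ---'
$report = Test-ScepChainAgainstClient -Url $ScepUrl -Thumbprint $ExpectedThumbprint
$report | Format-Table -AutoSize
if (-not ($report | Where-Object MatchesEvent)) {
    Write-Warning "No certificate returned by GetCACertChain has thumbprint $ExpectedThumbprint; the thumbprint the client was given does not identify any certificate the server serves."
}
'--- Recent SCEP enrollment events (Id 32 / 307) ---'
Get-ScepEnrollEvents
```

Run it in an elevated PowerShell on the device after an enrollment attempt; the table shows, for every certificate in the server's chain, whether it is the one named in Event 307 and whether it is already present in the local Root or CA store. Passing `-Operation GetCACert` to `Get-ScepCaCertChain` shows what the server returns on the older operation as well, which is useful when a third-party SCEP service answers the two operations differently.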
1 additional answer
AndyLiu-MSFT (586 Reputation points)
2020-08-20T03:52:15.31+00:00
Please make sure you have created two trusted root profiles, in which you need to upload the Root CA certificate and the Intermediate CA. After that, please monitor the deployment status. If they are deployed successfully, you can view the certificates in the cert store locally.
Plus, since this is a development problem, I would recommend submitting a new question on the Intune SCEP API GitHub repository site for better support.