SCEP Certificate Failing to Install via Intune

Mark Chadwick 0 Reputation points
2023-03-31T20:17:00.0366667+00:00

I'm attempting to deploy a SCEP Certificate which will attest to my Okta environment whether a device is managed by MDM or not. For some context, I'm following the instructions found on this Okta documentation:

https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/okta-ca-delegated-scep-win-intune.htm

I have registered AAD app credentials, successfully deployed the Trusted Certificate Profile, but the SCEP is failing to install every time!

I'm getting the following error codes from Event Viewer:

SCEP: Failed LogError Message : (SCEPLogDisposition:Got Failure from SCEP response message) 

SCEP: Failed LogError Message : (SCEPLogDisposition:Transaction not permitted or supported) 

SCEP: Failed LogError Message : (SCEPInstallCertificateWithScepHelper:Failed to log disposition. Error 0x87d00905) 

SCEP: Certificate enroll failed. Result: (Unknown Win32 Error code: 0x87d00905).

Can somebody please reach out to help me troubleshoot? I've attempted this multiple times on a number of machines; each time I delete everything, wipe the machine, and start again. It's really frustrating that the error log is unable to give more details to work with.

TL;DR for the Okta document instructions:


3 answers

  1. Lu Dai-MSFT 28,496 Reputation points
    2023-04-03T01:24:53.7366667+00:00

    @Mark Chadwick Thanks for posting in our Q&A.

    Certificate issues are complex and this error message is not recorded in our official article, so more logs are needed to find the root cause. The troubleshooting logs in the following article can be a reference.

    https://learn.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-scep-certificate-profiles#logs-for-on-premises-infrastructure

    Q&A is not a good channel for such an issue. It is suggested to create an online support ticket to analyze logs based on your specific environment. Here is the support link:

    https://learn.microsoft.com/en-us/mem/get-support

    Thanks for your understanding and hope everything goes well with you.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

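The question quotes only the four Event Viewer lines, and the answer above points at collecting more logs before opening a ticket. The script below is an added example, not part of the thread or of Microsoft's or Okta's documentation: run elevated on the affected device, it pulls every SCEP-related event from the Windows MDM diagnostics channel (`Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin`, a real log name) for the last 24 hours, extracts any HRESULT such as the `0x87d00905` in the question, and prints them in order so the sequence leading up to the failure can be read as a whole and attached to a support case. The 24-hour window and the output layout are my choices.

```powershell
# Added example (not from the thread): collect SCEP enrollment events from the
# Windows MDM diagnostics log so the full failure sequence can be reviewed.
# Run in an elevated PowerShell session on the device that failed enrollment.

$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$since   = (Get-Date).AddDays(-1)   # assumption: look back 24 hours

$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'SCEP' }

if (-not $events) {
    Write-Warning "No SCEP events found in '$logName' since $since"
    return
}

$events |
    Sort-Object TimeCreated |
    ForEach-Object {
        # Pull out an HRESULT-style code (e.g. 0x87d00905) if the message carries one
        $code = if ($_.Message -match '0x[0-9A-Fa-f]{8}') { $Matches[0] } else { '' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Level   = $_.LevelDisplayName
            HResult = $code
            Message = ($_.Message -replace '\s+', ' ')   # collapse multi-line messages
        }
    } |
    Format-Table -AutoSize -Wrap

# For a support ticket, the built-in MDM diagnostics tool bundles these logs plus
# enrollment and provisioning state into a single .cab (output path is a placeholder):
#   mdmdiagnosticstool.exe -area DeviceEnrollment;DeviceProvisioning -cab C:\Temp\mdmdiag.cab
```

Reading the events in time order usually shows the request that preceded "Transaction not permitted or supported", which is more useful than the final 0x87d00905 summary line on its own; the same ordered list is what a support engineer will ask for first.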

  2. techno998 0 Reputation points
    2024-01-24T19:13:52.3933333+00:00

    I have the same issue. Was there any resolution on this?


  3. Campbell Goodwille 0 Reputation points
    2024-08-22T15:45:13.0566667+00:00

    I came across this issue today after our App Registration secret expired on Azure (SCEP certificate deployments were understandably failing). I had to generate a new secret on Azure and enter it on the Okta side (Device Integrations > Endpoint management). You should take care to ensure that, on the Okta side, you are entering the Azure Application Client ID (not the secret ID) as the 'AAD Client ID' and not the 'Secret ID' of the secret that you've just generated. I made that mistake briefly and then thankfully re-read the documentation!

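The answer above identifies two failure causes that produce the same opaque SCEP error: an expired client secret on the Azure app registration, and pasting the secret's own ID where Okta expects the Application (client) ID. The following script is an added example, not from the thread or from Microsoft's or Okta's documentation. It uses the Microsoft Graph PowerShell SDK (real cmdlets `Connect-MgGraph` and `Get-MgApplication`) to look up the app registration by its Application (client) ID and list each client secret with its expiry, flagging any that are expired or within a warning window. The client ID is a placeholder you must replace, and the 30-day threshold and `Application.Read.All` scope are my assumptions.

```powershell
# Added example (not from the thread): list the client secrets of the SCEP app
# registration and flag expired / soon-to-expire ones. Also prints the two IDs
# side by side so the Application (client) ID is not confused with a secret's KeyId.
# Requires the Microsoft.Graph PowerShell module and Application.Read.All permission.

param(
    # Placeholder: the Application (client) ID that Okta expects as 'AAD Client ID'
    [string]$ClientId = '<APPLICATION-CLIENT-ID-PLACEHOLDER>',
    # Assumption: warn when a secret has 30 days or fewer left
    [int]$WarnDays = 30
)

Connect-MgGraph -Scopes 'Application.Read.All'

# Filter on appId (the Application/client ID), not the directory object ID
$app = Get-MgApplication -Filter "appId eq '$ClientId'"
if (-not $app) {
    throw "No app registration found with Application (client) ID $ClientId"
}

$now = Get-Date
$report = foreach ($secret in $app.PasswordCredentials) {
    $daysLeft = [math]::Floor(($secret.EndDateTime - $now).TotalDays)
    [pscustomobject]@{
        ClientId    = $app.AppId        # the value Okta wants as 'AAD Client ID'
        SecretKeyId = $secret.KeyId     # the secret's own ID; NOT the value for 'AAD Client ID'
        Description = $secret.DisplayName
        Expires     = $secret.EndDateTime
        DaysLeft    = $daysLeft
        Status      = if ($daysLeft -lt 0) { 'EXPIRED' }
                      elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                      else { 'OK' }
    }
}

if (-not $report) {
    Write-Warning "App $($app.DisplayName) has no client secrets at all; SCEP enrollment cannot authenticate"
}

$report | Sort-Object Expires | Format-Table -AutoSize
```

Scheduling this (or the equivalent alert in your monitoring of choice) against the SCEP app registration turns a silent 0x87d00905 failure on every newly enrolled device into a warning that arrives before the secret lapses; when a secret is rotated, the `ClientId` column stays the same and only the `SecretKeyId` row changes, which is the distinction the answer warns about.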
