Intune | Windows Hello For Business | SCEP AADJ WHFB Certificate

Oscar 172 Reputation points
2020-10-23T10:55:51.383+00:00

Hello,
I am trying to apply Windows Hello for Business using this article: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert

At almost the last step, "Create a SCEP Certificate Profile" in Intune, I am receiving an error in the Intune portal with status code 500. Maybe someone has some idea what to troubleshoot, as all the rest seems to look fine. The error:

{ "error": { "code": "InternalServerError", "message": "{\r\n \"_version\": 3,\r\n \"Message\": \"An internal server error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: hidden - Url: https://fef.msub06.manage.microsoft.com/DeviceConfiguration_2010/StatelessDeviceConfigurationFEService/deviceManagement/deviceConfigurations?api-version=5020-08-21\\",\r\n \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{}\"\r\n}", "innerError": { "date": "2020-10-23T10:25:33", "request-id": "hidden ", "client-request-id": "hidden " } }}

I followed all the steps from the document, and have a clean Certificate Authority setup and a clean NDES server.
I can reach a local and external page with no issue like https://serverfqdn(or msappproxy.net)/certsrv/mscep/mscep.dll


Accepted answer
  1. Crystal-MSFT 48,591 Reputation points Microsoft Vendor
    2020-10-26T02:06:27.017+00:00

    @Anonymous, from your description, I know the SCEP certificate profile failed to be deployed with an error. The error message only says "An internal server error has occurred", which is a general error.

    To troubleshoot such a case, log analysis is necessary. With the Q&A limitations, this is not a good channel for log analysis. We suggest opening a case to work on this.
    https://learn.microsoft.com/en-us/mem/intune/fundamentals/get-support

    In addition, I am sharing an article for troubleshooting SCEP certificate profiles with Microsoft Intune:
    https://learn.microsoft.com/en-us/mem/intune/protect/troubleshoot-scep-certificate-profiles

    Thanks and have a nice day.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


2 additional answers

  1. VipulSparsh-MSFT 16,271 Reputation points Microsoft Employee
    2020-10-26T03:15:31.633+00:00

    @Anonymous You can have a look at the troubleshooting steps for the NDES 500 error:
    https://learn.microsoft.com/en-us/mem/intune/protect/troubleshoot-scep-certificate-device-to-ndes#status-code-500

    a) On the NDES server, run secpol.msc to open the Local Security Policy.
    b) Expand Local Policies, and then click User Rights Assignment.
    c) Double-click Impersonate a client after authentication in the right pane.
    d) Click Add User or Group…, enter IIS_IUSRS in the Enter the object names to select box, and then click OK.
    e) Click OK.
    f) Restart the computer, and then try the connection from the device again.

    Since NDES troubleshooting might get deep and need different sets of log analysis, opening a support case will be helpful for you, as suggested by Crystal.

    -----------------------------------------------------------------------------------------------------------------

    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.
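
One way to confirm that the user-rights change in steps a) to f) above is in effect on the NDES server, as an added example that is not part of the original answer or of Microsoft's documentation. It assumes an elevated PowerShell session on the NDES server and that the built-in IIS_IUSRS group has the well-known SID S-1-5-32-568; the variable names are illustrative.

```powershell
# Added example: check whether IIS_IUSRS holds "Impersonate a client after
# authentication" (SeImpersonatePrivilege). Run elevated on the NDES server.
# Assumption: IIS_IUSRS is the built-in group with well-known SID S-1-5-32-568.
$IisIusrsSid = 'S-1-5-32-568'
$Right       = 'SeImpersonatePrivilege'
$ExportPath  = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())

try {
    # Export only the User Rights Assignment area of the local security policy.
    secedit.exe /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "secedit export failed with exit code $LASTEXITCODE"
    }

    # The exported line looks like: SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,...
    $line = Get-Content -Path $ExportPath |
        Where-Object { $_ -match "^\s*$Right\s*=" } |
        Select-Object -First 1

    # secedit omits the right entirely when no principal holds it.
    $holders = @()
    if ($line) {
        $holders = @(($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ })
    }

    # Entries are either *SID or an account name; normalise both to SID strings.
    $sids = @(foreach ($h in $holders) {
        if ($h.StartsWith('*')) {
            $h.TrimStart('*')
        } else {
            try {
                $account = [System.Security.Principal.NTAccount]$h
                $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                Write-Warning "Could not resolve '$h' to a SID"
            }
        }
    })

    [pscustomobject]@{
        Right           = $Right
        HolderSids      = $sids
        IisIusrsPresent = $sids -contains $IisIusrsSid
    }
}
finally {
    Remove-Item -Path $ExportPath -ErrorAction SilentlyContinue
}
```

If `IisIusrsPresent` turns false again after a policy refresh, a domain Group Policy that defines this user right is overriding the local setting.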


  2. Mike Stone 1 Reputation point
    2020-12-03T15:01:58.59+00:00

    I'm having this same issue. Any updates on this?

