How to issue user certificates via Intune?

Aurelijus Daujotis 0 Reputation points
2024-01-16T12:52:10.2033333+00:00

I have configured on-prem CA, NDES server (installed Intune certificate connector and Azure application proxy), configured "Configuration profiles":
User's image

All profiles are assigned to devices, except "SCEP certificate - Windows User". Where can the problem be?
User's image

User's image

If I check the profile check-in status - 0 messages.
User's image

The configuration of profile:
User's image

User's image

Cert templates:
User's image

CA successfully issues device certificates minutes after adding device to assigned group.
Done hundreds of restarts, sign-off/sign-in, sync... Nothing... Any suggestions?

Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.

2 answers

  1. Crystal-MSFT 48,931 Reputation points Microsoft Vendor
    2024-01-17T01:55:04.6233333+00:00

    @Aurelijus Daujotis, thanks for posting in Q&A. As far as I know, the following registry key on the computer that hosts the NDES service determines which certificate template we can request.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\

    For your issue, it can be that "SCEP certificate - Windows User" and "SCEP certificate - Windows Device" are set with the same purpose and we only configure "SCEP certificate - Windows Device" in the above registry key. So the device can only receive the certificate with "SCEP certificate - Windows Device".

    https://learn.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure#configure-the-ndes-service

    You can update the registry key value with the certificate template "SCEP certificate - Windows User" to get the certificate.

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

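An added example (not part of the thread or of Microsoft's documentation): a PowerShell check of which certificate template the NDES registry key above maps to a SCEP profile's key usage. The value names `SignatureTemplate`, `EncryptionTemplate` and `GeneralPurposeTemplate` are the standard NDES values under that key; the function names and the template names `IntuneDeviceSCEP` and `IntuneUserSCEP` are constructed placeholders.

```powershell
# Added example. Template names used below are constructed placeholders.
$MscepPath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

# Key usage selected in the Intune SCEP profile -> registry value NDES reads for it
$UsageToValue = @{
    Signature  = 'SignatureTemplate'       # digital signature only
    Encryption = 'EncryptionTemplate'      # key encipherment only
    Both       = 'GeneralPurposeTemplate'  # both usages selected
}

function Get-NdesTemplateMapping {
    # Read the three template values from the live registry (run on the NDES server).
    $props = Get-ItemProperty -Path $MscepPath -ErrorAction Stop
    $map = @{}
    foreach ($name in $UsageToValue.Values) { $map[$name] = $props.$name }
    $map
}

function Test-NdesTemplateMapping {
    param(
        [Parameter(Mandatory)][string]$ExpectedTemplate,
        [Parameter(Mandatory)][ValidateSet('Signature', 'Encryption', 'Both')][string]$KeyUsage,
        [System.Collections.IDictionary]$Mapping = (Get-NdesTemplateMapping)
    )
    $valueName  = $UsageToValue[$KeyUsage]
    $configured = $Mapping[$valueName]
    [pscustomobject]@{
        KeyUsage      = $KeyUsage
        RegistryValue = $valueName
        Configured    = $configured
        Expected      = $ExpectedTemplate
        Match         = ($configured -eq $ExpectedTemplate)
    }
}

# Constructed sample: all three values name the device template, which is the
# situation the answer above describes.
$sample = @{
    SignatureTemplate      = 'IntuneDeviceSCEP'
    EncryptionTemplate     = 'IntuneDeviceSCEP'
    GeneralPurposeTemplate = 'IntuneDeviceSCEP'
}
Test-NdesTemplateMapping -ExpectedTemplate 'IntuneUserSCEP'   -KeyUsage Both -Mapping $sample
Test-NdesTemplateMapping -ExpectedTemplate 'IntuneDeviceSCEP' -KeyUsage Both -Mapping $sample

# On the NDES server, omit -Mapping to check the real registry:
# Test-NdesTemplateMapping -ExpectedTemplate '<template name>' -KeyUsage Both
```

The registry values hold the template name, not its display name, so compare against the name shown on the template's General tab.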

  2. Aurelijus Daujotis 0 Reputation points
    2024-01-17T05:32:45.3433333+00:00

    @Crystal-MSFT Thank you for your detailed instructions on what to check.
    To configure NDES server I followed the documentation and https://www.youtube.com/watch?v=4EZRszjsZJs
    What is configured:
    Configuration profile for User certificate
    User's image

    Configuration profile for Device certificate
    User's image

    NDES server registry
    User's image

    Certificate Template Request Handling
    User's image

    Certificate Template Extensions
    User's image

    In all the examples this kind of certificate template is able to handle device and user certificate requests.
    Do you suggest using different certificate templates for user certificates and device certificates?

