Hello,
Below are some steps and considerations that may help resolve the issue:
- Verify the SCEP URL
• Check the certificate enrollment configuration (whether via Group Policy, MDM settings, or other mechanisms) to make sure the SCEP enrollment URL is entered correctly.
• Notice that your URL uses a comma (“,”) between what appears to be a host identifier and “microsoftaik.azure.net.” Often, a period (“.”) is expected here. Confirm that the intended hostname is correct. If it should be
NTC-Keyld-61d19da22b4f88fee2aec41146dee86715d1ca15.microsoftaik.azure.net
instead of
NTC-Keyld-61d19da22b4f88fee2aec41146dee86715d1ca15,microsoftaik.azure.net
then correct the configuration.
- Check DNS Configuration
• With your system being on a local network that does not have Internet access, the configured SCEP URL may not resolve if it points to an externally hosted server.
• Ensure that if you need to use an external SCEP service, your DNS is set up correctly to resolve that name. Alternatively, if external access is not intended or possible, you may need to update the configuration to point to an internal certificate authority or SCEP server.
- Confirm the Certificate Enrollment Design
• Determine whether your environment is supposed to use this external SCEP service (for example, if you are using a cloud-based certificate authority via Intune or another MDM solution) or if it is misconfigured.
• If you are not intended to reach an external SCEP server, review your certificate auto-enrollment or MDM certificate profile settings and remove or adjust the reference to the external SCEP URL.
- Update or Patch the SCEP/Enrollment Configuration
• If this configuration was pushed via policy or a configuration tool, consider updating the settings so that they refer to a resolvable and reachable SCEP server.
• If you need to use certificate auto-enrollment but do not have Internet access, you might need to install and configure a local SCEP server or use an alternative certificate enrollment method appropriate for your network.
- Testing and Verification
• After making changes, run a manual certificate enrollment test on one of the affected computers to verify that it can now reach the SCEP server and retrieve the CA’s capabilities.
• Monitor the event logs to see if the error persists.
By following these checks and updating the configuration as needed, you should be able to remove the DNS resolution error during certificate enrollment. If the URL is simply a misconfiguration (for example, due to a typo or an unintended external reference), correcting it should resolve the error.
If the Answer is helpful, please click "Accept Answer" and upvote it.
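As an added example (not part of the original answer), a small Python pre-flight script that walks through the checks above: it flags a comma in the SCEP hostname where a dot was expected, confirms the corrected name resolves from the affected network, and then issues the SCEP GetCACaps operation to retrieve the CA's capabilities. The hostnames come from the question; the path /certsrv/mscep/mscep.dll is the usual NDES endpoint and is assumed here.

```python
"""Pre-flight checks for a SCEP enrollment URL: host spelling, DNS, GetCACaps."""
import socket
import sys
import urllib.request
from urllib.parse import urlsplit, urlunsplit


def check_scep_host(url: str) -> tuple[str, list[str]]:
    """Return (suggested_url, findings).

    A comma inside the host part is almost always a typo for a dot; the
    suggested URL has it replaced so it can be compared with the policy value.
    """
    parts = urlsplit(url)
    findings: list[str] = []
    host = parts.netloc
    if not host:
        findings.append("URL has no host component (missing 'https://' prefix?)")
        return url, findings
    if "," in host:
        findings.append(f"host '{host}' contains a comma; a dot was probably intended")
        host = host.replace(",", ".")
    if parts.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme '{parts.scheme}'")
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment)), findings


def resolve_host(host: str) -> list[str]:
    """Resolve via the machine's configured DNS; an empty list means the name does not resolve."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def get_ca_caps(scep_url: str, timeout: float = 10.0) -> list[str]:
    """Issue the SCEP GetCACaps operation (RFC 8894) and return the advertised capabilities."""
    sep = "&" if "?" in scep_url else "?"
    with urllib.request.urlopen(f"{scep_url}{sep}operation=GetCACaps", timeout=timeout) as resp:
        body = resp.read().decode("ascii", "replace")
    return [line.strip() for line in body.splitlines() if line.strip()]


if __name__ == "__main__":
    # Constructed sample: the comma-in-hostname URL from the question, with an assumed NDES path.
    url = sys.argv[1] if len(sys.argv) > 1 else (
        "https://NTC-Keyld-61d19da22b4f88fee2aec41146dee86715d1ca15,microsoftaik.azure.net/certsrv/mscep/mscep.dll")
    suggested, notes = check_scep_host(url)
    for note in notes:
        print("finding:", note)
    addrs = resolve_host(urlsplit(suggested).netloc)
    print("resolves to:", addrs or "NOTHING (check DNS / internal CA configuration)")
    if addrs:
        print("CA capabilities:", get_ca_caps(suggested))
```

Run it on an affected computer with the URL taken from the policy or MDM profile; a name that resolves but returns no capabilities points at the SCEP service rather than DNS.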