Azure VPN Client - SCEP Certificate deployed by Intune cannot be selected

Martin 1 Reputation point
2020-06-05T12:32:44.83+00:00

Hi there,

I have recently set up an Azure VPN Gateway (OpenSSL) and SCEP device certificates (using SCEPman).

Together with the Azure VPN Client it is basically working fine on Windows 10 with AAD Authentication.

However, Certificate Authentication is behaving differently on different systems:

The Device Certificate and the Trusted Root CA get automatically enrolled by Intune to the Azure AD to all machines. After installation of the client from the Microsoft Store I click: Add -> Select “Certificate” as Authentication Type.

1) Windows 10 VM:

The SCEPman issued certificate is available for selection (also all other available certs)

2) Windows 10 Notebook

But on my physical notebook the behavior is strange: The certificate is not available for selection. I tried to issue a self-signed certificate via PowerShell and those show up immediately in the dropdown.

The SCEP certificates are correctly enrolled and visible in certmgr.msc on both machines.

I have tried to experiment with the Properties of the Device configuration profile in Intune and changed the Key storage provider, key size and hash algorithm to different values but that did not fix the problem. I still suspect that it has to do something with the KSP, but I have no clue what else to try.

Maybe someone else has experienced this issue also or knows what the reason could be.

Thanks and best regards,

Martin

See also: https://social.technet.microsoft.com/Forums/de-DE/000be68f-479a-4469-a1aa-2aa777ae6d3a/scep-certificate-deployed-by-intune-cannot-be-selected-in-azure-vpn-client?forum=win10itprosecurity
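One way to narrow down which property differs between the SCEP certificate and the self-signed test certificate is to inventory both personal stores and print, per certificate, the things a client-authentication picker commonly depends on: a readable private key, the Client Authentication EKU, the key storage provider (KSP) or legacy CSP holding the key, and whether a chain to a trusted root builds. The script below is an added example written for this page; it is not code from the original post, from SCEPman or from Microsoft. The store paths it scans and the assumption that the Azure VPN Client filters on these particular properties are my own; the page does not state what the client checks.

```powershell
# Added diagnostic example (not from the original post, SCEPman or Microsoft).
# Lists certificates in the personal stores with the properties that usually
# decide whether a client can offer them for certificate authentication.
# Which of these the Azure VPN Client actually filters on is an assumption.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-PrivateKeyProvider {
    # Returns the CNG key storage provider (KSP) or legacy CSP that holds the key.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return '(no private key)' }
    try {
        $key = switch ($Cert.PublicKey.Oid.Value) {
            '1.2.840.113549.1.1.1' { [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert) }
            '1.2.840.10045.2.1'    { [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert) }
            default                { $null }
        }
        if ($key -is [System.Security.Cryptography.RSACng] -or $key -is [System.Security.Cryptography.ECDsaCng]) {
            return "KSP: $($key.Key.Provider.Provider)"
        }
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            return "CSP: $($key.CspKeyContainerInfo.ProviderName)"
        }
        return '(provider not determined)'
    }
    catch {
        # Typical cause: the key lives in a TPM/hardware provider that this user context cannot open.
        return "inaccessible: $($_.Exception.Message)"
    }
}

function Test-ChainBuilds {
    # Offline chain build only (no revocation lookups), so it also works without network access.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($Cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $chain.Reset()
    if ($ok) { return 'ok' } else { return "fails: $status" }
}

function Get-VpnCandidateCertificate {
    param([string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))
    foreach ($path in $StorePath) {
        foreach ($cert in (Get-ChildItem -Path $path -ErrorAction SilentlyContinue)) {
            $ekuExt = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
            }
            # A certificate without an EKU extension is valid for any purpose.
            $clientAuth = $true
            if ($ekuExt) {
                $clientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
            }
            [pscustomobject]@{
                Store         = $path
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                ClientAuthEku = $clientAuth
                KeyAlgorithm  = $cert.PublicKey.Oid.FriendlyName
                SigAlgorithm  = $cert.SignatureAlgorithm.FriendlyName
                Provider      = Get-PrivateKeyProvider -Cert $cert
                Chain         = Test-ChainBuilds -Cert $cert
            }
        }
    }
}

# Usage: show only certificates that carry a private key, so the SCEP certificate
# and the self-signed test certificate appear side by side for comparison.
Get-VpnCandidateCertificate |
    Where-Object HasPrivateKey |
    Format-Table Store, Subject, ClientAuthEku, KeyAlgorithm, Provider, Chain -AutoSize
```

Run it once on the VM where the SCEP certificate is selectable and once on the notebook where it is not, then compare the two rows for that certificate: a difference in Store (user versus machine), Provider (a TPM-backed KSP reported as inaccessible, or a legacy CSP), ClientAuthEku, or Chain is the kind of discrepancy worth taking to the Intune profile settings or a support case. The script only reads the stores; it changes nothing.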


1 answer

  1. TravisCragg-MSFT 5,676 Reputation points Microsoft Employee
    2020-06-16T04:55:03.917+00:00

    There are multiple moving parts here, with the OS, the Azure VPN Client, and the Intune certificate. Your best bet for further troubleshooting is a Support Request to look at both the Azure VPN Client and the OS. If you do not have a support plan, please let me know.
