This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 61%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFC%3C/text%3E%3C/svg%3E)
We want to deploy a new WiFi network for our customer using Android devices, using Endpoint Manager.
We created 4 new configuration profiles:
When we perform these step manually on the Android device it works perfectly.
Something wrong with the deployment?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Frits Compatibill , Thanks for posting in our Q&A. From the information you provided, it seems the PKCS certificate and WiFi profile deployment are not successfully.
For our issue, as the user or device certificate is needed in the WiFi profile, we can firstly check on the PKCS certificate deployment.
In General, when the PKCS certificate profile is deployed to the device, the Intune service will ask Intune Certificate Connector to create the certificate for the user. send the request to CA, CA will issue the certificate and send it to Intune Certificate connector.And this certificate will be uploaded to Intune. Intune will re-encrypt the certificate and send it to the device. After all, the device will report the status to Intune.
To know which stage it is pending, we need log analysis. Here is a link with detailed information for the reference:
https://learn.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-pkcs-certificate-profiles
To ensure your data is protected, if you need any help with log analysis, you can open case which is free to troubleshoot it. Here is a link to guide how to open case for the reference:
https://learn.microsoft.com/en-us/mem/get-support
Hope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @Crystal-MSFT , thanks for your reply.
When I try to analyse logging on the Intune Certificate Connector I check the ODJ Connector Service.
Only Event ID 30121 and 30150 occur. I cannot find the NDESConnector_date_time.svclog
On the CA server I don't see any certificates issued/pending/failed which uses the certificate template which is configured in the PKCS certificate profile in Intune.
Looks like the request does not even reach the CA server?
I
@Frits Compatibill , From your description, it seems the request is not created. As the log NDESConnector_date_time.svclog is not created. Could you check the event log under "Application and Services Logs\Microsoft Intune Connector" to see if it function well?
Under Application and Services Logs there is the ODJ Connector Service which only shows the Event ID 30121 and 30150. There is no Microsoft Intune Connector log.
The Windows laptops are also used by this connector. Those work fine.
I have looked in the wrong place.
I found the NDESConnector logging. How to open?
And is there a certain thing to look for?
@Frits Compatibill , Thanks for the reply. I am glad to hear that the log is found. To view the log, we can use Service Trace Viewer Tool.
https://learn.microsoft.com/en-us/dotnet/framework/wcf/service-trace-viewer-tool-svctraceviewer-exe
Here is a link with the log analysis example for the reference:
https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-configuring-and-troubleshooting-pfx-pkcs/ba-p/516450
Hope it can help.
Where can I find the Service Trace Viewer Tool?
I have downloaded the Microsoft .NET SDK 6.0 but there is no Servic Trace Viewer Tool.
Do you have a direct download to the file?
I have tested with another new WiFi profile for Android Enterprise, basic profile with a WPA-Pre-Shared-Key and no PKCS.
The deployment failed.
@Frits Compatibill , For the tool, you can check if it is under location: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools
For another WiFi Profile with WPA-pre-shared-key, could you confirm if the configuration can work when we configure it manually on the device side? If yes, we can check if the configuration is the same on intune .
Yes I found the tool and I already examined the logs.
A lot of activity, because we also use it to send pkcs certificates to the windows clients for VPN use.
But when I search for "PfxCertRequest ConnectorDownloadMessage received" I find nothing.
The WiFi profile can be made manually on the device side and this works. Configuration settings are the same, they are very basic.
@Frits Compatibill , Maybe you can check the vent Viewer > Application and Service Logs > Microsoft > Intune > Certificate Connectors to see if there's any more finding.
For WiFi profile, when manually configure it, it is working. But not working when deploy via Intune. This can be caused that our SCEP profile certificate is not installed on the device.. we can see more detials in the following link:
https://support.microsoft.com/en-us/topic/troubleshooting-wi-fi-profile-issues-in-microsoft-intune-23c9261f-3b0c-95fa-81e2-b894f645ce97
For such log analysis case, we need full log analysis to troubleshoot. With Q&A limitation, we suggest to open case to handle it which can work in a more efficient way.
https://learn.microsoft.com/en-us/mem/get-support
Thanks for the understanding and have a nice day!
Strangely enough the WiFi profile has been succesfully deployed, I cannot see it on the device because I am not near the WiFi network at the moment I guess.
Have not changed anything only maybe an update on the Android device.
In the troubleshooting link they refer to a SCEP certificate authentication, we use PKCS.
@Frits Compatibill , Yes, this can be a reason. If we have the opportunity to make the device near the WiFi network, we can test to see if it can work.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 21%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
May i know what is SN and SAN being used inside PKCS?