I've recently created a new Intune SCEP certificate template on my internal CA to allow auto-renewal, but my test device still can't renew.
Environment details:
CA Template v3, using Microsoft Enhanced Cryptographic Provider v1.0 (CSP)
Validity 1 year
Renewal period (CA): 6 weeks
Intune SCEP profile: renewal threshold 15%
NDES registry updated (SignatureTemplate, EncryptionTemplate and GeneralPurposeTemplate = IntuneSCEPDevice)
NDES + Intune Certificate Connector restarted
Not using AD auto-enrollment; only Intune SCEP
Client certificate provider = Microsoft Enhanced Cryptographic Provider v1.0
Test run triggered via Company Portal -> Sync
Issue:
The device receives the initial certificate successfully, but renewal fails.
Client shows Event ID 309 in DeviceManagement-Enterprise-Diagnostics-Provider (Admin)
No corresponding Event 36 on NDES (request not reaching CA)
The NDES URL in Intune profile is reachable in a browser and returns the expected "SCEP server does not allow GET" page.
Questions:
Do we need to enable "CA Manager approval required" for Intune SCEP/NDES certificate templates?
Many thanks
Adriana
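A troubleshooting helper for the setup described in the post, added here as an example and not part of the original post. It assumes the standard NDES registry location HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP, the client log name Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin, and that the SCEP device certificate sits in the LocalMachine\My store; the template name and 15% threshold come from the post.

```powershell
# Added example, not from the original post. Assumed paths and log names are noted inline.

# Run on the NDES server: confirm all three MSCEP template values name the expected template.
function Test-NdesTemplateRegistry {
    param([string]$ExpectedTemplate = 'IntuneSCEPDevice')
    $path = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'   # assumed standard NDES key
    foreach ($name in 'SignatureTemplate', 'EncryptionTemplate', 'GeneralPurposeTemplate') {
        $value = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Value    = $name
            Current  = $value
            Expected = $ExpectedTemplate
            Match    = ($value -eq $ExpectedTemplate)
        }
    }
}

# Run on the client: pull recent Event ID 309 entries from the Intune management log.
function Get-ScepClientFailures {
    param([int]$Hours = 24)
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'  # assumed log name
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 309; StartTime = (Get-Date).AddHours(-$Hours) } `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Run on the client: work out when the Intune renewal window (threshold % of lifetime) opens
# for each certificate in the store, so you can tell whether renewal should fire yet at all.
function Get-ScepRenewalWindow {
    param([double]$ThresholdPercent = 15, [string]$Store = 'Cert:\LocalMachine\My')  # store is assumed
    Get-ChildItem -Path $Store | ForEach-Object {
        $lifetime = $_.NotAfter - $_.NotBefore
        $opensAt  = $_.NotAfter.AddSeconds(-($lifetime.TotalSeconds * $ThresholdPercent / 100))
        [pscustomobject]@{
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            RenewalOpens  = $opensAt
            InWindowNow   = ((Get-Date) -ge $opensAt -and (Get-Date) -lt $_.NotAfter)
        }
    }
}

Test-NdesTemplateRegistry | Format-Table -AutoSize
Get-ScepClientFailures    | Format-List
Get-ScepRenewalWindow     | Format-Table -AutoSize
```

If every template value matches and the certificate is inside its renewal window but Event 309 still appears with no matching NDES Event 36, the failure is between the client and NDES rather than at the CA.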