Recently, a customer raised an issue where their new SCEP User Certificate was stuck pending in Microsoft Intune. So let's jump into troubleshooting.
Troubleshooting
Firstly, we want to check if the device is reaching NDES and if there are logs in the Intune Connector for Certificates.
To check logs for the Intune Connector for Certificates we go to Event Viewer > Applications and Services Logs > Intune > Intune connector.
We could not see any logs for a certificate request.
Let's see if there is anything in the IIS logs.
%SystemDrive%\inetpub\logs\logfiles\w3svc1
We typically search the log for entries similar to the following two examples. Both carry an HTTP status of 200, which appears near the end of the line (the sc-status field):
fe80::f53d:89b8:c3e8:5fec%13 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACaps&message=default 80 - fe80::f53d:89b8:c3e8:5fec%13 Mozilla/4.0+(compatible;+Win32;+NDES+client) - 200 0 0 186 0.
And
fe80::f53d:89b8:c3e8:5fec%13 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACert&message=default 80 - fe80::f53d:89b8:c3e8:5fec%13 Mozilla/4.0+(compatible;+Win32;+NDES+client) - 200 0 0 3567 0
Again nothing in IIS.
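As an added illustration that is not part of the original post, the following Python script parses an IIS W3C log and summarises SCEP operations against mscep.dll by operation and HTTP status, so "nothing in IIS" becomes a checkable result rather than an eyeball search. The log sample is constructed to mirror the two example lines above, with date/time columns added as IIS writes them by default.

```python
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample of an IIS W3C log from an NDES server (not real customer data).
# Column layout is the default IIS field set; the post's examples omit date and time.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes time-taken
2024-01-01 09:00:01 fe80::f53d:89b8:c3e8:5fec%13 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACaps&message=default 80 - fe80::f53d:89b8:c3e8:5fec%13 Mozilla/4.0+(compatible;+Win32;+NDES+client) - 200 0 0 186 0
2024-01-01 09:00:02 fe80::f53d:89b8:c3e8:5fec%13 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACert&message=default 80 - fe80::f53d:89b8:c3e8:5fec%13 Mozilla/4.0+(compatible;+Win32;+NDES+client) - 200 0 0 3567 0
2024-01-01 09:00:03 fe80::f53d:89b8:c3e8:5fec%13 POST /certsrv/mscep/mscep.dll/pkiclient.exe operation=PKIOperation 80 - fe80::f53d:89b8:c3e8:5fec%13 Mozilla/4.0+(compatible;+Win32;+NDES+client) - 200 0 0 2612 15
2024-01-01 09:05:00 fe80::f53d:89b8:c3e8:5fec%13 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACaps&message=default 80 - fe80::f53d:89b8:c3e8:5fec%13 Mozilla/4.0+(compatible;+Win32;+NDES+client) - 403 0 0 1233 0
2024-01-01 09:10:00 fe80::f53d:89b8:c3e8:5fec%13 GET /iisstart.htm - 80 - 10.0.0.5 Mozilla/5.0 - 200 0 0 703 0
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
            continue
        if not line or line.startswith("#") or fields is None:
            continue                       # other directives, or no header yet
        values = line.split(" ")           # IIS encodes spaces in values as '+'
        if len(values) != len(fields):
            continue                       # malformed line: skip rather than misalign
        yield dict(zip(fields, values))

def scep_summary(text):
    """Count requests to mscep.dll, keyed by (SCEP operation, HTTP status)."""
    counts = Counter()
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().endswith("/mscep.dll/pkiclient.exe"):
            continue
        op = parse_qs(rec["cs-uri-query"]).get("operation", ["?"])[0]
        counts[(op, rec["sc-status"])] += 1
    return counts

def diagnose(counts):
    """Short verdict in the same order the troubleshooting above checks things."""
    if not counts:
        return "no SCEP traffic reached NDES"
    failures = sorted(f"{op}:{st}" for (op, st), n in counts.items() if st != "200")
    if failures:
        return "NDES reached but errors: " + ", ".join(failures)
    if any(op == "PKIOperation" for op, _ in counts):
        return "enrollment requests reached NDES; check connector and CA"
    return "only CA discovery seen; no PKIOperation enrollment request"

if __name__ == "__main__":
    print(diagnose(scep_summary(SAMPLE_LOG)))
```

An empty result from scep_summary over the w3svc1 log folder is the "nothing in IIS" case from the post, which points back at Intune profile assignment, the SCEP URL, or the App Proxy path rather than at NDES or the CA.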
Finally, although I knew this was a waste of time, I jumped on the issuing certificate authority to see if there were any failed or pending requests, which there weren't.
This was telling me the device was not reaching the infrastructure. So let's jump back to Intune to see if this was something Intune related.
Firstly, the customer has a SCEP Device Certificate that was deploying without issue, which tells me the NDES template matches the SCEP certificate. So I validated that the full certificate chain (Root and SubCA certificates) was deployed to the device via Intune. Next I validated that the SCEP User Certificate was configured correctly against the NDES template, e.g. that Key Usage, Key Size and Extended Key Usage matched, and checked there was no typo in the SCEP URL, which for this customer was an Azure AD App Proxy external URL.
We know the Azure AD App Proxy is working because the SCEP Device Certificate is working as expected, and this customer has a single NDES server behind that proxy. It is still always worth checking that the AAD App Proxy service is healthy in Azure Active Directory, though.
This all looked ok, so what else could it be?
Root Cause
I noticed the SCEP User Template was assigned to All Users in Intune, but the trusted certificates (Root, Sub) were assigned to All Devices. This is one of the quirks of Intune: mismatched group assignments between trusted certificates and SCEP certificates can leave requests in a Pending state.
Solution
I changed the SCEP User Template to a device group, and within a couple of minutes the issuing certificate authority issued a certificate and the user certificate was present on the device. You can check this by opening certmgr.msc > Personal, where you should see a certificate from your NDES template. You can assign users or devices to trusted certificates and to SCEP User/Device certificates; just don't mix and match user and device assignments.