[Solved] SCEP Certificate Enrollment Initialization for Workgroup Error

One of the most significant challenges that most enterprises experience when installing certificates is the smooth issuance of these certificates, especially when there are many devices to care for. Since most of these enterprises rely on MDMs such as Intune or Jamf, it is critical to properly configure the interaction between these MDMs and the Certificate Authority (CA) for effective certificate issuance.

SCEP (Simple Certificate Enrollment Protocol) automates this procedure by enrolling managed devices with digital certificates without requiring end-user intervention. That is easier said than done, however: SCEP certificate enrollment errors are common during onboarding, and we are here to help you resolve them.

Error: SCEP Certificate Enrollment Initialization for Workgroup

Before trying anything too technical, you must try implementing the following instructions from Microsoft support whenever you face some minor glitches or issues involving SCEP certificate requests.

1st Remedy

  • Open the Services snap-in on the server where the connector is installed. To do so, open the Start menu, type services.msc into the search box, and then choose Services from the results list.
  • Restart the Intune Connector Service from the Services snap-in.
  • Check the HKLM\Software\Microsoft\MicrosoftIntune\NDESConnector registry subkey to ensure that the registry keys were generated in the manner shown in the figure.


2nd Remedy

  • Open the registry on the NDES machine and look for the following subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP

  • Restart the server after changing the template values to the default (IPSECIntermediateOffline).
  • Check HKEY_LOCAL_MACHINE\Software\Microsoft\MicrosoftIntune\NDESConnector once the server has restarted. The signing certificates should now be visible.
  • Change the template name under HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP back to the custom template name that was established for SCEP and NDES when the keys were created.
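The two remedies above boil down to three checks on the NDES server: the MSCEP template values, the presence of the NDESConnector key, and the state of the Intune Connector Service. The following script, an added example that is not part of the original post, audits all three from an elevated PowerShell session; it assumes the standard NDES value names EncryptionTemplate, GeneralPurposeTemplate and SignatureTemplate under the MSCEP key, and the expected template name is supplied by the operator.

```powershell
# Added example (not from the original post): audit the registry keys and service that
# the two remedies walk through. Assumes the standard NDES value names under MSCEP
# (EncryptionTemplate, GeneralPurposeTemplate, SignatureTemplate). Run elevated.
param(
    [string]$ExpectedTemplate = 'IPSECIntermediateOffline',  # default name per the 2nd remedy
    [switch]$RestartConnector                                  # opt in to the 1st remedy's restart
)

$mscepPath     = 'HKLM:\Software\Microsoft\Cryptography\MSCEP'
$connectorPath = 'HKLM:\Software\Microsoft\MicrosoftIntune\NDESConnector'
$templateNames = 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate'

# 1. Report the three SCEP template values and flag any that differ from the expected name.
if (Test-Path $mscepPath) {
    $mscep = Get-ItemProperty -Path $mscepPath
    foreach ($name in $templateNames) {
        $value = $mscep.$name
        $state = if ($value -eq $ExpectedTemplate) { 'OK' } else { 'MISMATCH' }
        Write-Output ('{0,-24} {1,-30} {2}' -f $name, $value, $state)
    }
} else {
    Write-Warning "MSCEP key not found at $mscepPath (is NDES installed on this host?)"
}

# 2. Confirm the connector key exists and list the values it holds, so a missing or
#    empty key (the symptom both remedies address) stands out immediately.
if (Test-Path $connectorPath) {
    $values = (Get-Item $connectorPath).GetValueNames()
    Write-Output ('NDESConnector key present with {0} value(s): {1}' -f $values.Count, ($values -join ', '))
} else {
    Write-Warning "NDESConnector key missing at $connectorPath"
}

# 3. Report the Intune Connector Service state and, only when asked, restart it (1st remedy).
$svc = Get-Service -DisplayName 'Intune Connector Service' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning 'Intune Connector Service is not installed on this host'
} elseif ($RestartConnector) {
    Restart-Service -InputObject $svc -Force
    Write-Output ('Intune Connector Service restarted; status now {0}' -f (Get-Service -InputObject $svc).Status)
} else {
    Write-Output ('Intune Connector Service status: {0} (use -RestartConnector to restart)' -f $svc.Status)
}
```

Run it once with the default template name to confirm the reset step took effect, then again with -ExpectedTemplate set to your custom SCEP template after changing the values back.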

Error Caused due to TPM Upgrade

A TPM (Trusted Platform Module) is a cryptoprocessor that enhances the security of a hardware-based system by generating and securely storing cryptographic keys. It is usually a component on the system's motherboard, separate from main memory and the primary CPU.

You might also face SCEP certificate enrollment issues while moving to Windows 11, because Microsoft's latest hardware requirements make TPM 2.0 mandatory for installing or migrating to Windows 11.

There is a fair chance that this error is resolved by the latest Dev-Build update of your operating system. In the meantime, check all of the hardware associated with the new operating system, including that the associated drivers are up to date.

It is always advisable to work through the latest TPM troubleshooting guidelines before escalating the issue to Microsoft Support.

  • You can reset the TPM to its factory default settings and let Windows re-initialize it. This can be done by clearing all the keys from the TPM.
  • If you are using TPM 2.0 and it is not detected by Windows, ensure that your computer has a Trusted Computing Group-compliant Unified Extensible Firmware Interface (UEFI). Also verify that the TPM has not been disabled in the UEFI settings.
  • If you are using TPM 1.2 and Windows 10, version 1507 or 1511, or Windows 11, the TPM could well be switched off and must be reactivated, as stated in Turn on the TPM. When you restart it, Windows will re-initialize it.
  • Check which TPM driver is installed on the machine if you're attempting to set up BitLocker with the TPM. Microsoft recommends always using one of its own TPM drivers, which are protected by BitLocker.
    • Installing a non-Microsoft TPM driver may prevent the default TPM driver from loading and cause BitLocker to report that there is no TPM on the system. Remove any non-Microsoft TPM drivers before allowing the operating system to initialize the TPM.

Smooth SCEP Certificate Enrollment

To effectively manage the entire SCEP certificate onboarding and minimize configuration errors, your organization must be backed by a reliable PKI for certificate enrollment (and future management). Otherwise, you’ll probably end up manually installing each certificate, which may be time-consuming and error-prone like the ones we previously encountered.

The good news is that Securew2’s Cloud Managed PKI integrates with all major vendors, including Intune and Jamf. It’s also designed to work with your existing architecture, minimizing errors and avoiding costly infrastructure upgrades.

Our PKI automatically enrolls managed devices in certificate-based authentication and can issue certificates through any MDM using our efficient API Gateways. Furthermore, our user-friendly management interface enables you to address the whole certificate lifecycle by providing several certificate management features. In our management portal, you can even modify your certificates with dozens of policies, providing the perfect authentication solution for your unique needs.

The list does not end here; we also provide industry-unique enhancements for your favorite MDMs like Intune and Jamf – our most recent upgrade is a certificate auto-revocation-on-expiry feature. We believe in constantly upgrading ourselves in order to retain our ever-expanding customer base. If you're willing to broaden your cybersecurity horizons, check out our prices to learn more.

Learn about this author

Vivek Raj

Vivek is a Digital Content Specialist from the garden city of Bangalore. A graduate in Electrical Engineering, he has always pursued writing as his passion. Besides writing, you can find him watching (or even playing) soccer, tennis, or his favorite cricket.