Intune/SCCM hybrid with NDES does not deploy any certificate (the hash value is not correct)
In an Intune / SCCM hybrid configuration with certificate deployment based on Network Device Enrollment Service (NDES) there are some issues. Installing the NDES environment can be done according to the blog of Pieter Wigleven. After this setup the deployment of the certificates did not work entirely. The configuration looks correct but on the mobile devices there are no certificates deployed. To troubleshoot this we’ve setup a Windows 10 desktop and did a MDM enrollment with the Intune / SCCM environment. Why enroll a desktop with MDM? This is because for troubleshooting we’ve more options to find errors, settings and logs in the event viewer, registry and more.
On the Windows 10 desktop we received an error in the event viewer. The error “SCEP: Certificate enroll failed. Result: (The hash value is not correct).” was found.
After this error we look into the config from front to end. First looking into the config in SCCM. We’ve added a Root CA for deployment. This one is deployed to the clients correctly. When opening this in SCCM we see a Certificate Thumbprint, keep this in mind.
We added also a SCEP profile and within this SCEP profile we select the created Root CA.
After this steps we try to deploy this certificates to the device. The Root CA was deployed correctly but the SCEP certificate was not created on the device. What we see is an error on the device. Event id 32 gives the error “SCEP: Certificate enroll failed. Result: (The hash value is not correct).”
On the Windows client we dive into the registry to find the settings which are applied for NDES. We open the registry to find the following key for the NDES policy “HKCU\SOFTWARE\Microsoft\SCEP\MS DM Server\ModelName_ScopeID_ID_ConfigurationPolicy_ID\Install”.
In this registry key the values for NDES server, Root CA Thumbprint and more are displayed. We see that the Root CA Thumbprint does not match the one used with the Root Certificate which is deployed with the Certificate Profile in SCCM. This Root CA Thumbprint is coming from the NDES Server. When looking into the Policy Module installation on the NDES server we discover the same thumbprint as on the client.
In this configuration we had two different Root Certificates and we used the wrong one with the installation of the NDES Policy Module of SCCM. To update the Root Certiciate in teh PolicyModule we did an uninstall of the SCCM PolicyModule for NDES on the NDES Server and reinstall it with the correct settings.
After re-enroll a mobile device there is another error on the client. Event id 32 with error “SCEP: Certificate enroll failed. Result: (Unknown Win32 Error code 0x87d00905).” appears.
And on the same time on the NDES Server we received the event id 29 with error “The password in the certificate request can not be verified. It may have been used already. Obtain a new password to submit with this request.“.
After searching for a while we found a solution for this issue. This issue is related to the settings on the NDES server. In the registry a value is not updated.
In the registry string HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy the value for NDESCertThumbprint has not been updated automatically. This to be done manually. After setting up the correct thumbprint and resetting the IIS Service the certificate deployment is working correctly. Now it’s possible to request a certificate from a mobile device. This certificate can now be used for VPN profiles to connect to the company environment. .
Happy reading and till next time.
