Browsed by

Intune/SCCM hybrid with NDES does not deploy any certificate (the hash value is not correct)

Intune/SCCM hybrid with NDES does not deploy any certificate (the hash value is not correct)

In an Intune / SCCM hybrid configuration with certificate deployment based on Network Device Enrollment Service (NDES) there are some issues. Installing the NDES environment can be done according to the blog of Pieter Wigleven. After this setup the deployment of the certificates did not work entirely. The configuration looks correct but on the mobile devices there are no certificates deployed. To troubleshoot this we’ve setup a Windows 10 desktop and did a MDM enrollment with the Intune / SCCM environment. Why enroll a desktop with MDM? This is because for troubleshooting we’ve more options to find errors, settings and logs in the event viewer, registry and more.

On the Windows 10 desktop we received an error in the event viewer. The error “SCEP: Certificate enroll failed. Result: (The hash value is not correct).” was found.


After this error we look into the config from front to end. First looking into the config in SCCM. We’ve added a Root CA for deployment. This one is deployed to the clients correctly. When opening this in SCCM we see a Certificate Thumbprint, keep this in mind.


We added also a SCEP profile and within this SCEP profile we select the created Root CA.


After this steps we try to deploy this certificates to the device. The Root CA was deployed correctly but the SCEP certificate was not created on the device. What we see is an error on the device. Event id 32 gives the error “SCEP: Certificate enroll failed. Result: (The hash value is not correct).”


On the Windows client we dive into the registry to find the settings which are applied for NDES. We open the registry to find the following key for the NDES policy “HKCU\SOFTWARE\Microsoft\SCEP\MS DM Server\ModelName_ScopeID_ID_ConfigurationPolicy_ID\Install”.


In this registry key the values for NDES server, Root CA Thumbprint and more are displayed. We see that the Root CA Thumbprint does not match the one used with the Root Certificate which is deployed with the Certificate Profile in SCCM. This Root CA Thumbprint is coming from the NDES Server. When looking into the Policy Module installation on the NDES server we discover the same thumbprint as on the client.


In this configuration we had two different Root Certificates and we used the wrong one with the installation of the NDES Policy Module of SCCM. To update the Root Certiciate in teh PolicyModule we did an uninstall of the SCCM PolicyModule for NDES on the NDES Server and reinstall it with the correct settings.

After re-enroll a mobile device there is another error on the client. Event id 32 with error “SCEP: Certificate enroll failed. Result: (Unknown Win32 Error code 0x87d00905).” appears.


And on the same time on the NDES Server we received the event id 29 with error “The password in the certificate request can not be verified. It may have been used already. Obtain a new password to submit with this request.“.


After searching for a while we found a solution for this issue. This issue is related to the settings on the NDES server. In the registry a value is not updated.


In the registry string HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy the value for NDESCertThumbprint has not been updated automatically. This to be done manually. After setting up the correct thumbprint and resetting the IIS Service the certificate deployment is working correctly. Now it’s possible to request a certificate from a mobile device. This certificate can now be used for VPN profiles to connect to the company environment. .

Happy reading and till next time.


Intune/SCCM NDES Certificate deployment not working on IOS devices

Intune/SCCM NDES Certificate deployment not working on IOS devices

I’ve deployed a NDES environment integrated with a hybrid Microsoft Intune and Configuration Manager configuration. In this environment certificate deployment to Android and Windows Phone/Mobile is working fine. But for IOS devices it’s not working.

When we dive into this problem we see errors in the CRP.log.

IOS Cert 3

With this error “key usage in CSR 160 and challenge 224 do not match” we know there is something with the certificate template on the CA Server.


I’ve found te solution on the Coretech Blog ->

After changing the Certificate property for the Key Usage Extension the problem was solved. Below the screenshots for the Certificate Template properties.

Force URL to open in Managed Browser with Intune / SCCM hybrid

Force URL to open in Managed Browser with Intune / SCCM hybrid

I’ve received a question how to force an URL to open in the Managed Browser. In the Intune Standalone configuration this is already possible for a while. But it’s also possible with the Intune hybrid configuration with Configuration Manager (SCCM). In this blogpost I will take you through the steps how to do this.

First of all we’ve to create an Application. In the SCCM console go to the Software Library and open Application Management and create an Application.


In the next window select “Web Application” and fill the “Location” with an URL. The format for this is not the normal http://<path to web app> but this must be http-intunemam://<path to web app> (http can also be https   ).


After this the application can be created with the defaults.

When the application is created deploy the application to an User Collection. When a Phone is enrolled and the Web Application is available you can install it from the company portal. When opening the Company Portal on the phone it looks like:


Screenshot_2016-07-21-10-56-02Install the Web Application and after this is done the Web Clip is available. For IOS it is available on your main screen. For Android you have to add the Web Widget on your screen to open the Web Applications. On an Android device it looks like:


When open this Web Application there is a message that the app is managed by your company.


When selecting “OK” the webpage will be opened in the Managed Browser.


Opening an Web Application (URL) is possible with Intune Standalone and also with Intune and SCCM in hybrid mode. This is working for Android and for IOS devices. In this short blogpost I’ve taken you through the steps how to do this.

The information about creating a Web Application and force it to the Managed Browser was shared on this Technet Article: