Want to learn the best practice for configuring Chromebooks with 802.1X authentication?

Sign up for a Webinar!

Troubleshooting Common SCEP Errors

Key Points
  • SCEP (Simple Certificate Enrolment Protocol) automates certificate distribution, allowing devices to self-enroll securely while lowering network managers' efforts.
  • Common SCEP failures, such as profile assignment issues in Microsoft Intune, can be fixed using correct validation and troubleshooting techniques.
  • SecureW2's Cloud Managed PKI simplifies certificate management by improving network security and streamlining enrollment operations.

Simple Certificate Enrollment Protocol (SCEP) automates certificate distribution to issue and manage network certificates for users and devices securely. SCEP protocol addresses certificate enrollment without any intervention by end users. 

A Mobile Device Management (MDM) solution uses SCEP for its managed devices to push the payload with the SCEP URL and shared secret. The payload helps users self-enroll for a certificate, saving network administrators time and effort. The SCEP URL guides the device to communicate with the PKI using a Gateway API URL. The shared secret ID is a case-sensitive password between the SCEP server and the Certificate Authority (CA).

In this article, we have curated some common scep errors you may encounter while using the scep protocol and troubleshooting methods.

Error: Troubleshoot SCEP Certificate Profile with Intune. 

Microsoft Intune lists some scep errors and ways to troubleshoot them. 

In a  scep certificate deployment, the scep certificate profile and the trusted certificate profile must be assigned to a user or a device in the same order. The table below shows the outcome of a misassignment of the scep and the trusted certificate profiles. 

Trusted certificate profile assignment includes User Trusted certificate profile assignment includes Device Trusted certificate profile assignment includes User and Device  
SCEP certificate profile assignment includes User Success Failure Success
SCEP certificate profile assignment includes Device Failure Success Success
SCEP certificate profile assignment includes User and Device Success Success Success

To troubleshoot profile assignment issues, (Note: The troubleshooting employs the same method for Android and iOS. )

  1. On the Microsoft Intune Admin Center, go to Troubleshooting + Support > Troubleshoot.
  2. On the Troubleshoot option, set the Assignments to Configuration profiles and validate:
  • The user should receive the scep profile.
  • Review the user’s network group and ensure that it is the user intended to receive the scep profile.
  • Review the last checked device with Intune.

Validating policy receipt on the Windows device

  1. Open DeviceManagement-Enterprise-Diagnostics-Provider > Admin log, with an event ID 306.
  2. Run eventvwr.msc to open Windows Event Viewer.
  3. Expand Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin. Look for Event 306, which resembles the following example:

Event ID: 306 

Task Category: None 

Level: Information 

User: SYSTEM Computer: <Computer Name> 

Description: SCEP: CspExecute for UniqueId : (ModelName_<ModelName>_LogicalName_<LogicalName>_Hash_<Hash>) InstallUserSid : (<UserSid>) InstallLocation : (user) NodePath : (clientinstall) KeyProtection: (0x2) Result : (Unknown Win32 Error code: 0x2ab0003).

The error code 0x2ab0003 translates to DM_S_ACCEPTED_FOR_PROCESSING.

Streamline SCEP Certificate Enrollment

Distributing certificates manually is cumbersome, leaving space for errors that can take hours to rectify and involve manpower. SCEP management should thus be managed by a scalable PKI like SecureW2 Cloud Managed PKI to accommodate better certificate management in the long run.

Our Cloud-based PKI helps managed devices self-enroll for certificates using our API Gateway. You can also create user and device profiles by setting unique policies that streamline the authentication process further. A certificate lifecycle management is tedious but would be a breeze when you opt for a PKI with a user-friendly onboarding interface.

SecureW2s Cloud Managed PKI works with major MDM solutions like Jamf, Intune, etc., and can easily integrate with your on-prem or cloud-based network infrastructure, saving you a lot of money to upgrade existing infrastructure. 

At SecureW2, we are constantly upgrading our products to give you the best value for your investment. Our features, like auto-revocation of certificates upon expiry, are just one of the features amongst many other unique ones. So, click on this link today to find out how to streamline and strengthen your network security and be at peace.

Learn about this author

Anusha Harish

Anusha is a copywriter with a passion for telling stories through her writing. With a law degree and keen research skills, she writes articles to help customers make informed decisions. A movie buff and a bookworm, she can be found tucked away with a book and a cup of coffee mostly.

Troubleshooting Common SCEP Errors