Simple Certificate Enrollment Protocol (SCEP) automates certificate distribution to issue and manage network certificates for users and devices securely. SCEP protocol addresses certificate enrollment without any intervention by end users.
A Mobile Device Management (MDM) solution uses SCEP for its managed devices to push the payload with the SCEP URL and shared secret. The payload helps users self-enroll for a certificate, saving network administrators time and effort. The SCEP URL guides the device to communicate with the PKI using a Gateway API URL. The shared secret ID is a case-sensitive password between the SCEP server and the Certificate Authority (CA).
In this article, we have curated some common scep errors you may encounter while using the scep protocol and troubleshooting methods.
Error: Troubleshoot SCEP Certificate Profile with Intune.
Microsoft Intune lists some scep errors and ways to troubleshoot them.
In a scep certificate deployment, the scep certificate profile and the trusted certificate profile must be assigned to a user or a device in the same order. The table below shows the outcome of a misassignment of the scep and the trusted certificate profiles.
Trusted certificate profile assignment includes User | Trusted certificate profile assignment includes Device | Trusted certificate profile assignment includes User and Device | |
SCEP certificate profile assignment includes User | Success | Failure | Success |
SCEP certificate profile assignment includes Device | Failure | Success | Success |
SCEP certificate profile assignment includes User and Device | Success | Success | Success |
To troubleshoot profile assignment issues, (Note: The troubleshooting employs the same method for Android and iOS. )
- On the Microsoft Intune Admin Center, go to Troubleshooting + Support > Troubleshoot.
- On the Troubleshoot option, set the Assignments to Configuration profiles and validate:
- The user should receive the scep profile.
- Review the user’s network group and ensure that it is the user intended to receive the scep profile.
- Review the last checked device with Intune.
Validating policy receipt on the Windows device
- Open DeviceManagement-Enterprise-Diagnostics-Provider > Admin log, with an event ID 306.
- Run eventvwr.msc to open Windows Event Viewer.
- Expand Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin. Look for Event 306, which resembles the following example:
Event ID: 306
Task Category: None
Level: Information
User: SYSTEM Computer: <Computer Name>
Description: SCEP: CspExecute for UniqueId : (ModelName_<ModelName>_LogicalName_<LogicalName>_Hash_<Hash>) InstallUserSid : (<UserSid>) InstallLocation : (user) NodePath : (clientinstall) KeyProtection: (0x2) Result : (Unknown Win32 Error code: 0x2ab0003).
The error code 0x2ab0003 translates to DM_S_ACCEPTED_FOR_PROCESSING.
Streamline SCEP Certificate Enrollment
Distributing certificates manually is cumbersome, leaving space for errors that can take hours to rectify and involve manpower. SCEP management should thus be managed by a scalable PKI like SecureW2 Cloud Managed PKI to accommodate better certificate management in the long run.
Our Cloud-based PKI helps managed devices self-enroll for certificates using our API Gateway. You can also create user and device profiles by setting unique policies that streamline the authentication process further. A certificate lifecycle management is tedious but would be a breeze when you opt for a PKI with a user-friendly onboarding interface.
SecureW2s Cloud Managed PKI works with major MDM solutions like Jamf, Intune, etc., and can easily integrate with your on-prem or cloud-based network infrastructure, saving you a lot of money to upgrade existing infrastructure.
At SecureW2, we are constantly upgrading our products to give you the best value for your investment. Our features, like auto-revocation of certificates upon expiry, are just one of the features amongst many other unique ones. So, click on this link today to find out how to streamline and strengthen your network security and be at peace.