Verify on-premises NDES configuration for SCEP certificates in Intune
This article gives troubleshooting steps to help determine whether you have correctly configured your on-premises infrastructure to use Simple Certificate Enrollment Protocol (SCEP) certificates in Microsoft Intune.
Complete these steps to validate your on-premises Network Device Enrollment Service (NDES) configuration.
Open the Validate-NDESConfiguration.ps1 script and copy it to your NDES server.
On the NDES server, run PowerShell as administrator. You may have to change PowerShell ExecutionPolicy to Unrestricted to run the script.
Note
Do not forget to change it back to the original setting once done .
Values for the following parameters are required:
NDESServiceAccountThis is the account that you created in the Accounts section of the Configure infrastructure to support SCEP with Intune.
The following format is used: Domain\<username>. For example: contoso\ndes.
Note
Do not specify the root domain part of the account such as contoso.lab\ndes as this does not work.
IssuingCAServerFQDNThis is the fully qualified domain name (FQDN) of your issuing certification authority (CA) server such as dc2.consoto.lab.
SCEPUserCertTemplateThis is the template name that is specified in the Configure the certification authority section of the Configure infrastructure to support SCEP with Intune.
For example:
The following screenshot occurs when the Validate-NDESConfiguration.ps1 script is run.
Type Y to continue.
The Validate-NDESConfiguration.ps1 script continues and finishes all required checks.
When the Validate-NDESConfiguration.ps1 script is finished, you are prompted to generate a report.
Type Y or N to review the reports.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for