Configure and use SCEP certificates with Intune

This article shows how to configure your infrastructure, then create and assign Simple Certificate Enrollment Protocol (SCEP) certificate profiles with Intune.

Configure on-premises infrastructure

  • Active Directory domain: All servers listed in this section (except for the Web Application Proxy server) must be joined to your Active Directory domain.

  • Certification Authority (CA): An Enterprise Certification Authority (CA) that runs on an Enterprise edition of Windows Server 2008 R2 or later. A Standalone CA is not supported. For details, see Install the Certification Authority. If your CA runs Windows Server 2008 R2, you must install the hotfix from KB2483564.

  • NDES server: On a server that runs Windows Server 2012 R2 or later, you must set up the Network Device Enrollment Service (NDES). Intune does not support NDES when it runs on a server that also runs the Enterprise CA. See Network Device Enrollment Service Guidance for instructions on how to configure Windows Server 2012 R2 to host the Network Device Enrollment Service. The NDES server must be joined to the domain that hosts the CA, and must not be on the same server as the CA. More information about deploying the NDES server in a separate forest, isolated network, or internal domain can be found in Using a Policy Module with the Network Device Enrollment Service.

  • Microsoft Intune Certificate Connector: Use the Azure portal to download the Certificate Connector installer (NDESConnectorSetup.exe). Then run NDESConnectorSetup.exe on the server hosting the Network Device Enrollment Service (NDES) role where you want to install the Certificate Connector.

    • The NDES Certificate Connector also supports Federal Information Processing Standard (FIPS) mode. FIPS is not required, but you can issue and revoke certificates when it's enabled.
  • Web Application Proxy server (optional): Use a server that runs Windows Server 2012 R2 or later as a Web Application Proxy (WAP) server. This configuration:

    • Allows devices to receive certificates using an Internet connection.
    • Is a security recommendation when devices connect through the Internet to receive and renew certificates.

Additional

  • The server that hosts WAP must have an update installed that enables support for the long URLs used by the Network Device Enrollment Service. This update is included in the December 2014 update rollup, or individually from KB3011135.
  • The WAP server must have an SSL certificate that matches the name being published to external clients, and must trust the SSL certificate used on the NDES server. These certificates let the WAP server terminate the SSL connection from clients and create a new SSL connection to the NDES server.

For more information, see Plan certificates for WAP and general information about WAP servers.

Network requirements

From the Internet to the perimeter network, allow port 443 from all hosts/IP addresses on the Internet to the NDES server.

From the perimeter network to the trusted network, allow all ports and protocols needed for domain access on the domain-joined NDES server. The NDES server needs access to the certificate servers, DNS servers, Configuration Manager servers, and domain controllers.

We recommend publishing the NDES server through a proxy, such as the Azure AD Application Proxy, Web Access Proxy, or a third-party proxy.

Certificates and templates

  • Certificate template: Configure this template on your issuing CA.
  • Client authentication certificate: Requested from your issuing CA or a public CA; you install this certificate on the NDES server.
  • Server authentication certificate: Requested from your issuing CA or a public CA; you install and bind this SSL certificate in IIS on the NDES server.
  • Trusted Root CA certificate: You export this certificate as a .cer file from the root CA, or from any device that trusts the root CA, and assign it to devices by using the Trusted CA certificate profile.

You use a single Trusted Root CA certificate per operating system platform, and associate it with each Trusted Root Certificate profile you create.

You can use additional Trusted Root CA certificates when needed. For example, you might do this to provide trust for a CA that signs the server authentication certificates for your Wi-Fi access points.

Accounts

  • NDES service account: Enter a domain user account to use as the NDES service account.

Configure your infrastructure

Before you can configure certificate profiles, complete the following steps. These steps require knowledge of Windows Server 2012 R2 and later, and of Active Directory Certificate Services (ADCS):

Step 1 - Create an NDES service account

Create a domain user account to use as the NDES service account. You enter this account when you configure templates on the issuing CA, before you install and configure NDES. Make sure the user has the default rights: Log on locally, Log on as a service, and Log on as a batch job. Some organizations have hardening policies that disable those rights.

Step 2 - Configure certificate templates on the certification authority

In this task, you:

  • Configure a certificate template for NDES
  • Publish the certificate template for NDES
Configure the certification authority
  1. Sign in as an enterprise administrator.

  2. On the issuing CA, use the Certificate Templates snap-in to create a new custom template. Or, copy an existing template (like the User template) and then update it for use with NDES.

    Note

    The NDES certificate template must be based on a v2 certificate template (with Windows 2003 compatibility).

    The template must have the following configuration:

    • Enter a friendly Template display name for the template.

    • In Subject Name, select Supply in the request. (Security is enforced by the Intune policy module for NDES.)

    • On the Extensions tab, confirm that the Description of Application Policies includes Client Authentication.

      Important

      For iOS and macOS certificate templates, on the Extensions tab, edit Key Usage and confirm that Signature is proof of origin is not selected.

    • In Security, add the NDES service account and give it Enroll permissions to the template. Intune admins who create SCEP profiles require Read rights so that they can browse to the template when creating SCEP profiles.

      Note

      To revoke certificates, the NDES service account needs Issue and Manage Certificates rights for each certificate template used by a certificate profile.

  3. Review the Validity period on the General tab of the template. By default, Intune uses the value configured in the template. However, you can configure the CA to allow the requester to enter a different value, which you can then set from within the Intune administrator console. If you always want to use the value in the template, skip the remainder of this step.

    Important

    iOS and macOS always use the value set in the template, regardless of other configurations you make.

Example template configuration:

Screenshots: Template, Request Handling tab; Template, Subject Name tab; Template, Security tab; Template, Extensions tab; Template, Issuance Requirements tab.

Important

For Application Policies, only add the application policies required. Confirm your choices with your security admins.

Configure the CA to allow the requester to enter the validity period:

  1. On the CA, run the following commands:

    • certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
    • net stop certsvc
    • net start certsvc
  2. On the issuing CA, use the Certification Authority snap-in to publish the certificate template. Select the Certificate Templates node, click Action > New > Certificate Template to Issue, and then select the template you created in step 2.

  3. Validate that the template published by viewing it under the Certificate Templates folder.

Step 3 - Configure prerequisites on the NDES server

In this task, you:

  • Add NDES to a Windows Server and configure IIS to support NDES
  • Add the NDES service account to the IIS_IUSR group
  • Set the SPN for the NDES service account
  1. On the server that hosts NDES, sign in as an Enterprise Administrator, and then use the Add Roles and Features Wizard to install NDES:

    1. In the wizard, select Active Directory Certificate Services to gain access to the AD CS role services. Select Network Device Enrollment Service, uncheck Certification Authority, and then complete the wizard.

      Tip

      In Installation progress, do not select Close. Instead, select the Configure Active Directory Certificate Services on the destination server link. The AD CS Configuration wizard opens, which you use for the next task. After AD CS Configuration opens, you can close the Add Roles and Features wizard.

    2. When NDES is added to the server, the wizard also installs IIS. Ensure IIS has the following configuration:

    3. Web Server > Security > Request Filtering

    4. Web Server > Application Development > ASP.NET 3.5. Installing ASP.NET 3.5 installs .NET Framework 3.5. When installing .NET Framework 3.5, install both the core .NET Framework 3.5 feature and HTTP Activation.

    5. Web Server > Application Development > ASP.NET 4.5. Installing ASP.NET 4.5 installs .NET Framework 4.5. When installing .NET Framework 4.5, install the core .NET Framework 4.5 feature, ASP.NET 4.5, and the WCF Services > HTTP Activation feature.

    6. Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility

    7. Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility

    8. On the server, add the NDES service account as a member of the IIS_IUSR group.

  2. In an elevated command prompt, run the following command to set the SPN of the NDES service account:

    setspn -s http/<DNS name of NDES Server> <Domain name>\<NDES Service account name>

    For example, if your NDES server is named Server01, your domain is Contoso.com, and the service account is NDESService, use:

    setspn -s http/Server01.contoso.com contoso\NDESService

Step 4 - Configure NDES for use with Intune

In this task, you:

  • Configure NDES for use with the issuing CA
  • Bind the server authentication (SSL) certificate in IIS
  • Configure request filtering in IIS
  1. On the NDES server, open the AD CS Configuration wizard, and then make the following updates:

    Tip

    If you clicked the link in the previous task, this wizard is already open. Otherwise, open Server Manager to access the post-deployment configuration for Active Directory Certificate Services.

    • In Role Services, select Network Device Enrollment Service
    • In Service Account for NDES, enter the NDES service account
    • In CA for NDES, click Select, and then select the issuing CA where you configured the certificate template
    • In Cryptography for NDES, set the key length to meet your company requirements.
    • In Confirmation, select Configure to complete the wizard.
  2. After the wizard completes, update the following registry key on the NDES server:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\

    To update this key, identify the certificate template's Purpose (found on its Request Handling tab). Then, update the corresponding registry entry by replacing the existing data with the name of the certificate template (not the display name of the template) that you specified in Task 1. The following list maps the certificate template purpose to the value in the registry, and to the value seen in the Intune admin console for the SCEP profile:

    • Purpose Signature: edit the SignatureTemplate value; shown in the Intune admin console as Digital Signature
    • Purpose Encryption: edit the EncryptionTemplate value; shown in the Intune admin console as Key Encipherment
    • Purpose Signature and encryption: edit the GeneralPurposeTemplate value; shown in the Intune admin console as Key Encipherment and Digital Signature

    For example, if the Purpose of your certificate template is Encryption, then edit the EncryptionTemplate value to be the name of your certificate template.

  3. The NDES server receives long URLs (queries), which require you to add two registry entries:

    • Location HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters, value MaxFieldLength, type DWORD, data 65534 (decimal)
    • Location HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters, value MaxRequestBytes, type DWORD, data 65534 (decimal)
  4. In IIS Manager, select Default Web Site > Request Filtering > Edit Feature Settings. Change the Maximum URL length and Maximum query string to 65534, as shown:

    Screenshot: IIS maximum URL and query string length

  5. Restart the server. Running iisreset on the server is not sufficient to finalize these changes.

  6. Browse to http://*FQDN*/certsrv/mscep/mscep.dll. You should see an NDES page similar to the following:

    Screenshot: Test NDES

    If you get a 503 Service unavailable, check the event viewer. It's likely that the application pool is stopped due to a missing right for the NDES user. Those rights are described in Task 1.

Install and bind certificates on the NDES server
  1. On your NDES server, request and install a server authentication certificate from your internal CA or a public CA. You then bind this SSL certificate in IIS.

    Tip

    After you bind the SSL certificate in IIS, install a client authentication certificate. This certificate can be issued by any CA that is trusted by the NDES server. Although it's not a best practice, you can use the same certificate for both server and client authentication, as long as the certificate has both Enhanced Key Usages (EKUs). Review the following steps for information about these authentication certificates.

    1. After you get the server authentication certificate, open IIS Manager, and select the Default Web Site. In the Actions pane, select Bindings.

    2. Select Add, set Type to https, and then confirm the port is 443. Only port 443 is supported for standalone Intune.

    3. For SSL certificate, enter the server authentication certificate.

      Note

      If the NDES server uses an external and an internal name for a single network address, then the server authentication certificate must have:

      • A Subject Name with the external public server name
      • A Subject Alternative Name that includes the internal server name
  2. On your NDES server, request and install a client authentication certificate from your internal CA or a public certificate authority. This can be the same certificate as the server authentication certificate if that certificate has both capabilities.

    The client authentication certificate must have the following properties:

    • Enhanced Key Usage: This value must include Client Authentication

    • Subject Name: This value must be equal to the DNS name of the server where you are installing the certificate (the NDES server)

Configure IIS request filtering
  1. On the NDES server, open IIS Manager, select the Default Web Site in the Connections pane, and then open Request Filtering.

  2. Select Edit Feature Settings, and then set the following values:

    • Maximum query string (Bytes) = 65534
    • Maximum URL length (Bytes) = 65534
  3. Review the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

    Confirm the following values are set as DWORD entries:

    • Name: MaxFieldLength, with a decimal value of 65534
    • Name: MaxRequestBytes, with a decimal value of 65534
  4. Reboot the NDES server. The server is now ready to support the Certificate Connector.
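As an added example (not from the original article and not Microsoft's own tooling), the following PowerShell applies the Step 4 changes on the NDES server (the MSCEP template value, the HTTP.sys limits, and the IIS request-filtering limits), reads them back, and provides the post-reboot check of the mscep.dll URL. It assumes the template's name is the placeholder IntuneSCEPTemplate with a Purpose of Signature and encryption, and that it runs in an elevated session on the NDES server after the AD CS Configuration wizard has finished.

```powershell
# Added example, not from the original article or from Microsoft. Applies the
# NDES-side changes from Step 4 and reads them back. Run elevated on the NDES
# server after the AD CS Configuration wizard has completed.
#Requires -RunAsAdministrator
Import-Module WebAdministration

# Placeholders: use your template's NAME (not its display name) and the
# Purpose shown on its Request Handling tab.
$TemplateName    = 'IntuneSCEPTemplate'
$TemplatePurpose = 'SignatureAndEncryption'   # Signature | Encryption | SignatureAndEncryption

$MscepKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$HttpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Limit    = 65534
$Site     = 'IIS:\Sites\Default Web Site'
$Filter   = 'system.webServer/security/requestFiltering/requestLimits'

# Template purpose -> MSCEP registry value, as in the article's mapping.
$valueName = switch ($TemplatePurpose) {
    'Signature'              { 'SignatureTemplate' }
    'Encryption'             { 'EncryptionTemplate' }
    'SignatureAndEncryption' { 'GeneralPurposeTemplate' }
    default                  { throw "Unknown template purpose: $TemplatePurpose" }
}
Set-ItemProperty -Path $MscepKey -Name $valueName -Value $TemplateName

# Long SCEP URLs: HTTP.sys field and request limits, DWORD 65534 (decimal).
foreach ($name in 'MaxFieldLength', 'MaxRequestBytes') {
    New-ItemProperty -Path $HttpKey -Name $name -PropertyType DWord -Value $Limit -Force | Out-Null
}

# Matching IIS request-filtering limits (Maximum URL length / Maximum query string).
Set-WebConfigurationProperty -PSPath $Site -Filter $Filter -Name maxUrl         -Value $Limit
Set-WebConfigurationProperty -PSPath $Site -Filter $Filter -Name maxQueryString -Value $Limit

# Read every setting back so the state can be confirmed before the reboot.
function Get-NdesSettingReport {
    $mscep  = Get-ItemProperty -Path $MscepKey
    $http   = Get-ItemProperty -Path $HttpKey
    $limits = Get-WebConfiguration -PSPath $Site -Filter $Filter
    [pscustomobject]@{
        MscepValue      = $valueName
        TemplateName    = $mscep.$valueName
        MaxFieldLength  = $http.MaxFieldLength
        MaxRequestBytes = $http.MaxRequestBytes
        IisMaxUrl       = $limits.maxUrl
        IisMaxQuery     = $limits.maxQueryString
    }
}

# After the reboot and the connector install, the mscep.dll URL should answer
# 403 (the article's validation step). A 503 points at a stopped application
# pool, usually because the NDES service account lacks a logon right.
function Test-NdesEndpoint {
    param([Parameter(Mandatory)][string]$Fqdn)
    $url = "http://$Fqdn/certsrv/mscep/mscep.dll"
    try {
        return (Invoke-WebRequest -Uri $url -UseBasicParsing).StatusCode
    } catch {
        # Non-2xx responses surface as exceptions; report the status code instead.
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

Get-NdesSettingReport | Format-List
Write-Host 'Reboot the server now; iisreset alone does not apply the HTTP.sys change.'
# After the reboot: Test-NdesEndpoint -Fqdn 'ndes01.contoso.com'   (placeholder FQDN)
```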

Step 5 - Enable, install, and configure the Intune Certificate Connector

In this task, you:

  • Enable support for NDES in Intune.
  • Download, install, and configure the Certificate Connector on the server in your environment that hosts the Network Device Enrollment Service (NDES) role. To increase the scale of the NDES implementation in your organization, you can install multiple NDES servers, with a Microsoft Intune Certificate Connector on each NDES server.
Download, install, and configure the Certificate Connector

  1. Sign in to the Azure portal.

  2. Select All services, filter on Intune, and select Microsoft Intune.

  3. Select Device configuration, and then select Certification Authority.

  4. Select Add, and then Download the connector file. Save the download to a location that you can access from the server where you're going to install it.

  5. After the download completes, go to the server hosting the Network Device Enrollment Service (NDES) role. Then:

    1. Be sure the .NET 4.5 Framework is installed, as it's required by the NDES Certificate Connector. The .NET 4.5 Framework is automatically included with Windows Server 2012 R2 and newer versions.
    2. Run the installer (NDESConnectorSetup.exe). The installer also installs the policy module for NDES and the CRP Web Service. The CRP Web Service, CertificateRegistrationSvc, runs as an application in IIS.

    Note

    When you install NDES for standalone Intune, the CRP service is installed automatically with the Certificate Connector. When you use Intune with Configuration Manager, you install the Certificate Registration Point as a separate site system role.

  6. When prompted for the client certificate for the Certificate Connector, choose Select, and select the client authentication certificate you installed on your NDES server in Task 3.

    After you select the client authentication certificate, you are returned to the Client Certificate for Microsoft Intune Certificate Connector page. Although the certificate you selected is not shown, select Next to view the properties of that certificate. Select Next, and then Install.

    Important

    The Intune Certificate Connector can't be enrolled on a device with Internet Explorer Enhanced Security Configuration enabled. To use the Intune Certificate Connector, disable IE Enhanced Security Configuration.

  7. After the wizard completes, but before closing the wizard, click Launch the Certificate Connector UI.

    Tip

    If you close the wizard before launching the Certificate Connector UI, you can reopen it by running the following command:

    <install_Path>\NDESConnectorUI\NDESConnectorUI.exe

  8. In the Certificate Connector UI:

    Select Sign In, and enter your Intune service administrator credentials, or credentials for a tenant administrator with the global administration permission.

    Important

    The user account must be assigned a valid Intune license. If the user account does not have a valid Intune license, then NDESConnectorUI.exe fails.

    If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select Use proxy server, and then enter the proxy server name, port, and account credentials to connect.

    Select the Advanced tab, and then enter credentials for an account that has the Issue and Manage Certificates permission on your issuing certificate authority. Apply your changes.

    You can now close the Certificate Connector UI.

  9. Open a command prompt, enter services.msc, and then press Enter. Right-click the Intune Connector Service, and select Restart.

To validate that the service is running, open a browser and enter the following URL. It should return a 403 error:

http://<FQDN_of_your_NDES_server>/certsrv/mscep/mscep.dll

Note

TLS 1.2 support is included with the NDES Certificate Connector. So if the server with the NDES Certificate Connector installed supports TLS 1.2, then TLS 1.2 is used. If the server doesn't support TLS 1.2, then TLS 1.1 is used. Currently, TLS 1.1 is used for authentication between the devices and the server.

建立 SCEP 憑證設定檔Create a SCEP certificate profile

  1. 在 Azure 入口網站中,開啟 Microsoft Intune。In the Azure portal, open Microsoft Intune.

  2. 選取 [裝置設定] > [設定檔] > [建立設定檔]。Select Device configuration > Profiles > Create profile.

  3. 輸入 SCEP 憑證設定檔的 [名稱] 與 [描述]。Enter a Name and Description for the SCEP certificate profile.

  4. 從 [平台] 下拉式清單中,選取此 SCEP 憑證的裝置平台。From the Platform drop-down list, select the device platform for this SCEP certificate. 您目前可選取下列平台之一,進行裝置限制設定︰Currently, you can select one of the following platforms for device restriction settings:

    • AndroidAndroid
    • iOSiOS
    • macOSmacOS
    • Windows Phone 8.1Windows Phone 8.1
    • Windows 8.1 及更新版本Windows 8.1 and later
    • Windows 10 及更新版本Windows 10 and later
  5. 從 [設定檔類型] 下拉式清單中,選取 [SCEP 憑證]。From the Profile type drop-down list, select SCEP certificate.

  6. 在 [SCEP 憑證] 窗格中,進行以下設定:On the SCEP Certificate pane, configure the following settings:

    • 憑證有效期間:如果您已在發行 CA 上執行 certutil - setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE 命令以允許自訂有效期間,就可以輸入憑證到期之前的剩餘時間長度。Certificate validity period: If you ran the certutil - setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE command on the issuing CA, which allows a custom validity period, you can enter the amount of remaining time before the certificate expires.
      您可以輸入一個比憑證範本中指定的有效期間更低,而不是更高的值。You can enter a value that is lower than the validity period in the certificate template, but not higher. 例如,如果憑證範本中的憑證有效期間為兩年,您可以輸入一年而不是五年的值。For example, if the certificate validity period in the certificate template is two years, you can enter a value of one year, but not a value of five years. 該值也必須低於發行 CA 憑證的剩餘有效期。The value must also be lower than the remaining validity period of the issuing CA's certificate.

    • 金鑰儲存提供者 (KSP) (Windows Phone 8.1、Windows 8.1、Windows 10):輸入儲存憑證金鑰的位置。Key storage provider (KSP) (Windows Phone 8.1, Windows 8.1, Windows 10): Enter where the key to the certificate is stored. 選擇下列其中一個值:Choose from one of the following values:

      • 註冊至受信任平台模組 (TPM) KSP (如果存在),否則註冊至軟體 KSPEnroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP
      • 註冊至信賴平台模組 (TPM) KSP,否則失敗Enroll to Trusted Platform Module (TPM) KSP, otherwise fail
      • 註冊至 Passport,否則失敗 (Windows 10 及更新版本)Enroll to Passport, otherwise fail (Windows 10 and later)
      • 註冊至軟體 KSPEnroll to Software KSP
    • 主體名稱格式:從清單中選取 Intune 如何自動在憑證要求中建立主體名稱。Subject name format: From the list, select how Intune automatically creates the subject name in the certificate request. 如果憑證是針對使用者,您也可以在主體名稱中包含使用者的電子郵件地址。If the certificate is for a user, you can also include the user's email address in the subject name. 從下列選項進行選擇:Choose from:

      • 未設定Not configured

      • 一般名稱Common name

      • 包括電子郵件的一般名稱Common name including email

      • 一般名稱及電子郵件地址Common name as email

      • IMEI (國際行動設備識別)IMEI (International Mobile Equipment Identity)

      • 序號Serial number

      • 自訂:當您選取此選項時,會顯示另一個下拉式欄位。Custom: When you select this option, another drop-down field is displayed. 您可以使用此欄位輸入自訂主體名稱格式。Use this field to enter a custom subject name format. 自訂格式支援兩個變數: (CN)電子郵件 (E)Custom format supports two variables: Common Name (CN) and Email (E). 一般名稱 (CN) 可以設定為下列任何變數:Common Name (CN) can be set to any of the following variables:

        • CN={{UserName}}: The user principal name of the user, such as janedoe@contoso.com

        • CN={{AAD_Device_ID}}: An ID assigned when you register a device in Azure Active Directory (AD). This ID is typically used to authenticate with Azure AD.

        • CN={{SERIALNUMBER}}: The unique serial number (SN) typically used by the manufacturer to identify a device

        • CN={{IMEINumber}}: The International Mobile Equipment Identity (IMEI) unique number used to identify a mobile phone

        • CN={{OnPrem_Distinguished_Name}}: A sequence of relative distinguished names separated by commas, such as CN=Jane Doe,OU=UserAccounts,DC=corp,DC=contoso,DC=com

          To use the {{OnPrem_Distinguished_Name}} variable, be sure to sync the onPremisesDistinguishedName user attribute to your Azure AD using Azure AD Connect.

        • CN={{onPremisesSamAccountName}}: Admins can sync the samAccountName attribute from Active Directory to Azure AD using Azure AD Connect, into an attribute called onPremisesSamAccountName. Intune can substitute that variable as part of a certificate issuance request in the subject of a SCEP certificate. The samAccountName attribute is the user logon name used to support clients and servers from a previous version of Windows (pre-Windows 2000). The user logon name format is DomainName\testUser, or only testUser.

          To use the {{onPremisesSamAccountName}} variable, be sure to sync the onPremisesSamAccountName user attribute to your Azure AD using Azure AD Connect.

        By combining one or more of these variables with static strings, you can create a custom subject name format, such as: CN={{UserName}},E={{EmailAddress}},OU=Mobile,O=Finance Group,L=Redmond,ST=Washington,C=US.
        In this example, you create a subject name format that, in addition to the CN and E variables, uses static strings for the Organizational Unit, Organization, Location, State, and Country values. The CertStrToName function documentation describes this function and the strings it supports.
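As an added illustration of how the subject name format above is expanded (example code written for this page, not Intune's own implementation), the following renders a template such as CN={{UserName}},E={{EmailAddress}},OU=Mobile,... from synced attributes, refuses a variable whose attribute was not synced, RFC 4514-escapes each substituted value so a comma in it cannot add an RDN, and passes OnPrem_Distinguished_Name through unescaped because it is already an RDN sequence. The attribute values are constructed sample data.

```python
import re

# Variables the subject name format can reference, as listed on this page.
KNOWN_VARIABLES = {"UserName", "EmailAddress", "AAD_Device_ID", "SERIALNUMBER",
                   "IMEINumber", "OnPrem_Distinguished_Name", "onPremisesSamAccountName"}
_VAR = re.compile(r"\{\{(\w+)\}\}")
_SPECIAL = set(',+"\\<>;')  # characters RFC 4514 requires escaping in a value

def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so a comma in it cannot start a new RDN."""
    out = "".join("\\" + ch if ch in _SPECIAL else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def render_subject(template: str, attrs: dict) -> str:
    """Expand {{Variable}} placeholders from the synced user/device attributes."""
    def substitute(match):
        name = match.group(1)
        if name not in KNOWN_VARIABLES:
            raise ValueError(f"unknown subject name variable {name}")
        value = attrs.get(name)
        if not value:
            # Typical cause: the attribute was not synced with Azure AD Connect.
            raise ValueError(f"{name} has no value for this user or device")
        # OnPrem_Distinguished_Name is already an RDN sequence; keep its commas.
        return value if name == "OnPrem_Distinguished_Name" else escape_rdn_value(value)
    return _VAR.sub(substitute, template)

def split_rdns(dn: str) -> list:
    """Split a DN on unescaped commas only, honouring backslash escapes."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2]); i += 2
        elif dn[i] == ",":
            rdns.append("".join(current)); current = []; i += 1
        else:
            current.append(dn[i]); i += 1
    rdns.append("".join(current))
    return rdns

# Constructed sample attributes for one user (not real directory data).
SAMPLE_ATTRS = {"UserName": "janedoe@contoso.com", "EmailAddress": "janedoe@contoso.com"}
TEMPLATE = "CN={{UserName}},E={{EmailAddress}},OU=Mobile,O=Finance Group,L=Redmond,ST=Washington,C=US"

if __name__ == "__main__":
    print(render_subject(TEMPLATE, SAMPLE_ATTRS))
    print(split_rdns(render_subject(TEMPLATE, SAMPLE_ATTRS)))
```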

  • Subject alternative name: Enter how Intune automatically creates the values for the subject alternative name (SAN) in the certificate request. For example, if you select a user certificate type, you can include the user principal name (UPN) in the subject alternative name. If the client certificate is used to authenticate to a Network Policy Server, you must set the subject alternative name to the UPN.
  • Key usage: Enter the key usage options for the certificate. Your options:
    • Key encipherment: Allow key exchange only when the key is encrypted
    • Digital signature: Allow key exchange only when a digital signature helps protect the key
  • Key size (bits): Select the number of bits contained in the key
  • Hash algorithm (Android, Windows Phone 8.1, Windows 8.1, Windows 10): Select one of the available hash algorithm types to use with this certificate. Select the strongest level of security that the connecting devices support.
  • Root Certificate: Choose a root CA certificate profile you previously configured and assigned to the user or device. This CA certificate must be the root certificate for the CA that issues the certificate you are configuring in this certificate profile.
  • Extended key usage: Choose Add to add values for the certificate's intended purpose. In most cases, the certificate requires Client Authentication so that the user or device can authenticate to a server. However, you can add any other key usages as required.
  • Enrollment Settings
    • Renewal threshold (%): Enter the percentage of the certificate lifetime that remains before the device requests renewal of the certificate.
    • SCEP Server URLs: Enter one or more URLs for the NDES servers that issue certificates via SCEP.
    • Select OK, and then Create to create your profile.

The profile is created and appears on the profiles list pane.

Assign the certificate profile

Consider the following before you assign certificate profiles to groups:

  • When you assign certificate profiles to groups, the certificate file from the Trusted CA certificate profile is installed on the device. The device uses the SCEP certificate profile to create a certificate request.

  • Certificate profiles install only on devices running the platform you chose when you created the profile.

  • You can assign certificate profiles to user collections or to device collections.

  • To publish a certificate to a device quickly after the device enrolls, assign the certificate profile to a user group rather than to a device group. If you assign to a device group, a full device registration is required before the device receives policies.

  • Although you assign each profile separately, you also need to assign the Trusted Root CA profile and the SCEP or PKCS profile. Otherwise, the SCEP or PKCS certificate policy fails.

    Note

    For iOS, you should expect to see multiple copies of the certificate in the management profile if you deploy multiple resource profiles that use the same certificate profile.

For information about how to assign profiles, see Assign device profiles.

Intune Connector setup verification and troubleshooting

To troubleshoot issues and verify the Intune Connector setup, see Certificate Authority script samples.

Intune Connector events and diagnostic codes

Starting with version 6.1806.x.x, the Intune Connector Service logs events in the Event Viewer (Applications and Services Logs > Microsoft Intune Connector). Use these events to help troubleshoot potential issues in the configuration of the Intune Connector. These events log the successes and failures of an operation, and also contain diagnostic codes with messages to help the IT admin troubleshoot.

Event IDs and descriptions

Note

For details on the Related Diagnostic Codes for each event, use the Diagnostic codes table (in this article).

| Event ID | Event Name | Event Description | Related Diagnostic Codes |
| --- | --- | --- | --- |
| 10010 | StartedConnectorService | Connector service started | 0x00000000, 0x0FFFFFFF |
| 10020 | StoppedConnectorService | Connector service stopped | 0x00000000, 0x0FFFFFFF |
| 10100 | CertificateRenewal_Success | Connector enrollment certificate successfully renewed | 0x00000000, 0x0FFFFFFF |
| 10102 | CertificateRenewal_Failure | Connector enrollment certificate failed to renew. Reinstall the connector. | 0x00000000, 0x00000405, 0x0FFFFFFF |
| 10302 | RetrieveCertificate_Error | Failed to retrieve the connector enrollment certificate from the registry. Review event details for the certificate thumbprint related to this event. | 0x00000000, 0x00000404, 0x0FFFFFFF |
| 10301 | RetrieveCertificate_Warning | Check diagnostic information in event details. | 0x00000000, 0x00000403, 0x0FFFFFFF |
| 20100 | PkcsCertIssue_Success | Successfully issued a PKCS certificate. Review event details for the device ID, user ID, CA name, certificate template name, and certificate thumbprint related to this event. | 0x00000000, 0x0FFFFFFF |
| 20102 | PkcsCertIssue_Failure | Failed to issue a PKCS certificate. Review event details for the device ID, user ID, CA name, certificate template name, and certificate thumbprint related to this event. | 0x00000000, 0x00000400, 0x00000401, 0x0FFFFFFF |
| 20200 | RevokeCert_Success | Successfully revoked the certificate. Review event details for the device ID, user ID, CA name, and certificate serial number related to this event. | 0x00000000, 0x0FFFFFFF |
| 20202 | RevokeCert_Failure | Failed to revoke the certificate. Review event details for the device ID, user ID, CA name, and certificate serial number related to this event. For additional information, see the NDES SVC logs. | 0x00000000, 0x00000402, 0x0FFFFFFF |
| 20300 | Upload_Success | Successfully uploaded the certificate's request or revocation data. Review the event details for the upload details. | 0x00000000, 0x0FFFFFFF |
| 20302 | Upload_Failure | Failed to upload the certificate's request or revocation data. Review the event details > Upload State to determine the point of failure. | 0x00000000, 0x0FFFFFFF |
| 20400 | Download_Success | Successfully downloaded a request to sign a certificate, download a client certificate, or revoke a certificate. Review the event details for the download details. | 0x00000000, 0x0FFFFFFF |
| 20402 | Download_Failure | Failed to download a request to sign a certificate, download a client certificate, or revoke a certificate. Review the event details for the download details. | 0x00000000, 0x0FFFFFFF |
| 20500 | CRPVerifyMetric_Success | Certificate Registration Point successfully verified a client challenge | 0x00000000, 0x0FFFFFFF |
| 20501 | CRPVerifyMetric_Warning | Certificate Registration Point completed but rejected the request. See the diagnostic code and message for more details. | 0x00000000, 0x00000411, 0x0FFFFFFF |
| 20502 | CRPVerifyMetric_Failure | Certificate Registration Point failed to verify a client challenge. See the diagnostic code and message for more details. See the event message details for the Device ID corresponding to the challenge. | 0x00000000, 0x00000408, 0x00000409, 0x00000410, 0x0FFFFFFF |
| 20600 | CRPNotifyMetric_Success | Certificate Registration Point successfully finished the notify process and sent the certificate to the client device. | 0x00000000, 0x0FFFFFFF |
| 20602 | CRPNotifyMetric_Failure | Certificate Registration Point failed to finish the notify process. See the event message details for information on the request. Verify the connection between the NDES server and the CA. | 0x00000000, 0x0FFFFFFF |

Diagnostic codes

| Diagnostic Code | Diagnostic Name | Diagnostic Message |
| --- | --- | --- |
| 0x00000000 | Success | Success |
| 0x00000400 | PKCS_Issue_CA_Unavailable | Certification authority is not valid or is unreachable. Verify that the certification authority is available, and that your server can communicate with it. |
| 0x00000401 | Symantec_ClientAuthCertNotFound | Symantec Client Auth certificate was not found in the local cert store. See the article Install the Symantec registration authorization certificate for more information. |
| 0x00000402 | RevokeCert_AccessDenied | The specified account does not have permissions to revoke a certificate from the CA. See the CA Name field in the event message details to determine the issuing CA. |
| 0x00000403 | CertThumbprint_NotFound | Could not find a certificate that matched your input. Enroll the certificate connector and try again. |
| 0x00000404 | Certificate_NotFound | Could not find a certificate that matched the input supplied. Re-enroll the certificate connector and try again. |
| 0x00000405 | Certificate_Expired | A certificate expired. Re-enroll the certificate connector to renew the certificate and try again. |
| 0x00000408 | CRPSCEPCert_NotFound | CRP Encryption certificate could not be found. Verify that NDES and the Intune Connector are set up correctly. |
| 0x00000409 | CRPSCEPSigningCert_NotFound | Signing certificate could not be retrieved. Verify that the Intune Connector Service is configured correctly and is running. Verify also that the certificate download events were successful. |
| 0x00000410 | CRPSCEPDeserialize_Failed | Failed to deserialize the SCEP challenge request. Verify that NDES and the Intune Connector are set up correctly. |
| 0x00000411 | CRPSCEPChallenge_Expired | Request denied due to an expired certificate challenge. The client device can retry after obtaining a new challenge from the management server. |
| 0x0FFFFFFFF | Unknown_Error | We are unable to complete your request because a server-side error occurred. Please try again. |

Next steps

Use PKCS certificates, or issue PKCS certificates from a Symantec PKI Manager web service.