Thanks Saurabh for the refreshers. Could you help with more videos on Wi-Fi, Email and VPN authentication after the NDES/SCEP profile setup is done?
Thank you for this informative content. I am hoping you can shed some light on steps 2 and 3. How exactly does the connectivity work for Intune to reach out to NDES for challenge generation? Is there a reverse tunnel over the connector? How can I see the traffic? Can NDES log the challenge generation? I do not see any mscep_admin requests in my IIS logs. Thanks.
Amazing again. Happy new year Saurabh! Thanks for sharing your vast knowledge with us!
Thanks for the detailed video. Can you share information on how the challenge password can be made static instead of dynamic? (I changed the MSCEP registry value "UseSinglePassword", but since I have an ADS user tied to it, I am not able to get it working.)
Great video ❤
yes ! another video !
Hi. I appreciate the time and effort. Very helpful.
I noticed with the SCEP iOS configuration profile two certificates get issued one after the other for each iPhone.
Please advise why that is.
Thanks.
Yes, it’s expected behaviour of the iOS operating system.
The 1st certificate gets issued as expected. Now if there is a VPN/Wi-Fi profile linked with the SCEP cert, then another certificate gets issued to the device. This behaviour has always existed with the iOS operating system and it’s not exactly an “issue”.
@@everythingaboutintune1713 One more question. Is there a way to change the SCEP Device Identity Certificate name (ModelName=AC_...) before/after it is installed on the iPhone? I understand the SCEP CA template is set to "Supply in the Request" but I am wondering if that can be changed.
@@martinm.alfrido9926 I am not sure, but I don’t think so.
@@everythingaboutintune1713 I appreciate your time and help, Sir.
Amazing video, you have absolutely great content and your in-depth overview is the best out there! Glad I found your YT and site.
I followed your guide and am having some challenges with the SCEP for iOS certificate being deployed to my test Intune devices. I don't see logs in IIS or the Certificate Authority with regard to them issuing/processing the request.
While I review and troubleshoot, have any others out there experienced this?
I figured out my issue:
1. I had changed my PKI infrastructure from SHA1 to SHA256 and had to replace my root CA certificate in the Intune admin portal.
2. For the SCEP URLs I had put the internal NDES link instead of the Entra ID App Proxy link.
Glad I found your video again as it helped me get this implemented in my Lab environment and next milestone is Production.
Let's go for it! 🎉
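A PowerShell check that follows up on the two causes found above (wrong SCEP URL, stale root CA in Intune). It is an added example, not from the video or from Microsoft; the SCEP URL and the path to the uploaded root certificate are placeholders.

```powershell
# Added diagnostic, not from the video: query the SCEP URL that the Intune profile
# hands to devices and compare the CA it returns with the root CA uploaded to Intune.
# Both values below are placeholders for your own environment.
$ScepUrl        = 'https://ndes-contoso.msappproxy.net/certsrv/mscep/mscep.dll'  # external (App Proxy) URL
$IntuneRootPath = 'C:\pki\root-ca-uploaded-to-intune.cer'                          # copy of the .cer in Intune

Add-Type -AssemblyName System.Security

# GetCACaps answers with a plain-text capability list; any answer proves the URL is reachable
# from where you run this (run it from outside the corporate network to test the device path).
$caps = Invoke-WebRequest -Uri "$ScepUrl?operation=GetCACaps" -UseBasicParsing
Write-Host "GetCACaps:`n$($caps.Content)"

# GetCACert answers with a degenerate PKCS#7 blob carrying the CA and RA certificates.
$tmp = [System.IO.Path]::GetTempFileName()
Invoke-WebRequest -Uri "$ScepUrl?operation=GetCACert" -UseBasicParsing -OutFile $tmp
$cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
$cms.Decode([System.IO.File]::ReadAllBytes($tmp))
Remove-Item $tmp

$cms.Certificates | ForEach-Object {
    [pscustomobject]@{
        Subject    = $_.Subject
        Issuer     = $_.Issuer
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.NotAfter
        SelfSigned = ($_.Subject -eq $_.Issuer)
    }
} | Format-Table -AutoSize

# The root CA in Intune must be the one the returned CA certificate(s) chain to: either the
# root itself is in the response, or a returned CA certificate names it as issuer.
$uploaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($IntuneRootPath)
$match = $cms.Certificates | Where-Object {
    $_.Thumbprint -eq $uploaded.Thumbprint -or $_.Issuer -eq $uploaded.Subject
}
if ($match) {
    Write-Host "OK: SCEP endpoint chains to the root CA uploaded to Intune ($($uploaded.Thumbprint))."
} else {
    Write-Warning 'The CA served by this SCEP URL does not chain to the root CA in Intune; re-upload the current root (e.g. after a SHA1 -> SHA256 rebuild).'
}
```

If GetCACaps fails from an external network but works from the NDES server itself, the URL in the profile is the internal one and devices outside the network cannot reach it.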
Thanks for the clear understanding again. KUDOS.
One question: why are you using the "Default Computer Template" for the SSL certificate instead of the "Web Server Template", which requires additional info like:
Common name: FQDN NDES and DNS: FQDN NDES & External URL
The SSL certificate can be requested from ANY template as long as it has the Server Authentication EKU (and the other needed attributes).
I chose the Computer template as it was already published and the NDES server had access to request a certificate from it. The Web Server template can definitely be used as well.
Providing the Common Name as you suggested is not mandatory (as you can see, in my setup it works fine without providing it), but it's definitely recommended and is a best practice.
Friend, the Schannel DWORD registry entries are not required, right?
It's not mandatory, that's why I did not do it in the demo (and overcomplicate things). However, in some specific scenarios I have had the need to add them.
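To check the point in the reply above (any template works as long as the certificate carries the Server Authentication EKU and covers the right names), here is a PowerShell check to run on the NDES server. It is an added example, not from the video; the two hostnames are placeholders for the NDES FQDN and the external URL's host.

```powershell
# Added check, not from the video: inspect the certificate bound to the NDES site's HTTPS
# binding and report whether it has the attributes discussed above.
$ExpectedNames = @('ndes01.corp.contoso.com', 'ndes-contoso.msappproxy.net')  # placeholders
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

Import-Module WebAdministration
$binding = Get-WebBinding -Protocol https | Select-Object -First 1
if (-not $binding) { throw 'No HTTPS binding found in IIS on this server.' }

$cert = Get-Item "Cert:\LocalMachine\$($binding.certificateStoreName)\$($binding.certificateHash)"

# Which template issued it is informational only; v1 templates (e.g. Computer) use the
# "Certificate Template Name" extension, v2+ templates "Certificate Template Information".
$templateExt = $cert.Extensions | Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' }
$template = if ($templateExt) { $templateExt.Format($false) } else { '(no template extension)' }

$hasServerAuth = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ServerAuthOid })

# Collect DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$dnsNames = @()
if ($sanExt) {
    $dnsNames = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
}
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

[pscustomobject]@{
    Subject       = $cert.Subject
    Template      = $template
    NotAfter      = $cert.NotAfter
    ServerAuthEKU = $hasServerAuth
    SanDnsNames   = ($dnsNames -join ', ')
    HasPrivateKey = $cert.HasPrivateKey
}

# Warn on each requirement that is not met rather than stopping at the first one.
foreach ($name in $ExpectedNames) {
    if ($dnsNames -notcontains $name -and $cn -ne $name) {
        Write-Warning "Certificate does not cover '$name'; clients validating that name will fail TLS."
    }
}
if (-not $hasServerAuth) { Write-Warning 'Certificate lacks the Server Authentication EKU.' }
if (-not $cert.HasPrivateKey) { Write-Warning 'No private key is associated with the bound certificate.' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning 'Certificate expires within 30 days.' }
```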
Hi Saurabh, I must say that your video content is really good and helps with understanding the background process in depth. So thank you for creating these educational videos. Question: the CA has been relocated to a new server, so SCEP stopped working with “Internal Error 500” on the NDES web page. I believe this is because it is no longer validating the RA certs? Can they be reissued, or do I need to reinstall NDES? Devices that already had a cert issued successfully in the past now show “revoke issued” in the Intune SCEP profile status. Does it break anything if we get NDES working again? Thanks in advance for your help.
I have done another video on NDES (a few years back) which is present in this channel.
Its workings are a little old, but there I have explained in detail how to fix the 500 error in NDES. You may wanna check that out!
Even if the video is 4-5 hours long,
once someone watches it, you win their heart.
I have a request to you please come up with one video for the VPN
At 22:56 of this video there is a diagram, but you did not mention the SCEP server role, whereas in the previous diagram you talked about the SCEP server and its blue and red endpoints.
How does a device request GetCACaps and GetCARequest? As I know, the SCEP profile contains only the URL of the SCEP server and the challenge password, which comes to the device from Intune, and Intune got it from NDES.
So my question is how the device knows about the NDES server or about the App Proxy.
Is the SCEP URL the address of the App Proxy?
Great video, highly thankful for this ❤❤