Intune PKCS configuration profile certificate request key size issue

Yachi Leo 0 Reputation points
2025-02-05T19:46:21.86+00:00

We are trying to deploy the device certificate from Intune using PKCS configuration. As required by MS documentation, we have defined the minimum key size in the certificate template as 2048 (our root CA certification key size is 4096, if this matters).

The devices get errors, as the logs from our AD CS say: "Active Directory Certificate Services denied request 8526 because the public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375 CERTSRV_E_KEY_LENGTH). The request was for CN=4a00a37f-3e90-4e10-bf51-1a5ecead823b. Additional information: Denied by Policy Module." We can see that the key sizes requested from this Intune policy are all 1024 bits, thus failing the 2048 bits defined in the template.

As troubleshooting, we can eliminate this issue by lowering the key size from 2048 to 1024, but this is not the desired key size.

We are clueless at this point because the PKCS policy does not allow us to change the key size. However, we can reproduce the same successful requests from manual requests.

Can anybody help with this, or do you have the same issue?

Thanks

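The mismatch the AD CS log describes (a 1024-bit key submitted against a 2048-bit template minimum), as an added example that is not from the thread or from any Intune/AD CS code: a stdlib-only Python check that reads the RSA modulus length out of a DER-encoded SubjectPublicKeyInfo or CSR and applies the template minimum, so a request can be inspected before the policy module rejects it. The sample keys are constructed (not real keys); `sample_spki` and the minimal DER helpers are assumptions for the demo.

```python
"""Check the RSA key size inside a DER CSR / SubjectPublicKeyInfo (stdlib only)."""

TEMPLATE_MIN_BITS = 2048            # minimum key size set in the template
CERTSRV_E_KEY_LENGTH = 0x80094811   # HRESULT the CA logs when the key is too short

def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """Depth-first walk; the first INTEGER longer than 8 bytes is the RSA modulus."""
    pos = 0
    while pos < len(der):
        tag, val, pos = _read_tlv(der, pos)
        if tag == 0x02 and len(val) > 8:
            return int.from_bytes(val, "big").bit_length()
        if tag in (0x30, 0x31):                       # SEQUENCE / SET: descend
            found = rsa_modulus_bits(val)
        elif tag == 0x03 and val[1:2] == b"\x30":     # BIT STRING wrapping RSAPublicKey
            found = rsa_modulus_bits(val[1:])         # skip the unused-bits byte
        else:
            found = None
        if found:
            return found
    return None

def check_request(der, minimum=TEMPLATE_MIN_BITS):
    """Mirror the policy module's decision: returns (key_bits, accepted)."""
    bits = rsa_modulus_bits(der)
    return bits, bits is not None and bits >= minimum

def hresult_to_signed(code):
    """Signed form that the AD CS event shows next to the hex HRESULT."""
    return code - (1 << 32) if code & 0x80000000 else code

# --- constructed sample input below (assumption: not a real key) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def _der_int(value):
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def sample_spki(bits):
    """SubjectPublicKeyInfo (rsaEncryption) whose modulus has exactly `bits` bits."""
    modulus = (1 << (bits - 1)) | 1
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(65537))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))
```

Feeding `rsa_modulus_bits` the DER of a real CSR (base64 body between the `-----BEGIN/END-----` lines) works the same way, since the walk reaches the SubjectPublicKeyInfo inside CertificationRequestInfo.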

2 answers

  1. Crystal-MSFT 53,811 Reputation points Microsoft External Staff
    2025-02-06T02:34:03.01+00:00

    @Yachi Leo, Thanks for posting in Q&A. From the error message, I find the certificate template that is used to request the certificate is configured with a key size of 2048. But the Intune certificate request uses 1024, which does not meet the certificate template's requirement. Therefore, it fails.

    From the PKCS certificate profile, there's no place to configure the key size.

    In the PKCS certificate workflow, I know the certificate request is created on the server hosting the Intune Certificate Connector:

    https://learn.microsoft.com/en-us/troubleshoot/mem/intune/certificates/troubleshoot-pkcs-certificate-profiles#pkcs-communication-overview

    After researching, the key size may be different on different Windows Server versions. For the Windows Server on which the Intune Certificate Connector is installed, please ensure Windows Server is on the latest version with the latest updates installed. If not, please upgrade it to see if the issue can be fixed.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Yachi Leo 0 Reputation points
    2025-04-22T18:36:08.7433333+00:00

    After a ticket was opened with MS support for almost six months, the issue was finally fixed by checking this box in the certificate template:

    (screenshot of the certificate template setting; image not included)
