Verify on-premises NDES configuration for SCEP certificates in Intune
This article gives troubleshooting steps to help determine whether you have correctly configured your on-premises infrastructure to use Simple Certificate Enrollment Protocol (SCEP) certificates in Microsoft Intune.
Complete these steps to validate your on-premises Network Device Enrollment Service (NDES) configuration.
Open the Validate-NDESConfiguration.ps1 script and copy it to your NDES server.
On the NDES server, run PowerShell as administrator. You may have to change PowerShell ExecutionPolicy to Unrestricted to run the script.
Note
Change it back to the original setting once you are done.
Values for the following parameters are required:
NDESServiceAccount
This is the account that you created in the Accounts section of the Configure infrastructure to support SCEP with Intune article.
The following format is used: Domain\<username>. For example: contoso\ndes.
Note
Do not specify the root domain part of the account, such as contoso.lab\ndes, because this does not work.
IssuingCAServerFQDN
This is the fully qualified domain name (FQDN) of your issuing certification authority (CA) server, such as dc2.contoso.lab.
SCEPUserCertTemplate
This is the template name that is specified in the Configure the certification authority section of the Configure infrastructure to support SCEP with Intune article.
For example:
When the Validate-NDESConfiguration.ps1 script is run, type Y to continue.
The Validate-NDESConfiguration.ps1 script continues and finishes all required checks.
When the Validate-NDESConfiguration.ps1 script is finished, you are prompted to generate a report.
Type Y or N to review the reports.
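The following is an added example, not part of the original article or the script itself. It runs the validation script with the three required parameters, checks the account format first, and relaxes the execution policy only for the current PowerShell process before restoring it. The script location, the template name placeholder, and the choice of the Process scope are assumptions.

```powershell
# Added example: run Validate-NDESConfiguration.ps1 from an elevated session
# with a temporary, process-scoped execution policy change.

# Constructed sample values; replace them with your own.
$NdesAccount  = 'contoso\ndes'           # Domain\<username>, not contoso.lab\ndes
$IssuingCa    = 'dc2.contoso.lab'        # FQDN of the issuing CA server
$TemplateName = '<SCEP-template-name>'   # placeholder for your SCEP template name
$ScriptPath   = '.\Validate-NDESConfiguration.ps1'   # assumed location of the copied script

# The script must be run from an elevated PowerShell session.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from a PowerShell session started as administrator.'
}

# Reject an account whose domain part contains a dot (for example contoso.lab\ndes).
$domainPart, $userPart = $NdesAccount -split '\\', 2
if (-not $userPart -or $domainPart -match '\.') {
    throw "NDESServiceAccount must be in the form Domain\<username>, got '$NdesAccount'."
}

if (-not (Test-Path -Path $ScriptPath -PathType Leaf)) {
    throw "Script not found at $ScriptPath."
}

# Remember the current process-scoped policy so that it can be put back.
# A policy enforced through Group Policy takes precedence over this setting.
$originalPolicy = Get-ExecutionPolicy -Scope Process
try {
    Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force
    & $ScriptPath -NDESServiceAccount $NdesAccount `
                  -IssuingCAServerFQDN $IssuingCa `
                  -SCEPUserCertTemplate $TemplateName
}
finally {
    # Change the policy back to the original setting, even if the script fails.
    Set-ExecutionPolicy -ExecutionPolicy $originalPolicy -Scope Process -Force
}
```

Scoping the change to the process leaves the machine-wide and user-wide policies untouched, so nothing stays relaxed after the session is closed.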