Microsoft Intune NDES Connector Setup Wizard Ended Prematurely

Microsoft Intune NDES Connector Setup Wizard Ended PrematurelyA Windows Server with the Network Device Enrollment Service (NDES) role can be provisioned on-premises to support certificate deployment for non-domain Windows 10 Always On VPN clients. In addition, the Microsoft Intune Connector must be installed and configured on the NDES server to allow Intune-managed clients to request and receive certificates from the on-premises Certification Authority (CA) server.

Setup Wizard Ended Prematurely

When installing the Microsoft Intune Connector, the administrator may encounter a scenario where the setup wizard fails with the following error message.

“Microsoft Intune Connector Setup Wizard ended prematurely because of an error. Your system has not been modified. To install this program at a later time, run Setup Wizard again. Click the Finish button to exit the Setup Wizard.”

Microsoft Intune NDES Connector Setup Wizard Ended Prematurely

Cryptographic Service Provider

This error can occur if the NDES server certificate template is configured to use the Key Storage Provider cryptography service provider (CSP). When configuring the certificate template for the NDES server, the Legacy Cryptography Service Provider must be used, as shown here.

Microsoft Intune NDES Connector Setup Wizard Ended Prematurely

Additional Information

Deploying Windows 10 Always On VPN with Intune using Custom ProfileXML

Windows 10 Always On VPN Device Tunnel Configuration using Microsoft Intune

Deploying Windows 10 Always On VPN with Microsoft Intune

 

Leave a comment

6 Comments

  1. Nat

     /  November 11, 2019

    Yes, I’ve seen this exact same thing as well in my lab.

    It was a long time ago, I had separate server and client certificates, and seem to recall when I changed the client certificate template back to legacy, re issued that cert and tried the install it all sprung to life and the connector install completed.

    Reply
    • Exactly. When I was searching for information on this particular error I wasn’t able to find any solid information on this. That’s what prompted this blog post. 🙂

      Reply
  2. Victor

     /  November 11, 2019

    Hello Richard, thanks for your insight as always!!. referencing your statement “A Windows Server with the Network Device Enrollment Service (NDES) role can be provisioned on-premises to support certificate deployment for non-domain Windows 10 Always On VPN clients” i have these questions:

    1. Can non-Microsoft Clients (E.g. Android Devices) be used with a Full Microsoft Stack AONVPN setup i.e. RRAS, NPS, ADCS? i have a client who is planning to roll out android devices but not sure if this will work with AONVPN.

    2. If the above is possible, is the experience “Always On”?

    I read somewhere where you state that Always ON VPN does not support any other clients except windows 10 (Not even windows 7), so this particular scenario you are describing seems a bit confusing. hope yo can help shed more light

    Reply
    • Windows 10 Always On VPN is strictly a Microsoft Windows 10 solution. However, if you’ve configured the VPN server to support IKEv2, which is a public standard, it is interoperable with many platforms including Android. However, the “Always On” bit is exclusive to Windows 10. While you can configure a non-Microsoft device to connect to the same VPN server as Windows 10 Always On VPN clients (assuming you are using the same authentication scheme) the non-Windows clients will not connect automatically (unless those platforms have something similar, of course).

      Reply
  1. Microsoft Intune NDES Connector Error 0x80004003 | Richard M. Hicks Consulting, Inc.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: