Always On VPN administrators deploying on-premises enterprise PKI certificates using Microsoft Intune with PKCS may encounter a scenario where a certificate fails to be issued to a user or device. In this post, I’ll share some things to investigate when troubleshooting this issue.
Event 1001
To begin, open Event Viewer and navigate to Applications and Services Logs > Microsoft > Intune > CertificateConnectors > Admin. You will likely find event ID 1001 from the CertificateConnectors source with the following error message.
Failed to process PKCS request.
Prerequisites
Validate the following prerequisites have been met on the issuing Certification Authority (CA) server.
Certificate Template
Ensure the certificate template used for PKCS has the correct permissions and is published on an issuing CA server. Open the Certificate Templates management console (certtmpl.msc), right-click the certificate template, choose Properties, and then click on the Security tab. The certificate template must grant the Intune Certificate connector server’s computer account (or the PKCS connector’s service account if running as a service and not SYSTEM) the Read and Enroll permissions on the template.
CA Permissions
In addition to the permissions on the certificate template, ensure the correct permissions have been configured on the issuing CA itself. Right-click on the CA in the Certification Authority management console (certsrv.msc), choose Properties, and then click on the Security tab. Ensure the Intune Certificate connector server’s computer account (or the PKCS connector’s service account, if running as a service and not SYSTEM) is granted the Issue and Manage Certificates and Request Certificates permissions.
Intune Policy
Ensure the Intune device configuration policy is configured correctly. These three fields are critical and can result in failed PKCS certificate deployment if misconfigured.
Certification Authority
Enter the fully qualified domain name (FQDN) of the on-premises issuing CA server in this field.
Certification Authority Name
Enter the common name of the issuing CA in this field. You will find this information by running the following command on any domain-joined Windows system.
certutil.exe -dump
Certificate Template Name
Enter the name of the certificate template as it appears in Active Directory. Be aware that the template name and the template display name are two different things. The template name is usually the display name with the spaces removed, but that is not guaranteed. Open the certificate template’s properties, select the General tab, and confirm the value in the Template name field.
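The three prerequisite checks above (template permissions, CA permissions, and the three Intune policy values) can be validated from the issuing CA server without clicking through the consoles. The following PowerShell script is an added example and is not part of the original post or the Intune Certificate connector. It assumes an elevated session on the CA server with the ActiveDirectory RSAT module installed, that the CA’s enrollment service object in Active Directory carries the CA FQDN, common name and published template list, and that the CA’s security descriptor is stored as the REG_BINARY Security value under the CertSvc\Configuration registry key. The connector account and template name are placeholders, and the CA_ACCESS_OFFICER/CA_ACCESS_ENROLL bit values are taken from the Windows SDK (certca.h) rather than from the page.

```powershell
# Added example (not from the original post): validate PKCS prerequisites on the issuing CA.
param(
    # Placeholder: connector server computer account, or the service account if the
    # connector runs as a service rather than SYSTEM.
    [string]$ConnectorAccount = 'CONTOSO\INTUNECONNECTOR$',
    # Placeholder: the template *name* from the General tab, not the display name.
    [string]$TemplateName = 'IntunePKCSUser'
)

Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# --- Intune policy values: the pKIEnrollmentService object for this CA holds the
#     CA FQDN (dNSHostName), the CA common name (cn) and the published templates.
$localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$ca = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
        -Filter 'objectClass -eq "pKIEnrollmentService"' `
        -Properties dNSHostName, certificateTemplates |
      Where-Object { $_.dNSHostName -eq $localFqdn } | Select-Object -First 1
if (-not $ca) { throw "No enrollment service object found for $localFqdn in AD." }

"Certification Authority      : $($ca.dNSHostName)"
"Certification Authority Name : $($ca.Name)"
"Certificate Template Name    : $TemplateName"
"Template published on this CA: $($ca.certificateTemplates -contains $TemplateName)"

# --- Template permissions: Read and Enroll for the connector account.
#     Enroll is the Certificate-Enrollment extended right (well-known GUID).
$enrollGuid  = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$templateDN  = "CN=$TemplateName,CN=Certificate Templates,$pkiBase"
$templateAcl = Get-Acl -Path "AD:\$templateDN"
$aces = $templateAcl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $ConnectorAccount
}
$hasRead   = [bool]($aces | Where-Object { $_.ActiveDirectoryRights -match 'GenericRead|ReadProperty|GenericAll' })
$hasEnroll = [bool]($aces | Where-Object {
    ($_.ActiveDirectoryRights -match 'GenericAll') -or
    ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
     ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq [guid]::Empty))
})
"Template Read for $ConnectorAccount   : $hasRead"
"Template Enroll for $ConnectorAccount : $hasEnroll"

# --- CA permissions: decode the CA security descriptor from the registry and look
#     for Issue and Manage Certificates (Officer) and Request Certificates (Enroll).
$CA_ACCESS_OFFICER = 0x2     # "Issue and Manage Certificates" (certca.h)
$CA_ACCESS_ENROLL  = 0x200   # "Request Certificates" (certca.h)
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$($ca.Name)"
$sdBytes = (Get-ItemProperty -Path $regPath -Name Security).Security
$sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor($sdBytes, 0)
$sid = (New-Object System.Security.Principal.NTAccount($ConnectorAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$mask = 0
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace -is [System.Security.AccessControl.CommonAce] -and
        $ace.AceType -eq 'AccessAllowed' -and $ace.SecurityIdentifier -eq $sid) {
        $mask = $mask -bor $ace.AccessMask
    }
}
"CA Issue and Manage Certificates : $(($mask -band $CA_ACCESS_OFFICER) -ne 0)"
"CA Request Certificates          : $(($mask -band $CA_ACCESS_ENROLL) -ne 0)"
```

Both ACL checks match only ACEs granted directly to the connector account; if the permissions were granted through a group the account belongs to, the script reports False even though the permission is effective. The enrollment service query is an alternative to certutil.exe -dump for reading the CA name and FQDN, and it has the advantage of also listing the templates the CA actually publishes, which is the value the Certificate Template Name field must match.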
Summary
This article is not a comprehensive troubleshooting guide for problems associated with failed PKCS certificate deployment using the Microsoft Intune Certificate connector and PKCS. However, it covers some of the more common problems administrators will likely encounter. If you cannot provision PKCS certificates correctly, drop me a note and I’ll provide further guidance.
Additional Information
Troubleshooting Failed Intune Certificate Connector Configuration – Part 1
Troubleshooting Failed Intune Certificate Connector Configuration – Part 2
Intune Certificate Connector Service Account and PKCS
Damian Baryła / June 24, 2024
Hello, do you have experience setting up a random walk request to two different CAs? Do the ‘Certification Authority’ and ‘Certification Authority Name’ fields support multiple values separated by commas?
Richard M. Hicks / June 24, 2024
Unfortunately, those fields accept only a single entry. If you want to specify a different issuing CA, you would have to create a new device configuration policy.