Intune SCEP NDES 500 Error

If the relevant certificates have expired, been deleted, or been revoked by the issuing CA for any reason, the NDES service will fail to start, resulting in the Intune SCEP HTTP Error 500 – Internal Server Error.

This is what expired on our SCEP server:



The certificates were the CEP Encryption and the Exchange Enrolment Agent certificates. The renewal can be a little bit of fun depending on how you have your certificate templates set up; both of these certificates need to be valid in order for SCEP to work.

CEP Encryption

This certificate needs to be generated as a local computer certificate, so browse to the Certification Authority snap-in in the MMC and connect to your CA. Once there, right click on the "Certificate Templates" option and choose Manage.



Once that loads, find your certificate, which in this case is "CEP Encryption".



Once you have found this certificate, right click it and choose Properties; if you then pop over to the Security tab you will notice that these are the permissions:


This strikes me as a little odd, as there are only user accounts in here, not computer accounts. If you are renewing the certificate as a computer account you will need to ensure "Domain Computers" is in here, or, if you would like to be more secure, add only the computers that provide SCEP to this ACL. For this example I will add the computer accounts for only the SCEP servers.



Note: to add computers, when you click the Add button ensure you tick "Computers" under "Object Types", else it will not work and you will get an error. Once you have done this, give AD DS a little bit of time to replicate...

Right click on the expired certificate, then choose All Tasks > Advanced Operations > Renew the Certificate with the Same Key...


Because it is expired you will get this option, as you need to enter some certificate details...


This will only take a moment; you need to enter some basic information like this:



Then, once you click OK, you will notice that you can now enrol the certificate, as it now says Available, like this:



Once you click Enrol you will have a new certificate ready to go. However, ensure you delete the old certificate, as having old expired certificates hanging around is generally a bad idea; if you do not want to delete it, move it to a sub-folder like "Web Hosting", just get it out of the local computer Personal store.

That concludes this certificate; now on to the next one.

Exchange Enrolment Agent

Now, remember this is a user certificate, so you cannot do this using "certlm.msc", as you need to do it as a user. To complete this, open "mmc" and then add the Certificates snap-in for the user account.



Once you have the user account added to the MMC, navigate to the Personal store, right click it and choose All Tasks > Request New Certificate.



This will show you a list of certificates, from which you need to find the Exchange Enrolment Agent, like this:



Once again the "more information" triangle means we need to add the CN and other attributes to the certificate. Once these have been added, ensure you navigate to the "Private Key" tab and tick the "Mark private key exportable" option...


This will generate the certificate in your user store. Then all you need to do is export that certificate with its private key, which gives you a PFX, and import that PFX into the "certlm.msc" personal computer store.

Then you are done: you have now renewed the certificates correctly and SCEP should start working once again.

To confirm this is working, visit the URL shown below:

https://bearscep.bears.io//certsrv/mscep/mscep.dll

You should no longer get an HTTP 500 but an HTTP 403 instead; this means you have fixed this particular issue with the NDES server.
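As an added check that is not part of the original post, the PowerShell below, run on the NDES server, lists the CEP Encryption and Exchange Enrolment Agent certificates in the local computer Personal store with their expiry and private-key state, then probes mscep.dll and reports whether it answers 403 (healthy) or 500 (still broken). It assumes the default Microsoft template internal names CEPEncryption and EnrollmentAgentOffline (a duplicated template may carry a different name, so the display names are matched as a fallback) and uses the SCEP URL from this post, which you should replace with your own server.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on
# the NDES server. Assumptions: the template internal names below and the URL.
$ScepUrl = 'https://bearscep.bears.io//certsrv/mscep/mscep.dll'

# Certificate Template Name (v1) and Certificate Template Information (v2)
# extensions; Format() renders either as text containing the template name.
$TemplateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
$Wanted = @{
    'CEPEncryption'          = 'CEP Encryption'
    'EnrollmentAgentOffline' = 'Exchange Enrollment Agent (Offline request)'
}

function Get-TemplateText([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Join the rendered template extensions so a single -match can search them
    ($Cert.Extensions | Where-Object { $TemplateOids -contains $_.Oid.Value } |
        ForEach-Object { $_.Format($false) }) -join ' '
}

$now = Get-Date
$problems = 0
foreach ($key in $Wanted.Keys) {
    $pattern = $key + '|' + [regex]::Escape($Wanted[$key])
    $found = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { (Get-TemplateText $_) -match $pattern }
    if (-not $found) {
        Write-Warning "$($Wanted[$key]): no certificate in LocalMachine\My"
        $problems++
        continue
    }
    foreach ($c in $found) {
        # NDES needs the certificate unexpired AND with its private key present
        $state = if ($c.NotAfter -lt $now) { 'EXPIRED' }
                 elseif (-not $c.HasPrivateKey) { 'NO PRIVATE KEY' }
                 else { 'OK' }
        if ($state -ne 'OK') { $problems++ }
        '{0,-45} {1,-14} expires {2:yyyy-MM-dd} thumbprint {3}' -f `
            $Wanted[$key], $state, $c.NotAfter, $c.Thumbprint
    }
}

# A plain GET to mscep.dll returns 403 when NDES is up; 500 means it still
# cannot start. Invoke-WebRequest throws on 4xx/5xx, so read the status from
# the exception's response object.
try {
    $status = (Invoke-WebRequest -Uri $ScepUrl -UseBasicParsing).StatusCode
} catch {
    $status = [int]$_.Exception.Response.StatusCode
}
"mscep.dll returned HTTP $status (403 expected, 500 = still broken)"
if ($problems -eq 0 -and $status -eq 403) { 'NDES certificates look healthy' }
```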