Intune SCEP device cert revocation query

  • Question

  • Hi folks

    I have a question regards device cert revocation.

    Currently, we are using a 3rd party cloud PKI solution - DigiCert.   We're testing client authentication using Windows SCEP profiles via Intune.  We're trying to understand the revocation process after a device has received the device cert and is reprovisioned via Windows Autopilot.

    Here's the current challenge:

    The endpoint receives the device certificate initially with no problems at all - you can view the certificate deploying the device with success via the Enrollment Status Page.  If we then want to device wipe the endpoint from the Intune Portal as an admin, the device wipes and goes through OOBE into Autopilot - the ESP hangs on the certificate section (but we can continue) and the cert never hits the device again.

    I found this article on Microsoft Docs in respect of cert deletions etc:

    https://docs.microsoft.com/en-us/mem/intune/protect/remove-certificates

    For us to currently resolve this issue, we have to either do two things:

    1) Wipe the device again and immediately delete the device within AAD and Intune portals as if the Device ID is preserved, then no certificate will be received during the Autopilot reprovision

    2) My colleague who manages the DigiCert PKI solution deletes the previous certificate manually from the DigiCert PKI solution

    The current challenge essentially we have, is that when a device is reprovisioned via Autopilot (after it is wiped), my colleague can see within the DigiCert logs that the SCEP request for the cert is not allowing the request to be processed due to a valid device certificate already being present within the DigiCert PKI console.

    Should this process be automatic after device wipe between Intune and the DigiCert PKI solution in respect of reissuing device certificates, or is this a manual process unless we can automate it as per either 1 or 2 above?

    Thanks

    Rob

    28/Ramadan/1441 01:52 PM

Answers

All replies

  • Hi Rob,
     
    Thanks for the posting.
     
    Based on my research, I find for third party certification authority, the action is a little different. When you unenroll or wipe the device, the certificates are removed but not revoked.  We can see more details in the following link:
    https://docs.microsoft.com/en-us/mem/intune/protect/certificate-authority-add-scep-overview
     
    So I think we need a manual process to revoke the certificate.
     
    Hope it can help.
     
    Best regards.
    Crystal

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by RDWUK 29/Ramadan/1441 07:18 AM
    29/Ramadan/1441 01:48 AM
  • Thanks Crystal for the clarification there.  That's how I thought it may be.

    Appreciate the prompt response.

    Regards

    Rob

    29/Ramadan/1441 07:18 AM
  • Hi Rob,

    Thanks for marking our reply as answer. I am glad that our information can help. If there's anything else we can help with in the future, feel free to post in the forum. Here is a summary for our issue:

    Issue definition:
    ==================
    When a device is reprovisioned via Autopilot (after it is wiped), my colleague can see within the DigiCert logs that the SCEP request for the cert is not allowing the request to be processed due to a valid device certificate already being present within the DigiCert PKI console.
    Should this process be automatic after device wipe between Intune and the DigiCert PKI solution in respect of reissuing device certificates, or is this a manual process unless we can automate it as per either 1 or 2?
    1) Wipe the device again and immediately delete the device within AAD and Intune portals as if the Device ID is preserved, then no certificate will be received during the Autopilot reprovision
    2) My colleague who manages the DigiCert PKI solution deletes the previous certificate manually from the DigiCert PKI solution

    Suggestion:
    ==================
    Based on my research, I find for third party certification authority, the action is a little different. When you unenroll or wipe the device, the certificates are removed but not revoked.  We can see more details in the following link:
    https://docs.microsoft.com/en-us/mem/intune/protect/certificate-authority-add-scep-overview
    So I think we need a manual process to revoke the certificate.

    Thanks for your time and have a nice day!

    Best regards.

    Crystal



    29/Ramadan/1441 07:25 AM
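Since the thread concludes that a wipe removes the device certificate but does not revoke it at a third-party CA, here is an added PowerShell example (not code from the thread, Intune or DigiCert) covering the two checks an admin would want: record the serial of the SCEP-issued certificate before a wipe so the PKI admin can revoke it, and afterwards confirm from an admin workstation that the old certificate really is revoked (via CRL/OCSP) rather than merely gone from the device. The issuer substring "DigiCert" and the .cer path are assumptions; adjust both to your environment.

```powershell
# Added example; not code from the thread or from Intune/DigiCert.
#  1. Before a wipe, record the serial/thumbprint of the SCEP-issued device
#     certificate so the PKI admin has what they need to revoke it.
#  2. Afterwards, from an admin workstation, confirm the old certificate was
#     actually revoked at the CA (CRL/OCSP), not just removed from the device.
# Assumptions: the issuer name contains "DigiCert" (adjust to your CA) and the
# old certificate's public part was exported to the placeholder path below.

function Get-IssuedDeviceCert {
    param([string]$IssuerMatch = 'DigiCert')
    # Certificates pushed by a device SCEP profile land in the machine store.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "*$IssuerMatch*" } |
        Select-Object Subject, Issuer, SerialNumber, Thumbprint, NotAfter
}

function Test-DeviceCertRevocation {
    param([Parameter(Mandatory)][string]$Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Ask the CA's CRL/OCSP endpoints for fresh status of every cert in the chain.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainValid = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '

    [pscustomobject]@{
        Subject       = $cert.Subject
        SerialNumber  = $cert.SerialNumber   # what the PKI admin needs to revoke it
        NotAfter      = $cert.NotAfter
        ChainValid    = $chainValid
        # 'Revoked' is the outcome you want for a cert that belonged to a wiped device.
        Revoked       = ($status -match '\bRevoked\b')
        # Unknown/offline status means the check itself failed; do not read it as "revoked".
        StatusUnknown = ($status -match 'RevocationStatusUnknown|OfflineRevocation')
        ChainStatus   = $status
    }
}

# Usage (the .cer path is a hypothetical placeholder):
Get-IssuedDeviceCert
Test-DeviceCertRevocation -Path 'C:\temp\old-device-cert.cer'
```

Run the first function on the device before the wipe and keep the output; run the second against the exported certificate after the PKI admin has revoked it, and treat anything other than Revoked = True as "still valid at the CA".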