Verifying Device Management SCEP Certificate Installed Successfully on Desktop OS
Overview

This article details how to verify if Device Management SCEP certificates have been successfully deployed to desktop devices for management attestation.

Applies To
  • Okta Identity Engine (OIE)
  • Device Management 
  • Desktop Operating Systems
  • Mobile Device Management (MDM)
Solution

Once the SCEP profiles are confirmed as successfully deployed, we can expect two certificates to be installed on the target local machine: an Intermediate Certificate for the CA and a Device Management Certificate. To confirm the certificates exist in Windows, we can review the event logs and/or check the certificate store.


Windows

To confirm a SCEP certificate has been successfully deployed to a Windows Desktop Device by reviewing logs:

  1. Click Start, type Event Viewer, and then click Event Viewer.
  2. Expand Applications and Service Logs > Microsoft > Windows > DeviceManagement-Enterprise > Admin.
  3. In the Actions pane (or by right-clicking the Admin log), select Find... and search for:
    • SCEP: Certificate installed successfully.
      • This entry has Event ID 39.
        Log Name:      Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
        Source:        Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
        Date:          6/1/2024 6:06:06 PM
        Event ID:      39
        Task Category: None
        Level:         Information
        Keywords:      
        User:          DESKTOP-A1B2C3D\Oktalab.User
        Computer:      DESKTOP-A1B2C3D
        Description:
        SCEP: Certificate installed successfully.
    • SCEP: Certificate request generated successfully.
      • This entry has Event ID 36.
        Log Name:      Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
        Source:        Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
        Date:          6/1/2024 06:06:06 PM
        Event ID:      36
        Task Category: None
        Level:         Information
        Keywords:      
        User:          DESKTOP-A1B2C3D\Oktalab.User
        Computer:      DESKTOP-A1B2C3D
        Description:
        SCEP: Certificate request generated successfully. Enhanced Key Usage: (1.3.6.1.5.5.7.3.2), NDES URL: (https://<YOUROKTASUBDOMAIN>.okta.com/pki/CE9C7A5742DE4CF2A4E31BF9B00000000000000/scep/racfaxkx00000000000/pkiclient.exe), Container Name: (), KSP Setting: (0x2), Store Location: (0x1).


These two entries are usually logged at the same time; a request event (36) that is not followed by an install event (39) indicates the enrollment did not complete.

To confirm the certificate exists in the Windows certificate store:

  • Click the Windows Key, or click the Windows Logo Start button, and search for one of the following:
    • Manage User Certificates
      • Use this if the SCEP profiles were configured to deploy to the User certificate store.
        • Installed in Certificates - Current User > Personal > Certificates.
    • Manage Computer Certificates
      • Use this if the SCEP profiles were configured to deploy to the Device/System certificate store.
        • Installed in Local Machine > Personal > Certificates.

[Screenshot: "Manage User Certificates" search] or [Screenshot: "Manage Computer Certificates" search]

  • In the Certificate Manager, for User profiles, look under Certificates - Current User > Personal > Certificates.
    • The "Issued To" value is expected to reflect the "Subject name format" configured in the SCEP Profile.
  • For System profiles, look under Local Machine > Personal > Certificates.
    • NOTE: To identify the certificate, the name shown in the "Issued To" field is expected to reflect the "Subject name format" configured in the SCEP Profile.
      • In the example below, we used the Subject Name Format given in the "Configure a Certificate Authority" manual chapter, CN=$EMAIL managementAttestation $UDID, which produced a certificate that appears like this:

[Screenshot: Subject Name Format]

The Intermediate Certificate (the CA certificate used when configuring the Trusted Certificate Configuration Profile in the MDM) can be found in either:

  • Certificates - Current User

or,

  • Certificates - Local Computer

in each case under Intermediate Certification Authorities > Certificates.

[Screenshot: Certificates]

  • NOTE: Certificates may be further identified or confirmed by double-clicking the certificate and selecting the Details tab to review the Issuer details:

[Screenshot: Issuer]
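The log review and certificate-store checks above can be scripted. The following PowerShell script is an added example, not code from the Okta article or from Okta; it assumes the SCEP profile used the article's Subject Name Format (CN=$EMAIL managementAttestation $UDID), so it looks for "managementAttestation" in the subject, and it reads the same Admin log and stores the article names. Run it in an elevated session to read the LocalMachine store.

```powershell
# Added example (not from the Okta article): script the Windows checks described above.
# Assumption: the SCEP profile used CN=$EMAIL managementAttestation $UDID, so the
# issued certificate's subject contains this marker. Change it to match your profile.
$SubjectMarker = 'managementAttestation'
$LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Enhanced Key Usage shown in the Event ID 36 sample

# 1. Event IDs 36 (request generated) and 39 (certificate installed), newest first.
$scepEvents = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 36, 39 } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated -Descending

if (-not $scepEvents) {
    Write-Warning "No SCEP events (ID 36/39) found in $LogName"
} else {
    $scepEvents |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split '\r?\n')[0] } } |
        Format-Table -AutoSize
}

# A request (36) with no later install (39) means enrollment did not complete;
# look at the error events in the same log and at the NDES URL in the 36 message.
$lastRequest = $scepEvents | Where-Object Id -eq 36 | Select-Object -First 1
$lastInstall = $scepEvents | Where-Object Id -eq 39 | Select-Object -First 1
if ($lastRequest -and (-not $lastInstall -or $lastInstall.TimeCreated -lt $lastRequest.TimeCreated)) {
    Write-Warning 'Latest certificate request has no subsequent "Certificate installed successfully" event'
}

# 2. Device Management certificate in the Personal store (User and Computer profiles).
$caStores = 'Cert:\CurrentUser\CA', 'Cert:\LocalMachine\CA'   # Intermediate Certification Authorities
$report = foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    $certs = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like "*$SubjectMarker*" }
    foreach ($c in $certs) {
        # 3. Intermediate CA: the device cert's Issuer should appear as a Subject in the CA store
        # (same check as comparing the Details > Issuer field against the intermediate certificate).
        $caPresent = [bool](Get-ChildItem -Path $caStores -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -eq $c.Issuer })
        [pscustomobject]@{
            Store          = $store
            Subject        = $c.Subject
            Issuer         = $c.Issuer
            NotAfter       = $c.NotAfter
            HasPrivateKey  = $c.HasPrivateKey
            ClientAuthEKU  = ($c.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
            IntermediateCA = $caPresent
            Thumbprint     = $c.Thumbprint
        }
    }
}

if (-not $report) {
    Write-Warning "No certificate with '$SubjectMarker' in its subject found in CurrentUser\My or LocalMachine\My"
} else {
    $report | Format-List
}
```

A healthy device shows Event ID 36 followed by 39, one certificate with HasPrivateKey and ClientAuthEKU both True, and IntermediateCA True; a certificate without a private key, or whose issuer has no match in the CA store, will not be usable for management attestation even though it is present in the store.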




macOS

To confirm the certificate exists in the System Keychain:

  1. Open System Preferences > Profiles > Keychain > Login.
    NOTE: If User level was selected in the MDM SCEP configuration, the certificate will be in the Login section. If "Computer" level was selected, the certificate is installed in the System section of Keychain.
  2. Verify that a client certificate and associated private key exist.

[Screenshot: client certificate and associated private key]

  • NOTE: To identify the certificate, the name shown in the "Name" field is expected to reflect the "Subject name format" configured in the SCEP Profile. Additionally, the certificate may be identified by double-clicking it or right-clicking and choosing "Get Info" and reviewing the Details.
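The Keychain check can also be done from the command line with the macOS `security` tool. The following script is an added example, not code from the Okta article or from Okta; it runs under PowerShell 7 (pwsh) installed on the Mac, assumes the article's Subject Name Format so that "managementAttestation" appears in the certificate label, and uses `security find-identity`, which lists only entries that have both a certificate and its private key. Reading the System keychain may require sudo.

```powershell
# Added example (not from the Okta article): verify the Device Management identity
# (certificate + private key) in the login and System keychains on macOS.
# Assumption: the SCEP profile used CN=$EMAIL managementAttestation $UDID.
$SubjectMarker = 'managementAttestation'
$Keychains = [ordered]@{
    'User (Login)'      = "$HOME/Library/Keychains/login.keychain-db"
    'Computer (System)' = '/Library/Keychains/System.keychain'
}

$found = @()
foreach ($level in $Keychains.Keys) {
    $kc = $Keychains[$level]
    if (-not (Test-Path $kc)) { continue }

    # `security find-identity -v` prints one line per valid identity, e.g.
    #   1) <40 hex chars SHA-1> "<certificate label>"
    # An identity is only listed when the private key is present, which is step 2 above.
    $lines = & security find-identity -v $kc 2>$null
    foreach ($line in $lines) {
        if ($line -match '\)\s+([0-9A-F]{40})\s+"(.*)"' -and $Matches[2] -like "*$SubjectMarker*") {
            $hash  = $Matches[1]
            $label = $Matches[2]
            # Export the certificate as PEM and decode subject, issuer and expiry with openssl:
            # the CLI equivalent of "Get Info" > Details in Keychain Access.
            $details = & security find-certificate -c $label -p $kc 2>$null |
                & openssl x509 -noout -subject -issuer -enddate
            $found += [pscustomobject]@{
                Level    = $level
                Keychain = $kc
                SHA1     = $hash
                Label    = $label
                Details  = ($details -join '; ')
            }
        }
    }
}

if ($found.Count -eq 0) {
    Write-Warning "No identity (certificate + private key) with '$SubjectMarker' in its label found in the login or System keychain"
} else {
    $found | Format-List
}
```

The Level column tells you which keychain holds the identity, which should agree with the User or Computer level chosen in the MDM SCEP configuration; an identity missing from both keychains while `security find-certificate -a -c managementAttestation` still returns a certificate indicates the certificate landed without its private key.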
