In this article, we review an error that prevents the successful deployment of SCEP certificates during Device Management implementation.
The errors are recorded in the Windows Event Viewer under:
- Applications and Services Logs > Microsoft > Windows > DeviceManagement > Enterprise > Diagnostic > Provider > Admin
Error Message:
SCEP: Certificate enroll failed. Result: (The hash value is not correct.).
Event ID: 32
Task Category: None
Level: Error
User: DESKTOP-1234567\Oktalab.User
Computer: DESKTOP-1234567
Description: SCEP: Certificate enroll failed. Result: (The hash value is not correct.).
This error may be preceded by the following error:
SCEP: Failed LogError Message : (SCEPInstallCertificateWithScepHelper:Failed to Initialize SCEP enrollment with NDES Server 'https://<OktaSubDomain>.okta.com/<SCEP URL>/pkiclient.exe', CA cert thumbprint 12345678910abcdefghijk1a2b3)
Event ID: 307
Task Category: None
Level: Error
User: DESKTOP-1234567\Oktalab.user
Computer: DESKTOP-1234567
Description: SCEP: Failed LogError Message : (SCEPInstallCertificateWithScepHelper:Failed to Initialize SCEP enrollment with NDES Server 'https://<OktaSubDomain>.okta.com/<SCEP URL>/pkiclient.exe', CA cert thumbprint 12345678910abcdefghijk1a2b3)
Applies to:
- Okta Identity Engine (OIE)
- Mobile Device Management (MDM)
- SCEP Configuration Profile Deployment
- Windows Desktop OS
- Event Viewer Logs
This error is known to be caused by a mismatched root CA certificate in the Trusted Certificate Profile on the MDM: the certificate pushed to the desktop device is not the CA the SCEP profile expects (for example, it is deployed as an intermediate rather than the root), hence the references to "hash value is not correct" and "CA cert thumbprint" in the errors.
Re-download the Okta Certificate Authority x509 certificate, or generate a new x509 certificate from the CA (whichever CA is being used for the Device Management deployment), and reconfigure the Trusted Certificate Profile on the MDM to use the fresh copy of the CA certificate.
Using the Okta CA:
- In the Okta Admin Console, navigate to Security > Device integrations.
- Click the Certificate Authority tab.
- In the Actions column for Okta CA, click the Download x509 certificate icon.
- Rename the downloaded file so that it includes a .cer extension.
- Upload the certificate (CER file) to the Trusted Certificate Profile in the MDM.
For the most accurate instructions on configuring the Trusted Certificate Profile for the MDM, including what to do when using a private CA (BYO CA), see our Manual Chapter on "Configure a Certificate Authority". This manual provides comprehensive instructions to aid in successful implementation:
- For Workspace ONE for Windows Managed Devices, this is Task 2 and Task 3.
- For MEM (formerly Intune) for Windows or MEM (formerly Intune) for macOS, this is Task 3 and Task 4.
Once the profile is re-configured with a fresh copy of the CA x509 cert, redistribute the profile to the desktop endpoints, and check the Event Viewer again to confirm the errors have cleared.
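To check on an affected device whether the CA thumbprint quoted in the events matches what is actually installed and the freshly downloaded CA file, the following PowerShell is an added example (not part of the Okta article); the full event channel name and the path $FreshCaCer are assumptions:

```powershell
# Added diagnostic example (not from the Okta article). Compares the "CA cert thumbprint"
# quoted in Event ID 307 with the LocalMachine Root/CA stores and with a fresh CA file.
param(
    [string]$FreshCaCer = 'C:\Temp\okta-ca.cer'   # assumed path to the re-downloaded x509 cert
)

# Assumed full channel name for "DeviceManagement > Enterprise > Diagnostic > Provider > Admin"
$Channel = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

# Event IDs from the article: 32 (hash value is not correct) and 307 (NDES init failed)
$events = Get-WinEvent -FilterHashtable @{ LogName = $Channel; Id = 32, 307 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue

# Extract the "CA cert thumbprint <hex>" value from each message that carries one
$loggedThumbs = foreach ($e in $events) {
    if ($e.Message -match 'CA cert thumbprint\s+([0-9A-Fa-f]+)') { $Matches[1].ToUpperInvariant() }
}
$loggedThumbs = @($loggedThumbs | Sort-Object -Unique)

# What the device actually trusts: the root store and the intermediate CA store
$installed = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Select-Object Thumbprint, Subject, PSParentPath

foreach ($t in $loggedThumbs) {
    $hit = @($installed | Where-Object Thumbprint -eq $t)
    if ($hit.Count -gt 0) {
        "Thumbprint $t from the SCEP error is installed in: $($hit.PSParentPath -join ', ') ($($hit[0].Subject))"
    } else {
        "Thumbprint $t from the SCEP error is NOT in LocalMachine\Root or LocalMachine\CA"
    }
}

# Compare against the freshly downloaded CA certificate, if it is present
if (Test-Path $FreshCaCer) {
    $fresh = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($FreshCaCer)
    "Fresh CA file thumbprint: $($fresh.Thumbprint) ($($fresh.Subject))"
    if ($loggedThumbs -contains $fresh.Thumbprint.ToUpperInvariant()) {
        "Error thumbprint matches the fresh CA file; the trusted cert profile is likely correct, check the NDES/MDM side."
    } else {
        "Error thumbprint differs from the fresh CA file; re-upload the fresh CER to the Trusted Certificate Profile."
    }
}
```

Run it in an elevated PowerShell session on the device so the LocalMachine stores and the Admin event channel are readable.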
NOTE: Regarding the NDES server errors, this could indicate the SCEP procedure is failing inside the MDM, outside Okta's purview. For more information on troubleshooting this process in MEM, see:
- Troubleshooting device to NDES server communication for SCEP certificate profiles in Microsoft Intune
- Additionally, it may be helpful to submit a support request to the MDM.
If errors persist after validating the correct CA x509 cert is configured in the trusted cert profile, we suggest reviewing our article Troubleshooting Management Attestation For Desktop Devices (OIE) for further troubleshooting advice.
If more hands-on assistance is required, please connect with the Okta support team: How to Create a Support Case.
