Unable to configure SCEP policy

Problem

You are trying to associate a SCEP policy with Windows devices and get the error "Unable to configure SCEP policy".

Cause

This error occurs due to one of the reasons listed under Resolution below; each cause is followed by its fix.

Resolution

SCEP server cannot be contacted

Ensure the server URL specified during profile configuration uses HTTP if the SCEP server is within the organization. Such SCEP servers are usually configured to be accessible only within the organization and therefore use an internal CA certificate, which means the server can be accessed only over HTTP.

Invalid Subject Name

Ensure the subject name specified while configuring the policy adheres to the format specified here, with each value enclosed in double quotes. Example: O="Your Company, Inc."

Mismatch in date-time settings

Ensure the time zone configured on the device and on the SCEP server is the same. When the SCEP server has a different time zone, it generates the certificate with all time-based attributes, including expiry, computed in the wrong time zone. As a result, the certificate may already be expired when it is distributed to the managed device.

Invalid Thumbprint

Ensure the thumbprint specified while configuring the SCEP policy is correct. It can be verified against the thumbprint shown by your Certificate Authority server (http://<your-server>/certsrv/mscep_admin and http://<your-server>/certsrv/mscep/mscep.dll).

Invalid Challenge Password

Ensure the challenge password specified while configuring the SCEP policy is correct. It can be verified against the challenge password shown by your Certificate Authority server (http://<your-server>/certsrv/mscep_admin and http://<your-server>/certsrv/mscep/mscep.dll).

Connectivity Issues

Ensure the device is within the organization's network if the SCEP server has been configured within the organization. SCEP servers are usually deployed inside the organization for security reasons and can be reached by devices only through the corporate network.

Invalid CSR

This error occurs due to issues with the certificate signing request. Re-distribute the SCEP policy to the affected device(s) and/or group(s).

NDES Challenge Type Misconfiguration

To ensure successful SCEP profile distribution, the challenge type configured in your MDM SCEP template must align with the challenge type set on the SCEP server. For instance:

  • If the NDES server uses a Static challenge, the MDM SCEP template must also be set to Static.
  • If the server expects Static but the MDM is configured for Dynamic or None, the profile distribution will fail.

Matching these settings is critical for proper authentication during certificate enrollment.

Step 1: Determine your SCEP server's challenge type

Access your NDES admin URL in the format https://<Your_Domain_Name>/Certsrv/mscep_admin/mscep.dll. After authenticating, check the page for one of the following scenarios:

  1. Static Challenge:
    • A fixed enrollment challenge password is displayed (e.g., 1A985B6).
    • Message: "This password can be used multiple times and will not expire."

  2. Dynamic Challenge:
    • A new password is generated each time you refresh the page (e.g., 962).
    • Message: "This password can be used only once and will expire within 60 minutes."

  3. None (No Password):
    • No challenge password is displayed. Only the CA thumbprint appears.

Step 2: Align the SCEP template to Static, Dynamic or None based on the NDES configuration

In MDM SCEP template, configure the challenge type to match the NDES server’s setting:

  • Static: Use the same static password in the MDM template.
  • Dynamic: Ensure MDM requests a new password for each enrollment.
  • None (No Password): Disable the challenge password field in MDM.

Why This Matters

A mismatch (e.g., MDM set to Dynamic while NDES uses Static) will cause enrollment failures. Consistency between the server and the MDM is critical for successful certificate issuance.
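The following pre-flight check is an added example, not code from this article or from the MDM product: it applies the rules above before a policy is distributed, classifying the NDES challenge type from the admin page text by the messages quoted in Step 1, normalizing the CA thumbprint, and checking that every subject-name value is double-quoted. The sample admin page text is constructed and the function names are the example's own.

```python
import re

# Messages the NDES admin page (mscep_admin) shows, as quoted in Step 1 above.
STATIC_MSG = "This password can be used multiple times and will not expire."
DYNAMIC_MSG = "This password can be used only once and will expire within 60 minutes."


def ndes_challenge_type(page_text: str) -> str:
    """Classify the NDES challenge type from the admin page text."""
    if STATIC_MSG in page_text:
        return "Static"
    if DYNAMIC_MSG in page_text:
        return "Dynamic"
    return "None"  # no password shown, only the CA thumbprint appears


def normalize_thumbprint(value: str) -> str:
    """Return the thumbprint as 40 upper-case hex digits (SHA-1) or raise.
    Values copied from the CA page often carry spaces or colons."""
    cleaned = re.sub(r"[\s:]", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"invalid SHA-1 thumbprint: {value!r}")
    return cleaned


_RDN_RE = re.compile(r'^\s*[A-Za-z]+\s*=\s*"[^"]*"\s*$')


def subject_name_problems(subject: str) -> list:
    """Return RDNs that are not in KEY="value" form.
    Split only on commas outside double quotes, so O="Your Company, Inc." survives."""
    parts = re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', subject)
    return [p.strip() for p in parts if not _RDN_RE.match(p)]


def scep_policy_problems(mdm_challenge: str, admin_page_text: str,
                         thumbprint: str, subject: str) -> list:
    """Collect every misconfiguration the article lists that can be checked offline."""
    problems = []
    ndes = ndes_challenge_type(admin_page_text)
    if mdm_challenge != ndes:
        problems.append(f"challenge type mismatch: MDM={mdm_challenge}, NDES={ndes}")
    try:
        normalize_thumbprint(thumbprint)
    except ValueError as exc:
        problems.append(str(exc))
    for bad in subject_name_problems(subject):
        problems.append(f'subject RDN not in KEY="value" form: {bad}')
    return problems
```

Run it with the text copied from your mscep_admin page and the values from the MDM template; an empty list means the checked settings are aligned.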

If the issue persists, contact MDM support with Server logs as explained here.