I recently changed my Intune Subscription from SCCM Hybrid to Intune Standalone. Within this change, I face an issue with the NDES, respectively the SCEP, enrollment for the certificates.
After I have configured the SCEP profile within Intune, my Windows 10 Clients show th following error Message within the eventlog:
A security error occurred 0x80072f8f (WinHttp: 12175 ERROR_WINHTTP_SECURE_FAILURE)
This error was thrown because I had misconfigured the HTTPS Certificate of the NDES web site. The webserver Certificate I used was from my PKI, and the client also trusted the PKI, but with an old public key of the PKI. So the Webserver Certificate was created based on a newer PKI Root CA certifiacte, and was therefore not trusted.
After I published the newer Root CA certificate to the client, this error message was gone, but only to show a new one:
The hash value is not correct. 0x80091007 (-2146889721 CRYPT_E_HASH_VALUE)
This error was now based on the SCEP Profile assigned to the clients. I had Uploaded the new Root CA to the Intune Console, within the same profile existed already. But the client still was getting the old thunmbprint of the Root CA certificate. I was led to this conclusion through the following MS article:
You can’t issue SCEP certificates to devices in Intune after a certificate renewal
So I assumed, that the SCEP Profile does not update the Hash from the Certificate trust profile, when updated. I deleted the SCEP profile, and created a new one, and voilà, afterwards the Hash mismatch error was gone.