MSEndpointMgr

How to renew NDES service certificates for usage with Microsoft Intune

If you’re distributing certificates to managed devices with Microsoft Intune, there’s a good chance it’s done using the SCEP protocol, with NDES in the background enrolling the actual certificate for the device. If your organization is not using SCEP/NDES for certificate distribution but PKCS certificates with the Intune Connector instead, this post is not for you.

If this is the first time you’ve heard of the NDES service certificates, keep reading: you’ll want to know what they are and why you need to pay attention to them.

Certificates are not being distributed anymore

When setting up certificate distribution for managed devices with Intune, the Intune Connector software requires you to enroll a certificate to the NDES server from a certificate template that you’ve crafted. Be aware that the certificate enrolled to the server needs to be renewed at an interval determined by your certificate template configuration.

However, if you don’t have the complete picture of what it takes to keep certificate distribution running smoothly, you can very easily find yourself in a situation where the NDES server with the Intune Connector software eventually stops responding and only a non-descriptive HTTP error is shown:

HTTP Error 500.0 – Internal Server Error

See the picture below for more details and an example

At this point you’ve probably started looking at the IIS server logs and come up empty. A better move is to download the Validate-NDESConfig.ps1 script created by Microsoft, available here. It would have told you within a second or two that the two NDES service certificates have expired.

What are the NDES service certificates

Something that isn’t widely known to everyone setting this up is that when you install and configure the NDES feature, the credentials provided at the time are used to enroll two certificates to the server, specifically the following:

  • Enrollment agent certificate
    • A certificate from the Exchange Enrollment Agent (Offline Request) certificate template
  • Key exchange certificate
    • A certificate from the CEP Encryption certificate template

Both of these certificates are enrolled into the local computer store with the purpose ‘Certificate Request Agent’ and are used in the process of distributing certificates. But because the Enrollment agent certificate is enrolled from a template that has the Subject Type set to User, it’s not straightforward for the average IT-Pro to know how to renew that certificate once it expires.
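
Because both certificates are easy to forget about until NDES stops answering, it pays to inventory them on the server. The PowerShell below is an added example (not code from the original post) that finds the two service certificates in the computer store by the template they were issued from and reports how long each has left. It assumes the default v1 template names, CEPEncryption and EnrollmentAgentOffline, and a 30-day warning threshold; both are assumptions, not something the post states. Run it elevated on the NDES server.

```powershell
# Added example, not part of the original post. Finds the NDES service
# certificates in the computer store and reports remaining lifetime.
# Assumed: default template names (CEPEncryption, EnrollmentAgentOffline)
# and a 30-day warning threshold.
$WarnDays  = 30
$Templates = @{
    'CEPEncryption'          = 'Key exchange certificate'
    'EnrollmentAgentOffline' = 'Enrollment agent certificate'
}

$Results = foreach ($Cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Both are v1 templates, so the template name is carried in the
    # 'Certificate Template Name' extension (OID 1.3.6.1.4.1.311.20.2)
    $TemplateExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
    if (-not $TemplateExt) { continue }
    $TemplateName = $TemplateExt.Format($false).Trim()
    if (-not $Templates.ContainsKey($TemplateName)) { continue }

    $DaysLeft = [int][math]::Floor(($Cert.NotAfter - (Get-Date)).TotalDays)
    if ($DaysLeft -lt 0)              { $Status = 'EXPIRED' }
    elseif ($DaysLeft -le $WarnDays)  { $Status = 'EXPIRING' }
    else                              { $Status = 'OK' }

    [PSCustomObject]@{
        Role          = $Templates[$TemplateName]
        Template      = $TemplateName
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        DaysRemaining = $DaysLeft
        HasPrivateKey = $Cert.HasPrivateKey   # NDES cannot use a certificate without its key
        Status        = $Status
    }
}

$Results | Sort-Object Role, NotAfter |
    Format-Table Role, Status, DaysRemaining, NotAfter, HasPrivateKey, Thumbprint -AutoSize

# A missing certificate is as fatal to NDES as an expired one, so flag that too
foreach ($Role in $Templates.Values) {
    if (-not ($Results | Where-Object { $_.Role -eq $Role })) {
        Write-Warning "No $Role found in Cert:\LocalMachine\My"
    }
}
```

Scheduling this and alerting on anything other than OK is the monitoring the author asks for later in the post; the Thumbprint column is also exactly what the certreq.exe steps below need as input.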

What’s covered in this post

This post is intended to provide you with a guided step by step covering the renewal process of the NDES service certificates in the following two scenarios:

  • The NDES service certificates have not yet expired
  • The NDES service certificates have already expired

Follow the instructions outlined that match your current state for the NDES service certificates, but most importantly, don’t forget to read and follow the instructions in the section named ‘Final configuration before NDES is operational again’.

Renew non-expired NDES service certificates

As already mentioned, the Enrollment agent certificate is of the User type, meaning it needs to be enrolled in a user context and not in the machine context. Easy enough you think, I’ll just add the ‘Current user’ Certificates mmc snap-in. That’s unfortunately not going to work, since this service certificate needs to be placed into the computer certificate personal store. As for the Key exchange certificate, the process for renewing a non-expired certificate is very straight forward and the same as for any other certificate that you’d renew.

Microsoft has written a support article about this issue and how to work around it using the certreq.exe utility instead. If you want to read the article, you’ll find it below:

https://support.microsoft.com/en-us/help/4045957/you-can-t-issue-scep-certificates-to-devices-in-intune-after-a-certifi

Let’s walk through the steps required for renewing both of the service certificates in a scenario where they’ve yet to expire.

Renew non-expired Key exchange certificate

Before we begin, the following requirements need to be in place before the certificate can be renewed:

  • Existing Key exchange certificate has not yet expired
  • The server running NDES needs to have been given Read and Enroll permissions on the CEP Encryption certificate template, or added to a group that has been given those same permissions
  • The CEP Encryption certificate template needs to be enabled (issued for usage for certificate enrollment)
  • Have the NDES service account name at your disposal

Open a mmc console and add the Certificates snap-in for the computer account.

Locate the certificate that has the CEP Encryption as the certificate template.

Double-click on the certificate or right-click and select Open. Scroll down to the Subject entry and select it in the Details tab. Make a note of the value for this entry, it’s something that you’ll need in just a bit.

Close the Certificate window.

Right-click on the certificate again and select All tasks – Request Certificate with New Key.

Click Next on the Before You Begin page of the Certificate Enrollment wizard that appears, then click the ‘More information is required to enroll for this certificate. Click here to configure settings’ link. This is where you enter the Subject of your existing Key exchange certificate, so that the new certificate matches it. To be frank, I’m not completely sure how important the other subject name attributes (organizational unit, country, locality and so on) are to the NDES service, that is, whether it validates them or has them stored away somewhere such as the registry. My assumption is that the common name (CN) is what matters. As good practice, replicate what’s in the existing certificate’s subject name and you’ll be fine. In my example, I need to enter the following:

  • Common name
    • SCConfigMgr NDES Intune
  • Organizational unit
    • IT Department
  • Organization
    • SCConfigMgr
  • Locality
    • Stockholm
  • Country
    • US

(Yes, I’m aware that Stockholm is not in the US, I don’t know why I wrote that when I first installed NDES some years back)

Click Enroll.

Click Finish when the certificate has successfully been enrolled. The renewed certificate is now available within the mmc console, like shown below:

It’s now safe to remove the previous Key exchange certificate; I’d suggest that you export it first as good practice, in case you ever need it to validate something (exporting without the private key is enough for that). Lastly, the private key of the new certificate needs to be configured so that the NDES service account has Read permission on it. Right-click on the certificate and select All tasks – Manage Private Keys.

Click the Add button and browse for the service account used for NDES. Ensure that it’s only given Read permissions and click OK.
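
The Manage Private Keys step can also be scripted, which is handy when you want to verify the resulting ACL rather than trust the dialog. The PowerShell below is an added example (not from the original post) that grants the NDES service account Read on the key file behind the new Key exchange certificate and then prints the entry it created. $ServiceAccount and $Thumbprint are placeholders you must replace; the key file locations under %ProgramData%\Microsoft\Crypto are the standard ones for machine keys, which is what the dialog edits behind the scenes.

```powershell
# Added example, not part of the original post. Scripted equivalent of
# 'All Tasks - Manage Private Keys' for the Key exchange certificate.
# Assumed placeholders: replace with your NDES service account and the
# thumbprint of the newly enrolled CEP Encryption certificate (no spaces).
$ServiceAccount = 'CONTOSO\svc-ndes'
$Thumbprint     = '<thumbprint of the new Key exchange certificate>'

$Cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
if (-not $Cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in the machine store." }

# Resolve the on-disk key container. Legacy CSP keys (what the CEP Encryption
# template issues) report a CspKeyContainerInfo; CNG keys expose Key.UniqueName.
$Rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
if ($Rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $UniqueName = $Rsa.CspKeyContainerInfo.UniqueKeyContainerName
} else {
    $UniqueName = $Rsa.Key.UniqueName
}
$KeyFile = @("Microsoft\Crypto\RSA\MachineKeys\$UniqueName", "Microsoft\Crypto\Keys\$UniqueName") |
    ForEach-Object { Join-Path $env:ProgramData $_ } |
    Where-Object { Test-Path -Path $_ } |
    Select-Object -First 1
if (-not $KeyFile) { throw "Private key file for $Thumbprint not found under $env:ProgramData\Microsoft\Crypto" }

# Read only: the service decrypts with the key, it never needs to modify or export it
$Acl  = Get-Acl -Path $KeyFile
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
$Acl.AddAccessRule($Rule)
Set-Acl -Path $KeyFile -AclObject $Acl

# Verify: the account should now appear with Read and nothing broader
(Get-Acl -Path $KeyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

If the verification output shows FullControl or Modify for the service account, someone has been generous in the past; trim it back to Read, since the key only needs to be used in place.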

You’ve now successfully renewed the Key exchange certificate used for NDES.

Renew non-expired Enrollment agent certificate

Before we begin, the following requirements need to be in place before the certificate can be renewed:

  • Existing Enrollment agent certificate has not yet expired
  • The user performing the renewal operation outlined below needs to have been given Read and Enroll permissions on the Exchange Enrollment Agent (Offline Request) certificate template, or added to a group that has been given those permissions
  • The Exchange Enrollment Agent (Offline Request) certificate template needs to be enabled (issued for usage for certificate enrollment)

Unfortunately, we can’t utilize the mmc console to renew the Enrollment agent certificate, as already mentioned. Instead we need to use certreq.exe and craft a certificate request file. However, we can utilize the mmc console to retrieve the required thumbprint of the existing Enrollment agent certificate, which is required for this process.

Start by opening a mmc console and add the Certificates snap-in for the computer account.

Locate the certificate that has the Exchange Enrollment Agent (Offline Request) as the certificate template.

Double-click on the certificate or right-click and select Open. Scroll down to the Thumbprint entry and select it in the Details tab. Copy the value for usage later.

Create a new file named EEARequest.inf in e.g. C:\Certificates on the NDES server. Open EEARequest.inf and copy in the following:

[Version]
Signature="$Windows NT$"
[NewRequest]
RenewalCert="<Certificate Hash Thumbprint>"
MachineKeySet=TRUE

Before saving the file, replace the <Certificate Hash Thumbprint> value with the thumbprint value copied from the existing Enrollment agent certificate earlier. Below is an example of how the file should look:

[Version]
Signature="$Windows NT$"
[NewRequest]
RenewalCert="47 d3 7b b0 08 2e 2e 50 78 d1 77 16 7e c7 2e 23 59 1e 3c 77"
MachineKeySet=TRUE

Now, save the file. From an elevated command prompt, browse to the directory where the EEARequest.inf file was saved and run the following command:

certreq.exe -New EEARequest.inf EEACert.req

Click OK in the Certificate List window that appears, as it should contain the certificate details for the existing Enrollment agent certificate. If not, go back and ensure the correct thumbprint was copied.

If everything went well, certreq.exe should output that the request was created and a new file named EEACert.req is created in the C:\Certificates folder.

Run the following command to submit the certificate request to the Certificate Authority:

certreq.exe -Submit EEACert.req EEACert.cer

In the Certification Authority List window that appears, ensure it’s showing the desired Certificate Authority and click OK.

Once the request has been submitted successfully, certreq.exe will report that it has retrieved the certificate, and two new files named EEACert.cer and EEACert.rsp are created in the C:\Certificates folder.

Run the following command to accept the newly issued certificate:

certreq.exe -Accept EEACert.cer

For this command there’s no output. Go back into the mmc console, where you’ll see that the Enrollment agent certificate is now renewed.

Before you continue, be sure to clean up the C:\Certificates folder. None of the files (the .inf, .req, .cer and .rsp) contain the private key, which stays in the machine key store, but there’s no reason to leave certificate request material lying around on disk.

Unlike for the Key exchange certificate, the private key of the renewed Enrollment agent certificate does not need to be configured as the configuration is already in place.

Renew expired NDES service certificates

Hopefully, you should not be reading this, but in case you are, remember to monitor these certificates in the future so you won’t have to re-visit this post.

For the Key exchange certificate, the process for an expired certificate is the same as requesting any other certificate: you simply request a new certificate from the CEP Encryption certificate template, preferably using the mmc console. As for the Enrollment agent certificate, as discussed earlier, the process is different and the mmc console can’t be used.

Renew expired Key exchange certificate

Before we begin, the following requirements need to be in place before the certificate can be renewed:

  • Existing Key exchange certificate has expired
  • The server running NDES needs to have been given Read and Enroll permissions on the CEP Encryption certificate template, or added to a group that has been given those same permissions
  • The CEP Encryption certificate template needs to be enabled (issued for usage for certificate enrollment)
  • Have the NDES service account name at your disposal

Instead of writing the exact same steps one more time, follow what’s outlined in the section named ‘Renew non-expired Key exchange certificate’ since the process is identical.

Renew expired Enrollment agent certificate

To my knowledge, Microsoft doesn’t provide any guidance on how to renew an expired Enrollment agent certificate, so follow these instructions to renew the certificate.

Before we begin, the following requirements need to be in place before the certificate can be renewed:

  • Existing Enrollment agent certificate has expired
  • The user performing the renewal operation outlined below needs to have been given Read and Enroll permissions on the Exchange Enrollment Agent (Offline Request) certificate template, or added to a group that has been given those permissions
  • The Exchange Enrollment Agent (Offline Request) certificate template needs to be enabled (issued for usage for certificate enrollment)
  • Have the NDES service account name at your disposal

This process involves using PowerShell to determine the correct subject format required for the renewal in addition to crafting a certificate request file and submitting that to the Certificate Authority using certreq.exe.

Start by opening a mmc console and add the Certificates snap-in for the computer account.

Locate the certificate that has the Exchange Enrollment Agent (Offline Request) as the certificate template. NOTE: As shown in the below screenshot, the certificate that we want to renew is in fact not expired in this environment, however let’s assume it is going forward.

Double-click on the certificate or right-click and select Open. Scroll down to the Thumbprint entry and select it in the Details tab. Copy the value for usage later.

Start an elevated PowerShell console and run the following command, replacing the placeholder with the thumbprint copied earlier with all spaces removed (the thumbprint string should look similar to ‘12345AB312361266’). Format-List is used so that the full Subject is shown rather than truncated in the default table view:

Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $PSItem.Thumbprint -eq "<INSERT THUMBPRINT HERE>" } | Format-List Subject, Thumbprint, NotAfter

From the output of the above PowerShell command, copy the complete value of the Subject property, e.g. CN=SCConfigMgr NDES Intune, OU=… and so on, as it will be required later.

Create a new file named EEARequest.inf in e.g. C:\Certificates on the NDES server. Open EEARequest.inf and copy in the following:

[Version]
Signature="$Windows NT$"
[NewRequest] 
Subject = "<INSERT SUBJECT HERE>"
Exportable = TRUE 
KeyLength = 2048 
KeySpec = 2 
KeyUsage = 0x80 
MachineKeySet = TRUE 
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0" 
ProviderType = 1
[EnhancedKeyUsageExtension] 
OID = 1.3.6.1.4.1.311.20.2.1
[RequestAttributes]
CertificateTemplate = EnrollmentAgentOffline

Replace <INSERT SUBJECT HERE> on the Subject line with the subject string saved from the PowerShell output. Exportable = TRUE is not needed for NDES to use the key, so set it to FALSE if your policy doesn’t allow exportable private keys on the server. The final EEARequest.inf should look similar to this:

[Version]
Signature="$Windows NT$"
[NewRequest] 
Subject = "CN=SCConfigMgr NDES Intune, OU=IT Department, O=SCConfigMgr, L=Stockholm, C=US"
Exportable = TRUE 
KeyLength = 2048 
KeySpec = 2 
KeyUsage = 0x80 
MachineKeySet = TRUE 
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0" 
ProviderType = 1
[EnhancedKeyUsageExtension] 
OID = 1.3.6.1.4.1.311.20.2.1
[RequestAttributes]
CertificateTemplate = EnrollmentAgentOffline

Save EEARequest.inf.

Open a command prompt, change to the C:\Certificates folder and run certutil with no arguments:

certutil

From the output of the previous command, copy the value next to the Config entry, in the form server\CA name; it will be used shortly in one of the certreq.exe commands. If more than one CA is listed, pick the one that issued the existing certificate.

Run the following command:

certreq.exe -f -new EEARequest.inf EEARequest.req

Click OK in the prompt that appears.

A new file named EEARequest.req is created in C:\Certificates once the command have successfully completed.

Run the following command to submit the certificate request to the Certificate Authority, replacing <Config value> with what you copied from the certutil output:

certreq.exe -submit -config "<Config value>" EEARequest.req EEARequest.cer

Finally, run the following command to accept the newly created EEARequest.cer certificate file into the computer certificate store on the NDES server:

certreq.exe -accept EEARequest.cer

If we now go back to the mmc console for the computer certificate store, the renewed Enrollment agent certificate is now listed in addition to the previous one. At this point it’s safe to remove the previous Enrollment agent certificate; I’d recommend that you export it to a file before you remove it, just as a precaution in case there’s any information in it that you need to retrieve at some point.
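
The two certreq.exe walkthroughs, this one for an expired Enrollment agent certificate and the earlier one in ‘Renew non-expired Enrollment agent certificate’, make the same three calls with a different INF. The PowerShell below is an added example (not the post’s own code) that wraps both: with -Renew it builds the RenewalCert request for a still-valid certificate, otherwise it builds the full-subject request from the existing certificate’s Subject; it then submits to the CA, accepts the result, checks that the new certificate landed in the computer store with a private key, and removes the working files. Assumptions: it runs elevated on the NDES server under an account with Enroll on the template, the CA config string is auto-detected from certutil output exactly as in the manual steps (or passed in with -CAConfig), and Exportable is FALSE rather than the post’s TRUE, since NDES doesn’t need to export the key.

```powershell
# Added example, not part of the original post. Scripts the certreq.exe
# renewal of the Enrollment agent certificate. -Renew: RenewalCert request
# (old certificate still valid); otherwise a full-subject request (expired).
# Assumed: run elevated on the NDES server by an account with Enroll on the
# Exchange Enrollment Agent (Offline Request) template.
param(
    [Parameter(Mandatory)][string]$Thumbprint,   # existing Enrollment agent certificate
    [switch]$Renew,
    [string]$CAConfig,                           # 'server\CA name'; auto-detected when omitted
    [string]$WorkDir = 'C:\Certificates'
)
$ErrorActionPreference = 'Stop'
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()
$Old = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"

if (-not $CAConfig) {
    # Same source as the manual steps: certutil with no arguments prints a
    # line 'Config: ``server\CA name''' per enterprise CA; take the first one
    $Pattern = "Config:\s+````(.+?)''"
    $Match = certutil.exe | Select-String -Pattern $Pattern | Select-Object -First 1
    if (-not $Match) { throw 'Could not determine the CA config string from certutil output.' }
    $CAConfig = $Match.Matches[0].Groups[1].Value
}

if ($Renew) {
    $Inf = @"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
RenewalCert="$Thumbprint"
MachineKeySet=TRUE
"@
} else {
    # Exportable = FALSE here; NDES only ever uses the key in place
    $Inf = @"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject = "$($Old.Subject)"
Exportable = FALSE
KeyLength = 2048
KeySpec = 2
KeyUsage = 0x80
MachineKeySet = TRUE
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
ProviderType = 1
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.4.1.311.20.2.1
[RequestAttributes]
CertificateTemplate = EnrollmentAgentOffline
"@
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$InfPath = Join-Path $WorkDir 'EEARequest.inf'
$ReqPath = Join-Path $WorkDir 'EEARequest.req'
$CerPath = Join-Path $WorkDir 'EEARequest.cer'
$RspPath = Join-Path $WorkDir 'EEARequest.rsp'
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

try {
    $Before = @(Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object { $_.Thumbprint })

    # -q suppresses the dialogs the manual steps click through; -f overwrites old files
    certreq.exe -q -f -new $InfPath $ReqPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit code $LASTEXITCODE)" }
    certreq.exe -q -f -submit -config $CAConfig $ReqPath $CerPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed (exit code $LASTEXITCODE); a template requiring CA manager approval leaves the request pending" }
    certreq.exe -q -accept $CerPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit code $LASTEXITCODE)" }

    # The renewed certificate is the one that was not in the store before
    $New = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $Before -notcontains $_.Thumbprint -and $_.Subject -eq $Old.Subject }
    if (-not $New -or -not $New.HasPrivateKey) {
        throw 'Renewed certificate not found in the computer store with a private key.'
    }
    $New | Select-Object Subject, Thumbprint, NotBefore, NotAfter, HasPrivateKey
}
finally {
    # None of these files holds the private key, but there is no reason to leave them on disk
    Remove-Item -Path $InfPath, $ReqPath, $CerPath, $RspPath -Force -ErrorAction SilentlyContinue
}
```

Save it as, for example, Renew-NdesEnrollmentAgent.ps1 and run it with -Thumbprint <thumbprint> -Renew while the old certificate is still valid, or without -Renew once it has expired. The previous certificate can then be removed and IIS reset as described in the final section.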

Now, don’t go and celebrate just yet, follow the instructions in the last section of this post right below here to get NDES operational again.

Final configuration before NDES is operational again

Regardless of which scenario you followed in this blog post, whether the NDES certificates were about to expire or had already expired and the HTTP 500.0 error message was haunting you, the final step to get NDES back up and running is to perform an IIS reset.

Simply, open an elevated command prompt on the NDES server and run the following:

iisreset

After this, the good old 403.0 page should be back for your NDES server URL.
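
As an added example (not from the original post), the PowerShell below performs the reset and then checks the local NDES URL, treating 403 as healthy and 500 as still broken. It assumes Windows PowerShell 5.1 on the NDES server and the default local path http://localhost/certsrv/mscep/mscep.dll; both are assumptions rather than something the post states.

```powershell
# Added example, not part of the original post. Restarts IIS and confirms
# NDES answers 403 (healthy) rather than 500 at the local SCEP URL.
# Assumed: Windows PowerShell 5.1, NDES reachable over HTTP on localhost.
$NdesUrl = 'http://localhost/certsrv/mscep/mscep.dll'

iisreset.exe | Out-Null
if ($LASTEXITCODE -ne 0) { throw "iisreset failed with exit code $LASTEXITCODE" }

function Get-NdesHttpStatus {
    param([string]$Uri)
    try {
        $Response = Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 15
        return [int]$Response.StatusCode
    } catch [System.Net.WebException] {
        # A 4xx/5xx answer still carries a response; a refused connection does not
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

$Status = Get-NdesHttpStatus -Uri $NdesUrl
switch ($Status) {
    403     { Write-Host "NDES is back: $NdesUrl returned 403 as expected" }
    500     { Write-Warning "Still HTTP 500 at $NdesUrl; re-check the two service certificates and the private key permissions" }
    default { Write-Warning "Unexpected HTTP $Status from $NdesUrl" }
}
```

The 403 is NDES refusing an anonymous GET with no SCEP operation, which is the normal response once both service certificates are valid and readable by the service account; a 500 at this point means one of the earlier steps was missed.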


Nickolaj Andersen

Chief Technical Architect and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd and ConfigMgr WebService, to name a few. Frequent speaker at conferences such as Microsoft Ignite, NIC Conference and IT/Dev Connections, including Nordic user groups.
