Yet despite everything looking correct, certificate enrollment and EAP\u2011TLS authentication continue to fail \u2014 a lesson learned the hard way. <\/p>\n\n\n\n
The underlying issue turns out to be deceptively simple: a missing or outdated trust relationship on the device following the Root CA renewal, even though the key pair itself did not change. <\/p>\n\n\n\n
This post walks through the environment setup, the symptoms, the root cause, and the validated fix, helping avoid a common SCEP failure that often only surfaces after certificates stop deploying. <\/p>\n\n\n\n
Overview of the Setup <\/h2>\n\n\n\n
This issue commonly appears in environments using Microsoft Intune, SCEP, and a third\u2011party Network Access Control (NAC) platform for certificate\u2011based network authentication. <\/p>\n\n\n\n
Intune\u2019s role <\/h3>\n\n\n\n\n- Deploys the trusted Root CA certificate <\/li>\n\n\n\n
- Deploys SCEP\u2011issued certificates (device or user)<\/li>\n\n\n\n
- Deploys the Wi\u2011Fi profile using EAP\u2011TLS<\/li>\n\n\n\n
- Provides device identity and trust<\/li>\n\n\n\n
- Does not enforce network access <\/li>\n<\/ul>\n\n\n\n
3rd\u2011party NAC\u2019s role<\/h3>\n\n\n\n\n- Acts as the RADIUS server for 802.1X authentication <\/li>\n\n\n\n
- Validates certificates during EAP\u2011TLS<\/li>\n\n\n\n
- Enforces network access policies:\n
\n- VLANs<\/li>\n\n\n\n
- Roles<\/li>\n\n\n\n
- ACLs<\/li>\n\n\n\n
- Quarantine \/ remediation<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Optionally evaluates Intune compliance or posture <\/li>\n<\/ul>\n\n\n\n
Authentication flow <\/h3>\n\n\n\n\n- Intune installs: \n
\n- Root CA certificate <\/li>\n\n\n\n
- SCEP\u2011issued certificate <\/li>\n\n\n\n
- Wi\u2011Fi profile (EAP\u2011TLS) <\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Device connects to the network using EAP\u2011TLS <\/li>\n\n\n\n
- NAC validates the certificate chain and attributes <\/li>\n\n\n\n
- NAC grants or denies network access <\/li>\n<\/ol>\n\n\n\n
![\"\"](\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2026\/04\/root-cert-renewal-img-111-1024x704.png\" "\\"\\"")
<\/figure>\n\n\n\nCommon patterns <\/h3>\n\n\n\n\n- Device\u2011based certificates (most common) \n
\n- Best for corporate devices and pre\u2011logon access <\/li>\n<\/ul>\n<\/li>\n\n\n\n
- User\u2011based certificates \n
\n- Typically used for BYOD <\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Hybrid approaches \n
\n- Certificate authentication plus Intune compliance checks <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Note<\/h3>\n\n\n\n
Intune provisions and configures certificates; the NAC authenticates and enforces access. <\/p>\n\n\n\n
This separation of responsibility is crucial to understanding the failure. <\/p>\n\n\n\n
The Problem <\/h2>\n\n\n\n
After renewing the Root CA or Issuing CA certificate, SCEP certificate deployment to Windows devices begins to fail. <\/p>\n\n\n\n
No Intune configuration changes were made, yet: <\/p>\n\n\n\n
\n- New certificates are not issued<\/li>\n\n\n\n
- Devices fail EAP\u2011TLS authentication<\/li>\n\n\n\n
- Network access is denied<\/li>\n\n\n\n
- Intune reports SCEP profile failures <\/li>\n<\/ul>\n\n\n\n
Symptoms <\/h2>\n\n\n\n
Following the CA renewal, administrators observe: <\/p>\n\n\n\n
\n- Failed SCEP certificate deployments in Intune <\/li>\n\n\n\n
- Windows devices unable to enroll for certificates <\/li>\n\n\n\n
- Errors appearing locally on the device after renewal <\/li>\n\n\n\n
- Existing certificates continuing to work until expiry <\/li>\n\n\n\n
- Newly enrolled or reprovisioned devices failing network authentication <\/li>\n<\/ul>\n\n\n\n
This is commonly seen in environments using: <\/p>\n\n\n\n
\n- NDES <\/li>\n\n\n\n
- Intune Certificate Connector <\/li>\n\n\n\n
- A third\u2011party NAC relying on certificate trust <\/li>\n<\/ul>\n\n\n\n
Error Observed on the Device<\/h3>\n\n\n\n
On affected Windows devices, the error is visible in Event Viewer at: <\/p>\n\n\n\n
Applications and Services Logs \u2192 Microsoft \u2192 Windows \u2192 DeviceManagement\u2011Enterprise\u2011Diagnostics\u2011Provider \u2192 Admin <\/code><\/pre>\n\n\n\nIn this log, the device records Event ID 307 errors during SCEP enrollment. <\/p>\n\n\n\n![\"\"](\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2026\/04\/image-1024x495.png\" "\\"\\"")
<\/figure>\n\n\n\nRoot Cause <\/h2>\n\n\n\n
The issue is caused by certificate trust not being refreshed on Windows devices after the Root CA renewal, even when the renewal is performed using the existing key pair. <\/p>\n\n\n\n
When a Root CA or Issuing CA certificate is renewed: <\/p>\n\n\n\n
\n- The certificate validity period and metadata change <\/li>\n\n\n\n
- The renewed certificate is published and used by NDES and the Intune Certificate Connector<\/li>\n\n\n\n
- Windows devices do not automatically update or re\u2011trust the renewed CA certificate <\/li>\n<\/ul>\n\n\n\n
Even though the private\/public key pair remains the same, the renewed certificate is still treated as a new certificate instance from a trust perspective. If the updated certificate is not redeployed to devices: <\/p>\n\n\n\n
\n- The SCEP server certificate chain cannot be fully validated <\/li>\n\n\n\n
- SCEP enrollment fails during certificate issuance <\/li>\n\n\n\n
- Intune reports the SCEP profile as failed <\/li>\n\n\n\n
- The NAC never receives a valid certificate to authenticate <\/li>\n<\/ul>\n\n\n\n
This confirms the issue is not related to key pair changes, but rather to certificate trust distribution and lifecycle handling on managed devices.<\/p>\n\n\n\n
Note<\/h3>\n\n\n\n
Renewing a Root CA with the existing key pair does not eliminate the need to redeploy the trusted certificate to endpoints. <\/p>\n\n\n\n
Devices must explicitly trust the renewed certificate, regardless of whether the key pair changed. <\/p>\n\n\n\n
Why Network Access Breaks <\/h2>\n\n\n\n
EAP\u2011TLS authentication is entirely dependent on trust: <\/p>\n\n\n\n
\n- The device must trust the CA <\/li>\n\n\n\n
- The NAC must trust the same CA <\/li>\n\n\n\n
- Any mismatch breaks authentication <\/li>\n<\/ul>\n\n\n\n
After renewal, the NAC often trusts the updated CA, while Windows devices do not, creating a one\u2011sided trust failure that prevents SCEP enrollment and network access. <\/p>\n\n\n\n
The Fix <\/h2>\n\n\n\n
To resolve the issue.\u00a0<\/p>\n\n\n\n
Reinstall both the Network Device Enrollment Service (NDES) server role and the Microsoft Intune Certificate Connector on the NDES server. <\/p>\n\n\n\n
During reinstallation <\/strong><\/h3>\n\n\n\n\n- New RA (Registration Authority) certificates are automatically reissued <\/li>\n\n\n\n
- NDES is re\u2011registered with the renewed CA certificate <\/li>\n\n\n\n
- Trust is re\u2011established between: \n
\n- NDES <\/li>\n\n\n\n
- The Certificate Authority <\/li>\n\n\n\n
- Microsoft Intune <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Once the RA certificates are refreshed, SCEP certificate deployment to Windows devices resumes successfully. <\/p>\n\n\n\n
Important: Update the MSCEP Registry Configuration <\/h3>\n\n\n\n
After the NDES and Intune Certificate Connector installation wizard completes, do not forget to update the MSCEP registry configuration on the NDES server. <\/p>\n\n\n\n
Registry Location<\/h3>\n\n\n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MSCEP\\ <\/code><\/pre>\n\n\n\nWhat Needs to Be Updated<\/h3>\n\n\n\n
NDES maps SCEP requests to certificate templates using registry values. These values must match the certificate template name (not the display name) used by your SCEP profile in Intune. <\/p>\n\n\n\n
To update the registry: <\/p>\n\n\n\n
\n- Identify the Purpose of the certificate template (found on the Request Handling tab of the template) <\/li>\n\n\n\n
- Update the corresponding registry value with the template name<\/li>\n<\/ul>\n\n\n\n
Certificate Template Purpose Mapping <\/h3>\n\n\n\nCertificate Template Purpose <\/strong> <\/td>Registry Value to Edit<\/strong> <\/td>Value Seen in Intune SCEP Profile<\/strong> <\/td><\/tr>Signature <\/td> SignatureTemplate <\/td> Digital Signature <\/td><\/tr> Encryption <\/td> EncryptionTemplate <\/td> Key Encipherment <\/td><\/tr> Signature and encryption <\/td> GeneralPurposeTemplate <\/td> Digital Signature \/ Key Encipherment <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nWhat Happens If the Registry Is Not Updated <\/h2>\n\n\n\n
If the MSCEP (Microsoft Simple Certificate Enrollment Protocol) registry values are not updated after reinstalling NDES and the Microsoft Intune Certificate Connector, the environment may appear to be fully functional again but authentication will still fail. <\/p>\n\n\n\n
In this scenario: <\/p>\n\n\n\n
\n- NDES and the Intune Certificate Connector are installed successfully <\/li>\n\n\n\n
- RA certificates are reissued <\/li>\n\n\n\n
- Intune SCEP, Trusted Certificate, and Wi\u2011Fi profiles are successfully delivered to the device <\/li>\n\n\n\n
- The device receives a certificate <\/li>\n\n\n\n
- Wi\u2011Fi authentication using EAP\u2011TLS still fails <\/li>\n<\/ul>\n\n\n\n
This can be misleading, as Intune shows no deployment errors, yet the device cannot authenticate to the network. <\/p>\n\n\n\n
Evidence on the NDES Server (Wrong Template Used) <\/strong><\/h3>\n\n\n\nWhen this occurs, the issue is visible in Event Viewer on the NDES server, under: Event Viewer<\/p>\n\n\n\n
Applications and Services Logs \u2192 Microsoft \u2192 Intune \u2192 CertificateConnectors \u2192 Operational <\/code><\/pre>\n\n\n\nIn this log, Event ID 4004 entries show that the SCEP request was processed successfully, but the wrong certificate template was used. The event details include a line similar to:<\/p>\n\n\n\n![\"\"](\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2026\/04\/image-1-1024x609.png\" "\\"\\"")
<\/figure>\n\n\n\nThis indicates that: <\/p>\n\n\n\n
\n- NDES is processing SCEP requests <\/li>\n\n\n\n
- The request is valid <\/li>\n\n\n\n
- The certificate is being issued using an unexpected or incorrect template <\/li>\n\n\n\n
- The template does not match the one configured for the Intune SCEP profile <\/li>\n<\/ul>\n\n\n\n
As a result, the issued certificate does not meet the requirements for EAP\u2011TLS authentication, and network access is denied. <\/p>\n\n\n\n
Why This Fix Works <\/h3>\n\n\n\n\n- RA certificates are tightly bound to the CA certificate state <\/li>\n\n\n\n
- NDES does not automatically regenerate RA certificates after a CA renewal <\/li>\n\n\n\n
- Reinstalling NDES and the Intune Certificate Connector is the only supported method to force RA certificate reissuance <\/li>\n<\/ul>\n\n\n\n
Even when the Root CA is renewed using the existing key pair, RA certificates can still become invalid from a trust perspective. <\/p>\n\n\n\n
Key Takeaways <\/h2>\n\n\n\n\n- Renewing a Root CA is not a zero\u2011impact operation for Intune SCEP <\/li>\n\n\n\n
- Using the existing key pair does not prevent failures <\/li>\n\n\n\n
- SCEP failures after CA renewal can originate on the NDES server, not the device <\/li>\n\n\n\n
- The Microsoft\u2011supported fix is to reinstall NDES and the Intune Certificate Connector <\/li>\n\n\n\n
- Plan CA renewals with NDES remediation steps included <\/li>\n<\/ul>\n\n\n\n
Insentra\u2019s Modern Workplace team helps organisations get ahead of challenges across the Microsoft stack before they become critical issues. Whether you are planning a CA renewal, resolving SCEP failures, or building robust runbooks for the future, we are here to help. Contact<\/a> our team to ensure your environment is secure, resilient and ready for what comes next. <\/p>\n\n\n\nReference <\/h2>\n\n\n\n
Microsoft official guidance: SCEP deployment to Windows 10 devices fails after you renew the CA certificate<\/a> <\/p>\n\n\n\n
3rd\u2011party NAC\u2019s role<\/h3>\n\n\n\n\n- Acts as the RADIUS server for 802.1X authentication <\/li>\n\n\n\n
- Validates certificates during EAP\u2011TLS<\/li>\n\n\n\n
- Enforces network access policies:\n
\n- VLANs<\/li>\n\n\n\n
- Roles<\/li>\n\n\n\n
- ACLs<\/li>\n\n\n\n
- Quarantine \/ remediation<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Optionally evaluates Intune compliance or posture <\/li>\n<\/ul>\n\n\n\n
Authentication flow <\/h3>\n\n\n\n\n- Intune installs: \n
\n- Root CA certificate <\/li>\n\n\n\n
- SCEP\u2011issued certificate <\/li>\n\n\n\n
- Wi\u2011Fi profile (EAP\u2011TLS) <\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Device connects to the network using EAP\u2011TLS <\/li>\n\n\n\n
- NAC validates the certificate chain and attributes <\/li>\n\n\n\n
- NAC grants or denies network access <\/li>\n<\/ol>\n\n\n\n<\/figure>\n\n\n\n
Common patterns <\/h3>\n\n\n\n\n- Device\u2011based certificates (most common) \n
\n- Best for corporate devices and pre\u2011logon access <\/li>\n<\/ul>\n<\/li>\n\n\n\n
- User\u2011based certificates \n
\n- Typically used for BYOD <\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Hybrid approaches \n
\n- Certificate authentication plus Intune compliance checks <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Note<\/h3>\n\n\n\n
Intune provisions and configures certificates; the NAC authenticates and enforces access. <\/p>\n\n\n\n
This separation of responsibility is crucial to understanding the failure. <\/p>\n\n\n\n
The Problem <\/h2>\n\n\n\n
After renewing the Root CA or Issuing CA certificate, SCEP certificate deployment to Windows devices begins to fail. <\/p>\n\n\n\n
No Intune configuration changes were made, yet: <\/p>\n\n\n\n
\n- New certificates are not issued<\/li>\n\n\n\n
- Devices fail EAP\u2011TLS authentication<\/li>\n\n\n\n
- Network access is denied<\/li>\n\n\n\n
- Intune reports SCEP profile failures <\/li>\n<\/ul>\n\n\n\n
Symptoms <\/h2>\n\n\n\n
Following the CA renewal, administrators observe: <\/p>\n\n\n\n
\n- Failed SCEP certificate deployments in Intune <\/li>\n\n\n\n
- Windows devices unable to enroll for certificates <\/li>\n\n\n\n
- Errors appearing locally on the device after renewal <\/li>\n\n\n\n
- Existing certificates continuing to work until expiry <\/li>\n\n\n\n
- Newly enrolled or reprovisioned devices failing network authentication <\/li>\n<\/ul>\n\n\n\n
This is commonly seen in environments using: <\/p>\n\n\n\n
\n- NDES <\/li>\n\n\n\n
- Intune Certificate Connector <\/li>\n\n\n\n
- A third\u2011party NAC relying on certificate trust <\/li>\n<\/ul>\n\n\n\n
Error Observed on the Device<\/h3>\n\n\n\n
On affected Windows devices, the error is visible in Event Viewer at: <\/p>\n\n\n\n
Applications and Services Logs \u2192 Microsoft \u2192 Windows \u2192 DeviceManagement\u2011Enterprise\u2011Diagnostics\u2011Provider \u2192 Admin <\/code><\/pre>\n\n\n\nIn this log, the device records Event ID 307 errors during SCEP enrollment. <\/p>\n\n\n\n<\/figure>\n\n\n\nRoot Cause <\/h2>\n\n\n\n
The issue is caused by certificate trust not being refreshed on Windows devices after the Root CA renewal, even when the renewal is performed using the existing key pair. <\/p>\n\n\n\n
When a Root CA or Issuing CA certificate is renewed: <\/p>\n\n\n\n
\n- The certificate validity period and metadata change <\/li>\n\n\n\n
- The renewed certificate is published and used by NDES and the Intune Certificate Connector<\/li>\n\n\n\n
- Windows devices do not automatically update or re\u2011trust the renewed CA certificate <\/li>\n<\/ul>\n\n\n\n
Even though the private\/public key pair remains the same, the renewed certificate is still treated as a new certificate instance from a trust perspective. If the updated certificate is not redeployed to devices: <\/p>\n\n\n\n
\n- The SCEP server certificate chain cannot be fully validated <\/li>\n\n\n\n
- SCEP enrollment fails during certificate issuance <\/li>\n\n\n\n
- Intune reports the SCEP profile as failed <\/li>\n\n\n\n
- The NAC never receives a valid certificate to authenticate <\/li>\n<\/ul>\n\n\n\n
This confirms the issue is not related to key pair changes, but rather to certificate trust distribution and lifecycle handling on managed devices.<\/p>\n\n\n\n
Note<\/h3>\n\n\n\n
Renewing a Root CA with the existing key pair does not eliminate the need to redeploy the trusted certificate to endpoints. <\/p>\n\n\n\n
Devices must explicitly trust the renewed certificate, regardless of whether the key pair changed. <\/p>\n\n\n\n
Why Network Access Breaks <\/h2>\n\n\n\n
EAP\u2011TLS authentication is entirely dependent on trust: <\/p>\n\n\n\n
\n- The device must trust the CA <\/li>\n\n\n\n
- The NAC must trust the same CA <\/li>\n\n\n\n
- Any mismatch breaks authentication <\/li>\n<\/ul>\n\n\n\n
After renewal, the NAC often trusts the updated CA, while Windows devices do not, creating a one\u2011sided trust failure that prevents SCEP enrollment and network access. <\/p>\n\n\n\n
The Fix <\/h2>\n\n\n\n
To resolve the issue.\u00a0<\/p>\n\n\n\n
Reinstall both the Network Device Enrollment Service (NDES) server role and the Microsoft Intune Certificate Connector on the NDES server. <\/p>\n\n\n\n
During reinstallation <\/strong><\/h3>\n\n\n\n\n- New RA (Registration Authority) certificates are automatically reissued <\/li>\n\n\n\n
- NDES is re\u2011registered with the renewed CA certificate <\/li>\n\n\n\n
- Trust is re\u2011established between: \n
\n- NDES <\/li>\n\n\n\n
- The Certificate Authority <\/li>\n\n\n\n
- Microsoft Intune <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Once the RA certificates are refreshed, SCEP certificate deployment to Windows devices resumes successfully. <\/p>\n\n\n\n
Important: Update the MSCEP Registry Configuration <\/h3>\n\n\n\n
After the NDES and Intune Certificate Connector installation wizard completes, do not forget to update the MSCEP registry configuration on the NDES server. <\/p>\n\n\n\n
Registry Location<\/h3>\n\n\n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MSCEP\\ <\/code><\/pre>\n\n\n\nWhat Needs to Be Updated<\/h3>\n\n\n\n
NDES maps SCEP requests to certificate templates using registry values. These values must match the certificate template name (not the display name) used by your SCEP profile in Intune. <\/p>\n\n\n\n
To update the registry: <\/p>\n\n\n\n
\n- Identify the Purpose of the certificate template (found on the Request Handling tab of the template) <\/li>\n\n\n\n
- Update the corresponding registry value with the template name<\/li>\n<\/ul>\n\n\n\n
Certificate Template Purpose Mapping <\/h3>\n\n\n\nCertificate Template Purpose <\/strong> <\/td>Registry Value to Edit<\/strong> <\/td>Value Seen in Intune SCEP Profile<\/strong> <\/td><\/tr>Signature <\/td> SignatureTemplate <\/td> Digital Signature <\/td><\/tr> Encryption <\/td> EncryptionTemplate <\/td> Key Encipherment <\/td><\/tr> Signature and encryption <\/td> GeneralPurposeTemplate <\/td> Digital Signature \/ Key Encipherment <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nWhat Happens If the Registry Is Not Updated <\/h2>\n\n\n\n
If the MSCEP (Microsoft Simple Certificate Enrollment Protocol) registry values are not updated after reinstalling NDES and the Microsoft Intune Certificate Connector, the environment may appear to be fully functional again but authentication will still fail. <\/p>\n\n\n\n
In this scenario: <\/p>\n\n\n\n
\n- NDES and the Intune Certificate Connector are installed successfully <\/li>\n\n\n\n
- RA certificates are reissued <\/li>\n\n\n\n
- Intune SCEP, Trusted Certificate, and Wi\u2011Fi profiles are successfully delivered to the device <\/li>\n\n\n\n
- The device receives a certificate <\/li>\n\n\n\n
- Wi\u2011Fi authentication using EAP\u2011TLS still fails <\/li>\n<\/ul>\n\n\n\n
This can be misleading, as Intune shows no deployment errors, yet the device cannot authenticate to the network. <\/p>\n\n\n\n
Evidence on the NDES Server (Wrong Template Used) <\/strong><\/h3>\n\n\n\nWhen this occurs, the issue is visible in Event Viewer on the NDES server, under: Event Viewer<\/p>\n\n\n\n
Applications and Services Logs \u2192 Microsoft \u2192 Intune \u2192 CertificateConnectors \u2192 Operational <\/code><\/pre>\n\n\n\nIn this log, Event ID 4004 entries show that the SCEP request was processed successfully, but the wrong certificate template was used. The event details include a line similar to:<\/p>\n\n\n\n<\/figure>\n\n\n\nThis indicates that: <\/p>\n\n\n\n
\n- NDES is processing SCEP requests <\/li>\n\n\n\n
- The request is valid <\/li>\n\n\n\n
- The certificate is being issued using an unexpected or incorrect template <\/li>\n\n\n\n
- The template does not match the one configured for the Intune SCEP profile <\/li>\n<\/ul>\n\n\n\n
As a result, the issued certificate does not meet the requirements for EAP\u2011TLS authentication, and network access is denied. <\/p>\n\n\n\n
Why This Fix Works <\/h3>\n\n\n\n\n- RA certificates are tightly bound to the CA certificate state <\/li>\n\n\n\n
- NDES does not automatically regenerate RA certificates after a CA renewal <\/li>\n\n\n\n
- Reinstalling NDES and the Intune Certificate Connector is the only supported method to force RA certificate reissuance <\/li>\n<\/ul>\n\n\n\n
Even when the Root CA is renewed using the existing key pair, RA certificates can still become invalid from a trust perspective. <\/p>\n\n\n\n
Key Takeaways <\/h2>\n\n\n\n\n- Renewing a Root CA is not a zero\u2011impact operation for Intune SCEP <\/li>\n\n\n\n
- Using the existing key pair does not prevent failures <\/li>\n\n\n\n
- SCEP failures after CA renewal can originate on the NDES server, not the device <\/li>\n\n\n\n
- The Microsoft\u2011supported fix is to reinstall NDES and the Intune Certificate Connector <\/li>\n\n\n\n
- Plan CA renewals with NDES remediation steps included <\/li>\n<\/ul>\n\n\n\n
Insentra\u2019s Modern Workplace team helps organisations get ahead of challenges across the Microsoft stack before they become critical issues. Whether you are planning a CA renewal, resolving SCEP failures, or building robust runbooks for the future, we are here to help. Contact<\/a> our team to ensure your environment is secure, resilient and ready for what comes next. <\/p>\n\n\n\nReference <\/h2>\n\n\n\n
Microsoft official guidance: SCEP deployment to Windows 10 devices fails after you renew the CA certificate<\/a> <\/p>\n\n\n\n
- \n
- VLANs<\/li>\n\n\n\n
- Roles<\/li>\n\n\n\n
- ACLs<\/li>\n\n\n\n
- Quarantine \/ remediation<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Optionally evaluates Intune compliance or posture <\/li>\n<\/ul>\n\n\n\n
Authentication flow <\/h3>\n\n\n\n
- \n
- Intune installs: \n
- \n
- Root CA certificate <\/li>\n\n\n\n
- SCEP\u2011issued certificate <\/li>\n\n\n\n
- Wi\u2011Fi profile (EAP\u2011TLS) <\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Device connects to the network using EAP\u2011TLS <\/li>\n\n\n\n
- NAC validates the certificate chain and attributes <\/li>\n\n\n\n
- NAC grants or denies network access <\/li>\n<\/ol>\n\n\n\n<\/figure>\n\n\n\n
Common patterns <\/h3>\n\n\n\n
- \n
- Device\u2011based certificates (most common) \n
- \n
- Best for corporate devices and pre\u2011logon access <\/li>\n<\/ul>\n<\/li>\n\n\n\n
- User\u2011based certificates \n
- \n
- Typically used for BYOD <\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Hybrid approaches \n
- \n
- Certificate authentication plus Intune compliance checks <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Note<\/h3>\n\n\n\n
Intune provisions and configures certificates; the NAC authenticates and enforces access. <\/p>\n\n\n\n
This separation of responsibility is crucial to understanding the failure. <\/p>\n\n\n\n
The Problem <\/h2>\n\n\n\n
After renewing the Root CA or Issuing CA certificate, SCEP certificate deployment to Windows devices begins to fail. <\/p>\n\n\n\n
No Intune configuration changes were made, yet: <\/p>\n\n\n\n
- \n
- New certificates are not issued<\/li>\n\n\n\n
- Devices fail EAP\u2011TLS authentication<\/li>\n\n\n\n
- Network access is denied<\/li>\n\n\n\n
- Intune reports SCEP profile failures <\/li>\n<\/ul>\n\n\n\n
Symptoms <\/h2>\n\n\n\n
Following the CA renewal, administrators observe: <\/p>\n\n\n\n
- \n
- Failed SCEP certificate deployments in Intune <\/li>\n\n\n\n
- Windows devices unable to enroll for certificates <\/li>\n\n\n\n
- Errors appearing locally on the device after renewal <\/li>\n\n\n\n
- Existing certificates continuing to work until expiry <\/li>\n\n\n\n
- Newly enrolled or reprovisioned devices failing network authentication <\/li>\n<\/ul>\n\n\n\n
This is commonly seen in environments using: <\/p>\n\n\n\n
- \n
- NDES <\/li>\n\n\n\n
- Intune Certificate Connector <\/li>\n\n\n\n
- A third\u2011party NAC relying on certificate trust <\/li>\n<\/ul>\n\n\n\n
Error Observed on the Device<\/h3>\n\n\n\n
On affected Windows devices, the error is visible in Event Viewer at: <\/p>\n\n\n\n
Applications and Services Logs \u2192 Microsoft \u2192 Windows \u2192 DeviceManagement\u2011Enterprise\u2011Diagnostics\u2011Provider \u2192 Admin <\/code><\/pre>\n\n\n\nIn this log, the device records Event ID 307 errors during SCEP enrollment. <\/p>\n\n\n\n
<\/figure>\n\n\n\nRoot Cause <\/h2>\n\n\n\n
The issue is caused by certificate trust not being refreshed on Windows devices after the Root CA renewal, even when the renewal is performed using the existing key pair. <\/p>\n\n\n\n
When a Root CA or Issuing CA certificate is renewed: <\/p>\n\n\n\n
- \n
- The certificate validity period and metadata change <\/li>\n\n\n\n
- The renewed certificate is published and used by NDES and the Intune Certificate Connector<\/li>\n\n\n\n
- Windows devices do not automatically update or re\u2011trust the renewed CA certificate <\/li>\n<\/ul>\n\n\n\n
Even though the private\/public key pair remains the same, the renewed certificate is still treated as a new certificate instance from a trust perspective. If the updated certificate is not redeployed to devices: <\/p>\n\n\n\n
- \n
- The SCEP server certificate chain cannot be fully validated <\/li>\n\n\n\n
- SCEP enrollment fails during certificate issuance <\/li>\n\n\n\n
- Intune reports the SCEP profile as failed <\/li>\n\n\n\n
- The NAC never receives a valid certificate to authenticate <\/li>\n<\/ul>\n\n\n\n
This confirms the issue is not related to key pair changes, but rather to certificate trust distribution and lifecycle handling on managed devices.<\/p>\n\n\n\n
Note<\/h3>\n\n\n\n
Renewing a Root CA with the existing key pair does not eliminate the need to redeploy the trusted certificate to endpoints. <\/p>\n\n\n\n
Devices must explicitly trust the renewed certificate, regardless of whether the key pair changed. <\/p>\n\n\n\n
Why Network Access Breaks <\/h2>\n\n\n\n
EAP\u2011TLS authentication is entirely dependent on trust: <\/p>\n\n\n\n
- \n
- The device must trust the CA <\/li>\n\n\n\n
- The NAC must trust the same CA <\/li>\n\n\n\n
- Any mismatch breaks authentication <\/li>\n<\/ul>\n\n\n\n
After renewal, the NAC often trusts the updated CA, while Windows devices do not, creating a one\u2011sided trust failure that prevents SCEP enrollment and network access. <\/p>\n\n\n\n
The Fix <\/h2>\n\n\n\n
To resolve the issue.\u00a0<\/p>\n\n\n\n
Reinstall both the Network Device Enrollment Service (NDES) server role and the Microsoft Intune Certificate Connector on the NDES server. <\/p>\n\n\n\n
During reinstallation <\/strong><\/h3>\n\n\n\n
- \n
- New RA (Registration Authority) certificates are automatically reissued <\/li>\n\n\n\n
- NDES is re\u2011registered with the renewed CA certificate <\/li>\n\n\n\n
- Trust is re\u2011established between: \n
- \n
- NDES <\/li>\n\n\n\n
- The Certificate Authority <\/li>\n\n\n\n
- Microsoft Intune <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Once the RA certificates are refreshed, SCEP certificate deployment to Windows devices resumes successfully. <\/p>\n\n\n\n
Important: Update the MSCEP Registry Configuration <\/h3>\n\n\n\n
After the NDES and Intune Certificate Connector installation wizard completes, do not forget to update the MSCEP registry configuration on the NDES server. <\/p>\n\n\n\n
Registry Location<\/h3>\n\n\n\n
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MSCEP\\ <\/code><\/pre>\n\n\n\nWhat Needs to Be Updated<\/h3>\n\n\n\n
NDES maps SCEP requests to certificate templates using registry values. These values must match the certificate template name (not the display name) used by your SCEP profile in Intune. <\/p>\n\n\n\n
To update the registry: <\/p>\n\n\n\n
- \n
- Identify the Purpose of the certificate template (found on the Request Handling tab of the template) <\/li>\n\n\n\n
- Update the corresponding registry value with the template name<\/li>\n<\/ul>\n\n\n\n
Certificate Template Purpose Mapping <\/h3>\n\n\n\n
Certificate Template Purpose <\/strong> <\/td> Registry Value to Edit<\/strong> <\/td> Value Seen in Intune SCEP Profile<\/strong> <\/td><\/tr> Signature <\/td> SignatureTemplate <\/td> Digital Signature <\/td><\/tr> Encryption <\/td> EncryptionTemplate <\/td> Key Encipherment <\/td><\/tr> Signature and encryption <\/td> GeneralPurposeTemplate <\/td> Digital Signature \/ Key Encipherment <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n What Happens If the Registry Is Not Updated <\/h2>\n\n\n\n
If the MSCEP (Microsoft Simple Certificate Enrollment Protocol) registry values are not updated after reinstalling NDES and the Microsoft Intune Certificate Connector, the environment may appear to be fully functional again but authentication will still fail. <\/p>\n\n\n\n
In this scenario: <\/p>\n\n\n\n
- \n
- NDES and the Intune Certificate Connector are installed successfully <\/li>\n\n\n\n
- RA certificates are reissued <\/li>\n\n\n\n
- Intune SCEP, Trusted Certificate, and Wi\u2011Fi profiles are successfully delivered to the device <\/li>\n\n\n\n
- The device receives a certificate <\/li>\n\n\n\n
- Wi\u2011Fi authentication using EAP\u2011TLS still fails <\/li>\n<\/ul>\n\n\n\n
This can be misleading, as Intune shows no deployment errors, yet the device cannot authenticate to the network. <\/p>\n\n\n\n
Evidence on the NDES Server (Wrong Template Used) <\/strong><\/h3>\n\n\n\n
When this occurs, the issue is visible in Event Viewer on the NDES server, under: Event Viewer<\/p>\n\n\n\n
Applications and Services Logs \u2192 Microsoft \u2192 Intune \u2192 CertificateConnectors \u2192 Operational <\/code><\/pre>\n\n\n\nIn this log, Event ID 4004 entries show that the SCEP request was processed successfully, but the wrong certificate template was used. The event details include a line similar to:<\/p>\n\n\n\n
<\/figure>\n\n\n\nThis indicates that: <\/p>\n\n\n\n
- \n
- NDES is processing SCEP requests <\/li>\n\n\n\n
- The request is valid <\/li>\n\n\n\n
- The certificate is being issued using an unexpected or incorrect template <\/li>\n\n\n\n
- The template does not match the one configured for the Intune SCEP profile <\/li>\n<\/ul>\n\n\n\n
As a result, the issued certificate does not meet the requirements for EAP\u2011TLS authentication, and network access is denied. <\/p>\n\n\n\n
Why This Fix Works <\/h3>\n\n\n\n
- \n
- RA certificates are tightly bound to the CA certificate state <\/li>\n\n\n\n
- NDES does not automatically regenerate RA certificates after a CA renewal <\/li>\n\n\n\n
- Reinstalling NDES and the Intune Certificate Connector is the only supported method to force RA certificate reissuance <\/li>\n<\/ul>\n\n\n\n
Even when the Root CA is renewed using the existing key pair, RA certificates can still become invalid from a trust perspective. <\/p>\n\n\n\n
Key Takeaways <\/h2>\n\n\n\n
- \n
- Renewing a Root CA is not a zero\u2011impact operation for Intune SCEP <\/li>\n\n\n\n
- Using the existing key pair does not prevent failures <\/li>\n\n\n\n
- SCEP failures after CA renewal can originate on the NDES server, not the device <\/li>\n\n\n\n
- The Microsoft\u2011supported fix is to reinstall NDES and the Intune Certificate Connector <\/li>\n\n\n\n
- Plan CA renewals with NDES remediation steps included <\/li>\n<\/ul>\n\n\n\n
Insentra\u2019s Modern Workplace team helps organisations get ahead of challenges across the Microsoft stack before they become critical issues. Whether you are planning a CA renewal, resolving SCEP failures, or building robust runbooks for the future, we are here to help. Contact<\/a> our team to ensure your environment is secure, resilient and ready for what comes next. <\/p>\n\n\n\n
Reference <\/h2>\n\n\n\n
Microsoft official guidance: SCEP deployment to Windows 10 devices fails after you renew the CA certificate<\/a> <\/p>\n\n\n\n
- Certificate authentication plus Intune compliance checks <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- Device\u2011based certificates (most common) \n
- Intune installs: \n