intune-resource-access's Introduction

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

intune-resource-access's People

Contributors

adamsd2000, darba, dependabot[bot], ejmgithub, helisow, hg-msft, isarkar, juanlucdev, microsoft-github-policy-service[bot], microsoftopensource, msftgits, primetomas, tynidev, tynitest, unome5548, yoshuuuua

intune-resource-access's Issues

0x8010002c: Requested certificate does not exist

Hi, I was advised to create an issue here after I created an Intune ticket in the Microsoft Q&A forums (https://docs.microsoft.com/en-us/answers/questions/70809/0x8010002c-request-certificate-does-not-exist-duri.html)

I am trying to integrate a Third-party CA to work with Intune SCEP to issue certificates according to https://docs.microsoft.com/en-us/mem/intune/protect/scep-libraries-apis. I am using the CsrValidation api for Java to integrate.

My issue is not really with the CsrValidation API.

I have setup the following Configuration profiles in Azure Endpoint manager:
Trusted Certificate: Computer store - Root (Root CA)
Trusted Certificate: Computer store - Intermediate (Root CA)
Trusted Certificate: Computer store - Intermediate (Intermediate CA)
SCEP Certificate: Windows 10.

All 3 Trusted Certificate Profiles are successfully deployed to the WIN10 device.

To enrol the Windows 10 Device I go to 'Settings -> Account -> Access work or school -> Connect'. The Windows UI says that the connection is successful.

However, when looking in the Windows 10 Event Viewer under 'Applications and Services Logs/Microsoft/Windows/DeviceManagement-Enterprise-Diagnostics-Provider' it gives the following two errors:

Event 307: SCEP: Failed LogError Message : (SCEPInstallCertificateWithScepHelper:Failed to Initialize SCEP enrollment with NDES Server 'http://{url}/scep/intune/pkiclient.exe', CA cert thumbprint '2FCF40...CEF1' and server )

Event 32: SCEP: Certificate enroll failed. Result: (The requested certificate does not exist.). [HRESULT: 0x8010002c]

These 2 errors occur after the 'GetCACertChain' call has been made from the WIN10 device and the CA SCEP RA has returned the chain in PKCS#7 format containing the Root CA, Intermediate CA and the RA certificate.

The thumbprint in Event 307 is the same as the thumbprint of my Root CA.

Any ideas on what I have misconfigured to get this error?

No Certificate visible in configuration profile.

I have managed to create the certificate, and when I run Get-IntuneUserPfxCertificate, I can see the entry. However, when I create the device configuration profile in Intune for a PKCS imported certificate, I cannot see the cert in the Certificates list. Is there any way I can validate this behavior, since the certs are not deploying to my devices?

Similarly, and apologies for a non-dev question, I wish to use these certs to connect to an Azure App reg (MS Warehouse Management) on Android Dedicated devices (no user affinity). Since these are user certs, how can I engineer this to work?

About the DownloadCARevocationRequests and UploadRevocationResults methods of the IntuneRevocationClient class

Hello,

I have two questions about methods within the IntuneRevocationClient class.

(1) About the DownloadCARevocationRequests method

I am executing a POST request to DOWNLOADREVOCATIONREQUESTS_URL (CertificateAuthorityRequests/downloadRevocationRequests) within the method. Is there an API specification for the downloadRevocationRequests endpoint?
What specific values should I set for the request parameters, and what value is returned as a response? I would like to know the details.

// Send the POST request to Intune
JSONObject result = this.PostRequest(CONNECTOR_SERVICE_NAME,
        DOWNLOADREVOCATIONREQUESTS_URL,
        serviceVersion,
        requestBody,
        activityId,
        additionalHeaders);

(2) About the UploadRevocationResults method

I am executing a POST request to the UPLOADREVOCATIONRESULTS_URL (CertificateAuthorityRequests/uploadRevocationResults) within the method. Is there an API specification for the uploadRevocationResults endpoint?
What specific values should I set for the request parameters, and what value is returned as a response? I would like to know the details.
I would also like to know when this method should be called.

// Send the POST request to Intune
JSONObject result = this.PostRequest(CONNECTOR_SERVICE_NAME,
        UPLOADREVOCATIONRESULTS_URL,
        serviceVersion,
        requestBody,
        activityId,
        additionalHeaders);

Thank you.

Azure Active Directory Graph >> Microsoft Graph perms mapping issue - Did not find service named 'ScepRequestValidationFEService' listed in Microsoft.Graph

@tynidev
I started seeing this issue on a newly created app registration. (Existing apps are working fine)

During this new app registration process, I can't assign Azure Active Directory Graph API permissions to the app as mentioned in the https://docs.microsoft.com/en-us/mem/intune/protect/certificate-authority-add-scep-overview

I see a deprecation message in the Azure portal for adding API permissions, and Azure Active Directory Graph is disabled under Legacy APIs.

This results in an error:
Did not find service named 'ScepRequestValidationFEService' listed in Microsoft.Graph discovery service list.

Could you please provide info on how I map the Azure Active Directory Graph > Application > ReadAll permissions to the new Microsoft Graph API permissions?

I noticed a similar issue #85 but that was a config issue. My issue persists beyond the resolution workarounds suggested there.

I would like to know the specifications of the API being called by the class "downloadRevocationRequests" published on GitHub.

① I would like to know the original processing specifications, such as the request parameter specifications and the conditions under which response data is returned (what state a certificate must be in to be returned in the response).
https://github.com/microsoft/Intune-Resource-Access/blob/master/src/CsrValidation/java/lib/src/main/java/com/microsoft/intune/scepvalidation/IntuneRevocationClient.java
• CertificateAuthorityRequests/downloadRevocationRequests

Step-by-Step guide?

The whole bloody thing is not working in Visual Studio Code - open the SLN file and then what?
When I try to run it, it tells me that it doesn't know the code language despite the C# extensions being installed. What the hell do you mean by "select build configuration"? This does not exist.

Not able to import the PS module either, but then the first step isn't working in the first place.

The only thing that needs to be done is publishing a bloody certificate to an AzureAD group, but admins now need to piss around and need developer accounts, and all kinds of crap - seriously?

Any other MDM solution allows you to import certificates, but not this one, no, you need a degree in Visual Studio - no useful documentation on any Microsoft site, and on GitHub it is assumed you know everything....

I have the PFX file, can "install" it manually on the laptop, but can't deploy it using Intune!

Application Authentication instead of an user

Please add the functionality to authenticate with the application itself and not delegated permissions.
This will enable authentication via certificate instead of username/password.

Unknown error code BadDeviceTypeInChallenge

ErrorCode doesn't support BadDeviceTypeInChallenge

System.Exception: Requested value 'BadDeviceTypeInChallenge' was not found.
   at System.Enum.TryParseEnum(Type enumType, String value, Boolean ignoreCase, EnumResult& parseResult)
   at System.Enum.Parse(Type enumType, String value, Boolean ignoreCase)
   at Microsoft.Intune.IntuneScepServiceException..ctor(String errorCode, String errorDescription, String transactionId, Guid activityId, TraceSource trace) in C:\bitbucket\aeg\src\Intune.ScepValidation\IntuneScepServiceException.cs:line 120
   at Microsoft.Intune.IntuneScepValidator.<PostAsync>d__13.MoveNext() in 

Reply URL Issue

I have the module built and imported, but when I go to authenticate to AAD, I receive the following:

AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application

I have been unable to find the answer in the Readme or in the source files themselves. I did see that the reply URL points to a hash table /common but I have been unsuccessful in getting authentication to work.

Can you provide an example of the reply URL that is supposed to be listed in the Enterprise App?

Thanks

AsymmetricKeyCredential in csr-validation unsupported?

The IntuneClient class seems to only support ClientCredential. We would like to do certificate-based authentication, using AsymmetricKeyCredential. This seems to be straightforward, but I wonder if there is a reason only the ClientCredential path is implemented?

Reuse of access token in csr-validation possible?

The csr-validation library fetches a new access token for each request:

AuthenticationResult authResult = this.authClient.getAccessTokenFromCredential(this.intuneResourceUrl);

There are even unit tests that verify this method is called every time. But if authResult is a standard access token with an expiry date, shouldn't it be reusable? Implementing this is easy, but of course breaks the tests. Is there a reason the library acquires a new token every time?

EncryptedPfxBlob : {0}

Dear Team,

I have rigorously followed your documentation to make things work.
But when I look at the content of $userPFXObject compared to the result returned by Get-IntuneUserPfxCertificate, I see the following.

On the $userPFXObject side:

PS C:> $userPFXObject
Id :
Thumbprint : 6ab7__removed info__62c87
IntendedPurpose : Unassigned
UserPrincipalName : removed info
StartDateTime : 24-03-23 09:28:40 +00:00
ExpirationDateTime : 24-03-24 09:28:40 +00:00
ProviderName : Microsoft Software Key Storage Provider
KeyName : PFXEncryptionKey
PaddingScheme : OaepSha512
EncryptedPfxBlob : {48, 130, 25, 207...}
EncryptedPfxPassword : ZY2gu__removed info__UO0rg==
CreatedDateTime : 11-03-24 15:01:47 +00:00
LastModifiedDateTime : 11-03-24 15:01:47 +00:00

On the Get-IntuneUserPfxCertificate side:

PS C:> Get-IntuneUserPfxCertificate
Id : 3a7fb__removed info__62c87
Thumbprint : 6ab7__removed info__62c87
IntendedPurpose : Unassigned
UserPrincipalName : removed info
StartDateTime : 24-03-23 09:28:40 +00:00
ExpirationDateTime : 24-03-24 09:28:40 +00:00
ProviderName : Microsoft Software Key Storage Provider
KeyName : PFXEncryptionKey
PaddingScheme : OaepSha512
EncryptedPfxBlob : {0}
EncryptedPfxPassword :

CreatedDateTime : 11-03-24 15:01:47 +00:00
LastModifiedDateTime : 11-03-24 15:02:21 +00:00

Is it expected that the values returned for EncryptedPfxBlob and EncryptedPfxPassword look empty?

I am trying to import a GlobalSign S/MIME certificate, but it looks like I missed something...

Many thanks for your time,

Unable to instantiate the IntuneScepServiceClient (Java)

Attempt to instantiate IntuneScepServiceClient fails without error message.

As best I can tell, the cause seems to be the value of intuneResourceUrl, which is set in the IntuneClient class (line 83): https://api.management.microsoft.com

That domain no longer exists. I guess it has been replaced by Microsoft's Graph API?

Will there be an update to the csrValidation library that fixes this issue?

ValidateRequestAsync returning Internal Server Error

When calling ValidateRequestAsync I get an internal server error being returned. This is how I am making the call.

```csharp
var transId = Guid.NewGuid();
var validator = new IntuneScepValidator(
    properties,
    trace: new TraceSource("log"));

try
{
    validator.ValidateRequestAsync(transId.ToString(), Convert.ToBase64String(envelopedCms.ContentInfo.Content)).Wait();
}
catch (Exception ex)
{
    Logger.log.WriteLog(LogLevel.Debug, "InTune validation failed");
    Logger.log.WriteLog(LogLevel.Debug, ex.Message);
    Logger.log.WriteLog(LogLevel.Debug, ex.InnerException.Message);
    p.WriteFailure();
    return;
}
```

And this is what I get on the console:

log Information: 0 : Refreshing service map from Microsoft.Graph
log Error: 0 : Failed to contact intune service with URL: https://fef.msuc02.manage.microsoft.com/RACerts/ScepRequestValidationFEService/Gateway/StatelessScepRequestValidationService/ScepActions/validateRequest; Response status code does not indicate success: 500 (Internal Server Error).
log Error: 0 : { "error":{ "code":"InternalError","message":"{\r\n \"_version\": 3,\r\n \"Message\": \"Method 'get_CertStoreFactory' in type 'Microsoft.Management.Services.Deployment.Certificates.ServiceRuntime.CertRuntimeStoreConfiguration' from assembly 'Microsoft.Management.Services.Deployment.Certificates.ServiceRuntime, Version=5.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' does not have an implementation. - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: d798ddce-f2d1-4e3f-8cad-7ae979ff9b0d - Url: https://fef.msuc02.manage.microsoft.com/RACerts/StatelessScepRequestValidationService/ScepActions/validateRequest\",\r\n \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{}\"\r\n}" } }
InTune validation failed
One or more errors occurred.
Response status code does not indicate success: 500 (Internal Server Error).

Is something broken or am I doing something wrong here? The error message doesn't give me any information that helps me. I have checked that the csr is valid (if it isn't I get a different error) and that the properties variable contains the correct information.

Cheers
Simon

Public key format

Hi.
Is it possible to extract the public key from encProvider in PEM format?

About when to do SendSuccessNotification Method in IntuneScepServiceClient.java

IntuneScepServiceClient.java

From the documentation, I've understood that the certificate will be processed by the certificate authority after it is issued as follows:

  1. Client certificate is issued,
  2. The required information on the issued client certificate is gathered and Intune is notified with the SendSuccessNotification method
  3. (If the method finishes successfully) The certificate is distributed to mobile devices

Is this understanding correct?
*We understand that swapping 2) and 3) is a deprecated order.

issuerName in DownloadCARevocationRequests not working as expected

Hi,

I'm calling the Java Intune Resource Access API method DownloadCARevocationRequests with "issuerName" parameter set, but it's not returning any requests.

My issuing CA certificate's subject is "cn=My Issuing CA,c=SE", and I'm trying to pass the issuerName value as "cn=My Issuing CA,c=SE", but I'm still receiving an empty list of revocation requests.

If I pass the issuerName parameter value as an empty string or as null, then I do receive the expected revocation requests correctly.

Is the format I'm using for issuerName wrong, or could there be a problem in how the issuerName is handled?

Errors during build process

Full disclosure, I have never used Visual Studio. My skills lie with PowerShell with coding from VSCode. I am using the community edition of Visual Studio 17.7.3. .NET Framework version is 4.8.09032. Following the directions step-by-step, I am getting these errors during the build process. I could use some help resolving them so that I can get to importing certs into Intune:

no valid module file was found in any module directory

Hi,

when I try to import the module I'm getting this error:

Import-Module : The specified module 'IntunePfxImport.psd1' was not loaded because no valid module file was found in any module directory.
At line:1 char:1
+ Import-Module IntunePfxImport.psd1
    + CategoryInfo          : ResourceUnavailable: (IntunePfxImport.psd1:String) [Import-Module], FileNotFoundException
    + FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand

I'm a PS noob, but shouldn't the Microsoft.Management.Powershell.PFXImport.dll file be somewhere?

Thanks for help and best regards
Jakob

Impossible to check the value of PROVIDER_NAME_AND_VERSION in the AAD or Intune portal

IntuneScepServiceClient.java

• PROVIDER_NAME_AND_VERSION = "Information used to identify the product and its version"
We checked that this value is used in the source code as the User-Agent in the SCEP Intune API.
Therefore, I think AAD and Intune are pulling this value.
However, in testing, it was not available to view on any screen accessible from the Intune or AAD management screens.
Is there a screen or function where Intune administrators can see where PROVIDER_NAME_AND_VERSION is being used?

The cause of BadTenantIdInChallenge

Hello.

Intune: Create SCEP Certificate Profile on Tenant A
AzureAD: Register application in Tenant B
In this state, when I called ValidateRequest, I got the following error response (BadTenantIdInChallenge).

ValidateRequest:
https://learn.microsoft.com/ja-jp/mem/intune/protect/scep-libraries-apis#validaterequest-method

2022-10-23 16:05:32,001  INFO PkiItService -[ajp-nio-8049-exec-8] - transactionId : 4e89b80dcbf3a79d1c281fd7796228066046aac1
2022-10-23 16:05:32,002  INFO IntuneClient -[ajp-nio-8049-exec-8] - Refreshing service map from Microsoft.Graph
2022-10-23 16:05:33,085  INFO IntuneScepServiceClient -[ajp-nio-8049-exec-8] - Activity 0bd7ef94-23f9-45da-b4b0-134d8d954020 has completed.
2022-10-23 16:05:33,085  INFO IntuneScepServiceClient -[ajp-nio-8049-exec-8] - {"code":"BadTenantIdInChallenge","errorDescription":"Failed to parse the tenant id in the challenge.tenantId in challenge does not match tenantId from security token.","@odata.context":"https://fef.msuc05.manage.microsoft.com/RACerts/StatelessScepRequestValidationService/641b43b0-ffff-9953-0915-102113131035/$metadata#microsoft.management.services.scepRequestValidationService.api.scepActionResult"}
2022-10-23 16:05:33,086  WARN IntuneScepServiceException -[ajp-nio-8049-exec-8] - Error Code value not expected: BadTenantIdInChallenge
2022-10-23 16:05:33,086  WARN IntuneScepServiceClient -[ajp-nio-8049-exec-8] - ActivityId:0bd7ef94-23f9-45da-b4b0-134d8d954020,TransactionId:4e89b80dcbf3a79d1c281fd7796228066046aac1,ErrorCode:BadTenantIdInChallenge,ErrorDescription:Failed to parse the tenant id in the challenge.tenantId in challenge does not match tenantId from security token.

When does this error occur? What are the specifications?

ScepRequestValidationFEService listed in Microsoft.Graph discovery service list

Trying to use this code for SCEP issuance with Intune and EJBCA. What should the service name be to report this to Microsoft Graph since ScepRequestValidationFEService is not present?

2020-07-08 14:50:25,802 INFO [com.microsoft.intune.scepvalidation.IntuneClient] (EJB default - 7) Refreshing service map from Microsoft.Graph
2020-07-08 14:50:25,803 INFO [com.microsoft.aad.adal4j.AuthenticationAuthority] (pool-31-thread-1) [Correlation ID: d257b9f3-7e20-43b1-b1ba-3bbc44e0cd04] Instance discovery was successful
2020-07-08 14:50:25,975 DEBUG [com.microsoft.aad.adal4j.AuthenticationContext] (pool-31-thread-1) [Correlation ID: d257b9f3-7e20-43b1-b1ba-3bbc44e0cd04] Access Token was returned
2020-07-08 14:50:26,158 INFO [com.microsoft.intune.scepvalidation.IntuneClient] (EJB default - 7) Could not find endpoint for service 'ScepRequestValidationFEService'
2020-07-08 14:50:26,158 INFO [com.microsoft.intune.scepvalidation.IntuneClient] (EJB default - 7) ServiceMap:
2020-07-08 14:50:26,158 ERROR [com.microsoft.intune.scepvalidation.IntuneClient] (EJB default - 7) Did not find service named 'ScepRequestValidationFEService' listed in Microsoft.Graph discovery service list.: com.microsoft.intune.scepvalidation.IntuneServiceNotFoundException: Did not find service named 'ScepRequestValidationFEService' listed in Microsoft.Graph discovery service list.
    at com.microsoft.intune.scepvalidation.IntuneClient.PostRequest(IntuneClient.java:288)
    at com.microsoft.intune.scepvalidation.IntuneScepServiceClient.PostRequest(IntuneScepServiceClient.java:40)
    at com.microsoft.intune.scepvalidation.IntuneScepServiceClient.Post(IntuneScepServiceClient.java:231)
    at com.microsoft.intune.scepvalidation.IntuneScepServiceClient.ValidateRequest(IntuneScepServiceClient.java:121)

I would like to know the specifications of the API being called in the class "uploadRevocationResults" published on GitHub.

② I would like to know the processing specifications of this API (purpose, what it does, whether calling it is required, etc.), as I do not understand them in the first place.
https://github.com/microsoft/Intune-Resource-Access/blob/master/src/CsrValidation/java/lib/src/main/java/com/microsoft/intune/scepvalidation/IntuneRevocationClient.java
• CertificateAuthorityRequests/uploadRevocationResults

Refreshing service map from Microsoft.Graph 403 Forbidden

Hi!

I am trying to setup a new test environment for Intune to allow us to implement the Intune Revocation workflow as described in this example

After having setup App Registration, SCEP Profile, Trusted Certificate profiles, etc. and then trying to enroll an end-user Windows 10 device, we get the following error on our server side:

2021-09-29 14:51:27.514 INFO: Refreshing service map from Microsoft.Graph
2021-09-29 14:51:27.529 INFO: [Correlation ID: 1d5d2c6b-3829-475e-86ef-e4a9dabe9e6e] Instance discovery was successful
2021-09-29 14:51:28.548 SEVERE: Request to: https://graph.windows.net/nexusgo.onmicrosoft.com/servicePrincipalsByAppId/0000000a-0000-0000-c000-000000000000/serviceEndpoints?api-version=1.6 returned: HTTP/1.1 403 Forbidden
com.microsoft.intune.scepvalidation.IntuneClientHttpErrorException: {"odata.error":{"date":"2021-09-29T14:51:28","code":"Authorization_RequestDenied","requestId":"fe36e250-b195-4663-8d97-7f41161dd500","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}
    at com.microsoft.intune.scepvalidation.IntuneClient.ParseResponseToJSON(IntuneClient.java:443)
    at com.microsoft.intune.scepvalidation.IntuneClient.RefreshServiceMap(IntuneClient.java:384)
    at com.microsoft.intune.scepvalidation.IntuneClient.GetServiceEndpoint(IntuneClient.java:349)
    at com.microsoft.intune.scepvalidation.IntuneClient.PostRequest(IntuneClient.java:285)
    at com.microsoft.intune.scepvalidation.IntuneScepServiceClient.PostRequest(IntuneScepServiceClient.java:40)
    at com.microsoft.intune.scepvalidation.IntuneScepServiceClient.Post(IntuneScepServiceClient.java:231)
    at com.microsoft.intune.scepvalidation.IntuneScepServiceClient.ValidateRequest(IntuneScepServiceClient.java:121)
    at com.nexussafe.cm.pgwy.scep.ScepIntune.modify(ScepIntune.java:66)

Does anyone know which permission we are [presumably] lacking from our App Registration to allow for this call to pass?
Trying to test each permission one by one seems like a bit much considering there are quite a few. Or is there some documentation somewhere that I have missed?

This set of permissions was not sufficient:

// Gustav Mattsson

What are the caConfiguration and certificateAuthority fields in SendSuccessNotification

Hi looking at the documentation I see the following fields for send success:

  • transactionId - The SCEP Transaction ID
  • certificateRequest - DER-encoded PKCS #10 Certificate Request, Base64 encoded as a string
  • certThumprint - SHA1 hash of the thumbprint of the provisioned certificate
  • certSerialNumber - Serial number of the provisioned certificate
  • certExpirationDate - Expiration date of the provisioned certificate. The date time string should be formatted as web UTC time (YYYY-MM-DDThh:mm:ss.sssTZD) ISO 8601.
  • certIssuingAuthority - Name of the authority that issued the certificate

However, looking at the example I see the extra fields of "caConfiguration" and "certificateAuthority". What are these values supposed to be?

Deploy the code to Intune

Are you able to provide the detailed steps to deploy the code to Intune so that I am able to import S/MIME certificates in PFX format to Intune and deploy the PFX certificates to users?

Trying to deploy S/MIME Certificate from digicert

Hi all, I'm using this tool to successfully deploy a cert issued by Sectigo. Now I'm doing the same thing with a DigiCert certificate; once I use the command:

$userPFXObject = New-IntuneUserPfxCertificate -PathToPfxFile "C:\Users\admin.far\Desktop\Digicert.pfx" $SecureFilePassword "[email protected]" "Microsoft Software Key Storage Provider" "PFXEncryptionKey" "smimeEncryption"

everything seems to work. But then if I try to list the certificates with Get-IntuneUserPfxCertificate, this certificate is not listed.

Any suggestion on where to check?

maxRequests and issuerName in DownloadCARevocationRequests don't work as expected

Problems

The API request used to "downloadRevocationRequests" accepts two parameters, neither of which works as expected. Furthermore, the endpoint being queried is not documented and doesn't appear to have any pagination features.

Request Parameter: issuerName:

  • Expected Behavior: Should return a list of certificates to be revoked which were issued by the “issuerName”.
  • Actual Behavior: issuerName maps to caConfiguration.
  • Concerns about fixing: All existing integrations between InTune and 3rd Party SCEP Certificate Authorities rely on this incorrect mapping. Any existing integration which makes use of this parameter will need to be updated should the behavior of the API be corrected.

Request Parameter: maxRequests:

  • Expected Behavior: Submitting a request with both "issuerName" and "maxRequests" defined should return a list of certificates issued by "issuerName". The list should contain at most "maxRequests" certificates for revocation.
  • Actual Behavior: It appears that the order of operations on the back-end is incorrect. "issuerName" filtering seems to be applied only after truncating the response based on the value of "maxRequests". As a result, the list of "CARevocationRequests" returned to the 3rd Party SCEP Certificate Authority may be empty instead of actually containing a list of certificates to revoke.
  • Reason why this needs to be fixed: Revoked certificates should never be used. The moment a certificate is marked for revocation, the Certificate Authority has a responsibility to actually revoke that certificate, and furthermore to notify all clients of the revocation using methods such as CRLs or OCSP. If a Certificate Authority lacks the ability to reliably know which certificates need to be revoked, then the certificates issued from that Certificate Authority cannot be trusted.

Samples

maxRequests=10.
issuerName=testb3d9b17c51~testroot
Expected Response given the fact that issuerName is mismatched: A list of 4 certificates to be revoked.
Actual Response: 0 Certificates (empty response).

{
  "@odata.context":https://fef.msua01.manage.microsoft.com/RACerts/StatelessPkiConnectorService/6fc027cc-ffff-0265-1009-102518023364/$metadata#Collection(microsoft.management.services.api.caRevocationRequest),"value":[
    
  ]
 
} 

maxRequests=500.
issuerName=testb3d9b17c51~testroot
Expected Response given the fact that issuerName is mismatched: A list of 4 certificates to be revoked.
Actual Response: A list of 4 certificates to be revoked.

{
  "@odata.context":https://fef.msua01.manage.microsoft.com/RACerts/StatelessPkiConnectorService/6fc027cc-ffff-0965-1009-102517542417/$metadata#Collection(microsoft.management.services.api.caRevocationRequest),"value":[
    {
      "requestContext":"2:092d620fb3d30a731a0454f4791398e0c350a212:5b2726c0-dbe3-40c9-998d-d080b96e9404:a61791ec-36fb-4ffc-8a89-62a2a8dda771","serialNumber":"7dafad71a092690b8eb030dae55348c2","issuerName":"CN=Root CA,OU=Smoke Test,O=Entrust","caConfiguration":"testb3d9b17c51~testroot"
    },{
      "requestContext":"2:7b75c4206d059a4e0ac335c2589b96fb21203c3f:5b2726c0-dbe3-40c9-998d-d080b96e9404:a61791ec-36fb-4ffc-8a89-62a2a8dda771","serialNumber":"55f05c880048d6f487db7927d83808ee","issuerName":"CN=Root CA,OU=Smoke Test,O=Entrust","caConfiguration":"testb3d9b17c51~testroot"
    },{
      "requestContext":"2:d7136ebeb113f1ce42b568f612b4e6ccbdcc4625:5b2726c0-dbe3-40c9-998d-d080b96e9404:a61791ec-36fb-4ffc-8a89-62a2a8dda771","serialNumber":"408d5cbf6fe165f84a17629efa38286c","issuerName":"CN=Root CA,OU=Smoke Test,O=Entrust","caConfiguration":"testb3d9b17c51~testroot"
    },{
      "requestContext":"2:d89db377283350b6abe362a479479ac71deb1c51:5b2726c0-dbe3-40c9-998d-d080b96e9404:a61791ec-36fb-4ffc-8a89-62a2a8dda771","serialNumber":"67b2d0faeaf43d673880b6bd3bcb0756","issuerName":"CN=Root CA,OU=Smoke Test,O=Entrust","caConfiguration":"testb3d9b17c51~testroot"
    }
  ]
 
} 

Questions

We were left with the following questions after experiencing the above behavior:

  1. Why does a request of maxResults=10 return a list of 0 certificates, but a request with maxResults=500 returns a list of 4 certificates? Our assumption was that this is due to an error with the order of operations (truncating before filtering) in the backend.
  2. If there is actually an issue with regards to the order of operations (i.e. truncating the list prior to filtering the list), then how can we guarantee that the list returned for maxRequest=500 is actually the full list of certificates? There doesn't appear to be any kind of pagination feature for this API endpoint... does one exist?
  3. Where is the documentation for the StatelessPkiConnectorService?
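The truncate-before-filter behaviour this report describes, next to the expected filter-before-truncate behaviour and a client-side workaround for a CA integration, modelled in Python. This is an added example, not code from the Intune-Resource-Access library; the two "backend" functions model the reported and expected behaviour rather than Microsoft's implementation, and the caConfiguration value TEST_CA is the one quoted in the report while OTHER_CA and the queued requests are constructed.

```python
"""Model of the downloadRevocationRequests ordering problem and a defensive client."""
from functools import partial

TEST_CA = "testb3d9b17c51~testroot"   # caConfiguration value quoted in the issue
OTHER_CA = "example~otherca"          # constructed second CA configuration

# Constructed backlog in the JSON shape the issue shows: 10 requests for another CA
# configuration are queued ahead of the 4 requests for TEST_CA. Serial numbers and
# request contexts are made up.
PENDING = [
    {
        "requestContext": f"2:constructed-{i:02d}",
        "serialNumber": f"{0x100 + i:032x}",
        "issuerName": "CN=Root CA,OU=Smoke Test,O=Entrust",
        "caConfiguration": ca,
    }
    for i, ca in enumerate([OTHER_CA] * 10 + [TEST_CA] * 4)
]


def backend_reported(pending, issuer_name, max_requests):
    """Behaviour the issue reports: truncate to maxRequests first, then filter.

    As the issue states, issuerName is compared against caConfiguration, not
    against the certificate's issuerName.
    """
    page = pending[:max_requests]
    if issuer_name:
        page = [r for r in page if r["caConfiguration"] == issuer_name]
    return page


def backend_expected(pending, issuer_name, max_requests):
    """Behaviour the issue expects: filter first, then truncate."""
    rows = pending
    if issuer_name:
        rows = [r for r in rows if r["caConfiguration"] == issuer_name]
    return rows[:max_requests]


def download_for_ca(download, ca_configuration, batch_size=500):
    """Hypothetical client-side workaround for a CA integration.

    Calls the endpoint with issuerName unset (which the issue reports returns the
    full list), filters locally on caConfiguration, and flags the result as
    possibly incomplete when the response is as large as batch_size: with no
    pagination, a full batch may mean further revocation requests were cut off,
    so the CA should not treat the set as complete.
    """
    rows = download(issuer_name=None, max_requests=batch_size)
    possibly_incomplete = len(rows) >= batch_size
    mine = [r for r in rows if r["caConfiguration"] == ca_configuration]
    return mine, possibly_incomplete


if __name__ == "__main__":
    api = partial(backend_reported, PENDING)
    # Reproduces the issue's samples: 0 results at maxRequests=10, 4 at maxRequests=500.
    print(len(api(issuer_name=TEST_CA, max_requests=10)),
          len(api(issuer_name=TEST_CA, max_requests=500)))
    mine, incomplete = download_for_ca(api, TEST_CA)
    print(len(mine), incomplete)
```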

[Confirmation] Intune X PKI cooperation SCEP certificate update

I am verifying Intune and PKI integration, and I have two questions I want to confirm with you.

  1. Could you please tell me the trigger and sequence for automatically renewing the SCEP certificate?
     I confirmed that the renewal threshold (%) can be defined in the SCEP certificate profile on the Intune side, but if the threshold is exceeded, I would like to know when the certificate will be automatically renewed and by what procedure.

  2. Is it correct that the renewed certificate's name is the same as the old one?

Set-IntuneAuthenticationToken : One or more errors occurred

Hi all,
I am using the tool to successfully deploy a cert. When I ran the command below and logged in, the error below appeared.

I tried to login to intune as global admin but still got the error.

Please help to provide a right way to solve the problem.

thanks


PS C:\Program Files\WindowsPowerShell\Modules\PfxImportPS> Set-IntuneAuthenticationToken -AdminUserName $AdminUPN
Set-IntuneAuthenticationToken : One or more errors occurred.
At line:1 char:1
+ Set-IntuneAuthenticationToken -AdminUserName $AdminUPN
    + CategoryInfo          : NotSpecified: (:) [Set-IntuneAuthenticationToken], AggregateException
    + FullyQualifiedErrorId : System.AggregateException,Microsoft.Management.Powershell.PFXImport.Cmdlets.SetAuthToken