Setting up and managing device configurations using Intune
From the screenshot and scenario, the failure is most likely due to a misconfiguration of the PKCS certificate profile or the associated certificate template/CA settings, which are the most common causes of PKCS deployment issues in Intune.
Use the following checks end‑to‑end:
- Validate CA name and FQDN in the PKCS profile
  - In the PKCS profile, confirm:
    - Certification authority = internal FQDN of the CA server (for example, `server1.domain.local`).
    - Certification authority name = CA name exactly as shown in the Certification Authority MMC under Certification Authority (Local).
  - Any typo or mismatch can cause errors like The RPC server is unavailable 0x800706ba or The parameter is incorrect 0x80070057, and the profile will show as failed.
- Confirm the certificate template and permissions
  - On the CA, open Certification Authority → right‑click Certificate Templates → Manage.
  - Open the properties of `FortiNac-UserCert` and verify:
    - The template is published on the CA (in Certificate Templates → New → Certificate Template to Issue it must be selected).
    - On the Security tab, the Computer Account of the Intune Certificate Connector server has Read and Enroll permissions. Missing permissions cause Denied by Policy Module and failed issuance.
- Check subject and SAN configuration vs. template
  - In the template Subject Name tab:
    - If Intune is supplying CN and SAN (as in the profile: `CN={{UserPrincipalName}}` and SAN entries), ensure Supply in the request is enabled. If it is not, you can see errors like CERTSRV_E_SUBJECT_EMAIL_REQUIRED or general policy‑module denials.
    - If SAN includes Email address = `{{UserPrincipalName}}`, ensure every targeted user actually has a valid email/UPN value in the directory. A null email/SAN value results in The parameter is incorrect 0x80070057 and failed requests.
- Verify the trusted root profile and CA chain
  - Ensure a trusted certificate profile is deployed that installs the root certificate from the Enterprise CA to the device.
  - In the PKCS profile, ensure it references the correct CA and the correct trusted certificate profile. If the wrong CA/root is referenced, requests can remain pending or fail without clear device‑side details.
- Review connector logs and PfxRequest folders
  - On the Intune Certificate Connector server:
    - Check `%ProgramFiles%\Microsoft Intune\PfxRequest` → Failed, Processing, and Succeed folders for request files and error text.
    - Use the error text to match against the documented common errors (RPC unavailable, parameter incorrect, denied by policy module, submission pending, etc.) and apply the corresponding fix.
- Confirm enrollment policy server configuration (if applicable)
  - If connector logs show 0x80094015 An enrollment policy server cannot be located, configure the certificate enrollment policy server on the connector server using `Add-CertificateEnrollmentPolicyServer` as documented.
After correcting any mismatches (CA name/FQDN, template permissions, subject/SAN vs. template settings, and trusted root/CA association), redeploy the PKCS profile and allow the device to refresh policy. The profile status should move from Error to Succeeded once the CA issues the certificate successfully.
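The log-review step in the checklist above can be scripted. The following is an added example, not part of the original answer or of Microsoft's tooling: it scans the connector's `PfxRequest\Failed` folder for the error strings named above and maps each to the matching check. It assumes the error text is stored as readable text inside the files in that folder; the variable names and output columns are illustrative.

```powershell
# Added example: triage failed PKCS requests on the Intune Certificate Connector server.
# Assumption: the error text is readable as plain text inside the files under PfxRequest\Failed.
param(
    [string]$FailedPath = (Join-Path $env:ProgramFiles 'Microsoft Intune\PfxRequest\Failed')
)

# Error signatures named in the checklist, mapped to the check that addresses each one.
$signatures = [ordered]@{
    '0x800706ba'                       = 'PKCS profile: CA FQDN / CA name (RPC server is unavailable)'
    '0x80070057'                       = 'PKCS profile CA name, or null email/UPN value used in the SAN'
    'Denied by Policy Module'          = 'Template Security tab: connector computer account needs Read and Enroll'
    'CERTSRV_E_SUBJECT_EMAIL_REQUIRED' = 'Template Subject Name tab: enable Supply in the request'
    '0x80094015'                       = 'Enrollment policy server: Add-CertificateEnrollmentPolicyServer'
}

if (-not (Test-Path -LiteralPath $FailedPath)) {
    Write-Warning "Folder not found: $FailedPath (run this on the connector server)"
    return
}

# @() keeps the result an array even when the folder is empty.
$findings = @(foreach ($file in Get-ChildItem -LiteralPath $FailedPath -File -Recurse) {
    $matched = $false
    foreach ($sig in $signatures.Keys) {
        # -SimpleMatch treats the signature as a literal string, not a regex.
        if (Select-String -LiteralPath $file.FullName -Pattern $sig -SimpleMatch -Quiet) {
            $matched = $true
            [pscustomobject]@{
                File      = $file.Name
                Modified  = $file.LastWriteTime
                Signature = $sig
                Check     = $signatures[$sig]
            }
        }
    }
    if (-not $matched) {
        # Unknown failure: surface it rather than silently dropping the file.
        [pscustomobject]@{
            File = $file.Name; Modified = $file.LastWriteTime
            Signature = '(none matched)'; Check = 'Read the file and connector logs manually'
        }
    }
})

# Summary first (which failure dominates), then the newest failures in detail.
$findings | Group-Object Signature | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
$findings | Sort-Object Modified -Descending | Select-Object -First 20 | Format-Table -AutoSize -Wrap
```

A single dominant signature usually points at a profile or template setting, while a failure limited to a few users fits the null email/UPN case in the SAN check.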