If the error is '503 Cannot download ZIP', then the web app cannot download the ZIP with the application binaries from the URL configured in the app setting WEBSITE_RUN_FROM_PACKAGE (see Application Configuration).
The URL https://github.com/glueckkanja/gk-scepman/raw/master/dist/Artifacts.zip that we had recommended for GitHub deployments in earlier versions of this documentation redirects to the URL https://raw.githubusercontent.com/glueckkanja/gk-scepman/master/dist/Artifacts.zip. Microsoft changed the behavior of some of their Web Apps and now some versions do not support redirects together with WEBSITE_RUN_FROM_PACKAGE. Hence, you need to change the URL to
The SCEP profile will result in an error if the certificate deployment was not successful. Errors can have several reasons:
This could happen when a wrong trusted root certificate was selected in the SCEP certificate profile. This is also shown in the event log:
Open the Windows Events application
Click Applications and Services Logs
Next, click Microsoft
Then, click Windows
Scroll down and search for DeviceManagement-Enterprise-Diagnostics-Provider and click it.
In the window which will appear, click Admin
Scroll through the list an search for event ID 32
It contains a short error report
SCEP: Certificate enroll failed. Result (The hash value is not correct.).
Check if the Azure resource is up and running.
Check Azure Web App log files via Advanced Tools:
Go to Kudu
Navigate to LogFiles
Click on the download icon on the latest .txt file and review it
Configure the App Services Logs
Check the Log Stream of the App Service.
Monitor the log stream
Reproduce the error
Look for the log starting with Request validation unsuccessful, as Intune validation threw an exception
These message should have more details
If the device certificate has a localhost URL for the OCSP entry in the certificate like this:
The App Service is missing an important application setting with the name AppConfig:BaseUrl set to the azurewebsite URL. To fix this, add the variable and save the App Service config:
Delete this certificate from the device and do the MDM sync. If you did it you will see a proper URL for the OCSP entry:
First, you need to check the validity of the device certificate. Therefore, open a command prompt as administrator and type the following command:
certutil -verifyStore MY
Look at the certificate with the device ID issued by the SCEPman-Device-Root-CA-V1 and verify if the certificate is valid (see last line).
To verify that the OCSP responder is working, you can look at the OCSP url cache with the following command:
certutil -urlcache OCSP
If you want to revoke a device certificate, you have two options:
Deleting the device from Azure AD or
Disabling a device
The following example shows the the second option 'Disabling a device':
Navigate to Devices - All devices in your Azure AD
Choose a device
Next, type in the following command again:
certutil -verifyStore MY
As you can see in the last line, the Certificate is REVOKED
When you enable the device in Azure AD again and you type in the command from above again, the certificate should be marked as valid.
As an alternate you can export the device certificate and use
certutil to display a small certutil UI for the OSCP check:
certutil -url <path-to-exported-device-certificate>
The SCEP configuration profile depends on the Trusted Root certificate profile. Assign both profiles to the same Azure Active Directory user or device group to make sure the user or device overlaps and both profiles are targeted to the device. Do not mix user and device groups. If you see pending as status for the configurations profiles in Intune for a long time, the assignment is probably wrong.
Cisco ISE is still not supporting HTTP 1.1 when looking up OCSP and therefore can't connect to a general SCEPman instance running on Azure App Services. The error message may look like this:
Please see here for a solution.