You are trying to associate a SCEP policy with Windows devices and get the error "Unable to configure SCEP policy".
This error occurs due to one of the following reasons:
Ensure the server URL specified during profile configuration uses HTTP, if the SCEP server is within the organization. Such SCEP servers are usually configured to be accessible only within the organization and hence use an internal CA certificate, implying the server can be accessed only through HTTP.
Ensure the subject name specified while configuring the policy adheres to the format specified here and the values provided are in double quotes. Example: O="Your Company, Inc."
Ensure the time zone configured on the device and on the SCEP server are the same. When the SCEP server has a different time zone, it generates the certificate with all time-based settings, including expiry, using the wrong time zone. Thus, the certificate might already be expired when it is distributed to the managed device.
Ensure the thumbprint specified while configuring the SCEP policy is correct. This can be verified using the thumbprint provided in your Certificate Authority Server (http://<your-server>/CertSrv/mscep_admin and http://<Your-Server>/crtsrv/mscep/mscep.dll).
Ensure the challenge password specified while configuring the SCEP policy is correct. This can be verified using the thumbprint provided in your Certificate Authority Server (http://<your-server>/CertSrv/mscep_admin and http://<Your-Server>/crtsrv/mscep/mscep.dll).
Ensure the device is within the organization, if the SCEP server has been configured within the organization. SCEP servers are usually configured within the organization for security purposes and can be accessed by devices only through the corporate network.
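The thumbprint and certificate-time checks above can be run together on a Windows machine. The following is an added example, not part of the original article or the MDM product; the function names and the sample path are hypothetical, and it assumes the CA certificate has been exported to a .cer file.

```powershell
# Added example: function names and sample values are hypothetical.
function ConvertTo-NormalizedThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Keep only hex digits. This drops spaces, colons and invisible characters
    # (such as U+200E) that are often copied along with the value from the
    # Windows certificate dialog and make an otherwise correct thumbprint fail.
    ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Test-ScepCaCertificate {
    param(
        [Parameter(Mandatory)][string]$CertificatePath,      # exported CA certificate (.cer)
        [Parameter(Mandatory)][string]$ConfiguredThumbprint  # value typed into the SCEP policy
    )
    $fullPath = (Resolve-Path -LiteralPath $CertificatePath).ProviderPath
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath)

    $configured = ConvertTo-NormalizedThumbprint -Thumbprint $ConfiguredThumbprint
    # Validity is compared in UTC so the result does not depend on the
    # time zone configured on the machine running the check.
    $nowUtc    = [DateTime]::UtcNow
    $notBefore = $cert.NotBefore.ToUniversalTime()
    $notAfter  = $cert.NotAfter.ToUniversalTime()

    [pscustomobject]@{
        Subject              = $cert.Subject
        ActualThumbprint     = $cert.Thumbprint          # SHA-1, 40 hex characters
        ConfiguredThumbprint = $configured
        ThumbprintLengthOk   = ($configured.Length -eq 40)
        ThumbprintMatches    = ($configured -eq $cert.Thumbprint)
        NotBeforeUtc         = $notBefore
        NotAfterUtc          = $notAfter
        NotYetValid          = ($nowUtc -lt $notBefore)
        Expired              = ($nowUtc -gt $notAfter)
    }
}

# Usage (path and thumbprint are placeholders, not real values):
# Test-ScepCaCertificate -CertificatePath 'C:\Temp\ca.cer' `
#     -ConfiguredThumbprint '<thumbprint-from-policy>'
```

If ThumbprintLengthOk is false, the value in the policy was truncated or padded when it was copied; if NotYetValid or Expired is true, check the clock and time zone on both the device and the SCEP server.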
This error occurs due to issues with the certificate signing request. Redistribute the SCEP policy to the device(s) and/or group(s).
If the issue persists, contact MDM support with the server logs as explained here.