Windows 10: Windows 10 - Device certificate auto enroll issue

Hi all, Hopefully, someone will be able to help with this issue. We have a hybrid setup with Domain Controller and Certificate Authority server onsite and use Intune to roll out PKCS device certificates. This seems to be working perfectly fine for existing machines. However, issue occurs when we change the hostname of the Windows 10 machine without unjoining and rejoining to domain and the certificate doesn't auto enroll. Example: ->A script is setup to install Windows 10 and auto-join to domain. The machine hostname is XXX. ->The machine get device certificate "XXX". ->We chan

:)

 

Problem with Enrollment of Certificates in WMDC. ActiveSync is OK.

Hello all,

next problem bellow. Because of company politics we received new Notebooks with Windows7 and WMDC instead of old Windows Xp and ActiveSync. For correct mail synchronisation between my WindowsMobile HTC and corporate Exchange Server I need to enroll a company's
certificate. I putted needed certificate to my HTC and set up this certificate in my mobile device.

Next step I need to do - Enroll this certificate with my WMDC.

And this is a problem: i can not find my company's certificate on my mobile device. WMDC can not let me choose certificate and i see just only a blank screen. Like here:http://i.technet.microsoft.com/Ff459604.f9434d30-b93d-41b1-b0e8-91605a5f2cee(en-us,TechNet.10).jpg .

In ActiveSync it was some dropped down menu in the Enrollment proccess with ability to choose "Certificate type from Active Directory" and our companies certificate appeared in the list with some others certificates. But it was real. And I could find it. Example
here:
http://i.technet.microsoft.com/Ff459604.749bcb4d-d4c9-430d-9db5-c58f768fde5d(en-us,TechNet.10).jpg .

Question is: Where in WMDC I can choose such dropped down menu like it was in ActiveSync?

OR maybe it is another way of solving of my problem present somehow

Without this step I cannot Enroll certificate and cannot connect to our Exchange Server because of Sertificate is needed.

Please help. Will appreciate for your reply or advices.

 

User enrollment Certificate Authority

I've a lab environment where I've set up my CA. Configured user and computer template for enrollment and checked with test users in client machines. I was able to see the user certificate and computer certificate while I try to enroll. But for one particular
user when i login and try to enroll i don't see any templates showing up. I've explicitly give the user read and enroll permissions but no luck. Tried with certserv website too but got an error saying "no certificate templates could be found. you don't have
permission to request a certificate from this CA, or an error occurred while accessing the active directory' with the user login. the user has valid email address in the user object. Tried logging into other VM with the same user account but same issue there
too. The VM is windows 10. what might be the issue.

 

Incorrect ActiveSync CA Server for Certificate Enrollment

I am configuring Windows Mobile 6.1 devices to use client certificate authentication for accessing the ActiveSync site on our Exchange 2003 front-end servers. I am running into a problem where the device is trying to enroll to the incorrect CA server.
Using the Exchange Server ActiveSync Certificate-Based Authentication Tool (http://www.microsoft.com/downloads/...18-7965-4883-A8C3-F73F1F4733AC&displaylang=en), the instructions were followed to create a custom XML file to upload
to Active Directory for the auto enrollment configuration. I have an offline stand-alone root CA that has been added into Active Directory, and an online Enterprise issuing subordinate CA that I have referenced in the XML file using the certificate authentication
tool. There is another PKI environment in my network which other administrators configured for wi-fi access purposes that consists of a single Enterprise root CA, which is not being referenced in the XML file. When attempting to configure the Windows Mobile
6.1 device, the correct credentials are entered and ActiveSync on both the phone and desktop indicate that a user certificate is required. The certificate is not being auto-enrolled as I can see on the subordinate CA that no requests are being made. When using
the Desktop ActiveSync program with the mobile device cradled, I attempt to use the option to "Get Device Certificates", select the option for "Certificate Types in Active Directory", select the "User" certificate type, and click the "Enroll" button. When
the prompt appears on screen for enrollment, the CA server that is indicated by ActiveSync is not the CA server referenced by the XML file used with the certificate authentication tool, but rather the older CA that was configured for wi-fi. With the certificate
authentication tool, I ran the RapiConfig utility, and the resulting output file indicates that the uploaded XML file in Active Directory is being pushed down to ActiveSync as it indicates the correct server names for the configuration. Is there anything that
would cause ActiveSync to not use the XML configuration file and automatically select an available CA based on Active Directory? Any pointers would be appreciated. Thanks.