I was recently trying to get a device to retrieve a new certificate via SCEP and NDES through a Windows Server Certificate Authority.
Our HTTPS certificate had recently changed, so I had updated IIS; however, I was still receiving this error:
PkiStatus(2): SCEPDispositionFailure FailInfo(1): SCEPFailBadMessageCheck EnrollStatus(256): EnrollDenied A security error occurred 0x2f8f (WinHttp: 12175 ERROR_WINHTTP_SECURE_FAILURE)
I originally couldn’t find anything about error code 0x2f8f; however, a similar error code pointed me to a help article from Microsoft.
It turns out there’s a certificate thumbprint stored in the registry at the location below. Updating this thumbprint allowed things to work.
After updating this value, make sure you restart the Intune Connector Service (and give that account access to the certificate’s private key if you used a domain account for the service).
Failed to send http request /CertificateRegistrationSvc/Certificate/VerifyRequest. Error 12186 PkiStatus(2): SCEPDispositionFailure FailInfo(1): SCEPFailBadMessageCheck EnrollStatus(256): EnrollDenied The client certificate credentials were not recognized. 0x2f9a (WinHttp: 12186 ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY)
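A check for the two conditions described above, the registry thumbprint matching an installed certificate and the service account being able to read its private key, as an added PowerShell example that is not from the original post. The registry path, value name and service account are placeholders to fill in from the Microsoft article and your own setup; the script assumes an RSA key and an elevated session.

```powershell
# Added example. The three defaults below are placeholders, not values from the post.
param(
    [string]$RegPath     = 'HKLM:\SOFTWARE\<CONNECTOR-KEY-PLACEHOLDER>',
    [string]$ValueName   = '<THUMBPRINT-VALUE-PLACEHOLDER>',
    [string]$ServiceAcct = '<DOMAIN>\<SERVICE-ACCOUNT-PLACEHOLDER>'
)

# Thumbprints pasted from the certificate UI often carry spaces or invisible characters.
$raw    = (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
$stored = ($raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$cert   = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $stored }

if (-not $cert) {
    Write-Warning "Registry thumbprint $stored matches no certificate in LocalMachine\My. Unexpired candidates:"
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotBefore -Descending | Format-Table Thumbprint, Subject, NotAfter -AutoSize
    return
}
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate $stored expired on $($cert.NotAfter)." }
if (-not $cert.HasPrivateKey) { Write-Warning "Certificate $stored has no private key on this server."; return }

# Assumption: RSA key. Find the key file on disk so its ACL can be read.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { Write-Warning 'Not an RSA key; check private key access manually.'; return }
$keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName } else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
$keyFile = "$env:ProgramData\Microsoft\Crypto\Keys", "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" |
    ForEach-Object { Join-Path $_ $keyName } | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { Write-Warning "Key file $keyName not found (smart card or HSM key?)."; return }

# Only ACEs naming the account directly are matched; access granted through a group is not detected.
$read = [System.Security.AccessControl.FileSystemRights]::Read
$aces = (Get-Acl -Path $keyFile).Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAcct -and $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $read) -eq $read)
}
if ($aces) { "OK: $ServiceAcct can read the private key of $stored." } else { Write-Warning "$ServiceAcct has no direct read ACE on $keyFile." }
```

The first warning corresponds to the stale-thumbprint case behind 0x2f8f, the last to the missing private key access reported as 0x2f9a.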