Update: This fix for this issue has now been rolled out.

We’ve seen an issue in the “Common name” value of SCEP certificate profiles for Android Enterprise fully managed devices in Intune.

These profiles can potentially fail to deploy because of how the Common Name value is interpreted in the Intune backend. Even if your certificates are deploying to devices, they may be using a different value for Common Name than SCEP profiles you’ve deployed for other platforms.

We’ll update this post when the fix for this issue is rolled out so you can make changes to impacted profiles. After that fix is in, you will have to take action to ensure that your SCEP profiles work as expected.

For existing SCEP profiles, we recommend that you delete the existing profile and create a new one with the same configuration after the fix has been rolled out. This will ensure that the certificates you issued are issuing certificate subject names consistent with our SCEP profiles you may have for other platforms. Once you create and deploy the updated SCEP profile, all devices targeted by the policy will receive a new certificate with the correct Common Name and the old certificate will be removed.

If you do not take action to delete an impacted profile, the profile will get the correct Common Name value when the SCEP certificate is next renewed.

More information about SCEP certificate profiles is available in the Create and assign SCEP certificate profiles in Intune doc.

11/25/19: Updated with status of fix