I ran into this issue when configuring SCEP/NDES certificate registration for an Intune tenant.
Following all the best practice configuration steps left me with a SCEP enrollment page returning Internal Server Error 500 instead of the expected 200.
I found that the Device Registration Service was not starting correctly. In the event logs I found it attempting to start and then stopping.
The two most helpful events are EventID 137:
Failed to find the Device Registration Service object at DeviceRegistrationService.
Error Message: The object does not exist..
Error Result code: NoSuchObject.
and EventID 157:
An error occurred.
Error: Failed to find the Device Registration Service object in the configuration naming context in domain contoso.com.
It's essentially saying that the Device Registration Service objects have not been successfully written to AD.
If I browse the Configuration partition of my Active Directory, I can see there is no Device Registration Configuration container.
And if I run the Get-AdfsDeviceRegistration PowerShell cmdlet, I get a configuration error.
To fix this, run Initialize-ADDeviceRegistration on the AD FS server (it needs Enterprise Admin rights, since it writes to the Configuration partition).
You'll then find the Device Registration Configuration objects in your Active Directory.
Start the Device Registration Service again, and all should start as expected.
Restart the NDES server just to be sure everything is talking correctly, and test the SCEP URL again. This time we should get a 200 instead of a 500.
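The whole check-and-fix sequence above, put into one PowerShell script as an added example (this is not code from the original post). It assumes the Windows service name for the Device Registration Service is drs, that the AD FS service account is contoso\svc_adfs, and that the NDES SCEP endpoint is https://ndes.contoso.com/certsrv/mscep/mscep.dll; adjust all three for your environment. Run it from an elevated PowerShell on the AD FS server with the ActiveDirectory and ADFS modules available.

```powershell
# Added example: verify the DRS configuration object in the Configuration partition,
# create it if it is missing, restart the service and test the NDES SCEP URL.
Import-Module ActiveDirectory
Import-Module ADFS

# Assumptions (not from the original post) - change for your environment
$AdfsServiceAccount = 'contoso\svc_adfs'
$DrsServiceName     = 'drs'   # assumed service name of "Device Registration Service"
$ScepUrl            = 'https://ndes.contoso.com/certsrv/mscep/mscep.dll'

function Get-DrsConfigurationObject {
    # The objects live under CN=Services in the Configuration naming context,
    # which is what EventID 157 complains it cannot find.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Services,$configNC" -SearchScope OneLevel `
        -LDAPFilter '(cn=Device Registration Configuration)' -ErrorAction SilentlyContinue
}

if (-not (Get-DrsConfigurationObject)) {
    Write-Warning 'Device Registration Configuration is missing from AD - running Initialize-ADDeviceRegistration'
    # Writes the DRS objects into the Configuration partition; requires Enterprise Admin rights.
    Initialize-ADDeviceRegistration -ServiceAccountName $AdfsServiceAccount -Force

    if (-not (Get-DrsConfigurationObject)) {
        throw 'Initialize-ADDeviceRegistration completed but the configuration object is still not visible'
    }
}
Write-Host 'Device Registration Configuration object is present in AD'

# Bring the service back up and confirm it stays running (the symptom was start-then-stop)
Restart-Service -Name $DrsServiceName -ErrorAction Stop
Start-Sleep -Seconds 10
$svc = Get-Service -Name $DrsServiceName
if ($svc.Status -ne 'Running') {
    throw "$DrsServiceName is '$($svc.Status)' after restart - check the AD FS/Admin event log for EventID 137/157"
}

# Get-AdfsDeviceRegistration throws a configuration error while the AD objects are missing
Get-AdfsDeviceRegistration -ErrorAction Stop | Format-List

# Finally hit the SCEP endpoint: 500 means NDES is still unhappy, 200 (or a 401/403 challenge
# from IIS authentication) means the server side is responding again.
try {
    $resp = Invoke-WebRequest -Uri $ScepUrl -UseBasicParsing -UseDefaultCredentials
    $status = [int]$resp.StatusCode
} catch [System.Net.WebException] {
    $status = [int]$_.Exception.Response.StatusCode
}
Write-Host "SCEP URL returned HTTP $status"
if ($status -eq 500) { throw 'NDES is still returning Internal Server Error 500' }
```

Note that in Windows PowerShell 5.1 Invoke-WebRequest throws on any non-2xx response, which is why the status code is read out of the WebException; a 401 or 403 from IIS authentication on the mscep.dll URL is normal for an anonymous request and does not indicate the problem this post describes.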