(194) Microsoft Intune - Autopilot ESP shows Certificates (0 out of 1 applied)

This recently happened late last year in December to one of our customers, as well it happened earlier yesterday for another customer. Gathering the logs, my initial thoughts it was an application matter as you know most customers don't give enough detail and simply say "Autopilot is not working since 6/01/206" which honestly doesn't give me much transparency on what is happening.

From the logs I gathered from only showed:

"[StatusService] Downloading app (id = 5bd17f11-2c60-4e74-9566-0f51d656d4f4, name Company Portal (System)) via WinGet, bytes 0/100 for user 00000000-0000-0000-0000-000000000000"

My assumption was DO and Company Portal wasn't playing along.

Only till when I started a pre-provisioning test, I noticed this in the ESP where it was showing Certificates (0 of 1 applied).

Then I gathered the logs from Events Application Events.evtx, and noticed this in the errors:

SCEP Certificate enrollment for Local system via https://xyz-abc.msappproxy.net/certsrv/mscep/mscep.dll/pkiclient.exe failed:

PkiStatus(2): SCEPDispositionFailure
FailInfo(1): SCEPFailBadMessageCheck
EnrollStatus(256): EnrollDenied
The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
ProcessResponseMessage
Submit(Request): 
HTTP/1.1 200 
Date: Mon, 05 Jan 2026 06:44:22 GMT
Content-Length: 599
Content-Type: application/x-pki-message
Set-Cookie: AzureAppProxyAnalyticCookie_12345678-cd01-4a18-9354-bd812345678_https_1.3=MGD:MIIBxAYJKoZIhvcNAQcDoIIBtTCCAbECAQIxggE3ooIBMwIBBDCB9gRUTAAAAAAAAAABAAAAS0RTSwYAAABrAQAAGgAAAA0AAAAQcVbCCoHfCZKpmwcPpLtNIAAAAE7XDvTMdZo0uED6qrA/v/RK1hgA5kDT/vFFg0EdEt1eMIGdBgkrBgEEAYI3SgEwgY8GCisGAQQBgjdKAQ0wgYAwfjB8DAREU1RTDHRhdXN0cmFsaWFlYXN0LWRrZHMuZGtkcy5jb3JlLndpbmRvd3MubmV0O2h0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3dzLzIwMDUvMDUvaWRlbnRpdHkvY2xhaW1zL25hbWU7Y3dhcHByb3h5ZGtkc2F1czALBglghkgBZQMEAS0EKHRsQ0XNkvN3C2poATOcTBUH/hTROPIQRbtg8ayoeLllpfrP+8Scjv4wcQYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAw/12Hsr4a+V842ukMCARCARGvLBPO8eBSG4Mz72bwAHkDwzfRvOinzRv6tuMvjstSC8jeyjnDC4wdFSisWmG1emW2NrJYgF877U3fTEqF1ogIJCbcR; path=/; Secure; SameSite=None
x-ms-proxy-app-id: 12345678-cd01-4a18-9354-bd812345678
x-ms-proxy-group-id: f5bc1dad-82fc-4483-95b0-434e12345678
x-ms-proxy-subscription-id: 12345678-8cf9-4584-ad0d-bf12345678
x-ms-proxy-transaction-id: 3f44c536-eae6-41a0-8cfa-bf12345678
x-ms-proxy-service-name: proxy-appproxy-abc-xyz-5
x-ms-proxy-data-center: xyz
x-ms-proxy-connector-id: asdx-45s2-47c3-123-c1343dbffb85
x-powered-by: ASP.NET
Nel: {"report_to":"network-errors","max_age":86400,"success_fraction":0.001,"failure_fraction":1.0}
Report-To: {"group":"network-errors","max_age":86400,"endpoints":[{"url":"https://ffde.nelreports.net/api/report?cat=proxy-appproxy-abc-xyz-5"}]}

Method: POST(938ms)
Stage: ProcessResponseMessage
The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)

Note: I have renamed the service names due to sensitive information being leaked, as we don't manage customer's SCEP certs - make sure to get their network team to relook at the issue.

Navigate to https://intune.microsoft.com/, Select Devices then click on By platform then click on Windows then under Manage devices, select Configuration and search under SCEP

Keep note of the policy ID highlighted in the screenshot, the policy ID will be used to check whether it has been issued or revoked.

Navigate to https://intune.microsoft.com/, Select Devices then select Monitor then select Certificates

You will notice the policy ID that starts with: 26c8cd26-ef3c has been revoked.

Once the relevant network or systems team renew the SCEP certificate, time to re-test the pre-provisioning or user driven process again. Certificates is now showing (1 of 1 applied).

At the same time, navigate to https://intune.microsoft.com/, Select Devices then select Monitor then select Certificates which shows "Issued".

And the pre-provisioning process was completed.