During one of my recent engagements, I recently hit an issue preventing PKCS device certificates being issued in Microsoft Endpoint Manager to Azure AD Joined devices. If you’re using the FullyQualifiedDomainName attribute, here’s how you can avoid this.

What was the issue?

Well, let’s start with some context…

We wanted to deploy PKCS certificates via Microsoft Endpoint Manager to provide the Azure AD Joined devices with certificate-based Enterprise WiFi without having to domain-join our devices.

To achieve this, we deployed a bunch of Windows Server 2019 servers into the environment, configured the offline root Certificate Authority (CA), Issuing CA’s and Certificate Connector servers, along with the Certificate Templates and Microsoft Endpoint Manager PKCS certificate deployment profiles.

Below shows how I configured Endpoint Manager for the device certificate:

After many repeated tests, we found the FullyQualifiedDomainName value (shown above in red) for an Azure AD Joined device doesn’t work.

How was this resolved?

We substituted the value for the AAD_Device_ID attribute, which then allowed the certificate to be issued to the device:

Lessons Learnt

Noting the device isn’t a Hybrid Azure AD Joined, the FullyQualifiedDomainName isn’t populated in Azure AD, which results in the attribute failing to be added to the certificate request and prevents the issuance of a valid device certificate to the Microsoft Endpoint Manager managed device.

About the author