Intune Certificate Deployment Step by Step Guide

The first before deploying SCEP certificate is to check the prerequisites of Intune certificate deployment. I’m going share the details of Microsoft PKI related certificate deployments in this video post. If you have a non-Microsoft PKI environment, you need to check the supportability of Intune.

SCEP does not support all third-party Certificate Authority (CA), providers.  In the recently Ignite Microsoft announced new 3rd party certificate authority partners. Recently, Intune included support for Device based SCEP deployment. Intune already supported User-based SCEP certificate.

Newly Announced Certificate Authority Partners

Intune Certificate Deployment

  1. Entrusted Datacard
  2. GlobalSign
  3. EJBCA
  5. Digicert

The above is the list of  3rd party CA partners supported by SCEP. Hence you can deploy SCEP Certificate from these CAs via Intune. If you have a customer looking for any of the other third part CA to support SCEP, you can contact Microsoft and they will able to help you with the onboarding process.

Prerequisite for SCEP Certificate Deployment via Intune

Following are the Prerequisites for Intune Certificate Deployment. SCEP Certificate deployment to users and devices.

  1. PKI or CA infrastructure
  2. NDES Server
  3. Azure AD App Proxy Connector
  4. Microsoft Intune Certificate Connector:

I would recommend reading Microsoft documentation to get more details about SCEP or Intune certificate deployment prerequisites.

How to Create a SCEP certificate Certificate

Before deploying SCEP Certificate, you need to deploy PKI or CA chain of certificates to your devices or users.

  1. Root CA Cert
  2. Intermediate or Issuing CA cert 1
  3. Intermediate or Issuing CA cert 2
  4. Intermediate or Issuing CA cert 3 etc..
  5. SCEP Certificate issuing from CA

You need to make sure all the intermediate or Issuing CA certs have already reached the device. Once all the required certs are already there in the machine, you can deploy SCEP Certificate to the user or device. The device certificate can be secured using TMP chip.

As I mentioned in the above video, you can log in to the Azure portal with correct Intune RBAC access and create a SCEP certificate deployment profile.

  1. Azure portal
  2. Intune Blade
  3. Device Configurations – Profiles
  4. Create Profile
  5. Platform – Windows 10 or later
  6. Profile Type – SCEP Certificate
  7. SCEP Certificate Type – User or Device
  8. More details available

Intune Certificate Deployment SCEP Certificates

Troubleshoot on Intune Certificate Deployment Issue?

I have already shared a post about the Intune application, certificate or profile deployment troubleshooting options. I would recommend readin that post for more troubleshooting details from Intune side.

Other part of troubleshooting is done from CA, NDES, NDES Intune connector, Azure App Proxy connector etc…

1 thought on “Intune Certificate Deployment Step by Step Guide”

Leave a Comment