Today, we will discuss Intune SCEP with Joy – Learn how to use unique certificate templates to deploy different SCEP certificates within the same environment.
There may be a scenario where you must use different certificate templates to deploy different SCEP certificates to your Intune-managed endpoints.
For example, the SCEP certificate deployed to group A must be issued from template A while the one deployed to group B must come from template B, or a distinct SCEP certificate must be deployed for each profile type (email, VPN, and Wi-Fi).
This has always been a supported scenario and is in use in many enterprise environments.
- Create SCEP Certificate Profiles in Intune Deploy SCEP Profiles to Windows 10 Devices
- Create SCEP Certificate Profiles Deploy SCEP Profiles to iOS Devices using Intune.
- Part 1 – Learn The Basic Concepts of PKI
- Part 2 – Knowing SCEP – The General Workflow
- Part 3 – Intune SCEP PKI Implementation Deep Dive
- Part 4 – Intune SCEP Certificate Workflow Analysis
| Index |
|---|
| Understanding the Logic – Intune SCEP with Joy |
| Proof Of Concept |
Understanding the Logic – Intune SCEP with Joy
The Extended Key Usage (EKU) extension declares what a certificate may be used for. For the SCEP certificates Intune deploys, the primary use case is client authentication.
The SCEP certificate template configured on the CA must therefore include Client Authentication (OID 1.3.6.1.5.5.7.3.2) in its EKU.

You define the same EKU while configuring the SCEP certificate profile in Intune.

Note: Selecting Any Purpose as the EKU in the Intune profile is sufficient for the issued certificate to be usable for authentication, because the EKU that ends up in the certificate is governed by the CA template: as long as the template used to issue the certificate has Client Authentication selected in its EKU, the certificate will carry it.
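To see this on an enrolled device, the following PowerShell (an added example, not code from the original article) lists the SCEP certificates in the user store and shows what each one actually carries: the EKU, which comes from the CA template and must include Client Authentication, and the Key Usage, which mirrors the selection made in the Intune profile. The issuer filter 'CN=Contoso Issuing CA' is a placeholder; replace it with your issuing CA's name.

```powershell
# Added example (not code from the original article). Run on an enrolled
# Windows device to see what the SCEP certificate actually carries: its EKU,
# which comes from the CA template and must include Client Authentication,
# and its Key Usage, which mirrors the Key Usage chosen in the Intune profile.
# Assumption: 'CN=Contoso Issuing CA' is a placeholder issuer filter.

$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'      # id-kp-clientAuth
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # Microsoft Certificate Template Information

function Get-ScepCertificateUsage {
    param(
        [string]$StorePath   = 'Cert:\CurrentUser\My',   # Cert:\LocalMachine\My for device certs
        [string]$IssuerMatch = 'CN=Contoso Issuing CA'
    )
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Issuer -like "*$IssuerMatch*" } |
        ForEach-Object {
            $cert = $_
            # EKU OIDs present on the issued certificate (set by the CA template)
            $ekuOids = @($cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value })
            # Key Usage flags, e.g. DigitalSignature, KeyEncipherment (set from the CSR)
            $keyUsage = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
                ForEach-Object { $_.KeyUsages }
            # Template the CA issued from, useful to confirm NDES picked the intended one
            $tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
            [pscustomobject]@{
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                KeyUsage      = "$keyUsage"
                EkuOids       = ($ekuOids -join ', ')
                HasClientAuth = ($ekuOids -contains $ClientAuthOid)
                Template      = if ($tmplExt) { $tmplExt.Format($false) } else { 'n/a' }
            }
        }
}

# Usage: list the certificates, then flag any that cannot be used for client authentication.
Get-ScepCertificateUsage | Format-List
Get-ScepCertificateUsage | Where-Object { -not $_.HasClientAuth } |
    ForEach-Object { Write-Warning "$($_.Subject) lacks the Client Authentication EKU" }
```

If a certificate shows HasClientAuth as False even though the Intune profile selected Client Authentication, the template NDES issued it from is the thing to fix, not the Intune profile.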
However, the template that NDES (the SCEP service) uses when it submits the on-behalf-of certificate request to the CA is not chosen from the EKU. It is determined by the Key Usage extension of the Certificate Signing Request (CSR) that the device generates and sends to the SCEP service, after the device receives its instructions from Intune in the SCEP payload.

When the SCEP service receives a certificate request from a device, it inspects the CSR for its Key Usage value and, based on that value, selects the template for the on-behalf-of request to the CA, as defined by the registry values under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP on the NDES server.

While configuring the SCEP certificate profile in Intune, the Key Usage you select maps to the MSCEP registry value (and therefore to the template) as follows:
- Digital signature (= SignatureTemplate in the MSCEP registry key)
- Key encipherment (= EncryptionTemplate in the MSCEP registry key)
- Digital signature and
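The following PowerShell is an added example (not code from the original article) of that mapping as it is applied on the NDES server. Run as an administrator there, it reads the MSCEP registry values NDES consults, resolves which template a given Intune Key Usage selection will be issued from, lets you repoint a Key Usage at a different template, and checks on the CA that the template carries the Client Authentication EKU. The template names in the usage lines are placeholders; the GeneralPurposeTemplate row for the combined "Digital signature and key encipherment" selection is the documented NDES value rather than something stated on this page; and text-matching certutil output for the OID is an assumption of this example.

```powershell
# Added example, not part of the original article. Run on the NDES server as
# an administrator. It reads the MSCEP registry values that NDES uses to pick
# a certificate template for each Key Usage it finds in a device CSR, resolves
# the template for a given Intune "Key usage" selection, and can update the
# mapping. Template names such as 'IntuneSCEP_Encrypt' are placeholders.

$MscepKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

# Intune "Key usage" selection -> MSCEP registry value that NDES consults.
# The GeneralPurposeTemplate row is the documented NDES value for the combined
# selection; it is not taken from the (truncated) list on this page.
$KeyUsageToRegValue = [ordered]@{
    'Digital signature'                      = 'SignatureTemplate'
    'Key encipherment'                       = 'EncryptionTemplate'
    'Digital signature and key encipherment' = 'GeneralPurposeTemplate'
}

function Get-NdesTemplateMapping {
    # One row per registry value: which Key Usage it serves and which CA
    # template NDES will request on the device's behalf for that Key Usage.
    $props = Get-ItemProperty -Path $MscepKey -ErrorAction Stop
    foreach ($entry in $KeyUsageToRegValue.GetEnumerator()) {
        [pscustomobject]@{
            KeyUsage      = $entry.Key
            RegistryValue = $entry.Value
            Template      = $props.($entry.Value)
        }
    }
}

function Resolve-NdesTemplate {
    # Given the Key Usage chosen in the Intune SCEP profile, return the template
    # NDES will use, i.e. the template that must carry Client Authentication
    # (1.3.6.1.5.5.7.3.2) in its EKU on the CA.
    param([Parameter(Mandatory)][string]$KeyUsage)
    $valueName = $KeyUsageToRegValue[$KeyUsage]
    if (-not $valueName) { throw "Unknown Key Usage selection: '$KeyUsage'" }
    (Get-ItemProperty -Path $MscepKey -Name $valueName).$valueName
}

function Set-NdesTemplateMapping {
    # Point a Key Usage at a different CA template. The value must be the
    # template's *name* (not its display name), the NDES service account needs
    # Enroll permission on it, and IIS must be restarted for NDES to reload it.
    param(
        [Parameter(Mandatory)][string]$KeyUsage,
        [Parameter(Mandatory)][string]$TemplateName
    )
    $valueName = $KeyUsageToRegValue[$KeyUsage]
    if (-not $valueName) { throw "Unknown Key Usage selection: '$KeyUsage'" }
    Set-ItemProperty -Path $MscepKey -Name $valueName -Value $TemplateName
    Write-Host "Set $valueName = $TemplateName. Run 'iisreset' so NDES picks it up."
}

function Test-NdesTemplateHasClientAuth {
    # CA-side sanity check: the template exists and lists the Client
    # Authentication OID. Matching certutil's text output is an assumption of
    # this example; inspect the template in certtmpl.msc if in doubt.
    param([Parameter(Mandatory)][string]$TemplateName)
    $out = certutil -v -template $TemplateName 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "Template '$TemplateName' not found: $out" }
    return ($out -match '1\.3\.6\.1\.5\.5\.7\.3\.2')
}

# Usage (placeholder template names):
Get-NdesTemplateMapping | Format-Table -AutoSize
$t = Resolve-NdesTemplate -KeyUsage 'Digital signature'
"CSRs with Key Usage 'Digital signature' will be issued from template: $t"
# Set-NdesTemplateMapping -KeyUsage 'Key encipherment' -TemplateName 'IntuneSCEP_Encrypt'
# Test-NdesTemplateHasClientAuth -TemplateName 'IntuneSCEP_Encrypt'
```

Because NDES holds exactly one template per Key Usage value, a single NDES server can serve at most three distinct templates, and two Intune profiles that must be issued from different templates need different Key Usage selections (or separate NDES servers).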
