Intune SCEP with Joy – Learn how to use unique certificate templates to deploy different SCEP certificates within the same environment…

There may be a scenario where you require to use different templates to deploy different SCEP certificates to your Intune managed endpoints. For example, you may have a requirement where

• SCEP certificate was deployed to group A to use template A and for group B to use template B.
• Unique SCEP certificate to be deployed for the different profiles – Email, VPN, and Wi-Fi.

The above has been always a supported scenario and is in use in many enterprise environments.

Understanding the Logic

The primary use case of a SCEP certificate is to serve client authentication, determined by the Extended Key Usage (EKU) parameter.

That is why the SCEP certificate template configured in CA must have Client Auth added to its EKU.

You define the same while configuring the SCEP certificate profile from Intune.

Note: Selecting EKU as Any Purpose suffices for the obtained certificate to be used for auth purpose, as long as the certificate template used for creating the certificate has Client Authentication selected in its EKU.

However, the template that NDES (SCEP service) will use to make the on-behalf certificate request to the CA is determined based on the value of the Key Usage parameter of the Certificate Signing Request (CSR) that the device sends to the SCEP service, upon receiving the instructions from Intune as part of the SCEP payload.

When the SCEP service receives the certificate request from a device, it inspects the CSR to get the value for the Key Usage parameter and based on it determines the template to be used for making the certificate request to CA on-behalf, as defined in the reg_keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP.

While configuring the SCEP certificate profile in Intune, based on the selection of Key Usage

• Digital signature (=SignatureTemplate in MSCEP reg)
• Key encipherment (=EncryptionTemplate in MSCEP reg)
• Digital signature and Key encipherment (=GeneralPurposeTemplate in MSCEP reg)

you can choose to configure SCEP certificate deployment for specific purposes using up to 3 unique certificate templates configured in your CA. 

Proof Of Concept

I have configured 3 unique SCEP profiles in my test tenant and have made 3 unique assignments as can be seen from the snaps below.

NOTE: There is an important validation step of Effective Group Association calculation carried out in the backend (Azure AD functionality) when you make an active assignment of a SCEP profile from Intune. This checks and determines the association of the SCEP profile with the Trusted Certificate profile (for Root CA cert or Issuing CA cert based on your PKI infrastructure) defined within the profile. If this check fails to determine the association, the deployment fails at the initial stages and since this step is performed in the backend, you also do not get any logs for the same.

It is for this reason that Microsoft recommends deploying the Trusted Certificate profile which is linked with the SCEP profile and the SCEP Certificate profile to the same group. Ref Microsoft article here.

However, in our case, this would defy the purpose if we have to deploy to the same group.

Our aim is to deliver unique SCEP certificates to unique deployment groups using unique templates from the CA.

My SCEP lab is based on a multi-tier PKI infrastructure where I have a Root CA and a Sub CA and the Sub CA is the Issuing CA for my NDES box.

What I did ?

I deployed the Trusted Cert profile for the Issuing CA (which is essentially defined as the Root Certificate within all my SCEP profiles) to All Devices (since my deployment is based on device groups) and then made a unique assignment for each of the 3 SCEP profiles.

Intune SCEP Certificate Workflow Analysis – Check this post if you have not read my previous article on SCEP which explains the above.

This satisfies the Effective Group Association calculation and as you can see, all the 3 profiles have the success status as shown below.

Checking the Issued Certificates on the CA, you will see that the 3 certs as issued are generated using the unique templates as intended.

Above, I showed how you can have 3 unique templates configured in CA to serve for specific use-cases scenarios.

Similarly, you can also use a single template in CA to serve both Device-based and User-based SCEP certificates to the endpoints – essentially because we configure the template to provide details (CN and SAN) on request.

Well, that was all for today. Hope this would help you in planning SCEP certificate deployments in your environment if you ever face a similar requirement.

Stay safe!