Intune Create Deploy SCEP Certificate to Windows Devices


In this post, we will go through the process of creating and deploying a SCEP certificate to Windows 10 devices. We need to take care of some prerequisites before creating SCEP certificates in Intune: the on-premises infrastructure components must be in place before you create SCEP certificate profiles in Intune.

NDES setup for SCEP

https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-How-to-configure-NDES-for-SCEP-certificate/ba-p/455125

The NDES connector should be installed in your data center, and it should be able to talk to the CA server as well as to the Azure AD App Proxy connector if you are using Azure App Proxy. I’m not going to cover the setup of NDES and the Azure AD App Proxy connector. Those two configurations are very complex and are very well explained in other blogs.

All these configurations are explained in the accompanying video.

Deploying a SCEP certificate to Windows 10 devices lets them connect to corporate resources such as Wi-Fi and VPN profiles. Before creating the Windows 10 SCEP certificate profile in Intune, you need to create and deploy the certificate chain. The certificate chain includes the Root CA certificate and the Intermediate/Issuing CA certificate. There are three certificate profile types available in Intune: Trusted Certificate, SCEP Certificate and PKCS Certificate. We are not going to use the PKCS certificate profile for SCEP deployment.

Following are the high-level tasks for deploying a SCEP certificate to Windows 10 devices via Intune:

  • Create and deploy the Windows 10 Root CA certificate profile using the Intune Azure portal
  • Create and deploy the Windows 10 Intermediate/Issuing CA certificate profile using the Intune Azure portal
  • Create and deploy the SCEP certificate profile to Windows 10 devices using the Intune Azure portal

Create and Deploy Windows 10 Root CA, Windows 10 Intermediate/Issuing CA Certificate Profiles

As a first step, we need to create the Root CA certificate profile. To create it, navigate through Microsoft Intune – Device Configuration – Profiles – Create profile. Select the platform as Windows 10 and the profile type as Trusted Certificate. You just need to browse and upload your Root CA certificate (name of the cert = ACN-Enterprise-Root-CA.CER) exported from your CA server. In a Windows 10 Trusted Certificate profile, we also need to select the destination store. For the root cert profile, select Computer Certificate Store – Root. Once the settings are saved, deploy the root cert profile to the required Windows 10 devices.

We need to follow the same process for the Intermediate/Issuing CA certificate profile. Make sure that you are uploading the issuing CA certificate (name of the cert = ACN-Issuing-CA-PR1.CER) from your CA server. Another point to take care of is the destination store: here we need to select Computer Certificate Store – Intermediate. Click OK – Create to finish creating the issuing cert profile.

Deploy Windows 10 Root CA and Intermediate/Issuing CA Certificate Profiles to the same group of Windows 10 devices. We can use either AAD User or Device group to deploy these profiles. However, I would prefer to use AAD dynamic device groups wherever possible.

Create and Deploy Windows 10 SCEP profile via Intune

To create and deploy a SCEP profile to Windows 10 devices, navigate through Microsoft Intune – Device Configuration – Profiles – “Create profile“. Select the platform as Windows 10 and the profile type as SCEP Certificate. There are some specific settings you need to fill in when you create a SCEP profile for Windows 10 devices. Many of these values will differ depending on your CA server setup and the other on-premises components.

The certificate validity period is 1 year, which is the normal standard in the industry. There are four options for the Key Storage Provider (KSP):

  • Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP
  • Enroll to Trusted Platform Module (TPM) KSP, otherwise fail
  • Enroll to Passport, otherwise fail
  • Enroll to Software KSP

In this scenario, I have selected “Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP”. The subject name format depends on your organizational requirements; in this scenario I selected the common name as email and the subject alternative name as UPN. Key usage is Digital Signature and Key Encipherment. The key size is 2048. The hash algorithm (SHA-2) should be the latest one your CA supports.

Another important point is that you need to link the SCEP profile with the Root CA certificate profile you already created. If you have not created the Root CA and Intermediate/Issuing CA certificate profiles in Intune, it won’t allow you to create the SCEP profile. Extended key usage is another setting, and it should be populated automatically. One example here is “Client Authentication – 1.3.6.1.5.5.7.3.2”.

The last set of settings for Windows 10 SCEP profiles in Intune is Enrollment Settings. I would recommend keeping the certificate renewal threshold at the default value of 20%. The SCEP server URLs (e.g. https://acnndes-sccz.msappproxy.net/certsrv/mscep/mscep.dll) are very important. These are the URLs the Windows 10 devices will contact to request SCEP certificates, so they must be reachable from the internet. As I mentioned above, you can very well use Azure AD App Proxy URLs here. In this scenario, I’m going to use the Azure AD App Proxy settings.

The SCEP certificate will be deployed to the user’s Personal store in the following format: “ACN-Issuing-CA-PR5“.

End User Windows 10 Certificate Store Experience:-

SCEP profile will be deployed to Current User\Personal\Certificates = “ACN-Issuing-CA-PR5”

Root and Intermediate CA cert will be deployed to Local Computer\Intermediate Certification Authorities\Certificates = ACN-Enterprise-Root-CA.CER and ACN-Issuing-CA-PR1.CER
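As an added example (not code from the original post), the following PowerShell script, run on an enrolled Windows 10 device, checks that the Trusted Certificate profiles, the SCEP profile settings described above (chain, EKU, key usage, SAN as UPN, 2048-bit key, KSP, renewal threshold) and the NDES URL all landed as intended. The CA names and NDES URL are the post’s sample values and are assumptions; the store paths and OIDs are the standard Windows ones.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example, not code from the original post: verify on an enrolled Windows 10 device
# that the trusted-cert and SCEP profiles described above landed as intended. The CA names
# and NDES URL below are the post's sample values (assumed); adjust them to your environment.
param(
    [string]$RootName   = 'ACN-Enterprise-Root-CA',
    [string]$IssuerName = 'ACN-Issuing-CA-PR1',
    [string]$NdesUrl    = 'https://acnndes-sccz.msappproxy.net/certsrv/mscep/mscep.dll',
    [int]$RenewalThresholdPercent = 20
)
$clientAuth = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth EKU OID

# 1. Trusted-cert profiles: root in LocalMachine\Root, issuing CA in LocalMachine\CA.
$root  = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like "*CN=$RootName*"
$inter = Get-ChildItem Cert:\LocalMachine\CA   | Where-Object Subject -like "*CN=$IssuerName*"
"Root CA present in LocalMachine\Root : $([bool]$root)"
"Issuing CA present in LocalMachine\CA: $([bool]$inter)"

# 2. SCEP profile: newest cert in CurrentUser\My issued by the issuing CA.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Issuer -like "*CN=$IssuerName*" |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { Write-Warning "No certificate from $IssuerName in CurrentUser\My"; return }

# 3. The profile settings from the post: chain, EKU, key usage, SAN = UPN, 2048-bit key, KSP.
$chain = [X509Chain]::new()
"Chain builds to a trusted root       : $($chain.Build($cert))"
$ext = @{}; foreach ($e in $cert.Extensions) { $ext[$e.Oid.Value] = $e }
$eku = $ext['2.5.29.37'].EnhancedKeyUsages | ForEach-Object Value
"EKU includes Client Authentication   : $($eku -contains $clientAuth)"
$wanted = [X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
"Key usage DigSig + KeyEncipherment   : $($ext['2.5.29.15'].KeyUsages.HasFlag($wanted))"
"SAN carries a UPN (Principal Name)   : $($ext['2.5.29.17'].Format($false) -match 'Principal Name=')"
$rsa = [RSACertificateExtensions]::GetRSAPrivateKey($cert)
$ksp = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.Provider.Provider } else { 'legacy CSP or no private key' }
"Key size / KSP                       : $($rsa.KeySize) / $ksp  (TPM = 'Microsoft Platform Crypto Provider')"

# 4. Renewal: Intune re-enrols once the remaining lifetime drops below the threshold (default 20%).
$lifetime = ($cert.NotAfter - $cert.NotBefore).TotalDays
$left     = ($cert.NotAfter - (Get-Date)).TotalDays
"Renewal window reached               : $($left -le $lifetime * $RenewalThresholdPercent / 100)  ($([int]$left) of $([int]$lifetime) days left)"

# 5. The SCEP URL must be reachable from the internet; GetCACert needs no challenge password.
try {
    $r = Invoke-WebRequest -Uri "${NdesUrl}?operation=GetCACert&message=ca" -UseBasicParsing
    "NDES URL reachable                   : HTTP $($r.StatusCode), $($r.Headers['Content-Type'])"
} catch { Write-Warning "NDES URL not reachable: $($_.Exception.Message)" }
```

Run it in the enrolled user’s session (not an elevated admin shell) so that Cert:\CurrentUser\My is the store the SCEP profile wrote to; a KSP other than the TPM provider on a TPM-equipped device means the profile fell back to the software KSP.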


Reference:-

  • Configure and manage SCEP certificates with Intune – New Azure Portal
  • How to configure certificates in Microsoft Intune – New Azure Portal
  • How to Protect NDES with Azure AD Application Proxy

1 COMMENT

  1. We are trying to do this in our environment now, but are having some issues and I’ve searched the net finding this post.

    We’ve done pretty much the same, but were making it a device type certificate, not user. The idea behind this is an assumption user certificates would be troublesome in an environment where several users share a single computer. I’m not sure if this assumption is accurate?

    In any case, we’re having issues. I can see the certificate on the computer, under Certificates (local computer)\Personal\Certificates. However, when I try connecting to the WiFi I just get a message “unable to log on because you need a certificate, contact IT-support” (translated from Norwegian). And I can’t seem to find a useful error message anywhere.
