NDES and SCEP Setup with Intune: Part 3

In Part 1 and Part 2 of the NDES and SCEP setup with Intune series, we configured certificate templates, installed and configured the NDES server role with a gMSA, and installed the Intune Certificate Connector and Entra Application Proxy.

In this final part, we will create a trusted root certificate profile and a SCEP certificate profile in the Intune admin center to issue certificates to Intune-managed devices.

Step 7: Create Trusted Root Certificate Profile

Export the trusted root certificate from the root CA and deploy it to Intune-managed devices. Refer to the deploy trusted root certificate using Intune guide for the detailed steps. After completing this step, continue to the next step to create the SCEP certificate profile.


Step 8: Create SCEP Certificate Profile on Intune

Create a SCEP certificate deployment profile in the Intune admin center and target it at the same group that was used when deploying the trusted root certificate profile. This ensures that the trusted root certificate is deployed together with the SCEP certificate. The trusted root certificate is required to complete the certificate chain and establish trust with the root and issuing CAs.

  • Sign in to the Intune admin center > Devices > Windows > Configuration > Create > New Policy.
    • Platform: Windows 10 and later.
    • Profile type: Templates.
    • Template name: SCEP certificate.
  • Certificate type: As we are deploying a user certificate to the local user certificate store on the target device, we select User. If you want to deploy a device-based certificate, which is installed in the local computer certificate store, choose Device instead.
  • Subject name format: CN={{UserName}},E={{EmailAddress}}
  • Subject alternative name: CN={{UserPrincipalName}}
  • Certificate validity period: Use the same validity period as set in the SCEP certificate template.
  • Key storage provider (KSP): Select where the certificate's private key will be stored on the device. The most secure option is Enroll to Trusted Platform Module (TPM) KSP, otherwise fail; the most compatible option is Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP.
  • Key usage: Select Digital signature and Key encipherment.
  • Key size (bits): 2048
  • Hash algorithm: SHA-2
  • Root Certificate: Select the trusted certificate profile created for deployment of the root certificate.
  • Enhanced key usage: Ensure that the Client Authentication is added.
  • Renewal threshold: Keep default
  • SCEP Server URL: Provide the external Entra application proxy app URL (e.g., https://NDESIntuneWebApp-73dvgy.msappproxy.net/certsrv/mscep/mscep.dll/).

In the October 2024 Intune update, new strong mapping requirements were introduced for SCEP certificates used with the KDC. Windows will enforce these changes on February 11, 2025. If a certificate can’t be strongly mapped, authentication will be denied.

Check whether you need to update the SCEP certificate deployment profile to add an additional SAN attribute of type URI with the value {{OnPremisesSecurityIdentifier}}. This variable is supported in user certificates for macOS, iOS, and Windows 10/11, and only works with the URI attribute.

https://techcommunity.microsoft.com/blog/intunecustomersuccess/support-tip-implementing-strong-mapping-in-microsoft-intune-certificates/4053376

This requirement isn’t applicable to device certificates used with Microsoft Entra joined users or devices, because the SID attribute is an on-premises identifier. The {{OnPremisesSecurityIdentifier}} variable is supported in device certificates for Microsoft Entra hybrid joined devices, and only works with the URI attribute.


SCEP Certificate Profile configuration
  • Assignments: Assign the profile to the same Entra security group used for deployment of Trusted root certificate.
  • Applicability Rules: Click Next.
  • Review + create: Review the deployment summary and click Create.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.
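The PowerShell route mentioned above, as an added example that is not part of the original guide: it triggers the MDM client's own check-in task from an elevated session on the enrolled Windows device and then shows the MDM client's recent diagnostic events so you can confirm a session actually ran. It assumes the device is MDM-enrolled, so the enrollment client has created the PushLaunch scheduled task under \Microsoft\Windows\EnterpriseMgmt\<EnrollmentGUID>\.

```powershell
# Added example (not from the guide): force an Intune check-in from an elevated
# PowerShell session on the enrolled Windows device, then show the MDM client's
# recent diagnostic events so you can confirm the OMA-DM session ran.
# Assumption: the device is MDM-enrolled, so the "PushLaunch" scheduled task exists
# under \Microsoft\Windows\EnterpriseMgmt\<EnrollmentGUID>\.
#Requires -RunAsAdministrator

function Start-IntuneSync {
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' `
                               -TaskName 'PushLaunch' -ErrorAction SilentlyContinue
    if (-not $tasks) {
        Write-Warning 'No PushLaunch task found; this device does not look MDM-enrolled.'
        return $false
    }
    foreach ($task in $tasks) {
        Write-Host "Triggering $($task.TaskPath)$($task.TaskName)"
        Start-ScheduledTask -InputObject $task
    }
    return $true
}

function Get-RecentMdmEvents {
    param([int]$Minutes = 5)
    # The MDM client logs its OMA-DM session activity to this channel
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = (Get-Date).AddMinutes(-$Minutes) } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Sort-Object TimeCreated
}

if (Start-IntuneSync) {
    # Give the OMA-DM session a moment to start before reading the log
    Start-Sleep -Seconds 30
    Get-RecentMdmEvents -Minutes 2 | Format-Table -AutoSize -Wrap
}
```

Run it in an elevated PowerShell window on the test device. If no events appear after the sleep, the device never reached the Intune service, which is a different problem from the SCEP profile itself.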

Monitoring SCEP Certificate Deployment Progress

To monitor the deployment progress of a device configuration profile, follow these steps:

  • Sign in to the Intune admin center > Devices > Configuration.
  • Choose the Device Configuration profile you want to work with, and at the top of the page, you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress status.
  • Click on View report to access more detailed information.

End User Experience

After the deployment completes successfully, open the local certificate store to check whether the certificate has been deployed. The steps:

  • Request the target user to sign in to the Intune managed device.
  • Press Win + R to open the Run dialog box.
  • Type certmgr.msc to open the local user certificate store.
  • Navigate to Personal > Certificates and verify if the SCEP certificate has been deployed successfully.

If you have deployed a device-based SCEP certificate, open the local computer certificate store using certlm.msc and navigate to Personal > Certificates.
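The same verification done from PowerShell, as an added example that is not part of the original guide. It also covers the strong mapping section above: besides listing the certificate the SCEP profile issued, it reports whether the SAN carries the on-premises SID URI, whether the Client Authentication EKU is present, and which KSP holds the private key. The issuing CA common name is a placeholder, and the check assumes that a TPM-held key reports the Microsoft Platform Crypto Provider as its provider.

```powershell
# Added example (not from the guide): list the certificate the SCEP profile issued
# to the signed-in user and report the properties the profile configured, including
# the strong-mapping SID URI in the SAN.
# Assumptions: the issuing CA common name below is a placeholder; a key held in the
# TPM reports "Microsoft Platform Crypto Provider" as its CNG provider.
$IssuingCaName = 'CONTOSO-ISSUING-CA'   # placeholder: common name of your issuing CA

function Get-ScepIssuedCertificate {
    param(
        [string]$IssuerCN = $IssuingCaName,
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string]$StoreLocation = 'CurrentUser'   # LocalMachine for device certificates (certlm.msc)
    )
    Get-ChildItem "Cert:\$StoreLocation\My" |
        Where-Object { $_.Issuer -like "CN=$IssuerCN*" -and $_.HasPrivateKey }
}

function Test-ScepCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Subject Alternative Name extension (OID 2.5.29.17), decoded to text by Windows
    $sanExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }

    # Enhanced Key Usage extension; 1.3.6.1.5.5.7.3.2 is Client Authentication
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })

    # Which KSP holds the private key: CNG keys expose the provider name
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    $provider = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.Provider.Provider }
                else { 'unknown (legacy CSP or non-RSA key)' }

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        NotAfter      = $Cert.NotAfter
        KeySize       = if ($rsa) { $rsa.KeySize } else { $null }
        SignatureAlg  = $Cert.SignatureAlgorithm.FriendlyName
        ClientAuthEKU = $hasClientAuth
        HasUpnSan     = $sanText -match 'Principal Name='
        # Strong mapping: URI SAN carrying the on-premises SID in the KB5014754 format
        HasSidUriSan  = $sanText -match 'tag:microsoft\.com,2022-09-14:sid:S-1-5-21-'
        KeyProvider   = $provider
        KeyInTpm      = $provider -eq 'Microsoft Platform Crypto Provider'
    }
}

$certs = Get-ScepIssuedCertificate
if (-not $certs) { Write-Warning "No certificate issued by CN=$IssuingCaName found in the Personal store." }
$certs | ForEach-Object { Test-ScepCertificate -Cert $_ } | Format-List
```

Run it in the target user's session (no elevation needed for the CurrentUser store). A certificate with HasSidUriSan = False on a hybrid-joined user will fail Kerberos certificate authentication once the strong mapping enforcement date is reached, and KeyInTpm = False on a profile that requested the TPM KSP means the device fell back to a software key.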

SCEP certificate issued to the user

Security Best Practices

  • Limit the number of local administrators on the NDES and CA servers.
  • Keep the NDES and CA servers up to date with the latest Windows security updates.
  • Do not install NDES on the CA server.
  • For automatic revocation of certificates when an MDM device is decommissioned, wiped or reset, the service account used when configuring the Intune Connector must have the Issue and Manage Certificates permission on the CA. If you selected SYSTEM as the service account, add the computer account of the Intune connector server and grant it that permission.
Provide the Intune connector server the Issue and Manage Certificates permission.
  • After the NDES role is installed and configured successfully, un-publish (un-assign) the CEP Encryption and Exchange Enrollment Agent (Offline request) certificate templates on the CA. These templates are only required during NDES role installation and configuration, and again when renewing the certificates issued to the NDES registration authority. Publish them on the CA again when it is time to renew those certificates.
  • A gMSA is preferred over a standard service account for the NDES configuration.
  • Ensure that TLS 1.2 is enabled for communication between NDES and the MDM device.
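A quick audit of an NDES host against the points above, as an added example that is not part of the original guide. It checks that no CA service is co-located with NDES, that TLS 1.2 is not disabled and TLS 1.0/1.1 are explicitly disabled in Schannel, that the two offline templates are no longer published on the CA, and how many local administrators exist. The CA config string and the administrator threshold are placeholders, and the template check assumes that certutil -CATemplates lists published templates by their internal names (CEPEncryption and EnrollmentAgentOffline for the two templates named above).

```powershell
# Added example (not from the guide): audit an NDES host against the hardening
# points above. Run in an elevated session on the NDES server.
# Assumptions: $CAConfig is a placeholder; the template check looks for the internal
# template names CEPEncryption and EnrollmentAgentOffline in certutil's text output.
#Requires -RunAsAdministrator
$CAConfig       = 'ca01.contoso.local\CONTOSO-ISSUING-CA'   # placeholder: <CA host FQDN>\<CA name>
$MaxLocalAdmins = 3                                          # threshold chosen for this audit

function New-Finding($Check, $Pass, $Detail) {
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-NdesNotOnCA {
    # The CertSvc service present on this host means NDES shares the box with a CA
    $svc = Get-Service -Name CertSvc -ErrorAction SilentlyContinue
    New-Finding 'NDES not installed on CA' ($null -eq $svc) `
        $(if ($svc) { "CertSvc is $($svc.Status) on this host" } else { 'CertSvc not present' })
}

function Test-Tls12Enabled {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $p) { return New-Finding 'TLS 1.2 server enabled' $true 'No override key; OS default (enabled) applies' }
    $pass = ($p.Enabled -ne 0) -and ($p.DisabledByDefault -ne 1)
    New-Finding 'TLS 1.2 server enabled' $pass "Enabled=$($p.Enabled) DisabledByDefault=$($p.DisabledByDefault)"
}

function Test-LegacyTlsDisabled {
    foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\Server"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        # Only an explicit Enabled=0 counts as disabled; no key means the OS default applies
        $pass = ($null -ne $p) -and ($p.Enabled -eq 0)
        New-Finding "$proto server disabled" $pass `
            $(if ($p) { "Enabled=$($p.Enabled)" } else { 'No override key; OS default applies' })
    }
}

function Test-OfflineTemplatesUnpublished {
    $out = (& certutil.exe -config $CAConfig -CATemplates 2>&1) | Out-String
    if ($LASTEXITCODE -ne 0) {
        return New-Finding 'Offline templates unpublished' $false "certutil could not query $CAConfig : $($out.Trim())"
    }
    foreach ($t in 'CEPEncryption', 'EnrollmentAgentOffline') {
        $published = $out -match "\b$t\b"
        New-Finding "$t not published on CA" (-not $published) `
            $(if ($published) { 'Still published; unpublish until renewal time' } else { 'Not listed' })
    }
}

function Test-LocalAdminCount {
    $members = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
    New-Finding "Local Administrators <= $MaxLocalAdmins" ($members.Count -le $MaxLocalAdmins) ($members.Name -join ', ')
}

function Test-PatchCurrency {
    # Days since the most recent installed update, as a coarse patch-currency signal
    $last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age  = if ($last) { (New-TimeSpan -Start $last.InstalledOn -End (Get-Date)).Days } else { $null }
    New-Finding 'Updates installed within 45 days' ($null -ne $age -and $age -le 45) `
        $(if ($last) { "$($last.HotFixID) installed $age days ago" } else { 'No hotfix history found' })
}

@(Test-NdesNotOnCA; Test-Tls12Enabled; Test-LegacyTlsDisabled
  Test-OfflineTemplatesUnpublished; Test-LocalAdminCount; Test-PatchCurrency) | Format-Table -AutoSize -Wrap
```

The Schannel checks only read the registry overrides; they do not replace a TLS scan from a client, but they catch the common case of a hardening GPO that was never applied to the NDES host.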

Troubleshooting

Issues with NDES Server Setup

If you run into issues after deploying and configuring the NDES server, you can use a Microsoft-provided PowerShell script and run it on the NDES server. The script checks the whole NDES configuration along with its prerequisites. The script can be downloaded from this GitHub link.

Issues with Certificate Deployment

If the certificate is not issued to the device after deploying the SCEP certificate profile, there may be a problem reaching the SCEP URL: the device might not be able to access it at all. Perform the troubleshooting steps below to find the root cause:

  • Check whether the Entra app proxy external URL is accessible and shows HTTP Error 403.0 – Forbidden (0x8000ffff). If you see the page below, the SCEP URL is working fine.
HTTP Error 403.0 - Forbidden (0x8000ffff)
  • If you get a different page than the one shown above, for example a gateway timeout or an HTTP 503 error, there may be a problem with the NDES server. Log in to the NDES server and open the SCEP URL on the server itself to check whether it works. Most likely it will show the same error as the one seen when accessing the Entra app proxy external URL.
  • Restart the NDES server once. Open a command prompt as administrator and type iisreset. Wait a couple of minutes and try to access the URL on the NDES server again.
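The reachability check described above, scripted as an added example that is not part of the original guide. It requests the bare mscep.dll URL and classifies the answer (403 is healthy; 502/503/504 or no response points at the App Proxy connector or NDES), and on a healthy answer it also issues the standard SCEP GetCACaps operation (RFC 8894), which NDES answers with a plain-text capability list. The URL is the App Proxy external URL from this guide; the pkiclient.exe suffix is assumed to be the SCEP path NDES serves under mscep.dll.

```powershell
# Added example (not from the guide): probe the SCEP endpoint from outside the
# corporate network and again from the NDES server itself, and classify the result.
# Assumptions: $ScepUrl is the App Proxy external URL from the guide; the
# "/pkiclient.exe?operation=GetCACaps" suffix is the standard NDES SCEP query path.
$ScepUrl = 'https://NDESIntuneWebApp-73dvgy.msappproxy.net/certsrv/mscep/mscep.dll/'

function Get-HttpStatus {
    param([string]$Uri)
    # Returns the HTTP status code, or 0 when no HTTP response came back at all
    try {
        $r = Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 30
        return [int]$r.StatusCode
    } catch {
        $resp = $_.Exception.Response          # WebException (PS 5.1) or HttpResponseException (PS 7)
        if ($resp) { return [int]$resp.StatusCode }
        Write-Warning "No HTTP response from $Uri : $($_.Exception.Message)"
        return 0
    }
}

function Test-ScepEndpoint {
    param([string]$Url = $ScepUrl)
    $status  = Get-HttpStatus -Uri $Url
    $verdict = switch ($status) {
        403 { 'OK: NDES answered 403 on the bare URL, as expected' }
        0   { 'FAIL: no HTTP response (DNS, TLS or App Proxy connector problem)' }
        { $_ -in 502, 503, 504 } { 'FAIL: App Proxy reached but NDES/IIS not responding; check NDES and run iisreset' }
        default { "CHECK: unexpected status $status" }
    }

    $caps = @()
    if ($status -eq 403) {
        # Extra check: a healthy NDES answers GetCACaps with one capability per line
        $capsUri = $Url.TrimEnd('/') + '/pkiclient.exe?operation=GetCACaps&message=default'
        try {
            $content = (Invoke-WebRequest -Uri $capsUri -UseBasicParsing -TimeoutSec 30).Content
            $caps = $content -split "`r?`n" | Where-Object { $_ }
        } catch {
            $verdict += '; GetCACaps failed: ' + $_.Exception.Message
        }
    }

    [pscustomobject]@{ Url = $Url; Status = $status; Verdict = $verdict; CACaps = ($caps -join ', ') }
}

Test-ScepEndpoint | Format-List
```

Run the same function on the NDES server with the internal URL (http://localhost/certsrv/mscep/mscep.dll/) to separate an App Proxy connector problem from an NDES problem: if the external check fails but the local check returns 403 with a capability list, the connector or its registration is the place to look.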
