SCEP Configuration Profiles for Intune Cloud PKI

Discover how to use a Cloud PKI with Microsoft Intune to request certificates with SCEP configuration profiles. Complete tutorial on creating and distributing digital certificates.

IT specialists, hello everyone! Do you remember that some time ago we saw how to implement a Cloud PKI with Microsoft Intune? Well, it’s time to use it by requesting certificates with SCEP configuration profiles!

Video

You can find the entire video below, or you can continue reading the article.

SCEP Configuration Profiles for Intune Cloud PKI

We use Cloud PKI with Microsoft Intune to request certificates with SCEP configuration profiles.

What is SCEP?

SCEP, which stands for Simple Certificate Enrollment Protocol, is a protocol used to simplify the management and distribution of digital certificates. In the context of Intune Cloud PKI, SCEP is used to distribute certificates to our managed devices, which will then be used to authenticate to various corporate resources.

Creating Intune Profiles

Let’s start by creating Intune profiles to distribute the certificates, starting with the Trusted Certificates, namely the Root CA and the Issuing CA, which we created a short time ago with Intune Cloud PKI. If you don’t remember, go back and watch the previous video.

Configuring the SCEP Profile

Now it’s finally time to create our SCEP profile, which we will configure to interact with our Cloud PKI. Pay particular attention to the SCEP URL parameter. First, let’s see the configuration of a user certificate and then the configuration of the SCEP profile to request a machine certificate.

SCEP Profile for User Certificate

SCEP Profile for Machine Certificate

Verifying Certificate Issuance

Perfect, now let’s verify that the certificates have actually been issued.

Useful Tips

  • Maintain consistency between the assignments of Trusted Certificate profiles and SCEP profiles by assigning them to the same group and, above all, be consistent with the type of object that populates the group: either users or devices. This is because there is a specific supportability table to ensure that the certificates are actually issued. Here is the table below.
                                                             | Trusted certificate profile assignment includes User | Trusted certificate profile assignment includes Device | Trusted certificate profile assignment includes User and Device
SCEP certificate profile assignment includes User            | Success                                              | Failure                                                |
SCEP certificate profile assignment includes Device          | Failure                                              | Success                                                |
SCEP certificate profile assignment includes User and Device | Success                                              | Success                                                |

Other useful tips:

  • If you have a hybrid environment, comply with the strong mapping requirements (details in the documentation attached below).
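As an added example (not part of the original post), here is a PowerShell check to run on an enrolled Windows device: it confirms that the Root CA and Issuing CA delivered by the Trusted Certificate profiles sit in the expected stores, lists the user and machine SCEP certificates that chain to the Issuing CA, and reports whether each one carries the strong mapping data the tip above refers to. The CA subject names are hypothetical placeholders, and the SID URI prefix is the one from KB5014754, so check it against the support tip linked below.

```powershell
# Added example, not code from the original post or from Microsoft.
# Hypothetical CA names: replace with the full Subject of your own Cloud PKI CAs.
$RootCASubject    = 'CN=Contoso Cloud Root CA'
$IssuingCASubject = 'CN=Contoso Cloud Issuing CA'

function Test-CloudPkiTrust {
    # The Trusted Certificate profiles should place the Root CA in the Trusted Root
    # store and the Issuing CA in the Intermediate (CA) store of the device.
    $root    = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -eq $RootCASubject
    $issuing = Get-ChildItem Cert:\LocalMachine\CA   | Where-Object Subject -eq $IssuingCASubject
    [pscustomobject]@{
        RootCATrusted    = [bool]$root
        IssuingCAPresent = [bool]$issuing
    }
}

function Get-ScepIssuedCertificate {
    param([ValidateSet('User', 'Machine')][string]$Scope)
    # A user SCEP profile enrolls into CurrentUser\My, a machine profile into LocalMachine\My.
    $store = if ($Scope -eq 'User') { 'Cert:\CurrentUser\My' } else { 'Cert:\LocalMachine\My' }
    Get-ChildItem $store | Where-Object Issuer -eq $IssuingCASubject | ForEach-Object {
        # Subject Alternative Name extension (OID 2.5.29.17), rendered as text
        $san     = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($san) { $san.Format($false) } else { '' }
        [pscustomobject]@{
            Scope         = $Scope
            Subject       = $_.Subject
            NotAfter      = $_.NotAfter
            HasPrivateKey = $_.HasPrivateKey           # false means the enrollment did not complete
            # EKUs requested in the SCEP profile, e.g. Client Authentication = 1.3.6.1.5.5.7.3.2
            EKU           = ($_.EnhancedKeyUsageList.ObjectId -join ',')
            ChainValid    = $_.Verify()                # builds and validates the chain to the Root CA
            # Strong mapping (KB5014754): SID carried in a SAN URI, or in the SID security
            # extension (OID 1.3.6.1.4.1.311.25.2). Hybrid environments need one of the two.
            StrongMapped  = ($sanText -match 'tag:microsoft\.com,2022-09-14:sid:S-1-5-') -or
                            [bool]($_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.25.2' })
        }
    }
}

Test-CloudPkiTrust
Get-ScepIssuedCertificate -Scope User    | Format-Table -AutoSize
Get-ScepIssuedCertificate -Scope Machine | Format-Table -AutoSize
```

A certificate that is missing, has no private key, or fails ChainValid points back at the assignment matrix in the first tip, while StrongMapped being false on a hybrid-joined device means the SCEP profile still lacks the strong mapping attributes.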

Documentation

Here is all the documentation I referred to during the video.

📃 Use SCEP certificate profiles with Microsoft Intune
📃 Troubleshoot deployment of Simple Certificate Enrollment Protocol (SCEP) certificate profiles to devices with Microsoft Intune
📃 Troubleshoot use of Simple Certificate Enrollment Protocol (SCEP) certificate profiles to provision certificates with Microsoft Intune
📃 Troubleshoot delivery of Simple Certificate Enrollment Protocol (SCEP) certificates
📃 Support tip: Implementing strong mapping in Microsoft Intune certificates

Conclusions

As always, this is a lab environment, so do the appropriate analysis before putting everything into production.
Thank you for watching the video up to this point. Subscribe to my YouTube channel and help it grow to produce even better content. For the rest, I’ll see you on LinkedIn and on my blog ITSpecialist.cloud!

Thanks again! See you soon… LEGENDS!

Your IT Specialist,
Riccardo