Identity / Certificate Lifecycle · Modern Endpoint Guides

🔐 Microsoft Intune

PKI & Certificate Management

Enterprise certificate delivery via SCEP and PKCS — from Certificate Connector setup to Wi-Fi, VPN, and email authentication across all managed platforms.

📅 Updated: May 2026 ⏱️ Implementation: ~4–8 hours 🎯 Audience: PKI Engineers, Intune Admins 📋 License: P1 / P2

📋 Overview & Licensing

Intune delivers certificates to managed devices via two mechanisms: SCEP (Simple Certificate Enrollment Protocol) and PKCS (PFX). Each requires a Certificate Connector and an on-premises CA (ADCS or third-party).

🎯 Core Capabilities

Automated certificate provisioning to all platforms
Device and user certificate delivery
Wi-Fi, VPN, and email client authentication
S/MIME encryption and signing
Automatic renewal before expiry
Certificate revocation on device wipe/retire

📋 Licensing Requirements

Feature	License
SCEP Profiles	Intune P1
PKCS Profiles	Intune P1
S/MIME (user cert)	P1 + Exchange
Third-party CA	P1 + CA API

SCEP vs. PKCS – Comparison

Attribute	SCEP	PKCS #12 (PFX)
Private key location	Generated on device (never leaves)	Generated on server, delivered encrypted
Security posture	Higher (non-exportable key)	Lower (PFX can be extracted)
CA requirement	ADCS with NDES role	ADCS (direct PFX)
Supported platforms	Windows, iOS, Android, macOS	Windows, iOS, Android, macOS
Use for Wi-Fi/VPN	✅ Preferred	✅ Supported
Use for S/MIME	Limited	✅ Preferred (exportable)

🏗️ PKI Architecture

📐 End-to-End Certificate Flow

Intune Policy

→

Device

→

SCEP/PKCS Profile

→

Certificate Connector

→

NDES / CA

→

Certificate Issued

🏢 ADCS (NDES) Architecture

Root CA: Offline, air-gapped for maximum security
Issuing CA: Online, member of domain
NDES server: Separate from CA (IIS + SCEP module)
Certificate Connector: Installed on NDES server
Service Account: Domain account with specific permissions

☁️ Third-Party CA Support

DigiCert, Entrust, GlobalSign via API
Connector communicates with CA REST API
No NDES required for cloud CAs
Custom subject name support
PKCS flows only (not SCEP for third-party)

🔒 Certificate Authority Hierarchy

Tier	Role	Recommendation
Root CA	Trust anchor, signs Issuing CA	Offline, HSM, 4096-bit RSA or P-384 ECDSA
Issuing CA	Issues end-entity certificates	Online, 2-year cert lifetime, CDP/AIA published
NDES	SCEP endpoint for devices	Dedicated server, load balanced for scale
Connector	Intune ↔ CA bridge	Installed on NDES, outbound HTTPS only

🔌 Certificate Connector

The Certificate Connector replaced the older Microsoft Intune Certificate Connector. Use the new unified connector from the Intune portal – it supports both SCEP and PKCS in a single agent.

Download Connector

Go to Intune admin center → Tenant administration → Connectors and tokens → Certificate connectors → Download the connector installer.

Install on NDES Server

Run the installer as local administrator. Select SCEP and/or PKCS as needed. The connector runs as a Windows service.

Authenticate to Intune

Sign in with a Global Admin or Intune Admin account when prompted. This creates a trust relationship between the connector and your Intune tenant.

Verify Status

In the Intune portal, the connector should show Active within 5 minutes. Check Windows Event Log: Applications and Services Logs → Microsoft → Intune → Certificate Connector.

⚙️ Service Account Permissions

Domain user account (not local account)
Enroll permission on the certificate template
Read and Enroll on the NDES template
Log on as a service right on the NDES server
Member of IIS_IUSRS local group on NDES

🌐 Network Requirements

Direction	Endpoint	Port
Outbound	*.manage.microsoft.com	443/HTTPS
Outbound	*.microsoftonline.com	443/HTTPS
Outbound	*.azure.com	443/HTTPS
Internal	NDES → Issuing CA	135/RPC, 49152+

♻️ High Availability Setup

Install multiple connectors on different NDES servers
Intune load balances automatically across active connectors
Each connector must be registered separately in Intune
Use NLB or Azure Load Balancer for NDES SCEP URL
Minimum 2 connectors recommended for production

Connectors do NOT need to be on the same server. You can have multiple NDES servers each with a connector, and Intune will distribute requests automatically.

⚙️ SCEP Certificate Profiles

📝 Certificate Template Settings

Template name: Must match ADCS template exactly
Certificate type: Device or User
Subject name format: CN={{DeviceName}} or CN={{AAD_Device_ID}}
SAN: DNS={{DeviceName}}, UPN={{UserPrincipalName}}
Certificate validity: 1–2 years typical
Key storage provider: TPM preferred

🔑 Key Usage Options

Digital Signature: Client authentication
Key Encipherment: Data encryption
Extended Key Usage: Client Auth OID (1.3.6.1.5.5.7.3.2)
Key size: 2048 or 4096 bits
Hash algorithm: SHA-256 minimum

🏷️ Dynamic Subject Name Variables

Variable	Value	Use Case
{{DeviceName}}	Device hostname	Device certs, Wi-Fi, VPN
{{AAD_Device_ID}}	Azure AD Device Object ID	Conditional Access device identity
{{UserPrincipalName}}	user@domain.com	User certs, email auth
{{serialNumber}}	Device serial number	Hardware-bound identity
{{IMEI}}	Mobile IMEI	Mobile device identity
{{OnPrem_Distinguished_Name}}	AD DN	Hybrid join scenarios

# SCEP Profile via Graph API
POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations

{
  "@odata.type": "#microsoft.graph.windows10CertificateProfileBase",
  "displayName": "SCEP - Wi-Fi Client Auth - Windows",
  "certificationAuthority": "ca.corp.contoso.com",
  "certificationAuthorityName": "Contoso Issuing CA",
  "certificateTemplateName": "IntuneWiFiClient",
  "subjectNameFormat": "CN={{DeviceName}}",
  "subjectAlternativeNameType": "dnsName",
  "keyUsage": "digitalSignature",
  "extendedKeyUsages": [{ "objectIdentifier": "1.3.6.1.5.5.7.3.2", "name": "Client Authentication" }],
  "scepServerUrls": ["https://ndes.corp.contoso.com/certsrv/mscep/mscep.dll"],
  "validityPeriodValue": 1,
  "validityPeriodScale": "years",
  "renewalThresholdPercentage": 20
}

📜 PKCS Certificate Profiles

📦 PKCS Profile Settings

Certificate Authority: FQDN of Issuing CA
CA Name: Common Name of the CA
Template: Certificate template name in ADCS
Subject name format: Same variables as SCEP
Renewal threshold: 20–30% before expiry
Key storage: Software KSP or TPM

🔄 PKCS Imported Certificates

Pre-existing PFX files imported to Intune
Used for S/MIME (same cert across devices)
Upload via PowerShell or Graph API
Delivered encrypted per-device
Requires separate PKCS Imported profile type

# PowerShell: Upload PKCS Imported PFX for S/MIME
Import-Module Microsoft.Graph.DeviceManagement

# Read PFX file and encode
$pfxData = [System.IO.File]::ReadAllBytes("C:\certs\user_smime.pfx")
$pfxBase64 = [Convert]::ToBase64String($pfxData)

# Create the imported certificate
$body = @{
    userPrincipalName = "alice@contoso.com"
    password          = "PfxPassword123!"
    pkcs12Value       = $pfxBase64
    intendedPurpose   = "smimeEncryption"
}

New-MgDeviceManagementUserPfxCertificate -BodyParameter $body

✅ Trusted Root Certificate Profiles

Always deploy Trusted Root profiles BEFORE SCEP or PKCS profiles. Certificates will fail to validate if the root CA is not yet trusted on the device.

🌳 Root CA Deployment

Export Root CA Certificate

Export Root CA cert as .cer (DER encoded) from Certification Authority MMC.

Create Trusted Certificate Profile

Intune → Device Configuration → Create Profile → Trusted certificate → Upload .cer file.

Assign to All Devices Group

Assign broadly to All Devices or all targeted device groups before SCEP/PKCS profiles.

🏢 Intermediate CA Deployment

Also deploy Intermediate/Issuing CA certificate
Separate Trusted Certificate profile per CA
Destination store: Computer (for device certs), User (for user certs)
Include full chain if third-party CA is used

Deploy chain: Root CA → Intermediate CA → then SCEP/PKCS profile

📡 Wi-Fi & VPN Authentication

📡 802.1X Wi-Fi Profile

EAP Type: EAP-TLS (certificate-based)
Authentication method: Certificate
Client certificate: Reference SCEP profile
Server validation: Root CA certificate
Identity Privacy: anonymous@domain.com

🔗 Profile Dependency Chain

1. Trusted Root Profile → Device

2. SCEP Profile → Device (ref. root)

3. Wi-Fi Profile → Device (ref. SCEP cert)

🛡️ VPN Certificate Auth

Supported: Always On VPN, Cisco AnyConnect, Pulse Secure
Certificate EKU must include Server Authentication on VPN gateway
Client cert delivered via SCEP or PKCS
Use device certificate for machine tunnels
Use user certificate for user tunnels

🔒 Always On VPN Config

Device Tunnel: System certificate (device cert)
User Tunnel: User certificate (user cert)
Both tunnels can use certificate auth simultaneously
Requires Windows 10 1709+ or Windows 11

✉️ Email & S/MIME

🔏 S/MIME Configuration

Signing cert: PKCS Imported or SCEP user cert
Encryption cert: PKCS Imported (must be exportable)
Both Outlook for iOS/Android and native mail apps
Enroll via iOS/Android email profile referencing cert
Public key sharing: Automatic via Exchange GAL

📧 Outlook S/MIME Steps

Deploy signing certificate

SCEP or PKCS user certificate with Email Protection EKU.

Deploy encryption certificate

PKCS Imported PFX with same email address as UPN.

Configure email profile

Reference both certificates in the iOS/Android email configuration profile.

🔄 Lifecycle & Renewal

⏳ Renewal Logic

Renewal threshold: percentage of cert lifetime
Default: 20% (e.g., renew 73 days before expiry for 1-year cert)
Intune automatically triggers renewal
New certificate issued without user interaction
Old certificate revoked on successful renewal

🗑️ Revocation Scenarios

Device retire: Certificate automatically revoked
Device wipe: Certificate revoked and removed
Profile unassignment: Certificate revoked from device
User removed: User cert revoked
Manual revocation: Via ADCS MMC or script

Intune notifies the Certificate Connector to revoke the certificate in ADCS when a device is retired or wiped — this ensures complete certificate lifecycle management without manual intervention.

📊 Monitoring & Reports

📋 Certificate Inventory

Intune → Devices → Monitor → Certificate
Status: Installed, Error, Pending
Expiry date per device
Export to CSV

🔌 Connector Health

Intune → Tenant admin → Connectors
Last check-in time
Active / Warning / Error status
Connector version

📡 Event Log (On-prem)

Applications and Services Logs
Microsoft → Intune → CertConnector
NDES IIS logs: %SystemDrive%\inetpub\logs
CA Event Log: Security (Event 4886)

🔧 Troubleshooting

❌ Common Issues & Solutions

Symptom	Likely Cause	Resolution
Certificate profile in Error state	NDES unreachable or wrong SCEP URL	Test SCEP URL from device browser; check firewall
Connector shows inactive	Outbound HTTPS blocked, service stopped	Check network, restart Intune Connector Service
Certificate issued but not installed	Template permissions missing	Grant service account Enroll on template
PKCS cert not delivered	CA FQDN or name mismatch	Verify CA Name matches exactly in profile
Renewal not triggering	Threshold too low, device offline	Increase threshold; ensure device checks in regularly
EAP-TLS Wi-Fi fails	Root CA not trusted, wrong EKU	Verify root/intermediate deployed; check Server Auth EKU

# Test SCEP URL from client (PowerShell)
$scepUrl = "https://ndes.corp.contoso.com/certsrv/mscep/mscep.dll"
$response = Invoke-WebRequest -Uri $scepUrl -Method GET -UseDefaultCredentials
Write-Host "Status: $($response.StatusCode)"

# Check Intune certificate connector logs
Get-EventLog -LogName "Microsoft-Intune-CertConnector/Operational" -Newest 50 |
    Where-Object { $_.EntryType -eq "Error" } |
    Select-Object TimeGenerated, Message

# List certificates on device
Get-ChildItem Cert:\LocalMachine\My | Select-Object Subject, NotAfter, Issuer

💻 PowerShell & Graph API

# Get all SCEP/PKCS profiles via Graph
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All"

$profiles = Get-MgDeviceManagementDeviceConfiguration |
    Where-Object { $_.'@odata.type' -like "*Certificate*" }

$profiles | Select-Object DisplayName, Id, LastModifiedDateTime

# Get certificate deployment status per device
$profileId = "your-profile-guid"
Get-MgDeviceManagementDeviceConfigurationDeviceStatus -DeviceConfigurationId $profileId |
    Select-Object DeviceDisplayName, Status, LastReportedDateTime

# Export certificate report to CSV
$results = Get-MgDeviceManagementDeviceConfigurationDeviceStatus -DeviceConfigurationId $profileId
$results | Export-Csv -Path "C:\Reports\CertStatus.csv" -NoTypeInformation

# Check connector health via Graph
GET https://graph.microsoft.com/beta/deviceManagement/ndesConnectors

# Revoke certificate manually
$caServer = "ca.corp.contoso.com"
$serialNum = "1a2b3c4d5e6f"
certutil -config $caServer -revoke $serialNum 0  # 0 = Unspecified