Deploying certificates via Intune using SCEP and NDES

Deploying certificates to endpoints via Intune using SCEP (Simple Certificate Enrollment Protocol) is one of the more complex Intune configurations — there are four moving parts, and if any one of them is misconfigured the entire chain silently fails. This runbook covers the complete setup: the NDES server, the Intune Certificate Connector, the trusted root profile, and the SCEP profile itself.

ⓘ What this enables

SCEP via Intune lets you push device and user certificates from your internal CA to Intune-managed endpoints without requiring devices to be on the corporate network or VPN. The primary use cases are Wi-Fi authentication (802.1X), VPN certificate auth, and email signing/encryption (S/MIME).

The four-component architecture

Before building anything, understand what you're connecting:

  • Internal CA (AD CS): Your issuing certificate authority — the source of truth for certificates.
  • NDES server: Network Device Enrollment Service — a Windows Server role that acts as a SCEP proxy between Intune and your CA. Must be on a domain-joined server (not the CA itself).
  • Intune Certificate Connector: A service installed on the NDES server that bridges Intune to NDES. Authenticates to Intune via a service principal.
  • Intune SCEP profile: The configuration pushed to devices that tells them where to request certificates and what to put in them.

⚠ Don't install NDES on the CA

Microsoft explicitly recommends against co-locating NDES and the CA on the same server. NDES must run as a domain service account, and the CA service runs as Local System. Mixing them creates privilege and security issues. Use a separate server.

Set up the NDES server

Create the NDES service account

# Create a domain service account for NDES
New-ADUser -Name "svc-ndes" `
    -SamAccountName "svc-ndes" `
    -UserPrincipalName "svc-ndes@corp.contoso.com" `
    -AccountPassword (Read-Host -AsSecureString "Password") `
    -Enabled $true `
    -PasswordNeverExpires $true

# Add the account to the IIS_IUSRS local group on the NDES server itself
# (run this on the NDES server after installing the role; the NetBIOS
# domain name CORP is assumed from the UPN above)
Add-LocalGroupMember -Group "IIS_IUSRS" -Member "CORP\svc-ndes"

Install the NDES role

On the dedicated NDES server (Server Manager or PowerShell):

Install-WindowsFeature ADCS-Device-Enrollment -IncludeManagementTools
Install-WindowsFeature Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors, `
    Web-Static-Content, Web-Http-Redirect, Web-Http-Logging, Web-Log-Libraries, `
    Web-Request-Monitor, Web-Http-Tracing, Web-Filtering, Web-Windows-Auth, `
    Web-Net-Ext45, Web-Asp-Net45, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Mgmt-Console

Configure NDES

In Server Manager: Notifications flag > Configure Active Directory Certificate Services. Select Network Device Enrollment Service. When prompted:

  • Service account: the svc-ndes account created above
  • CA: select your issuing CA
  • RA information: fill in your organization details (these appear in the issued certs)
  • Cryptography: keep defaults (RSA 2048 at minimum)

Verify NDES is working

# From the NDES server itself, test the SCEP URL
# Should return an XML response, not an error
Invoke-WebRequest -Uri "http://localhost/certsrv/mscep/mscep.dll" -UseDefaultCredentials
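Once NDES answers, the part that most often goes wrong is the template mapping. The script below is an added check (not part of the original runbook) that runs on the NDES server and cross-references the templates NDES is configured to hand out against the templates actually published on the issuing CA, then confirms the service account is in IIS_IUSRS; `$CaConfig` and the `CORP\svc-ndes` form of the account are assumed values for the corp.contoso.com lab.

```powershell
param(
    [string]$CaConfig       = 'ca01.corp.contoso.com\Contoso Issuing CA',  # assumed "host\CA name"
    [string]$ServiceAccount = 'CORP\svc-ndes'                               # assumed NetBIOS form of svc-ndes
)

# 1. Templates NDES will hand out. NDES reads them from these three registry
#    values; the installer leaves them at IPSECIntermediateOffline, which is
#    rarely what the Intune SCEP profile expects.
$mscep = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$ndesTemplates = @($mscep.EncryptionTemplate, $mscep.GeneralPurposeTemplate, $mscep.SignatureTemplate) |
    Sort-Object -Unique

# 2. Templates the CA actually publishes. certutil prints one
#    "TemplateName: Display Name -- ..." line per template; keep only the name
#    and drop certutil's own "CertUtil: ... completed" footer.
$published = certutil -CATemplates -config $CaConfig | ForEach-Object {
    if ($_ -match '^(?<name>[^:\s]+):' -and $Matches.name -ne 'CertUtil') { $Matches.name }
}

foreach ($t in $ndesTemplates) {
    if ($published -contains $t) {
        Write-Host "OK       NDES template '$t' is published on $CaConfig"
    } else {
        # A template NDES references but the CA does not publish surfaces on
        # devices as 0x80094800 (template not found).
        Write-Warning "MISSING  NDES template '$t' is not published on $CaConfig (devices will report 0x80094800)"
    }
}

# 3. The NDES service account must be a member of the local IIS_IUSRS group,
#    otherwise the SCEP application pool cannot run under it.
$members = Get-LocalGroupMember -Group 'IIS_IUSRS' | Select-Object -ExpandProperty Name
if ($members -contains $ServiceAccount) {
    Write-Host "OK       $ServiceAccount is a member of IIS_IUSRS"
} else {
    Write-Warning "MISSING  $ServiceAccount is not in IIS_IUSRS; add it and recycle the SCEP app pool"
}
```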

Install the Intune Certificate Connector

  1. In the Intune admin center: Tenant administration > Connectors and tokens > Certificate connectors
  2. Click Add and download the connector installer
  3. Run the installer on the NDES server as a local admin
  4. During setup, sign in with a Global Admin or Intune Admin account to authorize the connector
  5. After installation, the connector appears in Intune within a few minutes with status Active

⚠ The connector account needs specific permissions on the CA

The connector service account needs Issue and Manage Certificates permission on the issuing CA. In the CA MMC: right-click the CA > Properties > Security > add the NDES service account with Issue and Manage Certificates. Without this, certificate requests will queue but never be issued.

Create the Intune certificate profiles

You need two profiles deployed in the right order: the trusted root first, the SCEP profile second.

Profile 1: Trusted root certificate

This pushes your root CA certificate to the device's trusted root store — required before SCEP certificates will be trusted.

In Intune: Devices > Configuration profiles > Create profile > Windows 10 and later > Templates > Trusted certificate

  • Upload the root CA certificate (.cer file, DER format)
  • Destination store: Computer certificate store — Root
  • Assign to the same device group as your SCEP profile

Profile 2: SCEP certificate profile

In Intune: Devices > Configuration profiles > Create profile > Windows 10 and later > Templates > SCEP certificate

Key fields to configure correctly:

Field | Recommended value | Notes
--- | --- | ---
Certificate type | Device or User | Device = machine cert (for Wi-Fi/VPN). User = personal cert (for email/user auth).
Subject name format | CN={{DeviceName}} or CN={{UserName}} | Use Intune variables. These get substituted at enrollment time.
Subject alternative name | User principal name: {{UserPrincipalName}} | Required for some 802.1X and email scenarios.
SCEP Server URLs | https://ndes.corp.contoso.com/certsrv/mscep/mscep.dll | Must be externally reachable or via a proxy. Use HTTPS. The cert on the NDES server must be trusted by devices.
Root Certificate | The trusted root profile created above | Link the profiles so the chain is validated.

Verify certificate deployment

# On an enrolled device, check the certificate store
# Run in PowerShell
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {$_.Issuer -like "*YourCA*"} |
    Select-Object Subject, NotBefore, NotAfter, Thumbprint

# For user certs
Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object {$_.Issuer -like "*YourCA*"} |
    Select-Object Subject, NotBefore, NotAfter

In Intune, check the SCEP profile device status. Devices showing Error will have an error code in the detail view. The most common error codes:

Error | Cause | Fix
--- | --- | ---
0x87D1FDE8 | SCEP server URL unreachable from device | Verify NDES URL is reachable from outside the network. Check firewall, DNS, and the NDES IIS binding.
0x80094800 | Certificate template not found or not configured on NDES | Verify the template is published to the CA and the NDES OIDs match the template.
Pending on CA | CA requires manager approval for this template | Set the template's issuance requirement to Supply in the request rather than CA manager approval.
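A certificate can be present in the store and still be useless to a Wi-Fi or VPN supplicant if the trusted root profile never landed or the SAN the profile requested is missing. This added device-side check (not part of the original runbook) builds the chain for each SCEP-issued machine certificate, reports why it fails if it does, confirms the chain terminates at the root pushed by Profile 1, and checks for the UPN SAN; `*YourCA*` is the same placeholder as above and `<ROOT-CA-THUMBPRINT>` is a placeholder for your root CA's thumbprint.

```powershell
param(
    [string]$IssuerMatch    = '*YourCA*',            # placeholder, as in the runbook
    [string]$RootThumbprint = '<ROOT-CA-THUMBPRINT>' # placeholder: thumbprint of the root in Profile 1
)

$certs = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Issuer -like $IssuerMatch }
if (-not $certs) {
    Write-Warning "No certificate issued by '$IssuerMatch' in LocalMachine\My: the SCEP profile has not applied yet (check the device status and error code in Intune)."
    return
}

foreach ($cert in $certs) {
    # Build the chain the way an 802.1X or VPN client would. Revocation is
    # skipped so the result isolates trust-store problems from CRL reachability.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $builds = $chain.Build($cert)

    # If the trusted root profile has not been applied, Build() fails with
    # UntrustedRoot; the last element is still the root the chain ended on.
    $statusText = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $rootThumb  = if ($chain.ChainElements.Count -gt 0) {
        $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
    } else { '<no chain>' }

    # Subject Alternative Name is OID 2.5.29.17; Format($false) renders it as
    # text such as "Other Name:Principal Name=user@corp.contoso.com".
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '<none>' }

    [pscustomobject]@{
        Subject          = $cert.Subject
        NotAfter         = $cert.NotAfter
        ChainBuilds      = $builds
        ChainStatus      = if ($builds) { 'OK' } else { $statusText }
        RootFromProfile1 = ($rootThumb -eq $RootThumbprint)
        HasUpnSan        = ($sanText -match 'Principal Name=')
        SAN              = $sanText
    }
}
```

A row with ChainBuilds false and ChainStatus UntrustedRoot means the SCEP profile worked but Profile 1 did not reach the device; RootFromProfile1 false with a building chain means the device trusts a different root than the one you linked in the SCEP profile.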

Summary

The SCEP certificate chain has four components, and failures in any one look the same from the device side. Build in order: NDES service account and role, Certificate Connector, trusted root profile, SCEP profile. Verify each layer before moving to the next. The most common production issues are the NDES service account missing CA issuance permissions, the SCEP URL being unreachable from external devices, and certificate template OID mismatches between NDES and the Intune profile.