Deploying certificates via Intune using SCEP and NDES
Deploying certificates to endpoints via Intune using SCEP (Simple Certificate Enrollment Protocol) is one of the more complex Intune configurations — there are four moving parts, and if any one of them is misconfigured the entire chain silently fails. This runbook covers the complete setup: the NDES server, the Intune Certificate Connector, the trusted root profile, and the SCEP profile itself.
SCEP via Intune lets you push device and user certificates from your internal CA to Intune-managed endpoints without requiring devices to be on the corporate network or VPN. The primary use cases are Wi-Fi authentication (802.1X), VPN certificate auth, and email signing/encryption (S/MIME).
The four-component architecture
Before building anything, understand what you're connecting:
- Internal CA (AD CS): Your issuing certificate authority — the source of truth for certificates.
- NDES server: Network Device Enrollment Service — a Windows Server role that acts as a SCEP proxy between Intune and your CA. Must be on a domain-joined server (not the CA itself).
- Intune Certificate Connector: A service installed on the NDES server that bridges Intune to NDES. Authenticates to Intune via a service principal.
- Intune SCEP profile: The configuration pushed to devices that tells them where to request certificates and what to put in them.
Microsoft explicitly recommends against co-locating NDES and the CA on the same server. NDES must run as a domain service account, and the CA service runs as Local System. Mixing them creates privilege and security issues. Use a separate server.
Set up the NDES server
Create the NDES service account
```powershell
# Create a domain service account for NDES
New-ADUser -Name "svc-ndes" `
    -SamAccountName "svc-ndes" `
    -UserPrincipalName "svc-ndes@corp.contoso.com" `
    -AccountPassword (Read-Host -AsSecureString "Password") `
    -Enabled $true `
    -PasswordNeverExpires $true

# Add to the IIS_IUSRS local group on the NDES server (do this after installing the role).
# Run on the NDES server; "CORP" is the assumed NetBIOS name of corp.contoso.com.
Add-LocalGroupMember -Group "IIS_IUSRS" -Member "CORP\svc-ndes"
```
Install the NDES role
On the dedicated NDES server (Server Manager or PowerShell):
```powershell
Install-WindowsFeature ADCS-Device-Enrollment -IncludeManagementTools
Install-WindowsFeature Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors, `
    Web-Static-Content, Web-Http-Redirect, Web-Http-Logging, Web-Log-Libraries, `
    Web-Request-Monitor, Web-Http-Tracing, Web-Filtering, Web-Windows-Auth, `
    Web-Net-Ext45, Web-Asp-Net45, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Mgmt-Console
```
Configure NDES
In Server Manager: Notifications flag > Configure Active Directory Certificate Services. Select Network Device Enrollment Service. When prompted:
- Service account: the svc-ndes account created above
- CA: select your issuing CA
- RA information: fill in your organization details (these appear in the issued certs)
- Cryptography: keep defaults (RSA 2048 at minimum)
Verify NDES is working
```powershell
# From the NDES server itself, test the SCEP URL
# Should return an XML response, not an error
Invoke-WebRequest -Uri "http://localhost/certsrv/mscep/mscep.dll" -UseDefaultCredentials
```
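A deeper NDES check, added here as an example and not part of the original runbook: it issues the two read-only SCEP operations a device sends before enrolling (GetCACaps and GetCACert), lists the CA and RA certificates NDES hands out, and flags certificates close to expiry. The host name is a placeholder; everything else is standard SCEP behaviour that NDES implements.

```powershell
# Added example (not from the original runbook): probe the NDES SCEP endpoint
# with the read-only SCEP operations a device issues before enrolling.
# Assumptions: run on the NDES server; the host name is a placeholder.
param(
    [string]$NdesHost = "localhost"
)

function Get-ScepCapabilities {
    param([string]$ScepUrl)
    # GetCACaps returns one capability token per line as text/plain (RFC 8894, 3.5.2)
    $resp = Invoke-WebRequest -Uri "${ScepUrl}?operation=GetCACaps&message=probe" `
        -UseDefaultCredentials -UseBasicParsing
    return ($resp.Content -split "\r?\n" | Where-Object { $_.Trim() -ne "" })
}

function Get-ScepCaChain {
    param([string]$ScepUrl)
    # GetCACert returns a degenerate PKCS#7 (application/x-x509-ca-ra-cert)
    # carrying the CA certificate plus the NDES RA certificates.
    $wc = New-Object System.Net.WebClient
    $wc.UseDefaultCredentials = $true
    $bytes = $wc.DownloadData("${ScepUrl}?operation=GetCACert&message=probe")
    $coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $coll.Import($bytes)   # X509Certificate2Collection understands PKCS#7 blobs
    return $coll
}

$scepUrl = "http://$NdesHost/certsrv/mscep/mscep.dll"

$caps = Get-ScepCapabilities -ScepUrl $scepUrl
"GetCACaps: $($caps -join ', ')"
# Devices pick the hash algorithm from these tokens; a server that advertises
# no SHA-2 hash pushes enrolments down to SHA-1.
if (-not ($caps | Where-Object { $_ -match 'SHA-(256|384|512)' })) {
    Write-Warning "NDES does not advertise a SHA-2 hash in GetCACaps"
}

$chain = Get-ScepCaChain -ScepUrl $scepUrl
foreach ($c in $chain) {
    "{0,-60} expires {1:yyyy-MM-dd}" -f $c.Subject, $c.NotAfter
}
# Expired RA certificates are a classic silent failure: GetCACaps still answers,
# but every PKIOperation fails. Flag anything expiring within 30 days.
$soon = @($chain | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) })
if ($soon.Count -gt 0) {
    Write-Warning ("{0} certificate(s) in the SCEP chain expire within 30 days" -f $soon.Count)
}
```

Run it before and after installing the Certificate Connector; the GetCACert output should show your issuing CA plus the RA certificates (typically named after the NDES server or service account).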
Install the Intune Certificate Connector
- In the Intune admin center: Tenant administration > Connectors and tokens > Certificate connectors
- Click Add and download the connector installer
- Run the installer on the NDES server as a local admin
- During setup, sign in with a Global Admin or Intune Admin account to authorize the connector
- After installation, the connector appears in Intune within a few minutes with status Active
The connector service account needs Issue and Manage Certificates permission on the issuing CA. In the CA MMC: right-click the CA > Properties > Security > add the NDES service account with Issue and Manage Certificates. Without this, certificate requests will queue but never be issued.
Create the Intune certificate profiles
You need two profiles deployed in the right order: the trusted root first, the SCEP profile second.
Profile 1: Trusted root certificate
This pushes your root CA certificate to the device's trusted root store — required before SCEP certificates will be trusted.
In Intune: Devices > Configuration profiles > Create profile > Windows 10 and later > Templates > Trusted certificate
- Upload the root CA certificate (.cer file, DER format)
- Destination store: Computer certificate store — Root
- Assign to the same device group as your SCEP profile
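Exporting the root in the right encoding, as an added example that is not part of the original runbook: it walks up the chain from the issuing CA's certificate so the correct root is picked, writes it with `Export-Certificate -Type CERT` (binary DER), and checks the first byte so a Base64 export is caught before it is uploaded. The issuing CA subject filter and output path are placeholders.

```powershell
# Added example (not from the original runbook): export the root CA certificate
# as DER (.cer), walking up from the issuing CA's own certificate.
# Assumptions: run on a domain member with AD CS certificates published;
# the subject filter and output path are placeholders.
param(
    [string]$IssuingCaSubject = "*Contoso Issuing CA*",
    [string]$OutFile = "C:\temp\contoso-root.cer"
)

# The issuing CA certificate lives in the intermediate store, the root in the root store.
$issuing = Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like $IssuingCaSubject } |
    Select-Object -First 1
if (-not $issuing) { throw "Issuing CA certificate not found in Cert:\LocalMachine\CA" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"   # only the trust path matters here
$null = $chain.Build($issuing)

# The last element of a built chain is the trust anchor.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
# A root is self-issued; anything else means the chain never reached an anchor.
if ($root.Subject -ne $root.Issuer) {
    throw "Chain did not terminate in a self-signed root: $($root.Subject)"
}

# -Type CERT writes binary DER; a Base64 (PEM) .cer is a different encoding.
$null = Export-Certificate -Cert $root -FilePath $OutFile -Type CERT -Force

# Sanity-check the encoding: DER starts with an ASN.1 SEQUENCE tag (0x30),
# a Base64 export starts with the ASCII "-----BEGIN" banner.
$firstByte = [System.IO.File]::ReadAllBytes($OutFile)[0]
if ($firstByte -ne 0x30) { throw "$OutFile is not DER encoded" }

"Exported root '{0}' (thumbprint {1}) as DER to {2}" -f $root.Subject, $root.Thumbprint, $OutFile
```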
Profile 2: SCEP certificate profile
In Intune: Devices > Configuration profiles > Create profile > Windows 10 and later > Templates > SCEP certificate
Key fields to configure correctly:
| Field | Recommended value | Notes |
|---|---|---|
| Certificate type | Device or User | Device = machine cert (for Wi-Fi/VPN). User = personal cert (for email/user auth). |
| Subject name format | CN={{DeviceName}} or CN={{UserName}} | Use Intune variables. These get substituted at enrollment time. |
| Subject alternative name | User principal name: {{UserPrincipalName}} | Required for some 802.1X and email scenarios. |
| SCEP Server URLs | https://ndes.corp.contoso.com/certsrv/mscep/mscep.dll | Must be externally reachable or via a proxy. Use HTTPS. The cert on the NDES server must be trusted by devices. |
| Root Certificate | The trusted root profile created above | Link the profiles so the chain is validated. |
Verify certificate deployment
```powershell
# On an enrolled device, check the certificate store
# Run in PowerShell
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*YourCA*" } |
    Select-Object Subject, NotBefore, NotAfter, Thumbprint

# For user certs
Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like "*YourCA*" } |
    Select-Object Subject, NotBefore, NotAfter
```
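Listing the certificate proves it arrived, not that it is usable. The following device-side check is an added example, not code from the original runbook: for each certificate from your CA it confirms the private key is present, that the chain builds to the root the trusted-root profile installed, and that the Subject Alternative Name carries the UPN the SCEP profile promised. The issuer filter is a placeholder; revocation checking is deliberately skipped because an external device usually cannot reach the CA's CRL/OCSP endpoints.

```powershell
# Added example (not from the original runbook): verify SCEP-issued certificates
# on an enrolled device are actually usable. The issuer filter is a placeholder.
param(
    [string]$IssuerMatch   = "*YourCA*",
    [string]$StoreLocation = "LocalMachine"   # use "CurrentUser" for user certificates
)

function Test-ScepCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # 1. The private key must be on the device. An enrolment that stalled part-way
    #    can leave a certificate without a key, which 802.1X/VPN clients skip silently.
    $hasKey = $Cert.HasPrivateKey

    # 2. Build the chain without revocation: this tests only that the root pushed
    #    by the trusted-root profile is present in the device's root store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "NoCheck"
    $chainOk = $chain.Build($Cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # 3. Read the UPN from the Subject Alternative Name extension (OID 2.5.29.17).
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    $san = if ($sanExt) { $sanExt.Format($false) } else { "" }
    $upn = if ($san -match 'Principal Name=([^,\s]+)') { $Matches[1] } else { $null }

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        Expires       = $Cert.NotAfter
        HasPrivateKey = $hasKey
        ChainBuilds   = $chainOk
        ChainStatus   = $chainStatus
        SanUpn        = $upn
        Healthy       = ($hasKey -and $chainOk -and ($Cert.NotAfter -gt (Get-Date)))
    }
}

Get-ChildItem -Path "Cert:\$StoreLocation\My" |
    Where-Object { $_.Issuer -like $IssuerMatch } |
    ForEach-Object { Test-ScepCertificate -Cert $_ } |
    Format-List
```

A certificate with `ChainBuilds = False` and `ChainStatus = UntrustedRoot` almost always means the trusted root profile was not assigned to the same group as the SCEP profile, or has not applied yet.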
In Intune, check the SCEP profile device status. Devices showing Error will have an error code in the detail view. The most common error codes:
| Error | Cause | Fix |
|---|---|---|
| 0x87D1FDE8 | SCEP server URL unreachable from device | Verify NDES URL is reachable from outside the network. Check firewall, DNS, and the NDES IIS binding. |
| 0x80094800 | Certificate template not found or not configured on NDES | Verify the template is published to the CA and the NDES OIDs match the template. |
| Pending on CA | CA requires manager approval for this template | Set the template's issuance requirement to Supply in the request rather than CA manager approval. |
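The template mismatch behind 0x80094800 can be checked on the NDES server directly. The script below is an added example and not part of the original runbook: it reads the three template names NDES is configured to request from its registry key and compares them with the templates the CA actually publishes (via `certutil -CATemplates`). The CA configuration string is a placeholder.

```powershell
# Added example (not from the original runbook): compare the templates NDES is
# configured to request with the templates published on the CA.
# Assumptions: run on the NDES server; the CA config string is a placeholder.
param(
    [string]$CAConfig = "ca01.corp.contoso.com\Contoso Issuing CA"   # "<server>\<CA name>"
)

function Get-NdesTemplates {
    # NDES reads the templates it requests from these three registry values.
    # Each must name a template that exists and is published on the CA.
    $key = "HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP"
    $props = Get-ItemProperty -Path $key
    [ordered]@{
        EncryptionTemplate     = $props.EncryptionTemplate
        GeneralPurposeTemplate = $props.GeneralPurposeTemplate
        SignatureTemplate      = $props.SignatureTemplate
    }
}

function Get-PublishedCaTemplates {
    param([string]$Config)
    # certutil -CATemplates prints one template per line as "<Name>: <Display name> -- ..."
    # and closes with a "CertUtil: ... completed successfully." status line to skip.
    $out = & certutil.exe -CATemplates -config $Config
    $out | ForEach-Object {
        if ($_ -match '^(?<name>[^:\s]+):\s' -and $_ -notmatch '^CertUtil:') { $Matches.name }
    }
}

$ndes      = Get-NdesTemplates
$published = @(Get-PublishedCaTemplates -Config $CAConfig)

foreach ($entry in $ndes.GetEnumerator()) {
    $status = if ($published -contains $entry.Value) { "published" } else { "NOT PUBLISHED" }
    "{0,-24} {1,-35} {2}" -f $entry.Key, $entry.Value, $status
}

# A template NDES requests but the CA does not publish surfaces on the device as a
# generic enrolment error; exit non-zero so the check can run under monitoring.
$missing = @($ndes.Values | Where-Object { $published -notcontains $_ })
if ($missing.Count -gt 0) { exit 1 }
```

The Intune SCEP profile must reference a template that appears as published here and matches what NDES is configured to use; a template that exists in Active Directory but is not published on this CA still produces the same error.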
Summary
The SCEP certificate chain has four components, and failures in any one look the same from the device side. Build in order: NDES service account and role, Certificate Connector, trusted root profile, SCEP profile. Verify each layer before moving to the next. The most common production issues are the NDES service account missing CA issuance permissions, the SCEP URL being unreachable from external devices, and certificate template OID mismatches between NDES and the Intune profile.