HomeNewsletterCommunityToolsArchiveBlogToday's NewsAboutQuick Links Subscribe free
← Back to Blog
Intune CertificatesSCEPPKCSNDESIntuneSecurityAuthenticationMD-102

Intune Certificate Profiles: SCEP, PKCS, NDES and the Full Architecture

IA
Imran Awan
1 July 2026

Password-based authentication is a liability. When you deploy certificate-based authentication in Intune, devices and users prove their identity with a private key that never leaves the device — there is nothing to phish. But certificates are also one of the most complex areas of Intune to configure correctly. This guide walks through the full architecture: Root CA to NDES server to Intune Certificate Connector to SCEP or PKCS profiles, through to VPN, Wi-Fi, and email authentication — and what to do when it breaks.

The Architecture: How It All Connects

Certificate Deployment Architecture — Intune SCEP Flow
Root CA
NDES Server
Intune Certificate Connector
Microsoft Intune
Device Certificate Profile / User Certificate Profile
Downstream from Intune: Device Certificate Profile and User Certificate Profile enable authentication for VPN Wi-Fi Email Authentication

SCEP vs PKCS — Choosing the Right Certificate Type

SCEPPKCS
Full nameSimple Certificate Enrollment ProtocolPublic Key Cryptography Standards #12
Private keyGenerated on the device — never leavesGenerated at the CA, packaged and delivered to device
Infrastructure requiredRoot CA + NDES Server + Intune Certificate ConnectorRoot CA + Intune Certificate Connector (no NDES)
Best forHigh-security environments (private key stays local)Simpler deployments; user certificate scenarios
RevocationSupported via CRL/OCSPSupported via CRL/OCSP
ScalabilityHigh — NDES handles bulk issuanceHigh — no NDES overhead
Recommendation: Use SCEP with NDES for device certificates where the private key must not leave the device (Wi-Fi auth, machine certificates). Use PKCS for user email certificates or simpler deployments where NDES infrastructure is not available.

Setting Up the Certificate Chain

Step 1 — Root CA Certificate Profile

Before you deploy SCEP or PKCS profiles, you must deploy the trusted root certificate to all managed devices. Without this, devices will not trust certificates issued by your internal CA.

Intune Admin Center → Devices → Configuration → Create policy
Platform: Windows 10 and later Profile type: Trusted certificate Upload your Root CA .cer file

Step 2 — NDES Server Configuration (SCEP only)

The Network Device Enrollment Service (NDES) acts as the Registration Authority — devices request certificates from NDES, which validates the request against a challenge password and forwards it to the CA. The Intune Certificate Connector is installed on the NDES server and brokers the communication with Intune.

Windows PowerShell — Verify NDES and Connector service status
# Run on the NDES server
Get-Service -Name "NDESConnectorSvc" | Select Name, Status
Get-Service -Name "AADConnectAgentUpdater" | Select Name, Status

# Check Connector logs
Get-ChildItem "C:\ProgramData\Microsoft\MicrosoftIntuneCertConnector\Logs" |
  Sort LastWriteTime -Desc | Select -First 5

Step 3 — SCEP Certificate Profile

After the Trusted Root profile and NDES/Connector are in place, create the SCEP profile. The critical settings are: Subject name format, SAN (Subject Alternative Name), Key usage, Extended key usage, and the SCEP server URL.

SCEP SettingTypical value for device authentication
Certificate typeDevice
Subject name formatCN={{DeviceName}} or CN={{AAD_Device_ID}}
Subject alternative nameDNS name: {{AAD_Device_ID}}.devices.yourdomain.com
Key usageDigital Signature, Key Encipherment
Extended key usageClient Authentication (1.3.6.1.5.5.7.3.2)
Renewal threshold20% (renew when 20% of lifetime remains)
SCEP server URLYour NDES server URL: https://ndes.yourdomain.com/certsrv/mscep/mscep.dll

Lifecycle Management

Lifecycle eventWhat happens in Intune
Auto-renewalIntune re-issues the SCEP/PKCS request before expiry (controlled by Renewal threshold %). No user action needed.
Certificate revocationWhen a device is wiped, retired, or the profile is removed, Intune revokes the certificate via the CA.
Re-enrollmentIf a device is unenrolled and re-enrolled, new certificates are issued automatically on next policy sync.

Integration: Entra ID, Azure Key Vault, Defender

Microsoft Entra ID: Entra ID provides the device and user identities used in certificate Subject Names. For device certificates, {{AAD_Device_ID}} links the cert to the Entra device object. For user certs, {{UserPrincipalName}} links to the Entra user.
Azure Key Vault: PKCS certificates can be backed by Azure Key Vault as the CA. This is especially relevant for Azure-joined devices where no on-premises CA exists. The Intune Certificate Connector can be configured to use Key Vault as the certificate authority.
Defender for Endpoint: MDE uses certificate trust to validate device identity when onboarding. If your MDE onboarding fails with certificate errors, check the device certificate chain — the root CA certificate profile must apply before the MDE onboarding policy.

Troubleshooting

Check Connector Errors

Windows PowerShell — Scan Connector log for errors
# On the NDES/Connector server
$log = Get-ChildItem "C:\ProgramData\Microsoft\MicrosoftIntuneCertConnector\Logs" | Sort LastWriteTime -Desc | Select -First 1
Select-String -Path $log.FullName -Pattern "error|fail|exception" -CaseSensitive:$false | Select -Last 20
ERROR NDESConnector: Certificate request failed — NDES challenge validation rejected ERROR NDESConnector: CA unreachable — check CA connectivity and RPC firewall rules

Verify Certificate Chain

Windows PowerShell — Verify device certificate and chain on endpoint
# Check certificate store on managed device
Get-ChildItem Cert:\LocalMachine\My | Where {$_.Issuer -like "*YourCA*"} | Select Subject, Issuer, NotAfter, Thumbprint

# Verify chain builds to trusted root
$cert = Get-Item "Cert:\LocalMachine\My\"
$chain = New-Object Security.Cryptography.X509Certificates.X509Chain
$chain.Build($cert)

Common failure patterns

SymptomLikely causeFix
NDES challenge rejectedNDES application pool account lacks CA enroll permissionGrant Enroll permission on the CA certificate template to the NDES service account
Certificate not appearing on deviceTrusted Root profile not applied before SCEP profileCheck assignment and check-in order; deploy Root profile to all devices
Renewal not happeningRenewal threshold too low, or device not checking inIncrease threshold to 20%; check IME logs for renewal attempts
Certificate expired on deviceAuto-renewal failed — usually NDES or Connector offlineCheck Connector service and CA health; re-enrol if needed

Best Practices

Official References

This guide was inspired by Anuradha Kumari's LinkedIn post on Microsoft Intune – Certificate Profiles Configuration Architecture (Chapter 6) — excellent structured learning content for Intune and Azure professionals. Follow Anuradha on LinkedIn for more handwritten study notes at CloudEngineerHub.Com.

Share this post
LinkedIn X / Twitter Reddit Bluesky

More from EndpointWeekly

Intune
Windows Autopilot Complete Overview: Deployment Types,…
The complete Windows Autopilot fundamentals guide: what it is, how it works, User-Driven…
Intune
Intune Win32 App Deployment: Complete Guide from Packaging to…
The complete Win32 app deployment guide: packaging with IntuneWinAppUtil, install and…
Intune
Microsoft Store Apps in Intune — Deployment & Troubleshooting,…
Store for Business is gone — modern Intune Store apps are winget-backed. The full…