Password-based authentication is a liability. When you deploy certificate-based authentication in Intune, devices and users prove their identity with a private key that never leaves the device — there is nothing to phish. But certificates are also one of the most complex areas of Intune to configure correctly. This guide walks through the full architecture: Root CA to NDES server to Intune Certificate Connector to SCEP or PKCS profiles, through to VPN, Wi-Fi, and email authentication — and what to do when it breaks.
The Architecture: How It All Connects
SCEP vs PKCS — Choosing the Right Certificate Type
| | SCEP | PKCS |
|---|---|---|
| Full name | Simple Certificate Enrollment Protocol | Public Key Cryptography Standards #12 |
| Private key | Generated on the device — never leaves | Generated at the CA, packaged and delivered to device |
| Infrastructure required | Root CA + NDES Server + Intune Certificate Connector | Root CA + Intune Certificate Connector (no NDES) |
| Best for | High-security environments (private key stays local) | Simpler deployments; user certificate scenarios |
| Revocation | Supported via CRL/OCSP | Supported via CRL/OCSP |
| Scalability | High — NDES handles bulk issuance | High — no NDES overhead |
Setting Up the Certificate Chain
Step 1 — Root CA Certificate Profile
Before you deploy SCEP or PKCS profiles, you must deploy the trusted root certificate to all managed devices. Without this, devices will not trust certificates issued by your internal CA.
Step 2 — NDES Server Configuration (SCEP only)
The Network Device Enrollment Service (NDES) acts as the Registration Authority — devices request certificates from NDES, which validates the request against a challenge password and forwards it to the CA. The Intune Certificate Connector is installed on the NDES server and brokers the communication with Intune.
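To make the challenge-password step concrete, here is an added toy model of the exchange the paragraph describes: a challenge is issued for a device, the device presents it inside its certificate request, and the Registration Authority accepts it once and then refuses replays, expired challenges and challenges issued to a different device. This is illustrative code written for this guide, not NDES or Intune Connector code; the HMAC construction, the one-hour lifetime and the device-binding rule are assumptions that stand in for the real Intune-side validation.

```python
"""Toy model of NDES challenge-password validation (added example, not NDES code)."""
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL_SECONDS = 3600  # assumption for the model; the real lifetime is set by Intune


class ChallengeIssuer:
    """Issues one-time, time-limited challenge passwords bound to a device identity."""

    def __init__(self, secret: bytes, clock=time.time):
        self._secret = secret
        self._clock = clock
        self._outstanding: dict[str, tuple[str, float]] = {}  # challenge -> (device_id, issued_at)

    def _tag(self, device_id: str, nonce: str) -> str:
        # Binds the random nonce to the device so a challenge cannot be lifted onto another request.
        msg = f"{device_id}:{nonce}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:16]

    def issue(self, device_id: str) -> str:
        nonce = secrets.token_hex(16)  # 32 hex characters
        challenge = nonce + self._tag(device_id, nonce)
        self._outstanding[challenge] = (device_id, self._clock())
        return challenge

    def validate(self, device_id: str, challenge: str) -> tuple[bool, str]:
        # pop() makes the challenge single-use: a replay finds nothing to validate against.
        entry = self._outstanding.pop(challenge, None)
        if entry is None:
            return False, "unknown or already-used challenge"
        issued_to, issued_at = entry
        if self._clock() - issued_at > CHALLENGE_TTL_SECONDS:
            return False, "challenge expired"
        nonce, tag = challenge[:32], challenge[32:]
        if issued_to != device_id or not hmac.compare_digest(tag, self._tag(device_id, nonce)):
            return False, "challenge not bound to this device"
        return True, "ok"


def ndes_handle_request(issuer: ChallengeIssuer, request: dict) -> str:
    """The RA step: validate the challenge, then (here: pretend to) forward the CSR to the CA."""
    ok, reason = issuer.validate(request["device_id"], request["challenge_password"])
    if not ok:
        return f"rejected: {reason}"
    return f"forwarded to CA: subject={request['subject']}"


class FakeClock:
    """Controllable clock so the expiry path can be exercised offline."""

    def __init__(self, t: float):
        self.t = t

    def __call__(self) -> float:
        return self.t


def demo() -> list[str]:
    """Walk the exchange: a valid request, a replay, an expired challenge, a mis-bound one."""
    clock = FakeClock(1_000_000.0)
    issuer = ChallengeIssuer(secret=b"constructed-secret-for-demo", clock=clock)

    challenge = issuer.issue("device-A")
    req = {"device_id": "device-A", "challenge_password": challenge, "subject": "CN=device-A"}
    first = ndes_handle_request(issuer, req)
    replay = ndes_handle_request(issuer, req)  # same challenge presented a second time

    stale = issuer.issue("device-B")
    clock.t += CHALLENGE_TTL_SECONDS + 1
    expired = ndes_handle_request(
        issuer, {"device_id": "device-B", "challenge_password": stale, "subject": "CN=device-B"})

    other = issuer.issue("device-C")
    mismatch = ndes_handle_request(
        issuer, {"device_id": "device-X", "challenge_password": other, "subject": "CN=device-X"})
    return [first, replay, expired, mismatch]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the model is the three refusal paths: a challenge is consumed on first use, it dies after its lifetime, and it only works for the identity it was issued to. When NDES rejects a challenge in production, the usual cause is the permission problem listed in the troubleshooting table below, not one of these checks, but the checks are what make the challenge worth protecting in the first place.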
Step 3 — SCEP Certificate Profile
After the Trusted Root profile and NDES/Connector are in place, create the SCEP profile. The critical settings are: Subject name format, SAN (Subject Alternative Name), Key usage, Extended key usage, and the SCEP server URL.
| SCEP Setting | Typical value for device authentication |
|---|---|
| Certificate type | Device |
| Subject name format | CN={{DeviceName}} or CN={{AAD_Device_ID}} |
| Subject alternative name | DNS name: {{AAD_Device_ID}}.devices.yourdomain.com |
| Key usage | Digital Signature, Key Encipherment |
| Extended key usage | Client Authentication (1.3.6.1.5.5.7.3.2) |
| Renewal threshold | 20% (renew when 20% of lifetime remains) |
| SCEP server URL | Your NDES server URL: https://ndes.yourdomain.com/certsrv/mscep/mscep.dll |
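As an added example (not Intune code), the following script renders the subject and SAN templates from the table against a constructed device record and runs a few sanity checks on the profile before it is assigned: the `{{...}}` variables must be ones Intune knows, a device certificate should not carry a user variable, the Client Authentication EKU and Digital Signature key usage must be present, the renewal threshold should not sit below the 20% the guide recommends, and the SCEP URL should be HTTPS and point at `mscep.dll`. The device record, GUID and rule set are assumptions made for illustration.

```python
"""Render and sanity-check SCEP profile settings (added example, not Intune code)."""
import re
from urllib.parse import urlparse

CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"
KNOWN_VARIABLES = {"DeviceName", "AAD_Device_ID", "UserPrincipalName"}
RECOMMENDED_RENEWAL_PCT = 20  # the value the guide recommends
VAR_PATTERN = re.compile(r"\{\{(\w+)\}\}")

# Constructed profile mirroring the table above; hostnames are placeholders, not a real tenant.
SCEP_PROFILE = {
    "certificate_type": "Device",
    "subject_name_format": "CN={{AAD_Device_ID}}",
    "subject_alternative_name": "DNS name: {{AAD_Device_ID}}.devices.yourdomain.com",
    "key_usage": ["Digital Signature", "Key Encipherment"],
    "extended_key_usage": [CLIENT_AUTH_EKU],
    "renewal_threshold_percent": 20,
    "scep_server_url": "https://ndes.yourdomain.com/certsrv/mscep/mscep.dll",
}

# Constructed device record; the GUID is made up for the example.
DEVICE = {
    "DeviceName": "LAPTOP-0042",
    "AAD_Device_ID": "0f3a1c2e-1111-2222-3333-444455556666",
}


def render(template: str, values: dict) -> str:
    """Substitute {{Variable}} tokens; an unknown variable raises instead of being emitted literally."""
    def repl(match: re.Match) -> str:
        name = match.group(1)
        if name not in values:
            raise KeyError(f"unresolved profile variable {{{{{name}}}}}")
        return values[name]
    return VAR_PATTERN.sub(repl, template)


def validate_profile(profile: dict) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for field in ("subject_name_format", "subject_alternative_name"):
        for var in VAR_PATTERN.findall(profile[field]):
            if var not in KNOWN_VARIABLES:
                findings.append(f"{field}: unknown variable {{{{{var}}}}}")
    if profile["certificate_type"] == "Device" and "UserPrincipalName" in profile["subject_name_format"]:
        findings.append("subject_name_format: user variable in a device certificate")
    if CLIENT_AUTH_EKU not in profile["extended_key_usage"]:
        findings.append("extended_key_usage: Client Authentication EKU missing")
    if "Digital Signature" not in profile["key_usage"]:
        findings.append("key_usage: Digital Signature missing")
    if profile["renewal_threshold_percent"] < RECOMMENDED_RENEWAL_PCT:
        findings.append(f"renewal_threshold_percent: below recommended {RECOMMENDED_RENEWAL_PCT}%")
    url = urlparse(profile["scep_server_url"])
    if url.scheme != "https":
        findings.append("scep_server_url: must use https")
    if not url.path.lower().endswith("/certsrv/mscep/mscep.dll"):
        findings.append("scep_server_url: does not point at the NDES mscep.dll endpoint")
    return findings


def rendered_subject(profile: dict = SCEP_PROFILE, device: dict = DEVICE) -> str:
    return render(profile["subject_name_format"], device)


def rendered_san(profile: dict = SCEP_PROFILE, device: dict = DEVICE) -> str:
    return render(profile["subject_alternative_name"], device)


if __name__ == "__main__":
    print(rendered_subject())
    print(rendered_san())
    print(validate_profile(SCEP_PROFILE) or "profile OK")
```

Running the checks against a copy of the profile with an `http://` URL and a 5% threshold produces two findings, which is the kind of mistake worth catching before the profile reaches thousands of devices and each one submits a request NDES cannot serve.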
Lifecycle Management
| Lifecycle event | What happens in Intune |
|---|---|
| Auto-renewal | Intune re-issues the SCEP/PKCS request before expiry (controlled by Renewal threshold %). No user action needed. |
| Certificate revocation | When a device is wiped, retired, or the profile is removed, Intune revokes the certificate via the CA. |
| Re-enrollment | If a device is unenrolled and re-enrolled, new certificates are issued automatically on next policy sync. |
Integration: Entra ID, Azure Key Vault, Defender
{{AAD_Device_ID}} links the cert to the Entra device object. For user certs, {{UserPrincipalName}} links to the Entra user.
Troubleshooting
Check Connector Errors
Verify Certificate Chain
Common failure patterns
| Symptom | Likely cause | Fix |
|---|---|---|
| NDES challenge rejected | NDES application pool account lacks CA enroll permission | Grant Enroll permission on the CA certificate template to the NDES service account |
| Certificate not appearing on device | Trusted Root profile not applied before SCEP profile | Check assignment and check-in order; deploy Root profile to all devices |
| Renewal not happening | Renewal threshold too low, or device not checking in | Increase threshold to 20%; check IME logs for renewal attempts |
| Certificate expired on device | Auto-renewal failed — usually NDES or Connector offline | Check Connector service and CA health; re-enrol if needed |
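The lifecycle table and the last two rows of this troubleshooting table both turn on the renewal threshold: renewal starts when the configured percentage of the certificate's lifetime remains, and a certificate that reaches expiry has missed that window. The script below is an added example (not Intune code, and not the Intune certificate expiry report) that computes the renewal window from `Renewal threshold %`, then triages a constructed inventory into healthy, due-for-renewal, and expired, using the last check-in time to separate "device not checking in" from "device is syncing but NDES/Connector is not issuing". The inventory rows, dates and the 24-hour check-in cut-off are assumptions.

```python
"""Renewal-window and expiry triage from the Renewal threshold % (added example, not Intune code)."""
from datetime import datetime, timedelta, timezone

RENEWAL_THRESHOLD_PCT = 20           # matches the guide's recommended setting
CHECKIN_STALE_AFTER = timedelta(hours=24)  # assumption: a device silent longer than this is "not checking in"


def renewal_start(not_before: datetime, not_after: datetime, threshold_pct: int) -> datetime:
    """Renewal begins when threshold_pct of the certificate lifetime remains."""
    lifetime = not_after - not_before
    return not_after - lifetime * threshold_pct / 100  # integer math on timedelta keeps this exact


def classify(cert: dict, now: datetime, threshold_pct: int = RENEWAL_THRESHOLD_PCT) -> tuple[str, str]:
    """Return (status, next action) for one certificate record."""
    if now >= cert["not_after"]:
        return "expired", "auto-renewal failed; check Connector/CA health and re-enrol if needed"
    if now < renewal_start(cert["not_before"], cert["not_after"], threshold_pct):
        return "ok", "outside renewal window"
    if now - cert["last_checkin"] > CHECKIN_STALE_AFTER:
        return "renewal_due", "device not checking in; fix enrollment/connectivity first"
    return "renewal_due", "device is syncing; check NDES/Connector and IME logs for renewal attempts"


def triage(inventory: list[dict], now: datetime) -> dict[str, tuple[str, str]]:
    return {cert["device"]: classify(cert, now) for cert in inventory}


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed inventory; device names and validity periods are made up for the example.
INVENTORY = [
    {"device": "LAPTOP-0001", "not_before": _utc(2025, 6, 1), "not_after": _utc(2026, 6, 1),
     "last_checkin": _utc(2025, 11, 14)},
    {"device": "LAPTOP-0002", "not_before": _utc(2025, 1, 1), "not_after": _utc(2026, 1, 1),
     "last_checkin": _utc(2025, 11, 14)},
    {"device": "LAPTOP-0003", "not_before": _utc(2025, 1, 1), "not_after": _utc(2026, 1, 1),
     "last_checkin": _utc(2025, 9, 1)},
    {"device": "LAPTOP-0004", "not_before": _utc(2024, 10, 1), "not_after": _utc(2025, 10, 1),
     "last_checkin": _utc(2025, 11, 14)},
]
NOW = _utc(2025, 11, 15)


if __name__ == "__main__":
    for device, (status, action) in triage(INVENTORY, NOW).items():
        print(f"{device}: {status} - {action}")
```

With a one-year certificate and a 20% threshold the window opens 73 days before expiry; a threshold of 5% would open it only 18 days out, which is why the guide recommends 20% as runway for an NDES or Connector outage.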
Best Practices
- Use SCEP with NDES for device certificates — private key stays on the device
- Deploy the Trusted Root certificate profile before any SCEP or PKCS profile
- Set renewal threshold to 20% — gives enough runway for NDES outages without expiry
- Monitor certificate expiry with Intune Reports → Device configuration → Certificate expiry
- Store recovery keys securely — for PKCS, use Azure Key Vault; for SCEP, back up the CA private key offline
- Use Intune Certificate Connector v6.x (the unified connector, not the legacy NDES Connector)
Official References
- Use certificates for authentication in Microsoft Intune
- Configure infrastructure for SCEP certificates
- Configure and use PKCS certificates with Intune
- Certificate Connector for Microsoft Intune
This guide was inspired by Anuradha Kumari's LinkedIn post on Microsoft Intune – Certificate Profiles Configuration Architecture (Chapter 6) — excellent structured learning content for Intune and Azure professionals. Follow Anuradha on LinkedIn for more handwritten study notes at CloudEngineerHub.Com.