Intune Validation

AppConfig:IntuneValidation:ComplianceCheck

Experimental Setting - Applicable to version 1.7 and above.
SCEPman Enterprise Edition only
Before version 1.9, this feature breaks Windows Autopilot enrollment because the compliance state is evaluated with a delay during enrollment: the OCSP check that immediately follows certificate deployment returns 'not valid' while enrollment is still in progress, and the Autopilot process does not succeed.
With version 1.9 and above, clients receive an "Ephemeral Bootstrap Certificate" during the enrollment phase that is later replaced with a regular client certificate, as soon as the client becomes compliant.
Value: Always or Never
Description: When SCEPman receives an OCSP request, SCEPman can optionally check the device compliance state. When set to Always, SCEPman queries the device compliance state, and the OCSP result can only be GOOD if the device is also marked as compliant in Azure AD.
Setting this to Never disables the compliance check.

AppConfig:IntuneValidation:DeviceDirectory

Applicable to version 2.0 and above
Value: AAD (default for SCEPman 2.0), Intune, AADAndIntune, or ADDAndIntuneOpportunistic (applies to version 2.1 and above and default for these versions)
Determines where to look up devices on OCSP requests for device certificates. The corresponding directory is queried for a device matching the device ID written to the certificate's subject CN field. The certificate is valid only if the device exists. For AAD, the device must also be enabled (Intune does not support disabling devices). If the ComplianceCheck is activated, the device must also be compliant. AAD is used if nothing is configured, and always for SCEPman 1.9 and earlier.
Hence, you must configure the Intune configuration profile for devices accordingly. {{AAD_Device_ID}} is the AAD device ID, while {{DeviceID}} is the Intune device ID.
For AADAndIntune, both directories are queried in parallel. In this case, it is sufficient that the device exists in one of the two directories. This setting enables migrating from one setting to the other when there are still valid certificates for both types of directories. It also supports cases where you configure platforms differently. It can also be used as a workaround for iOS or Android devices that receive an Intune ID instead of an AAD ID, because they are not fully AAD-joined at the time of certificate enrollment.
If you have upgraded from SCEPman 1.x to SCEPman 2.x and you are still using an App Registration for SCEPman permissions, SCEPman lacks the permissions to query Intune for devices, so you are limited to the AAD option. The option ADDAndIntuneOpportunistic checks whether the permissions to query Intune have been granted to SCEPman: if they have, it works like AADAndIntune; if they have not, it behaves like AAD.
SCEPman 2.0: Certificate Validation

AppConfig:IntuneValidation:RevokeCertificatesOnWipe

Applicable to version 2.1 and above.
Value: true (default) or false
Description: This setting extends the validation of devices when the Intune Device ID is used. If it is enabled, SCEPman evaluates the Management State property of the Intune device whenever its device certificate is validated. If the state is one of the following values, the certificate is revoked:
  • RetirePending
  • RetireFailed
  • WipePending
  • WipeFailed
  • Unhealthy
  • DeletePending
  • RetireIssued
  • WipeIssued
In particular, this means that when an administrator triggers a Wipe or Retire for a device, the certificate is revoked immediately. Even if the device is shut down or offline, so that the action cannot be performed on the device, the certificate is no longer valid.
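The following Python model ties together the device-certificate rules described under ComplianceCheck, DeviceDirectory and RevokeCertificatesOnWipe. It is an added illustration, not SCEPman's code: the directory contents, device IDs and in-memory lookups are constructed for the example (SCEPman queries Azure AD and Intune instead), the `intune_permissions_granted` flag stands in for SCEPman's permission check, and the reading of AADAndIntune as "any queried directory that finds and accepts the device makes the certificate GOOD" is an assumption drawn from the text above.

```python
"""Model of the device-certificate OCSP decision described by the
ComplianceCheck, DeviceDirectory and RevokeCertificatesOnWipe settings.
Added illustration, not SCEPman's code; all data below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Intune management states listed under RevokeCertificatesOnWipe.
REVOKING_MANAGEMENT_STATES = frozenset({
    "RetirePending", "RetireFailed", "WipePending", "WipeFailed",
    "Unhealthy", "DeletePending", "RetireIssued", "WipeIssued",
})

GOOD, REVOKED = "good", "revoked"


@dataclass
class AadDevice:
    enabled: bool
    compliant: bool


@dataclass
class IntuneDevice:
    compliant: bool
    management_state: str  # e.g. "Managed" or "WipePending"


@dataclass
class Settings:
    device_directory: str = "AAD"     # AAD | Intune | AADAndIntune | ADDAndIntuneOpportunistic
    compliance_check: str = "Never"   # Always | Never
    revoke_certificates_on_wipe: bool = True
    # Assumption: stands in for SCEPman's check whether the Intune query
    # permissions were granted (the App Registration case in the text).
    intune_permissions_granted: bool = True


@dataclass
class Directories:
    aad: Dict[str, AadDevice] = field(default_factory=dict)
    intune: Dict[str, IntuneDevice] = field(default_factory=dict)


def _check_aad(device_id: str, dirs: Directories, s: Settings) -> Optional[str]:
    """GOOD/REVOKED if AAD knows the device, None if it does not."""
    dev = dirs.aad.get(device_id)
    if dev is None:
        return None
    if not dev.enabled:  # an AAD device must be enabled
        return REVOKED
    if s.compliance_check == "Always" and not dev.compliant:
        return REVOKED
    return GOOD


def _check_intune(device_id: str, dirs: Directories, s: Settings) -> Optional[str]:
    """GOOD/REVOKED if Intune knows the device, None if it does not."""
    dev = dirs.intune.get(device_id)
    if dev is None:
        return None
    if s.revoke_certificates_on_wipe and dev.management_state in REVOKING_MANAGEMENT_STATES:
        return REVOKED  # wipe/retire pending or issued: revoked even if the device is offline
    if s.compliance_check == "Always" and not dev.compliant:
        return REVOKED
    return GOOD


def ocsp_status(device_id: str, dirs: Directories, s: Settings) -> str:
    """OCSP answer for a device certificate whose subject CN holds device_id."""
    if s.compliance_check not in ("Always", "Never"):
        raise ValueError(f"ComplianceCheck must be Always or Never, got {s.compliance_check!r}")
    directory = s.device_directory
    if directory == "ADDAndIntuneOpportunistic":
        # Like AADAndIntune when the Intune permissions exist, like AAD otherwise.
        directory = "AADAndIntune" if s.intune_permissions_granted else "AAD"
    if directory not in ("AAD", "Intune", "AADAndIntune"):
        raise ValueError(f"unsupported DeviceDirectory value {directory!r}")

    results: List[Optional[str]] = []
    if directory in ("AAD", "AADAndIntune"):
        results.append(_check_aad(device_id, dirs, s))
    if directory in ("Intune", "AADAndIntune"):
        results.append(_check_intune(device_id, dirs, s))
    # A device unknown to every queried directory has no valid certificate;
    # with AADAndIntune one accepting directory is sufficient (assumption).
    return GOOD if GOOD in results else REVOKED


def sample_directories() -> Directories:
    """Constructed sample data; the IDs are placeholders, not real device IDs."""
    return Directories(
        aad={
            "aad-compliant": AadDevice(enabled=True, compliant=True),
            "aad-noncompliant": AadDevice(enabled=True, compliant=False),
            "aad-disabled": AadDevice(enabled=False, compliant=True),
        },
        intune={
            "intune-managed": IntuneDevice(compliant=True, management_state="Managed"),
            "intune-wiping": IntuneDevice(compliant=True, management_state="WipePending"),
        },
    )
```

Running `ocsp_status` over the sample directories with each DeviceDirectory value shows why the migration case matters: a device that only exists in Intune is "revoked" under AAD, "good" under Intune or AADAndIntune, and its answer under ADDAndIntuneOpportunistic flips with the permission flag.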

AppConfig:IntuneValidation:UntoleratedUserRisks

Experimental Setting - Applicable to version 2.2 and above.
SCEPman Enterprise Edition only
Value: Comma-separated list of User Risk Levels, e.g. Low, Medium, High.
Description: This setting only has an effect if you set UserRiskCheck to Always. Certificates of users with risk levels in this list will be considered invalid.
Example: You define Medium,High for this setting. A user has Risk Level Low. The user's certificate is valid and the certificate can be used to connect to the corporate VPN. Then, a risk event increases the User Risk Level to Medium. The user tries to connect to the VPN, but does not succeed, because the VPN Gateway checks the validity of the certificate in real-time and SCEPman responds that it is revoked.

AppConfig:IntuneValidation:UserRiskCheck

Experimental Setting - Applicable to version 2.2 and above.
SCEPman Enterprise Edition only
Value: Always or Never
Description: When SCEPman receives an OCSP request for a certificate issued to an Intune user, SCEPman can optionally check the user risk level. When set to Always, SCEPman queries the user risk state, and the OCSP result can only be GOOD if the user's risk level is not in the list of UntoleratedUserRisks.
Setting this to Never disables the user risk check.
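The following Python model covers the UntoleratedUserRisks and UserRiskCheck settings together and replays the VPN example given above. It is an added illustration, not SCEPman's code; the parsing rules (entries are trimmed and compared case-insensitively, an empty setting means no level is untolerated, a stray empty entry such as "Medium,,High" is rejected) are assumptions made for the example.

```python
"""Model of the UserRiskCheck / UntoleratedUserRisks decision for certificates
issued to Intune users. Added illustration, not SCEPman's code; the parsing
rules below are assumptions."""
from typing import FrozenSet, Tuple

GOOD, REVOKED = "good", "revoked"


def parse_untolerated_user_risks(value: str) -> FrozenSet[str]:
    """Parses the comma-separated setting value, e.g. "Medium,High".

    Entries are trimmed and lower-cased (assumption). An empty or blank
    value yields an empty set; an empty entry inside a list is an error,
    because silently dropping it would hide a misconfiguration."""
    if not value.strip():
        return frozenset()
    levels = set()
    for token in value.split(","):
        token = token.strip().lower()
        if not token:
            raise ValueError(f"empty entry in UntoleratedUserRisks: {value!r}")
        levels.add(token)
    return frozenset(levels)


def user_certificate_status(user_risk_level: str, user_risk_check: str,
                            untolerated: FrozenSet[str]) -> str:
    """OCSP answer for a user certificate, given the user's current risk level."""
    if user_risk_check == "Never":
        return GOOD  # the risk state is not queried at all
    if user_risk_check != "Always":
        raise ValueError(f"UserRiskCheck must be Always or Never, got {user_risk_check!r}")
    # Note: with Always and an empty UntoleratedUserRisks list nothing is ever
    # revoked, so the list must actually be populated for the check to bite.
    return REVOKED if user_risk_level.strip().lower() in untolerated else GOOD


def documented_scenario() -> Tuple[str, str]:
    """Replays the example above: Medium,High configured; the user is at Low
    (VPN connection succeeds), then a risk event raises the level to Medium
    (the VPN gateway's real-time OCSP check now gets 'revoked')."""
    untolerated = parse_untolerated_user_risks("Medium,High")
    before = user_certificate_status("Low", "Always", untolerated)
    after = user_certificate_status("Medium", "Always", untolerated)
    return before, after
```

`documented_scenario()` returns `("good", "revoked")`, which is the behaviour the example describes; the same function with UserRiskCheck set to Never would answer "good" both times regardless of the list.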

AppConfig:IntuneValidation:WaitForSuccessNotificationResponse

Applicable to version 1.6 and above
Value: true or false
Description: After a certificate has been successfully issued, SCEPman sends a notification about the certificate to Intune. Microsoft's specification recommends waiting for Intune's response, so true is the default. However, some instances occasionally show long delays that result in timeouts.
Setting this to false makes SCEPman return the issued certificate before Intune answers the notification. This is against the letter of the specification, but it increases performance and avoids timeouts in instances where this issue occurs.

AppConfig:IntuneValidation:ValidityPeriodDays

Applicable to version 1.7 and above
Value: Positive Integer
Description: This setting further reduces the global ValidityPeriodDays for certificates issued through the Intune endpoint.