Intune Validation

AppConfig:IntuneValidation:ComplianceCheck

Value: Always or Never (default)

Description: When SCEPman receives an OCSP request, SCEPman can optionally check the device compliance state. When set to Always SCEPman will query the device compliance state and the OCSP result can only be GOOD if the device is also marked as compliant in Azure AD.

Setting this to Never will disable the compliance check.

AppConfig:IntuneValidation:ComplianceGracePeriodMinutes

Value: Integer (default: 0)

Description: Immediately after enrollment, devices are often not yet compliant in Intune. This setting defines a grace period in minutes during which the device is considered compliant, even if it is not yet. If the device is not compliant after the grace period, the certificate is revoked. This prevents the problem of a Windows device that is just enrolling and needs to successfully complete the SCEP profile in order to finish Windows Autopilot enrollment, but will become compliant in Intune only some time later.

It is an alternative to using Ephemeral Bootstrap Certificates. If you configure any value above 0, SCEPman will never issue Ephemeral Bootstrap Certificates.

This setting is only effective if ComplianceCheck is set to Always.

AppConfig:IntuneValidation:DeviceDirectory

Value: String

Available options:

• AAD (default for SCEPman 2.0)

• Intune

• AADAndIntune

• AADAndIntuneOpportunistic (default for SCEPman 2.1 or newer)

• AADAndIntuneAndEndpointlist (available in SCEPman 2.2 and newer)

Description: Determines where to look up devices on OCSP requests for device certificates. The corresponding directory is queried for a device matching the device ID written to the certificate's subject CN field. The certificate is valid only if the device exists. For AAD, it must also be enabled (Intune doesn't support disabling devices). If the ComplianceCheck is activated, the device must also be compliant. If nothing is configured and for SCEPman 1.9 and before, AAD is used.

Hence, you must configure the Intune configuration profile for devices accordingly. {{AAD_Device_ID}} is the AAD device ID, while {{DeviceID}} is the Intune device ID.

For AADAndIntune, both directories are queried in parallel. In this case, it is sufficient that the device exists in one of the two directories. This setting enables migrating from one setting to the other when there are still valid certificates for both types of directories. It also supports cases where you configure platforms differently. It can also be used as a workaround for iOS or Android devices that receive an Intune ID instead of an AAD ID, because they are not fully AAD-joined at the time of certificate enrollment.

If you have upgraded from SCEPman 1.x to SCEPman 2.x and you are still using an App Registration for SCEPman permissions, SCEPman lacks the permissions to query Intune for devices. Thus, you are limited to the AAD option. The option AADAndIntuneOpportunistic checks whether the permissions to query Intune have been granted to SCEPman. If they are there, this works like AADAndIntune. If they are not there, this behaves like AAD.

The value AADAndIntuneAndEndpointlist works just like AADAndIntune, but additionally queries Intune's list of issued certificates. If Intune triggered the revocation of a certificate, this will make the certificate revoked in SCEPman.

AppConfig:IntuneValidation:RevokeCertificatesOnWipe

Value: true (default) or false

Description: This setting extends validation of devices when using the Intune Device ID. If it is enabled, SCEPman evaluates the Management State property of an Intune Device when its device certificate is validated. If the state indicates one of the following values, the certificate is revoked:

• RetirePending

• RetireFailed

• WipePending

• WipeFailed

• Unhealthy

• DeletePending

• RetireIssued

• WipeIssued

Especially, this means that when an administrator triggers a Wipe or Retire for a device, the certificate will be revoked immediately. Even if the device is shutdown or offline and therefore the action cannot be performed on the device, the certificate is not valid anymore.

AppConfig:IntuneValidation:UntoleratedUserRisks

Value: Comma-separated list of User Risk Levels, e.g. Low, Medium, High.

Description: This setting only has an effect if you set UserRiskCheck to Always. Certificates of users with risk levels in this list will be considered invalid.

Example: You define Medium,High for this setting. A user has Risk Level Low. The user's certificate is valid and the certificate can be used to connect to the corporate VPN. Then, a risk event increases the User Risk Level to Medium. The user tries to connect to the VPN, but does not succeed, because the VPN Gateway checks the validity of the certificate in real-time and SCEPman responds that it is revoked.

AppConfig:IntuneValidation:UserRiskCheck

Value: Always or Never (default)

Description: When SCEPman receives an OCSP request for a certificate issued to an Intune user, SCEPman can optionally check the user risk level. When set to Always SCEPman will query the user risk state and the OCSP result can only be GOOD if the user's risk is not in the list of UntoleratedUserRisks.

Setting this to Never will disable the user risk check.

AppConfig:IntuneValidation:WaitForSuccessNotificationResponse

Value: true (default) or false

Description: After a certificate was successfully issued, SCEPman sends a notification about the certificate to Intune. Microsoft recommends to wait for the response in its specification. However, some instances show long delays resulting in timeouts occasionally. Therefore True is the default.

Setting this to False makes SCEPman return the issued certificate before Intune answers to the notification. This is against the letters of the specification, but increases performance and avoids timeouts in instances where this issue arises.

AppConfig:IntuneValidation:ValidityPeriodDays

Value: Positive Integer

Description: This setting further reduces the global ValidityPeriodDays for the Intune endpoint.

AppConfig:IntuneValidation:EnableCertificateStorage

Value: true or false (default)

Description: When requesting certificates via the Intune endpoint, SCEPman stores those requested certificates in the Storage Account in Azure if this is set to true. This will make the issued certificates appear in SCEPman Certificate Master, where you can view and revoke them manually. Additionally, certificates are revoked automatically when the associated Entra or Intune object goes into an invalid state as specified by the other settings (like being disabled or deleted). If set to false or not set, SCEPman will not store issued certificates and the certificates are visible only in the logs or in the classic Intune view on Certificate Master or the Intune portal.