Windows
The following article describes deploying device and/or user certificates for Windows devices. Deploying the SCEPman Root Certificate is mandatory. Afterward, you can choose between deploying only the device certificate, only the user certificate, or both certificate types.
The basis for deploying SCEP certificates is to trust the root certificate of SCEPman. Therefore, you have to download the CA Root certificate and deploy it as a Trusted certificate profile via Microsoft Intune:
You may use SCEPman for transactional digital signatures, i.e. for S/MIME signing in Microsoft Outlook. If you plan to use the certificates for message signing, you need to add the corresponding extended key usages in the Intune profile configuration.
Do not use SCEPman for email encryption, i.e. for S/MIME mail encryption in Microsoft Outlook, without a separate technology for key management. The SCEP protocol includes no mechanism to back up or archive private key material, so if you used SCEP-issued keys for email encryption, you could later lose the keys needed to decrypt the messages.
After a successful profile sync, you should see the user certificate with the Intended Purposes value Secure Email.
The certificate will then be available for Digital Signature usage, e.g. in Outlook. Below is an example of its usage:
You can sign emails with S/MIME in Outlook on the Web using certificates from your local Windows machine. You need to enable this with the following command:
See https://learn.microsoft.com/en-us/powershell/module/exchange/set-smimeconfig for more details.
{{DeviceId}}: This ID is generated and used by Intune.
(requires SCEPman 2.0 or higher and to be set to Intune or AADAndIntune)
Important: The choice of the CN field affects the of certificates issued to your Intune-managed devices.
You can add other RDNs if needed (e.g. CN={{DeviceId}}, O=Contoso, CN={{WiFiMacAddress}}). Supported variables are listed in the .
The URI field is for NAC solutions to identify the devices based on their Intune Device ID. The value should be:
SCEPman caps the certificate validity to the configured maximum in setting , but otherwise uses the validity configured in the request.
Update: You can work around the TPM bug by removing the RSA-PSS signature algorithms that cause the issue from the registry. For more information, please check and
SCEPman automatically sets the Key usage to Digital signature and Key encipherment and overrides the setting here unless the setting is set to true.
Please select the Intune profile from . If you are using an , you must select the Trusted certificate profile for the Intermediate CA, not the Root CA!
Please follow the instructions of and take care of the following differences:
You can define RDNs based on your needs. Supported variables are listed in the . We recommend including the username (e.g. janedoe) and email address (e.g. janedoe@contoso.com) as a baseline setting.
set to true
set to 365 (a maximum value of 1825, i.e. 5 years, is possible)
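After the profile has synced, the following added PowerShell script (not part of the SCEPman documentation or product) inspects the issued certificate in the local store and checks it against the settings described above: the CN built from the Intune Device ID, the Digital Signature and Key Encipherment key usage SCEPman sets, the Secure Email extended key usage, and the 365-day validity. The issuer substring, the Device ID and the store path are assumptions passed as parameters; replace the placeholders for your tenant.

```powershell
# Added verification script, not from the SCEPman docs or product: check that a
# certificate issued via the Intune SCEP profile carries the expected subject,
# key usage, extended key usage and validity. Placeholders must be replaced.

param(
    # Assumption: a substring that identifies your SCEPman CA in the Issuer field
    [string]$IssuerPattern = 'SCEPman',
    # Placeholder: the Intune Device ID the profile inserted via {{DeviceId}}
    [string]$ExpectedDeviceId = '<INTUNE-DEVICE-ID>',
    # Validity period recommended on this page (Intune setting set to 365 days)
    [int]$MaxValidityDays = 365,
    # Cert:\LocalMachine\My for device certificates, Cert:\CurrentUser\My for user certificates
    [string]$StorePath = 'Cert:\LocalMachine\My'
)

$secureEmailOid = '1.3.6.1.5.5.7.3.4'   # EKU "Secure Email" (id-kp-emailProtection)
$kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

$certs = Get-ChildItem -Path $StorePath | Where-Object { $_.Issuer -like "*$IssuerPattern*" }
if (-not $certs) { Write-Warning "No certificate issued by '*$IssuerPattern*' in $StorePath"; return }

foreach ($cert in $certs) {
    $ku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
    $sanText = if ($san) { $san.Format($false) } else { '<none>' }

    # SCEPman sets Key Usage to Digital Signature and Key Encipherment (see above)
    $kuOk = $ku -and
            $ku.KeyUsages.HasFlag($kuFlags::DigitalSignature) -and
            $ku.KeyUsages.HasFlag($kuFlags::KeyEncipherment)
    $validityDays = ($cert.NotAfter - $cert.NotBefore).TotalDays

    [pscustomobject]@{
        Thumbprint         = $cert.Thumbprint
        Subject            = $cert.Subject
        SubjectHasDeviceId = $cert.Subject -match [regex]::Escape("CN=$ExpectedDeviceId")
        SubjectAltName     = $sanText          # URI for NAC solutions, if configured in the profile
        KeyUsageOk         = [bool]$kuOk
        SecureEmailEku     = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $secureEmailOid }))
        ValidityDays       = [int]$validityDays
        ValidityWithinMax  = $validityDays -le $MaxValidityDays
        HasPrivateKey      = $cert.HasPrivateKey
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # relevant to the RSA-PSS/TPM note above
    }
}
```

Run it in an elevated session for the LocalMachine store; a `SecureEmailEku` of False on a certificate meant for S/MIME signing means the extended key usage was not added to the Intune profile.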
To deploy user certificates used for Digital Signatures please follow the instructions of and take care of the following differences and notes:
The S/MIME feature is not available for the latest Outlook client. More info .
Once you have deployed S/MIME signature certificates to your client machines, you must configure Outlook to use these certificates before sending signed emails. You can do this manually or use our .