
Windows

Deploy certificates to Windows devices via SCEP in Intune using SCEPman.

Last updated 3 months ago

The following article describes how to deploy device and/or user certificates to Windows devices. Deploying the SCEPman Root Certificate is mandatory. Afterward, you can choose to deploy only device certificates, only user certificates, or both.

Root Certificate

The basis for deploying SCEP certificates is trust in the SCEPman root certificate. Therefore, you have to download the CA Root certificate and deploy it as a Trusted certificate profile via Microsoft Intune.

Note that you have to use the same group for assigning the Trusted certificate and SCEP profile. Otherwise, the Intune deployment might fail.

Device Certificates

Certificate type: Device

In this section we are setting up a device certificate.

Subject name format: CN={{DeviceName}} or CN={{DeviceId}} or CN={{AAD_Device_ID}}

Recommended: Use {{DeviceName}} for the CN RDN so that the certificate has a meaningful name on the device and when searching for it.

Optional: If configured to CN={{DeviceId}} or CN={{AAD_Device_ID}}, SCEPman uses the CN field of the subject name to identify the device and as a seed for generating the certificate serial number. Microsoft Entra ID (Azure AD) and Intune offer two different IDs:

  • {{AAD_Device_ID}}: This ID is generated and used by Microsoft Entra ID (Azure AD).

  • {{DeviceId}}: This ID is generated and used by Intune (requires SCEPman 2.0 or higher and AppConfig:IntuneValidation:DeviceDirectory set to Intune or AADAndIntune).

If neither CN={{DeviceId}} nor CN={{AAD_Device_ID}} is used for the CN field (e.g. CN={{DeviceName}}), SCEPman identifies the device by the Intune Device ID provided in the subject alternative name (SAN) as a URI value: IntuneDeviceId://{{DeviceId}}.

Subject alternative name: (URI)Value: IntuneDeviceId://{{DeviceId}}

The URI field is mandatory in case neither CN={{DeviceId}} nor CN={{AAD_Device_ID}} is used in the Subject name format field.

Other SAN values like DNS can be added if needed.

Certificate validity period: 1 year

The validity period of the issued certificate. The default is one year.

Key storage provider (KSP): Enroll to Trusted Platform Module (TPM) KSP, otherwise fail

This setting determines where the private key of the certificate is stored. Storage in the TPM is more secure than software storage because the TPM provides an additional layer of protection against key theft.

Note: A bug in some older TPM firmware versions invalidates some signatures created with a TPM-backed private key. In such cases, the certificate cannot be used for EAP authentication, which is common for Wi-Fi and VPN connections. This might also break your Autopilot onboarding process.

Affected TPM firmware versions include:

  • STMicroelectronics: 71.12, 73.4.17568.4452, 71.12.17568.4100, 73.20.17568.6684

  • Intel: 11.8.50.3399, 2.0.0.2060

  • Infineon: 7.63.3353.0

  • IFX: Version 3.19 / Specification 1.2

  • IFX version 7.63.3353.0 specification 2.0

If your devices use a TPM with one of these firmware versions, either update the firmware to a newer version or select "Software KSP" as the key storage provider.

Key usage: Digital signature and Key encipherment

Please activate both cryptographic actions.

Key size (bits): 2048

SCEPman supports 2048 bits.

Hash algorithm: SHA-2

SCEPman supports the SHA-2 algorithm.

Root Certificate: Profile from previous step (Root certificate Profile)
Extended key use: Client Authentication, 1.3.6.1.5.5.7.3.2

Please choose Client Authentication (1.3.6.1.5.5.7.3.2) under Predefined values. The other fields will be filled out automatically.

Renewal threshold (%): 20

This value defines when the device is allowed to renew its certificate (based on the remaining lifetime of the existing certificate). Please read the note under Certificate validity period and select a value that allows the device to renew the certificate over a long period. A value of 20% allows a device with a certificate valid for one year to start renewal 73 days before expiration.

Example

User Certificates

Certificate type: User

In this section we are setting up a user certificate.

Subject name format: CN={{UserName}},E={{EmailAddress}}
Subject alternative name: (UPN)Value: {{UserPrincipalName}}

You must add the user principal name as a Subject alternative name: add '{{UserPrincipalName}}' as a Subject Alternative Name of type User principal name (UPN). This ensures that SCEPman can link certificates to user objects in Microsoft Entra ID (Azure AD). The 'Subject name format' setting is freely selectable.

Other SAN values like an Email address can be added if needed.

Based on customer feedback, it appears that some VPN clients (e.g., Azure VPN Client for Virtual WAN) are unable to discover the user certificate when it is stored in the TPM. Try enrolling it to the software KSP instead.

Example

User Digital Signature Certificate

You may use SCEPman for digital signatures, e.g. for S/MIME signing in Microsoft Outlook. If you plan to use the certificates for message signing, you need to add the corresponding extended key usage in the Intune profile configuration.

Do not use SCEPman for email encryption, e.g. S/MIME mail encryption in Microsoft Outlook, without a separate technology for key management. The SCEP protocol has no mechanism to back up or archive private key material. If you used SCEP for email encryption, you might lose the keys needed to decrypt the messages later.

Subject alternative name
  • (required) User principal name (UPN): {{UserPrincipalName}}

  • (required) Email address: {{EmailAddress}}

When deploying a digital signature certificate, you must add both the UPN and the email address.

Key usage: only Digital signature

Extended key usage: Secure Email (1.3.6.1.5.5.7.3.4)

Please choose Secure Email (1.3.6.1.5.5.7.3.4) under Predefined values. The other fields will be filled out automatically.

Renewal Threshold (%): 50

We recommend setting Renewal Threshold (%) to a value that ensures S/MIME signature certificates are renewed at least 6 months before expiration. Emails signed with expired certificates are shown with invalid signatures in Outlook, which confuses users. Having a new certificate long before the old one expires ensures that only older emails show this behavior, which users are less likely to look at. For example, if your signature certificates are valid for one year, you should set the Renewal Threshold to at least 50 %.

Example

After a successful profile sync, you should see the user certificate with the Intended Purpose Secure Email.

The certificate will be available for Digital Signature usage, e.g. in Outlook. Below is an example of the usage.
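As an added example (not part of the SCEPman documentation), the following PowerShell function, run on the enrolled Windows client, checks an issued certificate against the profile settings described above for device certificates and for S/MIME signing certificates: the expected EKU, the key usage, the SAN entry, whether the private key lives in the TPM KSP, and the date from which the renewal threshold permits renewal. The issuer filter '*SCEPman*' and the UPN value are assumptions; replace them with your CA name and the user's UPN.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example, not part of the SCEPman docs. Run in PowerShell on the enrolled Windows client.
# Assumption: the issuer name of your SCEPman CA contains "SCEPman"; adjust the filters below otherwise.
function Test-ScepmanCertificate {
    param(
        [Parameter(Mandatory)][X509Certificate2]$Certificate,
        # 1.3.6.1.5.5.7.3.2 = Client Authentication (device certs), 1.3.6.1.5.5.7.3.4 = Secure Email (S/MIME)
        [string]$ExpectedEku = '1.3.6.1.5.5.7.3.2',
        # Text that must appear in the SAN: the IntuneDeviceId URI for device certs, the UPN for user certs
        [string]$ExpectedSan = 'IntuneDeviceId://',
        [int]$RenewalThresholdPercent = 20,   # 20 for device certs, 50 for S/MIME signing certs
        [switch]$RequireTpm                   # for profiles set to "TPM KSP, otherwise fail"
    )
    # Subject Alternative Name (OID 2.5.29.17), formatted as text so the URI or UPN can be searched
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
    # Key usage; SCEPman issues Digital signature + Key encipherment unless AppConfig:UseRequestedKeyUsages is true
    $kuExt = $Certificate.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $ku = if ($kuExt) { $kuExt.KeyUsages } else { [X509KeyUsageFlags]::None }
    # Private key provider: "Microsoft Platform Crypto Provider" means the key is TPM-backed
    $provider = $null
    try {
        $rsa = [RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
        if ($rsa -is [System.Security.Cryptography.RSACng]) { $provider = $rsa.Key.Provider.Provider }
    } catch { $provider = 'unavailable' }
    $pub = [RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    # Intune starts renewal once the remaining lifetime drops below the threshold percentage
    $lifetime = $Certificate.NotAfter - $Certificate.NotBefore
    $renewFrom = $Certificate.NotAfter.AddDays(-1 * $lifetime.TotalDays * $RenewalThresholdPercent / 100)
    [pscustomobject]@{
        Subject          = $Certificate.Subject
        Thumbprint       = $Certificate.Thumbprint
        KeySizeOk        = ($null -ne $pub -and $pub.KeySize -eq 2048)
        EkuOk            = ($Certificate.EnhancedKeyUsageList.ObjectId -contains $ExpectedEku)
        SanOk            = ($sanText -match [regex]::Escape($ExpectedSan))
        DigitalSignature = [bool]($ku -band [X509KeyUsageFlags]::DigitalSignature)
        KeyEncipherment  = [bool]($ku -band [X509KeyUsageFlags]::KeyEncipherment)
        KeyProvider      = $provider
        TpmOk            = (-not $RequireTpm) -or ($provider -eq 'Microsoft Platform Crypto Provider')
        RenewalStarts    = $renewFrom
        DaysBeforeExpiry = [math]::Round(($Certificate.NotAfter - $renewFrom).TotalDays)
    }
}
# Device certificates (machine store): Client Authentication, IntuneDeviceId URI, TPM-backed key, 20 % threshold
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -like '*SCEPman*' } |
    ForEach-Object { Test-ScepmanCertificate -Certificate $_ -RequireTpm }
# S/MIME signing certificates (user store): Secure Email EKU, the user's UPN in the SAN, 50 % threshold
$upn = 'janedoe@contoso.com'   # placeholder: the signed-in user's UPN, e.g. from "whoami /upn"
Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Issuer -like '*SCEPman*' } |
    ForEach-Object { Test-ScepmanCertificate -Certificate $_ -ExpectedEku '1.3.6.1.5.5.7.3.4' -ExpectedSan $upn -RenewalThresholdPercent 50 }
```

For a certificate valid for one year, a 20 % threshold yields DaysBeforeExpiry of 73, matching the renewal note above; a device whose KeyProvider is not the Platform Crypto Provider was enrolled to the software KSP.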

Activate S/MIME Signatures in Microsoft Outlook

Activate S/MIME Signatures in Outlook on the Web

You can sign emails with S/MIME in Outlook on the Web using certificates from your local Windows machine. You need to enable this with the following command:

Set-SmimeConfig -OWAAllowUserChoiceOfSigningCertificate $true

See https://learn.microsoft.com/en-us/powershell/module/exchange/set-smimeconfig for more details.

{{DeviceId}}: This ID is generated and used by Intune (requires SCEPman 2.0 or higher and AppConfig:IntuneValidation:DeviceDirectory set to Intune or AADAndIntune).

Important: The choice of the CN field affects the automatic revocation behavior of certificates issued to your Intune-managed devices.

You can add other RDNs if needed (e.g. CN={{DeviceId}}, O=Contoso, CN={{WiFiMacAddress}}). Supported variables are listed in the Microsoft docs.

The URI field is for NAC solutions to identify the devices based on their Intune Device ID. The value should be IntuneDeviceId://{{DeviceId}}.

SCEPman caps the certificate validity to the configured maximum in the setting AppConfig:ValidityPeriodDays, but otherwise uses the validity configured in the request.

Update: You can work around the TPM bug by removing the RSA-PSS signature algorithms that cause the issue from the registry. For more information, please check Richard Hicks's article and the Microsoft Q&A.

SCEPman automatically sets the Key usage to Digital signature and Key encipherment and overrides the setting here unless AppConfig:UseRequestedKeyUsages is set to true.

Please select the Intune profile from the Root Certificate step. If you are using an Intermediate CA, you must select the Trusted certificate profile for the Intermediate CA, not the Root CA!

SCEP Server URLs: Open the SCEPman portal and copy the URL of Intune MDM.

Example

https://scepman.contoso.com/certsrv/mscep/mscep.dll

Please follow the instructions of Device Certificates and take care of the following differences:

You can define RDNs based on your needs. Supported variables are listed in the Microsoft docs. We recommend including the username (e.g. janedoe) and the email address (e.g. janedoe@contoso.com) as a baseline setting.

AppConfig:UseRequestedKeyUsages set to true

AppConfig:ValidityPeriodDays set to 365 (a maximum value of 1825, i.e. 5 years, is possible)

To deploy user certificates used for Digital Signatures, please follow the instructions of User Certificates and take care of the following differences and notes:

The S/MIME feature is not available for the latest Outlook client. More info here.

Once you have deployed S/MIME signature certificates to your client machines, you must configure Outlook to use these certificates before sending signed emails. You can do this manually or use our PowerShell Script to configure Outlook.
