Windows
Deploy certificates to Windows devices via SCEP in Intune using SCEPman.
The following article describes deploying device and/or user certificates to Windows devices. Deploying the SCEPman Root Certificate is mandatory. Afterward, you can choose to deploy only device certificates, only user certificates, or both.
Root Certificate
The basis for deploying SCEP certificates is to trust the root certificate of SCEPman. Therefore, you have to download the CA Root certificate and deploy it as a Trusted certificate profile via Microsoft Intune:


Device Certificates


Example

User Certificates
Please follow the instructions in #Device certificates and take care of the following differences:
Example

User Digital Signature Certificate
You may use SCEPman for transnational digital signatures, i.e. for S/MIME signing in Microsoft Outlook. If you plan to use the certificates for message signing, you need to add the corresponding extended key usages in the Intune profile configuration.
Do not use SCEPman for email encryption, i.e. for S/MIME mail encryption in Microsoft Outlook, without a separate technology for key management. The SCEP protocol has no mechanism to back up or archive private key material. If you used SCEP for email encryption, you could lose the keys needed to decrypt the messages later.
AppConfig:UseRequestedKeyUsages: set to true
AppConfig:ValidityPeriodDays: set to 365 (a maximum value of 1825, i.e. 5 years, is possible)
To deploy user certificates used for digital signatures, please follow the instructions in #User certificates and take care of the following differences and notes:
Example

After a successful profile sync, you should see the user certificate with the Intended Purpose "Secure Email".

The certificate will be available for digital signature usage in e.g. Outlook. Below is an example of the usage.

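The following PowerShell script is an added verification example written for this article; it is not part of SCEPman's own tooling. It checks that the root certificate from the Trusted certificate profile has landed in the machine trust store, then lists the user certificates issued by that CA with their "Secure Email" purpose, key usages, lifetime and chain validity. It assumes the issuing CA's subject contains the text "SCEPman" (a placeholder; adjust $IssuerPattern to your CA name) and that the key-usage flags in the certificate follow the Intune profile when AppConfig:UseRequestedKeyUsages is set to true.

```powershell
# Added verification example, not SCEPman's own script.
# Assumption: the issuing CA's subject contains "SCEPman" (placeholder, adjust as needed).
$IssuerPattern  = 'SCEPman'
$SecureEmailOid = '1.3.6.1.5.5.7.3.4'   # EKU id-kp-emailProtection, shown as "Secure Email"

# 1. Confirm the Trusted certificate profile delivered the root to the machine store.
$roots = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match $IssuerPattern }
if (-not $roots) {
    Write-Warning "No trusted root matching '$IssuerPattern' found; the Trusted certificate profile has not synced yet."
}

# 2. Inventory the user certificates issued by that CA.
$userCerts = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -match $IssuerPattern }

foreach ($cert in $userCerts) {
    # Extended key usages as OIDs (EnhancedKeyUsageList is PowerShell's adapted property).
    $eku = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

    # Key usage extension; treat a missing extension as "None".
    $kuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $ku = if ($kuExt) { $kuExt.KeyUsages } else {
        [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::None
    }

    # Build the chain to prove the certificate validates up to the deployed root.
    # Revocation is skipped here so the check works offline; enable it in production.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $chain.Dispose()

    [pscustomobject]@{
        Subject       = $cert.Subject
        LifetimeDays  = ($cert.NotAfter - $cert.NotBefore).Days   # expect 365 with ValidityPeriodDays=365
        SecureEmail   = ($eku -contains $SecureEmailOid)
        KeyUsages     = $ku
        ChainValid    = $chainOk
        HasPrivateKey = $cert.HasPrivateKey
    }

    # SCEP performs no key archival: a certificate carrying KeyEncipherment could be
    # selected for S/MIME encryption, and mail encrypted to it is unrecoverable if
    # the private key is lost. Flag such certificates so they are only used for signing.
    $keyEnc = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
    if ($ku.HasFlag($keyEnc)) {
        Write-Warning "$($cert.Subject) carries KeyEncipherment; do not use this SCEP-issued certificate for email encryption."
    }
}
```

Run the script in the context of the signed-in user after the Intune sync has completed. A certificate whose SecureEmail column is True, whose ChainValid column is True and which triggers no KeyEncipherment warning is the one Outlook should pick for S/MIME signing.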
Activate S/MIME Signatures in Microsoft Outlook
The S/MIME feature is not available in the latest Outlook client. More info here.
Once you have deployed S/MIME signature certificates to your client machines, you must configure Outlook to use these certificates before sending signed emails. You can do this manually or use our PowerShell script to configure Outlook.
Activate S/MIME Signatures in Outlook on the Web
You can sign emails with S/MIME in Outlook on the Web using certificates from your local Windows machine. You need to enable this in Exchange with the following command:
Set-SmimeConfig -OWAAllowUserChoiceOfSigningCertificate $true
See https://learn.microsoft.com/en-us/powershell/module/exchange/set-smimeconfig for more details.