Intune Validation

Last updated 1 month ago


These settings should only be applied to the SCEPman App Service, not to Certificate Master. Please refer to SCEPman Settings.

AppConfig:IntuneValidation:ComplianceCheck

Linux: AppConfig__IntuneValidation__ComplianceCheck

Experimental Setting

SCEPman Enterprise Edition only

Before version 1.9, this feature breaks Windows Autopilot enrollment, because the compliance state is evaluated with a delay during enrollment: the OCSP check that immediately follows certificate deployment returns 'not valid' while enrollment is still running, and the Autopilot process does not succeed.

With version 1.9 and above, clients receive an "Ephemeral Bootstrap Certificate" during the enrollment phase that is later replaced with a regular client certificate, as soon as the client becomes compliant.

With version 2.5 and above, you can alternatively configure a grace period during which the device is always considered compliant with the setting ComplianceGracePeriodMinutes.

Value: Always or Never (default)

Description: When SCEPman receives an OCSP request, SCEPman can optionally check the device compliance state. When set to Always, SCEPman queries the device compliance state, and the OCSP result can only be GOOD if the device is also marked as compliant in Azure AD.

Setting this to Never will disable the compliance check.

AppConfig:IntuneValidation:ComplianceGracePeriodMinutes

Linux: AppConfig__IntuneValidation__ComplianceGracePeriodMinutes

SCEPman Enterprise Edition only

Applicable to version 2.5 and above

This setting is only effective if ComplianceCheck is set to Always.

Value: Integer (default: 0)

Description: Immediately after enrollment, devices are often not yet compliant in Intune. This setting defines a grace period in minutes during which the device is considered compliant, even if it is not yet. If the device is still not compliant after the grace period, the certificate is revoked. This avoids the problem of a Windows device that is just enrolling and needs to complete the SCEP profile successfully in order to finish Windows Autopilot enrollment, but becomes compliant in Intune only some time later.

It is an alternative to using Ephemeral Bootstrap Certificates. If you configure any value above 0, SCEPman will never issue Ephemeral Bootstrap Certificates.

AppConfig:IntuneValidation:DeviceDirectory

Linux: AppConfig__IntuneValidation__DeviceDirectory

If you want to change this setting in an existing deployment that was installed with a previous version of SCEPman, please run the PowerShell configuration script again to make sure that SCEPman has the latest permissions to access the corresponding device directories.

Value: String

Available options:

  • AAD (default for SCEPman 2.0)
  • Intune
  • AADAndIntune
  • AADAndIntuneOpportunistic (default for SCEPman 2.1 or newer)
  • AADAndIntuneAndEndpointlist (available in SCEPman 2.2 and newer)

Description: Determines where to look up devices on OCSP requests for device certificates. The corresponding directory is queried for a device matching the device ID written to the certificate's subject CN field. The certificate is valid only if the device exists. For AAD, the device must also be enabled (Intune doesn't support disabling devices). If the ComplianceCheck is activated, the device must also be compliant. If nothing is configured, and for SCEPman 1.9 and before, AAD is used.

Hence, you must configure the Intune configuration profile for devices accordingly: {{AAD_Device_ID}} is the Entra/AAD device ID, while {{DeviceID}} is the Intune device ID.

For AADAndIntune, both directories are queried in parallel. In this case, it is sufficient that the device exists in one of the two directories. This setting enables migrating from one setting to the other while there are still valid certificates for both types of directories. It also supports cases where you configure platforms differently. It can also be used as a workaround for iOS or Android devices that receive an Intune ID instead of an Entra ID object ID, because they are not fully Entra-joined at the time of certificate enrollment.

If you have upgraded from SCEPman 1.x to SCEPman 2.x and you are still using an App Registration for SCEPman permissions, SCEPman lacks the permissions to query Intune for devices. Thus, you are limited to the AAD option. The option AADAndIntuneOpportunistic checks whether the permissions to query Intune have been granted to SCEPman. If they have, this works like AADAndIntune. If they have not, this behaves like AAD.

The value AADAndIntuneAndEndpointlist works just like AADAndIntune, but additionally queries Intune's list of issued certificates. If Intune triggered the revocation of a certificate, the certificate is also revoked in SCEPman.

AppConfig:IntuneValidation:RevokeCertificatesOnWipe

Linux: AppConfig__IntuneValidation__RevokeCertificatesOnWipe

Applicable to version 2.1 and above.

Value: true (default) or false

Description: This setting extends the validation of devices when using the Intune Device ID. It does not work when using the Entra/AAD Device ID. If it is enabled, SCEPman evaluates the Management State property of an Intune device when its device certificate is validated. If the state is one of the following values, the certificate is revoked:

  • RetirePending
  • RetireFailed
  • WipePending
  • WipeFailed
  • Unhealthy
  • DeletePending
  • RetireIssued
  • WipeIssued

In particular, this means that when an administrator triggers a Wipe or Retire for a device, the certificate is revoked immediately. Even if the device is shut down or offline, so that the action cannot yet be performed on the device, the certificate is no longer valid.

AppConfig:IntuneValidation:UntoleratedUserRisks

Linux: AppConfig__IntuneValidation__UntoleratedUserRisks

Experimental Setting - Applicable to version 2.2 and above. Requires the permission IdentityRiskyUser.Read.All, which is assigned by SCEPman PS module version 1.7 and above.

SCEPman Enterprise Edition only

Value: Comma-separated list of User Risk Levels, e.g. Low, Medium, High.

Description: This setting only has an effect if you set UserRiskCheck to Always. Certificates of users with risk levels in this list will be considered invalid.

Example: You define Medium,High for this setting. A user has Risk Level Low. The user's certificate is valid and can be used to connect to the corporate VPN. Then, a risk event raises the User Risk Level to Medium. The user tries to connect to the VPN, but does not succeed, because the VPN Gateway checks the validity of the certificate in real time and SCEPman responds that it is revoked.

AppConfig:IntuneValidation:UserRiskCheck

Linux: AppConfig__IntuneValidation__UserRiskCheck

Experimental Setting - Applicable to version 2.2 and above. Requires the permission IdentityRiskyUser.Read.All, which is assigned by SCEPman PS module version 1.7 and above.

SCEPman Enterprise Edition only

Value: Always or Never (default)

Description: When SCEPman receives an OCSP request for a certificate issued to an Intune user, SCEPman can optionally check the user risk level. When set to Always, SCEPman queries the user risk state, and the OCSP result can only be GOOD if the user's risk level is not in the list of UntoleratedUserRisks.

Setting this to Never will disable the user risk check.

AppConfig:IntuneValidation:WaitForSuccessNotificationResponse

Linux: AppConfig__IntuneValidation__WaitForSuccessNotificationResponse

Value: true (default) or false

Description: After a certificate has been issued successfully, SCEPman sends a notification about the certificate to Intune. Microsoft's specification recommends waiting for the response, so true is the default. However, some instances show long delays that occasionally result in timeouts.

Setting this to false makes SCEPman return the issued certificate before Intune answers the notification. This is against the letter of the specification, but it increases performance and avoids timeouts in instances where this issue arises.

AppConfig:IntuneValidation:ValidityPeriodDays

Linux: AppConfig__IntuneValidation__ValidityPeriodDays

Value: Positive Integer

Description: This setting further reduces the global ValidityPeriodDays for certificates issued through the Intune endpoint.

AppConfig:IntuneValidation:EnableCertificateStorage

Linux: AppConfig__IntuneValidation__EnableCertificateStorage

Applicable to version 2.7 and above

SCEPman Enterprise Edition only

Value: true or false (default)

Description: When certificates are requested via the Intune endpoint, SCEPman stores the issued certificates in the Storage Account in Azure if this is set to true. This makes the issued certificates appear in SCEPman Certificate Master, where you can view and revoke them manually. Additionally, certificates are revoked automatically when the associated Entra or Intune object goes into an invalid state as specified by the other settings (such as being disabled or deleted). If set to false, SCEPman does not store issued certificates, and the certificates are visible only in the logs or in the classic Intune view in Certificate Master or the Intune portal. If this is not set, the behavior depends on the global setting AppConfig:EnableCertificateStorage.

AppConfig:IntuneValidation:AllowRenewals

Value: true or false (default)

Description: This allows using the RenewalReq operation on this SCEP endpoint. It works only for certificate types added to AppConfig:IntuneValidation:ReenrollmentAllowedCertificateTypes.

Please be aware that Intune will not make use of the RenewalReq operation and this setting is not required for usual operation.

AppConfig:IntuneValidation:ReenrollmentAllowedCertificateTypes

Value: Comma-separated list of certificate types from this list:

  • DomainController
  • Static
  • IntuneUser
  • IntuneDevice
  • JamfUser
  • JamfUserWithDevice
  • JamfUserWithComputer
  • JamfDevice
  • JamfComputer

Description: You can use the SCEP endpoint for renewals of certificates of the types specified in this setting. If you do not specify any value, it defaults to no types.

For example, if you wanted to renew certificates issued manually through Certificate Master, you would specify Static. If you also want to renew Domain Controller certificates, you would specify DomainController,Static.

Please be aware that Intune will not make use of the RenewalReq operation and this setting is not required for usual operation.

The RenewalReq operation can be used with the SCEPmanClient PowerShell module.
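Added example, not SCEPman's code: a small model of how the device-validation settings on this page (DeviceDirectory, ComplianceCheck with ComplianceGracePeriodMinutes, and RevokeCertificatesOnWipe) combine into a single OCSP answer for a device certificate. The Settings and Device classes and the ocsp_status function are assumed names for illustration; the directory fallback, grace-period and management-state rules follow the descriptions above.

```python
# Added illustration (not SCEPman code): how the device-validation settings on
# this page combine into an OCSP answer. Class and function names are assumed.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Intune management states that RevokeCertificatesOnWipe treats as revoking.
WIPE_STATES = {"RetirePending", "RetireFailed", "WipePending", "WipeFailed",
               "Unhealthy", "DeletePending", "RetireIssued", "WipeIssued"}

@dataclass
class Settings:
    device_directory: str = "AADAndIntuneOpportunistic"
    compliance_check: str = "Never"        # Always | Never
    compliance_grace_minutes: int = 0
    revoke_on_wipe: bool = True
    intune_permissions_granted: bool = True  # decides the Opportunistic branch

@dataclass
class Device:
    in_aad: bool = False
    aad_enabled: bool = True
    in_intune: bool = False
    compliant: bool = False
    management_state: str = "Managed"
    intune_revoked: bool = False  # revoked in Intune's list of issued certificates

def ocsp_status(s: Settings, d: Device, issued: datetime, now: datetime) -> str:
    """Return 'GOOD' or 'REVOKED' for a device certificate per the page's rules."""
    mode = s.device_directory
    if mode == "AADAndIntuneOpportunistic":  # falls back to AAD without permissions
        mode = "AADAndIntune" if s.intune_permissions_granted else "AAD"
    aad_ok = d.in_aad and d.aad_enabled        # AAD devices must exist AND be enabled
    intune_ok = mode != "AAD" and d.in_intune  # Intune cannot disable devices
    if mode == "AAD":
        found = aad_ok
    elif mode == "Intune":
        found = intune_ok
    else:  # AADAndIntune(AndEndpointlist): presence in either directory suffices
        found = aad_ok or intune_ok
    if not found:
        return "REVOKED"
    if mode == "AADAndIntuneAndEndpointlist" and d.intune_revoked:
        return "REVOKED"
    # Wipe/retire states only apply when the device was resolved via its Intune ID.
    if s.revoke_on_wipe and intune_ok and d.management_state in WIPE_STATES:
        return "REVOKED"
    if s.compliance_check == "Always" and not d.compliant:
        grace_end = issued + timedelta(minutes=s.compliance_grace_minutes)
        if now >= grace_end:  # grace period over and still not compliant
            return "REVOKED"
    return "GOOD"
```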
