This is the last part of the blog series. To enroll certificates on managed devices, you have to create two different profiles. The trusted certificate profile is required before you can create a SCEP profile. So, the first thing is creating a Trusted Certificate profile in Microsoft Intune.

Alrighty then, let’s try

You now have a fully configured CA environment that is ready for enrolling certificates via Microsoft Intune. The only thing left to do is create a SCEP configuration profile in Intune. Before we do that, we have to add the root certificate to Intune first. We must export the Root CA certificate into a *.cer file and then import it into Intune.

Trusted Certificate

Go to your NDES server and open an MMC via Run.
Go to File -> Add/Remove Snap-in.
Select Certificates and click on the Add button.
Select Computer account and click Next.
Click Finish.
Click OK.
Go to Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates.
Right-click the Root CA certificate -> All Tasks -> Export.
Click Next.
Click Next.
Save the export in a directory.
Click Next.
Click Finish.
Click OK.
Go to your Azure Portal. Go to the Intune portal -> Device Configuration -> Profiles. Click on the Create profile button.
Give the profile a name.

Platform = Windows 10

Profile type = Trusted Certificate.

Click on Settings to configure.

Browse to your exported RootCA.cer file. Click on the Ok button if the upload was successful.
Click on the Create button to create the profile.
You must assign the profile to a group or to all users and devices. Click Assignments.
Select All Users & All Devices and click on the Save button.

You are done with creating and assigning the Root Certificate profile to users and devices. The next step is to create a SCEP profile.
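The MMC export above can also be done from PowerShell on the NDES server, with two checks a practitioner wants before uploading the file to Intune: that the chosen certificate really is the self-signed root, and that the exported file matches what is in the store. This is an added example, not code from the original post; the Root CA subject name and output path are placeholders.

```powershell
# Added example, not from the original post: export the Root CA certificate from the
# NDES server's Trusted Root store to a DER-encoded .cer file for the Intune trusted
# certificate profile. $rootCaSubject and $outFile are placeholders; adjust them.
$rootCaSubject = 'CN=Contoso Root CA'   # placeholder: your Root CA's subject name
$outFile       = 'C:\Temp\RootCA.cer'   # placeholder: where to save the export

$candidates = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $rootCaSubject })

if ($candidates.Count -ne 1) {
    throw "Expected exactly one certificate with subject '$rootCaSubject' in Trusted Root, found $($candidates.Count)."
}
$rootCa = $candidates[0]

# A root CA certificate is self-signed, so subject and issuer must match. Refusing anything
# else prevents an intermediate or web server certificate from being pushed out as a trusted root.
if ($rootCa.Subject -ne $rootCa.Issuer) {
    throw "'$($rootCa.Subject)' is not self-signed, so it is not the Root CA certificate."
}
if ($rootCa.NotAfter -lt (Get-Date)) {
    throw "Root CA certificate expired on $($rootCa.NotAfter); renew the CA before deploying it."
}

# Export the public certificate only (DER); no private key is involved in this step.
New-Item -ItemType Directory -Path (Split-Path $outFile) -Force | Out-Null
Export-Certificate -Cert $rootCa -FilePath $outFile -Type CERT | Out-Null

# Re-read the file and compare thumbprints, so the file you upload to Intune is verified.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $outFile
if ($exported.Thumbprint -ne $rootCa.Thumbprint) {
    throw "Exported file $outFile does not match the certificate in the store."
}
Write-Host "Exported '$($rootCa.Subject)' (thumbprint $($rootCa.Thumbprint)) to $outFile"
```

The resulting RootCA.cer is the file you browse to in the Trusted Certificate profile settings.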

SCEP Profile

In the previous step, we created a trusted certificate profile in Intune. This is necessary for the SCEP profile: the Root CA certificate must be deployed to the devices before a device or user can request a certificate from the CA. This is done, and now we are going to make a SCEP profile.

Go to the Intune portal -> Device configuration -> Profiles and click on the Create Profile button.
Give the profile a name. Platform is Windows 10 and later. Profile type is SCEP certificate.

Click Settings to configure the profile.

Take over the settings from the example. Root Certificate is the profile we created in the previous step.

Scroll down.

Do not forget to add Client Authentication and to enter the External URL/certsrv/mscep/mscep.dll as the Server URL.

Click on the Ok button.

Click on the Create button to create the profile.
Click Assignments.
Choose All Users & All Devices and click on the Save button.

We are ready to enroll certificates on the managed devices. Go to your managed device and wait until the certificate has been enrolled.

Open MMC via Run and add the Certificates snap-in. This time you have to choose My user account instead of Computer account. Under Personal, you see the certificate that was enrolled by Microsoft Intune.
You can also check the Device configuration status of your managed device in the Intune portal.
And you can also check the Application event log on your NDES server.
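The same verification can be scripted: one function for the managed device (user context) that looks for the SCEP-issued client authentication certificate in the user's Personal store, and one for the NDES server that lists recent NDES warnings and errors from the Application log. This is an added example, not code from the original post; the issuing CA subject and the NDES event provider name are assumptions to adjust for your environment.

```powershell
# Added example, not from the original post. Test-IntuneScepUserCert runs on the managed device
# in the user's context; Get-NdesRecentErrors runs on the NDES server. The CA subject and the
# event provider name are placeholders/assumptions.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'      # Client Authentication EKU, as set in the SCEP profile
$templateOid   = '1.3.6.1.4.1.311.21.7'   # Microsoft 'Certificate Template Information' extension

function Test-IntuneScepUserCert {
    param([string]$IssuerSubject = 'CN=Contoso Issuing CA')   # placeholder: Issuer on certs from your CA
    # The SCEP profile in this series targets the user, so the certificate lands in CurrentUser\My.
    $certs = @(Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.Issuer -eq $IssuerSubject -and $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
    })
    if ($certs.Count -eq 0) {
        Write-Warning "No client-auth certificate from '$IssuerSubject' in the user Personal store yet."
        return
    }
    foreach ($c in $certs) {
        # Show which template the CA used, so a wrong template (e.g. the server one) is visible at once.
        $tpl     = $c.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
        $tplText = if ($tpl) { $tpl.Format($false) } else { '(no template extension)' }
        [pscustomobject]@{
            Subject    = $c.Subject
            Thumbprint = $c.Thumbprint
            NotAfter   = $c.NotAfter
            Template   = $tplText
        }
    }
}

function Get-NdesRecentErrors {
    param([int]$Hours = 1,
          # Assumption: NDES logs under this provider; change it if your events use another source.
          [string]$Provider = 'Microsoft-Windows-NetworkDeviceEnrollmentService')
    Get-WinEvent -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = $Provider
            StartTime    = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Level -ge 1 -and $_.Level -le 3 } |   # 1 Critical, 2 Error, 3 Warning
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# On the managed device:
Test-IntuneScepUserCert | Format-List
# On the NDES server:
Get-NdesRecentErrors | Format-Table -Wrap
```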

Final

So finally, you have a working certificate enrollment in Microsoft Intune. The user can request a certificate via Microsoft Intune from your Certification Authority. Based on that, the CA will issue the certificate and NDES will enroll the certificate on the (mobile) device. I hope that you have enjoyed the blog series and that you have a running SCEP deployment.

Thanks for reading the blog. If you have any questions or comments about this, do not hesitate to contact me by email or by posting a comment below. I am also active on social media and some community forums, like the TechNet forum, Yammer and Tech Community.

Good luck and Take care now, bye bye then…

13 Comments

    1. Funny, I’m also working on that one this week. So, no, I haven’t tested it yet. I hope tomorrow.. 😉 what I have read, it should work for iOS and Windows 10 devices. Good luck with that one! Keep me posted!

      1. Building up the environment and setting it up is relatively easy. There is good documentation on this on TechNet. Client (iPad) receives a certificate based on the ‘NDES Intune’ template, don’t know if this is correct and if you can deploy a different certificate template to iPad? … You had any progress on this 🙂?

      2. Ah, I read on your blog the ‘NDES Intune’ template, this one will be used when the NDES service account is requesting certificates on behalf of mobile devices. So I presume I can duplicate the Computer certificate template and follow the same steps as for the NDES Intune template 🙂

      3. That is correct. You can use the same template for the device. Both use Client Authentication, so there is no need for a new template for devices.

      4. Worked like a charm, had to change the template name that needs to be issued in regedit on the NDES server (MSCEP).

      5. Ah great! Me too. It works for Windows 10 devices. The only thing I did differently is that I made a new SCEP profile for enrolling device certificates.

      6. Also works great on iPad (iOS) devices 🙂 Correct, a new template is not necessary because the NDES Intune template has the Client Auth. key usage, but I think it ‘looks’ better this way 🙂 And yes, a new SCEP profile is efficient! Take care sir!

  1. Trying to issue a cert to iOS and get “CRP Encryption certificate could not be found” in the event log, any ideas?

    1. Hi Lewis, sorry about the late response…

      Hmm, likely you have used the wrong certificate for enrolling to the managed devices? Did you use – during the NDES installation – the NDESIntune template? Not the NDESserver one, which is for the IIS web server and the NDES Intune connector?

      I have not seen this message in my environment.
