Microsoft Intune Device Certificate Enrollment

This guide provides instructions for enrolling and validating Microsoft Intune device certificates using EJBCA. Intune connects directly to the EJBCA RA, which is configured as a SCEP alias.

SCEP Management Solution

Microsoft Intune provides a SCEP management solution built on an open-source library with APIs that allow third-party CAs to issue and validate certificates.

[Figure: SCEP certificate vendor integration]

For more information, refer to the Microsoft docs on Use APIs to add third-party CAs for SCEP to Intune.

Overview

Intune requires the SCEP server to perform an Active Directory (AD) lookup for the user before generating a certificate. The EJBCA connector meets this requirement by connecting to Intune to validate the SCEP request before the certificate is issued.

The Microsoft Intune Device Certificate Enrollment is configured in the following steps:

  1. Configure EJBCA Server

  2. Configure Intune

Note that this guide covers Windows 10 device enrollments. For more information on requirements, see Certificate Enrollment Requirements.