This article describes an example configuration of the SCEP protocol with Azure Intune in Protocol Gateway.
Since Microsoft has deprecated the ADAL (Azure Active Directory Authentication Library) API, the SCEP Intune protocol in Certificate Manager 8.6.1 has been updated to authenticate against Azure with the MSAL (Microsoft Authentication Library) API instead.
The following prerequisites apply:
Configure Intune for device certificate enrollment
To authorize communication between Protocol Gateway and Azure Intune, you need to create a new app registration in your company's Azure portal.
To allow Windows 10 devices to enroll using Intune, the Microsoft Intune MDM (Mobile Device Management) mobility setting must be enabled.
To establish the necessary certificate trust stores for the devices to successfully enroll with Intune, the following Trusted certificate profiles need to be configured:
Follow this guide to configure each of the trusted certificate profiles:
A SCEP Certificate Profile needs to be created so that Intune knows how the end-user certificate should be defined and which CA the CSR should be delivered to.
Configure Protocol Gateway SCEP for Intune
To set the properties for the SCEP protocols:
Additional optional settings for Intune, such as revocation via Intune and proxy configuration, are available and described in the SCEP INTUNE section of the scep.properties file.
Enroll Windows 10 device
See the following Microsoft guide on how to enroll Windows 10 devices: https://docs.microsoft.com/en-us/mem/intune/enrollment/quickstart-enroll-windows-device.
To force a sync of a Windows 10 device with the Intune MDM, it is possible to do the following: