Forum Discussion
Intune Standalone Device-Based Certificate Issue
Can Intune Standalone deploy SCEP certs to devices? In my testing (and according to a recent ticket I opened), it appears standalone can only deploy user certs and that an Intune Hybrid setup is required to push certificates to devices. Is this really correct? I find it hard to believe that Standalone, being Microsoft's preferred flavor of Intune, has no way of delivering a SCEP certificate to a device using a Device configuration policy.
- Alexander Vanyurikhin (Iron Contributor)
Standalone can do that.
You need to have the Root CA deployed to devices + an Intune NDES server connected to your CA and published externally (through Azure App Proxy).
https://docs.microsoft.com/en-us/intune/certificates-scep-configure
My SCEP/NDES environment is already set up and I have been delivering certs to users for some time, so I know everything is working on that end. Heck, I feel comfortable in saying I can deliver certs to users until the cows come home, but the same cannot be said when it comes to devices, however. When I create a device-based SCEP policy and target it at my Intune-registered devices, the requested cert is never delivered to the target machines' personal certificate store. I have forced syncs, waited for days, and nothing. Upon further inspection, what I realized was happening was that the cert was actually being delivered, but it was being delivered to the currently logged-in user on those targeted devices, and stored in that user's personal store, making it essentially a user cert, and utterly useless for what I need. I have repeated this process and confirmed that this is the behavior. That said, I still wasn't convinced that there wasn't SOMETHING I was doing wrong, so I opened a support ticket. After several days back and forth (an exchange that left me feeling unsure how knowledgeable the tech I was working with was on this particular topic) I was told that this is the expected behavior. Needless to say, I was not completely convinced by this answer (hence my post here). I'm still finding it hard to believe there is no way of doing this. I'm attaching screenshots of the policy setup and results for anyone interested.
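A quick way to verify where a SCEP-issued certificate actually landed on a target device (machine Personal store vs. the logged-in user's Personal store), as an added PowerShell check that is not part of this thread; the issuer name is an assumption to replace with your issuing CA's subject:

```powershell
# Added example, not from the thread: list certificates from a given issuer
# in both the machine and the current user's Personal store, so a
# device-targeted SCEP policy can be checked for where its cert really went.
# Assumption: replace the issuer pattern with your own issuing CA's name.
$IssuerPattern = '*CN=Contoso-Issuing-CA*'

function Get-ScepCertReport {
    param([string]$IssuerLike)
    foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Issuer -like $IssuerLike } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    HasPrivKey = $_.HasPrivateKey
                    EKU        = ($_.EnhancedKeyUsageList | ForEach-Object FriendlyName) -join ', '
                }
            }
    }
}

$report = Get-ScepCertReport -IssuerLike $IssuerPattern
if (-not $report) {
    Write-Warning "No certificate from '$IssuerPattern' found in either Personal store."
} elseif (-not ($report | Where-Object Store -eq 'Cert:\LocalMachine\My')) {
    # This is the symptom described above: the cert exists, but only as a user cert.
    Write-Warning "Certificate found only in the user store; the policy produced a user cert, not a device cert."
}
$report | Format-Table -AutoSize
```

Run it in the user session on a targeted device after a sync; a device cert should appear under Cert:\LocalMachine\My with HasPrivKey set to True.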
Hi,
Standalone Intune + SCEP (PKI, NDES) is definitely possible; I'm running it on several tenants. Your wish for device certs is not available at the moment. This is very well known by the PG and there is also a UserVoice item for it. Go ahead and vote it up:
best,
Oliver