
Re: AMA: Microsoft Cloud PKI in Intune Suite


Does it support an externally created, offline root CA?
 
 
Does it support custom EKUs?
 
  • Yes. Custom EKUs can be added to CAs during creation. 
 
Does it support custom templates?
 
 
How does security work for enrollment, and how do we limit who can request what certificates?
 
  • We utilize the SCEP protocol for certificate enrollment. The endpoint is secured so only those devices that have received SCEP enrollment requests through Intune will be able to receive certificates. When an Intune SCEP certificate profile is delivered to a device, Intune generates a custom challenge blob that it encrypts and signs. That challenge needs to be present in the request, or it will be rejected by the SCEP enrollment endpoint. 

 

What methods and protocols does it support for enrollment other than SCEP?

  • Certificate delivery for Cloud PKI is currently limited to SCEP certificates. If you are interested in seeing other scenarios supported in the future, please submit feedback to https://aka.ms/IntuneFeedback.

 

Can we issue certificates with custom properties similar to ADCS’ “supply in the request”, and how is that secured?

 

  • Customization is currently limited to what can be done from within the SCEP profile. If there are additional properties you would like to be able to add to issued certificates, please give us feedback at https://aka.ms/IntuneFeedback
 
EricTedj
Updated Mar 20, 2024
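The challenge check described in the SCEP enrollment answer above, as an added example that is not part of the original post and is not Intune's code or challenge format. It models only the signature and binding checks an enrollment endpoint can make before issuing; HMAC stands in for the service's signature, encryption is omitted, and the claim names, the key, and the subject binding are assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key (assumption); a real service would hold its key in an HSM or vault.
SERVICE_KEY = b"constructed-demo-key-not-a-real-secret"

def _sign(claims: bytes) -> bytes:
    return hmac.new(SERVICE_KEY, claims, hashlib.sha256).digest()

def issue_challenge(device_id, subject, ttl=3600, now=None):
    """Management side: bind a challenge to one device, one subject, one time window."""
    now = int(time.time()) if now is None else now
    claims = json.dumps({"dev": device_id, "sub": subject, "exp": now + ttl},
                        sort_keys=True).encode()
    return (base64.urlsafe_b64encode(claims).decode() + "." +
            base64.urlsafe_b64encode(_sign(claims)).decode())

def validate_request(challenge, csr_subject, now=None):
    """Enrollment endpoint: return (accepted, reason) for one certificate request."""
    now = int(time.time()) if now is None else now
    if not challenge:
        return False, "missing challenge"
    try:
        claims_b64, tag_b64 = challenge.split(".")
        claims = base64.urlsafe_b64decode(claims_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return False, "malformed challenge"
    # Verify the signature before trusting any claim; constant-time comparison.
    if not hmac.compare_digest(tag, _sign(claims)):
        return False, "bad signature"
    data = json.loads(claims)
    if now >= data["exp"]:
        return False, "expired"
    # The request may only ask for what the profile was issued for.
    if data["sub"] != csr_subject:
        return False, "subject mismatch"
    return True, "ok"

if __name__ == "__main__":
    c = issue_challenge("dev-1", "CN=dev-1")          # constructed sample values
    print(validate_request(c, "CN=dev-1"))            # request matching the profile
    print(validate_request(c, "CN=admin"))            # same challenge, different subject
    print(validate_request("", "CN=dev-1"))           # no challenge in the request
```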