Intune Standalone Device-Based Certificate Issue


Can Intune Standalone deploy SCEP certs to devices? In my testing (and according to a recent ticket I opened), it appears standalone can only deploy user certs and that an Intune Hybrid setup is required to push certificates to devices. Is this really correct? I find it hard to believe that Standalone, being Microsoft's preferred flavor of Intune, has no way of delivering a SCEP certificate to a device using a Device configuration policy.

21 Replies

Standalone can do that. 
You need to have the Root CA deployed to devices + an Intune NDES server connected to your CA and published externally (through Azure App Proxy).
https://docs.microsoft.com/en-us/intune/certificates-scep-configure

My SCEP/NDES environment is already set up and I have been delivering certs to users for some time, so I know everything is working on that end. Heck, I feel comfortable in saying I can deliver certs to users until the cows come home, but the same cannot be said when it comes to devices. When I create a device-based SCEP policy and target it at my Intune registered devices, the requested cert is never delivered to the target machines' personal certificate store. I have forced syncs, waited for days, and nothing. Upon further inspection, what I realized was happening was that the cert was actually being delivered, but it was being delivered to the currently logged-in user on those targeted devices, and stored in that user's personal store, making it essentially a user cert, and utterly useless for what I need. I have repeated this process and confirmed that this is the behavior. That said, I still wasn't convinced that there wasn't SOMETHING I was doing wrong, so I opened a support ticket. After several days back and forth (an exchange that left me feeling unsure how knowledgeable the tech I was working with was on this particular topic) I was told that this is the expected behavior. Needless to say, I was not completely convinced by this answer (hence my post here). I'm still finding it hard to believe there is no way of doing this. I'm attaching screenshots of the policy setup and results for anyone interested.
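The symptom above (the cert landing in the user's personal store instead of the machine's) is quick to confirm on the endpoint. The following PowerShell diagnostic is an added example, not part of the thread; it lists certificates from your issuing CA in both stores and checks for the properties an EAP-TLS device certificate needs. The CA name is a placeholder you must replace.

```powershell
# Added diagnostic (not from this thread): report which certificate store the SCEP profile
# actually populated. A certificate that exists only in CurrentUser\My is tied to that user's
# session and cannot act as a device certificate (e.g. for pre-logon Wi-Fi).
# Assumption: $IssuerMatch is a substring of your issuing CA's subject; placeholder value.
$IssuerMatch   = "CN=Contoso-Issuing-CA"
$ClientAuthOid = "1.3.6.1.5.5.7.3.2"   # Client Authentication EKU, required for EAP-TLS
$Stores        = @("Cert:\LocalMachine\My", "Cert:\CurrentUser\My")

function Get-ScepCertReport {
    param([string]$Issuer, [string[]]$StorePaths)
    foreach ($store in $StorePaths) {
        $certs = Get-ChildItem -Path $store | Where-Object { $_.Issuer -like "*$Issuer*" }
        if (-not $certs) {
            Write-Warning "$store : no certificate issued by $Issuer"
            continue
        }
        foreach ($c in $certs) {
            # Pull the EKU extension and test for Client Authentication explicitly
            $eku = $c.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            $clientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
            [pscustomobject]@{
                Store         = $store
                Subject       = $c.Subject
                NotAfter      = $c.NotAfter
                HasPrivateKey = $c.HasPrivateKey   # without the private key EAP cannot use it
                ClientAuthEKU = $clientAuth
                Thumbprint    = $c.Thumbprint
            }
        }
    }
}

# Run in the logged-on user's session; reading either store needs no elevation.
Get-ScepCertReport -Issuer $IssuerMatch -StorePaths $Stores | Format-Table -AutoSize
```

If the only row comes from Cert:\CurrentUser\My, the policy delivered a user certificate, which matches the behaviour described in the post.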

 

Hi,

Standalone Intune + SCEP (PKI, NDES) is definitely possible; I'm running it on several tenants. Your wish for device certs is not available at the moment. This is very well known by the PG and there is also a UserVoice item for it. Go ahead and vote it up:

https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/19805320-deploy-unique-compute...

best,

Oliver

Like I said, we are already using Intune/SCEP for user certificates. I was hoping that I was just doing something wrong for device-based certificates. Thanks for the information. I've already upvoted the UserVoice request. BTW, the scenario you lay out in the comments on UserVoice is almost EXACTLY the issue we are having: we have AAD-bound Windows devices that need a device certificate so that the machine can connect to our wireless network at the login screen and so that new users can log in for the first time.

Hi James,

Just for info, device certificates have arrived in Intune.

See here: https://docs.microsoft.com/en-us/intune/whats-new#issue-scep-certificates-to-user-less-devices-

best,

Oliver

It seems that it works, but in my test environment I would like to use this device cert to connect to corp WiFi using a WPA2-Enterprise profile created in Intune, and that failed. Does anybody use device-based certs deployed by Intune to connect to a corp WiFi network?
//Alexander

My customer implemented it and is currently using it.

It's also a supported scenario:

https://docs.microsoft.com/en-us/intune/wi-fi-settings-windows#enterprise-profile

Only SCEP profiles are supported when using EAP; PKCS certificate profiles are not supported.

best,

Oliver

My client is receiving the device cert but could not connect to WiFi, which I deploy to the client using a WiFi profile. It seems that the WiFi profile + NPS is still trying to use the user-based cert.

It seems that I set everything correctly.

The only thing I don't understand is this setting:

Server Trust

Certificate server names: Use with EAP-TLS, EAP-TTLS, or PEAP EAP types. Enter one or more common names used in the certificates issued by your trusted certificate authority (CA). If you enter this information, you can bypass the dynamic trust dialog shown on user devices when they connect to this Wi-Fi network.

What should I set here?

//Alexander

Just put in there your Certificate Authority common name, like myca.mycompany.com. The setting defines the Server Trust so that the profile knows all certificates from this CA with the name specified can be trusted, and therefore no additional popups are shown.
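Rather than guessing what the Intune setting turned into on the client, you can read the delivered profile back. This PowerShell check is an added example, not from the thread or from Microsoft: it exports the Wi-Fi profile with netsh, then prints the server names, trusted root thumbprints and authMode (machine, user or machineOrUser) that Windows will actually enforce. The profile name is a placeholder; run it in an elevated prompt.

```powershell
# Added check (not from this thread): read the server-trust and auth-mode settings out of the
# Wi-Fi profile as delivered to the client. Assumption: $ProfileName is the profile/SSID name
# listed by 'netsh wlan show profiles' (placeholder value).
$ProfileName = "CorpWiFi"

$tmp = Join-Path $env:TEMP "wlan-export"
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
netsh wlan export profile "name=$ProfileName" "folder=$tmp" | Out-Null
$file = Get-ChildItem -Path $tmp -Filter "*.xml" | Select-Object -First 1
if (-not $file) { throw "Profile '$ProfileName' not found on this device" }

[xml]$xml = Get-Content -Path $file.FullName -Raw

# local-name() lookups work across the EAP-TLS, PEAP and OneX schemas, which use different namespaces
$serverNames = $xml.SelectNodes("//*[local-name()='ServerNames']")   | ForEach-Object { $_.InnerText }
$rootThumbs  = $xml.SelectNodes("//*[local-name()='TrustedRootCA']") | ForEach-Object { ($_.InnerText -replace '\s', '').ToUpper() }
$authMode    = $xml.SelectNodes("//*[local-name()='authMode']")      | ForEach-Object { $_.InnerText }

Write-Output "authMode (machine / user / machineOrUser): $($authMode -join ', ')"
if ($serverNames) {
    Write-Output "Certificate server names enforced: $($serverNames -join '; ')"
} else {
    Write-Output "Certificate server names enforced: (none, client will use the dynamic trust prompt)"
}

# Each trusted root thumbprint must correspond to a CA certificate in the machine root store
foreach ($t in $rootThumbs) {
    $root = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $t }
    $status = if ($root) { "present: $($root.Subject)" } else { "MISSING from LocalMachine\Root" }
    Write-Output "Trusted root $t -> $status"
}

Remove-Item -Path $tmp -Recurse -Force
```

An authMode of "user" explains a profile that only connects after logon regardless of which certificate profile was selected; a missing root explains a profile that never trusts the RADIUS server.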

Before logon, auto connection to WiFi doesn't happen; it says there is no cert, but I have a user cert and a device cert. After logon, the WiFi profile connects successfully to WiFi using, as I understand it, the user cert, even though in the WiFi profile settings on the Intune portal I chose the device SCEP policy for it.
Is it possible to have auto connection to WiFi before user login using a device-based cert, which is what I am trying to achieve but which fails?

//Alexander

This has proven to be a royal pain for me the past week because the Microsoft documentation at https://docs.microsoft.com/en-us/intune/wi-fi-settings-ios is a bit ambiguous where it describes Server Trust - Certificate server names.

It states, "Add one or more common names used in the certificates issued by your trusted certificate authority (CA)." This sounds as if it's implying entering the common names of the clients' device certificates, e.g. *.domain.com.

It's not clear whether this means the root CA common name, the root CA common.domain.com, the common name of the CA that issued the device certs, the common name of the CA that issued the server certificate, or the latter two with the domain suffix.

Furthermore, does this need to match the certificate selected under Root certificate for server validation, or should I enter the common name for the CA that issued the server's cert in Certificate server names whilst selecting the root CA cert under Root certificate for server validation?

I'm about to eat my hand.... grrrr... :D

@Samuel Roach 

Hi, did you manage to make this approach work?

If I understand correctly, a Windows NPS server (as a RADIUS server) can't authenticate an Azure AD joined device to the access point even if a device-based cert was deployed to the client, because NPS can only check trust for domain-joined computers, not for Azure AD joined-only devices.

Hi @alexander tikhomirov,

Our issue miraculously disappeared after having the case open (with no activity) with Microsoft for over a month.

However, it mysteriously resurfaced a few weeks ago. I've been dealing with other issues so haven't revisited it to investigate further, but will do so once I have some availability and report back any findings.

Incidentally, ours are iOS devices, so a somewhat different use case.

Hey @alexander tikhomirov,

I don't think this is the case; AADJ can be used in this scenario. There are blogs out there which show a successful implementation of this scenario, like this one: https://blog.auth360.net/2018/10/12/windows-10-password-less-azure-ad-join-microsoft-intune-and-wind...

best,

Oliver

@Oliver Kieselbach thanks for the article, but user-based certs are used in their solution:

"For a more immersive experience, machine certificates are preferred for use, subject to their availability in Intune"

@alexander tikhomirov ah, good point. I'm not deep enough into NPS; there might be a limitation here...

Hi @alexander tikhomirov,

I am in exactly the same scenario as you. Device and User certificates are both deployed successfully, but wireless authentication only works with the user certificates.

Were you ever able to confirm whether it is even possible to authenticate AAD joined devices to wireless networks using device certs?