...

• Protocol Gateway must be installed. See Install Protocol Gateway.

• Initial configuration of Protocol Gateway must be done. See Initial configuration of Protocol Gateway. 

• Microsoft Intune must be set up according to https://docs.microsoft.com/en-us/mem/intune/fundamentals/setup-steps

• The SCEP RA certificate must be issued by the same CA that issues the device certificates. Create an RA certificate in PKCS#12 format containing the full CA chain with the following keyusages or extended keyusages:

  • Digital Signature

  • Key Encipherment

  • Certificate Request Agent

Configure Intune for device certificate enrollment

Register app

To authorize communication between Protocol Gateway and Azure Intune you need to create a new registration app in your company Azure portal.

1. Navigate to the Azure Portal at https://portal.azure.com/ .

2. Navigate to Azure Active Directory > App registrations and select New registration.

3. Give the app registration a Name, which is the user-facing display name, for example Intune App. 

4. Set Supported account types to Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).

5. In Redirect URI, select Web and set the URI to the Protocol Gateway SCEP Intune endpoint:

   Example: Protocol Gateway SCEP Intune endpoint

   Code Block
   https://example.com:8443/pgwy/scep/intune/pkiclient.exe"

6. Click on Register to finalize the app registration.

7. You are directed to the App overview page. Copy the Application (client) id, this is your app id and needs to be configured in the Protocol Gateway SCEP properties later.

8. Navigate to Certificates & secrets and create a Client secret. Copy the value key from 'Value' before leaving the page, it can not be retrieved later. This value needs to be configured in the Protocol Gateway SCEP properties later. 

9. Navigate to API permissions. You need to add two separate application permissions.
   Click Add a permission and then:

   1. On the Request API permissions page, select Intune and then select Application permissions.

      1. Select the checkbox for scep_challenge_provider (SCEP challenge validation).

      2. Click Add permissions to save this configuration.

      3. Click Add a permission again.

   2. On the Request API permissions page, select Microsoft Graph > Application permissions.

      1. Expand Application and select the checkbox for Application.Read.All (Read all applications).

      2. Click Add permissions to save this configuration.

      3. Click Add a permission again.

10. Click on Grant admin consent for... and click Yes.

...

To allow Windows 10 devices to enroll using Intune, Microsoft Intune Mobility MDM (Mobile Device Management) must be enabled.  

1. Navigate to Azure Active Directory Microsoft Entra > Manage > Mobility (MDM and MAMand WIP)  and and select Microsoft Intune.

2. Change MDM user scope to either All or limit the enrollment access to specific groups with the option Some.

3. Make sure that MAM Windows Information Protection (WIP) user scope is set to None. Mobile Application Management (MAM) must be inactive for Intune to work. 

Configure Trusted certificate profiles

...

1. Navigate to the Azure Endpoint manager (https://endpointintune.microsoft.com/).

2. Navigate to Devices => Manage devices > Configuration Profiles, and select Create profile> 'New Policy'.

3. Perform the following settings:

   1. Set Platform to Windows 10 or later.

   2. Set Profile type to templates.

   3. Select Template name to trusted certificate and click Create.

   4. Enter a profile name and optionally a description, then click Next.

   5. Upload the certificate that should be trusted, in DER format, and specify the 'Destination store'. Then click on next.

      1. For Root CA in trusted root store: upload the root CA certificate and set Destination store to Computer certificate store - Root.

      2. For Root CA in trusted intermediate store: upload the root CA certificate and set Destination store to Computer certificate store - Intermediate.

      3. For Intermediate CA in trusted intermediate store: upload the intermediate CA certificate and set Destination store to Computer certificate store - Intermediate.

   6. Configuring the access rights to this profile can be done either by applying it to all devices or by applying it to a selected group that the users requesting certificates via Intune will be a part of. Once the assignments have been configured click on next.

   7. If no device limitation is required, configuration of the accessibility rules can be skipped. Click on Next to proceed.

   8. Review your settings and verify that they are correct and then click on Create.

...

1. Navigate to the Azure Endpoint manager at (https://endpointintune.microsoft.com/).

2. Navigate to Devices => Manage devices > Configuration Profiles and select Create profile> 'New Policy'.

3. Perform the following settings:

   1. Set Platform to Windows 10 or later.

   2. Set Profile type to templates.

   3. Select Template name to SCEP certificate and click Create.

   4. Enter a Profile name and optionally a Description. Click Next.

   5. The configurations determine the content of the CSR that will be sent to Protocol Gateway and should be adapted per installation.
      However, some settings are mandatory, for example the following:  

      1. Set Certificate type to Device.

      2. Set Key storage provider (KSP) to Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP.

      3. Set Root Certificate to the Root CA Trusted Profile that was configured in the trusted root store.

      4. In Extended key usage, add Client Authentication via the Predefined values.

      5. Set SCEP Server URLs to the Protocol Gateway Intune endpoint:

         Example: Protocol Gateway SCEP Intune endpoint

         Code Block
         httpshttp://example.com:8080/pgwy/scep/intune

   6. Click on Next.

4. Configure the access rights to the profile, either by applying it to all devices or by applying it to a selected group that the users requesting certificates via Intune will be a part of. Click on Next.

5. If no device limitation is required, the configuration of the accessibility rules can be skipped. Click on Next. 

6. Verify the settings and click on Create.

Configure Protocol Gateway SCEP for Intune

Set SCEP properties

To set the properties for the SCEP protocols: 

...

Restart the Tomcat service. 

Enroll Windows 10 device

See the following Microsoft guide on how to enroll Windows 10 devices: https://docs.microsoft.com/en-us/mem/intune/enrollment/quickstart-enroll-windows-device. 

...

• SCEP support in Certificate Manager

• Configuration in Protocol Gateway

• Certificate Manager is now listed as a third party CA software supporting Intune SCEP. For more information, see https://learn.microsoft.com/en-us/mem/intune/protect/certificate-authority-add-scep-overview#set-up-third-party-ca-integration.