Home Blog Configuring SCEP Profiles in Intune: A High-Level Overview

Configuring SCEP Profiles in Intune: A High-Level Overview

Network administrators are starting to realize the benefits of digital certificates, which offer greater cryptographic protection than passwords and usernames. But issuing certificates smoothly remains a problem, especially for teams managing many devices. For organizations using Microsoft Intune as their MDM, it is critical to configure the integration between Intune and the Certificate Authority (CA) […]

Secure Your Devices: Configuring SCEP Profiles in Intune Explained
Key Points
  • SCEP streamlines the certificate issuance process using an API to facilitate secure communication between clients (your managed devices) and your Public Key Infrastructure.
  • SCEP has some vulnerabilities. Using the Intune Third Party CA method is safer because it verifies devices in Intune before distributing SCEP certificates.
  • Intune SCEP Profiles can be used to issue user certificates or device/machine certificates, depending on the configuration settings.
  • Our JoinNow Suite helps you deploy SCEP Gateway API URL with Intune by creating private intermediate CA and CSR, customized templates, and a policy engine.

Network administrators are starting to realize the benefits of digital certificates, which offer greater cryptographic protection than passwords and usernames. But issuing certificates smoothly remains a problem, especially for teams managing many devices.

For organizations using Microsoft Intune as their MDM, it is critical to configure the integration between Intune and the Certificate Authority (CA) correctly for the successful issuance of both user and device certificates. SCEP (Simple Certificate Enrollment Protocol) facilitates this process by automatically enrolling managed devices with digital certificates without any end-user interaction.

In this article, we will explain simple procedures to configure the SCEP profile with Intune for your organization.

Prerequisites for Configuring a MEM Intune SCEP Profile

Before beginning, you must have:

You must create a Trusted Certificate Profile for the devices you intend to use for the SCEP configuration. This trusted certificate profile helps in the deployment of the root CA or intermediate CA on the device. It also helps in establishing trust between the device and the issuing CA.

To create a Trusted Certificate Profile, you need to configure your PKI with MEM Intune. For that, you can either use any of the following methods:

  • Intune Third-party CA Partner
  • Intune SCEP API token

We recommend using the Intune Third-party CA method because it checks the device’s authorization in Intune before distributing SCEP certificates, while the API token method does not.

Also, API Token SCEP Integration is relatively vulnerable because it works on a shared secret and an SCEP URL. The shared secret is essentially a preshared key that is visible within the URL, which makes this method riskier than necessary.

Attributes in SCEP (Simple Certificate Enrollment Protocol) Certificates

Screenshot showing SCEP certificate attribute configuration settings in Intune.

SCEP protocol in Intune enables you to customize your CA certificate using various attributes that suit your organization’s needs. Let’s discuss these attributes in the certificate template and how to use them before configuring the Intune SCEP profile.

The certificate template attributes include:

  • Certificate type
  • Subject name format
  • Subject alternative name
  • Certificate validity period
  • Key storage provider
  • Key usage
  • Key size (bits)
  • Hash algorithm
  • Root certificate
  • Extended key usage

Certificate Type

In Certificate Type, you can decide where you want to store the certificates, whether the device store or the user store. Likewise, the attributes mapped by selecting users/devices also vary accordingly in the subsequent steps.

Subject Name Format

In this section, you can choose how Intune creates the subject alternative name (SAN) in the certificate request. You can select any attributes to use one of the following attributes in the given format.

  • Email address : {{User Name}}
  • Email address : {{UserPrincipalName}}
  • Email address : {{AAD_Device_ID}}

Subject Alternative Name

Subject alternative name selection

In this section, you can choose an Email address as the Attribute as SecureW2 supports RFC 822 standards, and the Email address forms an integral part of it. Using a semicolon, you can even configure more than one value in the Value section.

Certificate Validity Period

As an admin, you must have predefined the validity of your certificate so that value will be automatically used by Intune while issuing the certificate.

Key Storage Provider

Key storage provider selection options include Enroll in Trusted Platform Module (TPM) KSP or Software KSP.

In this section, you can decide where to store the certificate’s key. In most cases, we advise choosing Enroll in Trusted Platform Module (TPM) KSP if present; otherwise, Software KSP because the other options require the availability of TPM module (hardware) in your system, which might not be present in every system.

Key Usage

Select both Key Encipherment and Digital Signature for best certificate security.

As a good practice, you must choose both the options in this section that include the following options.

  • Key encipherment: It allows key exchange only when the key is encrypted.
  • Digital signature: It allows key exchange only when a digital signature protects the key.

Key Size (Bits)

When choosing key size, select the maximum size available.

It is a good practice to choose the maximum size (bits) in this section which is 2048.

Hash Algorithm

Select the highest level of security when choosing the hash algorithm for SCEP certificates.

You can choose the most substantial level of security that the connecting devices support, i.e., SHA-2.

Root Certificate

Select the appropriate intermediate and root certificates of the issuing CA.

In this section, you can put the Intermediate and Root certificates of the issuing CA. For example, if the certificates are issued to the client by the SecureW2 Intermediate, then you need to choose the SecureW2 Root and Intermediate CA option.

Extended Key Usage

In this section, you can decide the purpose of your certificate based on your organization’s needs. This section gives you the leverage to choose various purposes for your certificate like client authentication, server certificate, and so on.

Select the appropriate extended key usage for your certificate.

Object Identifier

The Object Identifier (OID) indicates the purpose of your certificate. There are different OID values for different purposes, which are static across the entire cycle of certificate configuration.

For example, client and server authentication will have a different OID, enabling the RADIUS server to distinguish the certificates based on their unique IDs as their unique purposes are defined.

SCEP Profile for PKI Certificate Requests

The SCEP Profile is vital for communication with the PKI issuing CA certificates to enroll end-user certificates. Once the end-user certificate is enrolled successfully, the certificate is used to connect to the Wi-Fi network.

Creating a SCEP Certificate Profile

Create a SCEP certificate using a template.

  • Sign in to the Microsoft Endpoint Manager
  • Select Devices > Configuration profiles > Create profile.
  • From the Platform drop-down list, select the device platform for this SCEP certificate. You can choose one of the following platforms for device restriction settings:
    • Android
    • iOS
    • macOS
    • Windows 10 and later
  • From the Profile Type drop-down list, select Templates and then choose SCEP certificate. Click Create.Create a SCEP certificate using a template.
  • Note: You must create a separate profile for each Operating System platform. The steps to create trusted certificates are similar for each device platform.
  • On the SCEP certificate page, type a name and description for the SCEP Certificate profile and click Next.

    SCEP certificate basic configuration includes a name and a description.

  • For Certificate Type – User, use the following settings:
    • Certificate type: Select User for user certificates.
    • Subject name format: Choose how Microsoft Intune creates the subject name in the certificate request. Select one of the following options:
      • CN={{UserName}}
      • CN={{EmailAddress}}
      • CN={{UserPrincipalName}}
    • Subject alternative name: Choose how Microsoft Intune creates the subject alternative name (SAN) in the certificate request. We advise customers to use one of the following attributes in the given format:
      • Email address : {{User Name}}
      • Email address : {{UserPrincipalName}}
      • Email address: {{AAD_Device_ID}}
      • Note: To test if attributes are configured correctly, check the General Events section in the SecureW2 Management Portal for any event messages, such as Device Creation Failed, which indicates that the attributes are not correctly mapped.
    • Key storage provider (KSP) (Windows Phone 8.1, Windows 8.1, and later): Select where the certificate’s key is to be stored. Choose the following value:
      • Enroll in Trusted Platform Module (TPM) KSP if present; otherwise, Software KSP
    • Key usage: Enter the key usage options for the certificate. Select both options:
      • Key encipherment: Allow key exchange only when the key is encrypted.
      • Digital signature: Allow key exchange only when a digital signature protects the key.
    • Key size (bits): Select the number of bits in the key. Select the largest bit size.
    • Hash algorithm (Android, Windows Phone 8.1, Windows 8.1, and later): Select SHA-2, the strongest level of security that the connecting devices support.
      • Note: Certificate type is not a setting on Android SCEP Profiles. You must create a separate profile for each OS platform. The steps to create trusted certificates are similar for each device platform.
  • Root Certificate: Click the + sign and choose the profile created earlier (Trusted Certificate Profile for SecureW2 Issuing CA).
  • Extended key usage: Add values for the certificate’s intended purpose. In most cases, the certificate requires Client Authentication so that the user or device can authenticate to a server. From the Predefined values drop-down list, select Client Authentication.
  • Enrollment Settings
    • Renewal threshold (%): Enter the percentage of the certificate lifetime that remains before the device requests renewal of the certificate. The default value is 20%.
    • SCEP Server URLs: Enter the Endpoint URI available in the MEM Intune CA IdP.
  • Select Next and assign the profile to appropriate Groups and Rules, review it, and click Create.

Final steps to create a SCEP certificate profile.

  • For Certificate Type – Device, use the following settings:
    • Certificate type: Select Device certificate for scenarios such as user-less devices, for example, kiosks, or for Windows devices, placing the certificate in the Local Computer certificate store.
    • Subject name format: Choose how Microsoft Intune creates the subject name in the certificate request. Select one of the following options:
      • CN={{DeviceName}}
      • CN={{AAD_Device_ID}}
    • Subject alternative name: Choose how Microsoft Intune creates the subject alternative name (SAN) in the certificate request. We advise customers to use one of the following attributes in the given format:
      • Email address: {{DeviceName}}
      • Email address: {{AAD_Device_ID}}
      • Note: To test if the attributes are configured correctly, check the General Events section in the JoinNow Management Portal for any event messages, such as Device Creation Failed, which indicates that the attributes are not correctly mapped.
    • Key storage provider (KSP) (Windows Phone 8.1, Windows 8.1, and later): Select where the key to the certificate is stored. Choose the following value:
      • Enroll in Trusted Platform Module (TPM) KSP if present otherwise, Software KSP
    • Key usage: Select the key usage options for the certificate. Select both the options:
      • Key encipherment: This allows key exchange only when the key is encrypted.
      • Digital signature: Allows key exchange only when a digital signature helps protect the key.
    • Key size (bits): Select the number of bits contained in the key. Select the largest bit size.
    • Hash algorithm (Android, Windows Phone 8.1, Windows 8.1, and later): Select SHA-2, the strongest level of security that the connecting devices support.
    • Root Certificate: Click the + sign and choose the profile created earlier.
    • Extended key usage: Add values for the certificate’s intended purpose. In most cases, the certificate requires Client Authentication so the user can authenticate to a server. From the Predefined values drop-down list, select Client Authentication.

      Steps to create a device SCEP certificate in Intune.

    • Enrollment Settings
      • Renewal threshold (%): Enter the percentage of the certificate lifetime that remains before the device requests renewal of the certificate.
      • SCEP Server URLs: Enter the SCEP URL generated from the SecureW2 Management Portal.
  • Select Next and assign the profile to appropriate Groups under Assignment
  • Select Next apply Rules under Applicability Rules.

  • Review it and click Create.

After configuring SCEP integration for Intune, you can use Intune’s built-in Wi-Fi settings to deploy to users and devices. For that, you must configure the appropriate Wi-Fi settings so the certificate can connect to the desired server automatically.

You can use the SCEP-enrolled certificate to configure the desired devices for EAP-TLS authentication by adding the SCEP URL to the Intune devices so that the SCEP gateway can deploy the necessary configurations.

If you’re having trouble with your SCEP configuration, our SCEP Profile Troubleshooting Guide explains the most common errors and how to fix them.

The Top Managed PKI (MPKI) Solution for Intune

To successfully manage the entire certificate lifecycle, you must back your MDM with a robust PKI for certificate enrollment (and future management). Otherwise, you will end up manually deploying each certificate, which can cause a substantial financial burden, not to mention a high risk of misconfiguration.

The good news is that SecureW2, with its Cloud Managed PKI, is compatible with all major vendors like Intune and Jamf. It’s also built to integrate into your existing architecture, eliminating the need for costly infrastructure overhauls.

 

How the SecureW2 managed PKI works with MDM and EDM providers, including Intune and Jamf, to to simply issuance, configuration, and management of SCEP certificates.

Our PKI auto-enrolls managed devices for passwordless certificate-based authentication and can deploy certificates through any MDM via our powerful API Gateways. Also, our user-friendly management portal allows you to address the entire lifecycle of certificates by offering numerous certificate management features, such as certificate revocation. You can even customize your certificates with dozens of policies in our management portal, creating authentication solutions to suit your specific needs.

For Intune and Jamf, we also provide a unique feature that enables auto-revocation certificates on expiry. We are constantly upgrading and improving our products to keep our customers secure. If your organization uses Intune and wants to simplify SCEP enrollment, request a demo to see how SecureW2 can help.

Frequently Asked Questions

What is an Intune SCEP profile?

An Intune SCEP profile is a configuration profile used to automatically request and deploy certificates to managed devices through the Simple Certificate Enrollment Protocol (SCEP). Organizations commonly use Intune SCEP profiles to support certificate-based authentication for Wi-Fi, VPNs, applications, and wired networks without requiring users to manually install certificates.

How does SCEP work with Intune?

Intune uses SCEP to automate certificate enrollment for managed devices. After an administrator creates and assigns a SCEP profile, Intune delivers the configuration to the device. The device then sends a certificate request to a SCEP server or certification authority (CA), which validates the request and issues a certificate. The certificate is installed automatically and can then be used for secure authentication methods such as EAP-TLS.

What is SCEP used for?

SCEP is used to simplify and automate certificate enrollment and management for devices. Organizations commonly use SCEP to deploy certificates for:

  • WPA2/WPA3-Enterprise Wi-Fi authentication
  • VPN authentication
  • Wired 802.1X authentication
  • Device identity and compliance
  • Secure access to enterprise applications

SCEP helps eliminate manual certificate installation while improving scalability and security.

What devices support Intune SCEP profiles?

Microsoft Intune supports SCEP certificate deployment across many platforms, including:

  • Windows
  • macOS
  • iOS and iPadOS
  • Android

Supported features and configuration options may vary depending on the operating system and device management method.

Is SCEP secure?

SCEP can provide strong security when properly configured alongside a trusted PKI and certificate authority. Modern deployments often combine SCEP with certificate-based authentication methods such as EAP-TLS to eliminate password-based authentication risks. Organizations can further improve security by using trusted device validation, strong cryptographic algorithms, and automated certificate lifecycle management.

Vivek Raj

Vivek Raj has over 8 years of experience in cybersecurity, enterprise SaaS, and technical product marketing, with deep expertise in PKI, RADIUS, 802.1X, and Zero Trust security frameworks. At SecureW2, he works closely with Content, Product, and Marketing teams to translate complex security challenges into practical guidance for customers and IT leaders. Vivek specializes in making advanced identity and network security concepts clear, actionable, and business-focused. He also holds the IBM AI Product Manager Professional Certificate. Besides writing, you can find him watching (or even playing) soccer, tennis, or his favourite cricket.

Learn More About SecureW2

Why SecureW2

Establish continuous trust with Dynamic PKI and Cloud RADIUS. Enforce access based on live identity, device posture, and risk context.

  • Passwordless authentication that can't be phished
  • Works with your IdP, MDM, and security stack
  • Real-time policy engine for dynamic access control
Learn More
Explore the Platform

Get the essentials on the products that power continuous enforcement.

SecureW2 JoinNow Platform
SecureW2 Dynamic PKI
SecureW2 Cloud RADIUS
MultiOS for Self-Service Onboarding
Integration Hub
Knowledge Base Articles

Explore practical guidance from engineers and admins deploying SecureW2.

  • Setup and configuration tutorials
  • Integration best practices with IdPs and MDMs
  • Troubleshooting guides for PKI and RADIUS
Browse Explainers

Related Articles

Learn how to migrate from NDES to cloud SCEP to eliminate on-prem infrastructure and simplify certificate delivery.
Integrations May 21, 2026
Migrating From NDES to Cloud SCEP: A Step-by-Step Guide for Intune Admins

If you are planning an NDES to cloud SCEP migration, you are not alone. Many Intune admins are working through this same transition as on-premises public key infrastructure (PKI) systems...

By Vivek Raj 5 min read
CRLs: Instantly block revoked certificates, stay secure!
PKI/Certificates May 20, 2026
What is a Certificate Revocation List (CRL)? OCSP, CRL, SSL

A CRL certificate check is one of the most basic safeguards in public key infrastructure (PKI). When a digital certificate is compromised, incorrectly issued, or no longer trusted, the certificate...

By Vivek Raj 5 min read
Self-signed = self-sabotage..
Risks & Threats May 20, 2026
Self-Signed Certificates: Risks, Use Cases, and Safer Alternatives

A self-signed certificate is one that is signed by the same entity that created it, rather than by a trusted Certificate Authority (CA). Self-signed certificates provide encryption but offer no...

By Amanda Tucker 4 min read
Android Pushes For Adopting Certificate-based EAP-TLS Implementation.
PKI/Certificates May 20, 2026
Android 11 Server Certificate Validation Error and Solution

*Updated Feb 2021 The dust has settled on the Dec 2020 Android 11 update and, for better or worse, the effects on network authentication have not been as drastic as...

By Vivek Raj 3 min read
Certificates Made Easy for Azure AD.
Integrations May 20, 2026
How to Integrate with Entra ID For Effective Certificate Management

The transition from on-premise Active Directory (AD) to cloud-based Azure AD (Microsoft Entra ID) can be tricky, leaving Azure admins searching for an easy way to migrate. Unlike AD, there...

By Anusha Harish 5 min read
WPA2 vs 802.1X: Understanding the Key Differences in Wi-Fi Security
Wi-Fi & Wired Security May 20, 2026
WPA2 vs 802.1X: What’s the Difference?

Nowadays, there are numerous methods and types of encryption used to secure networks. Businesses should look beyond using WPA2-PSK, which isn’t secure enough for their needs. It’s easy to get...

By Vivek Raj 3 min read