NDES SCEP for intune device certs - do we really need an Ent CA

Question

We have AAD joined devices.
We do have on-prem capability but have tried to minimise the requirement to have an Active Directory given most resources users access are cloud only.

However, we now wish to use NDES server - SCEP to deliver device certificates via Intune to our devices.
This is to use certificate authentication on our WiFi.

We had wanted to use a standalone CA, standalone NDES server but I understand we must have a Ent CA in this scenario, thus dictating an Active Directory which is what we wanted to avoid!

Is there no way of doing this (apart from SCEPMan cloud cert) without having an Ent CA? Is the Ent CA required for certain fields in the cert template for intune devices, as otherwise we were going to place the NDES on the same standalone server as the CA.

Appreciate comments.

thanks
James

Answer 1

Is there no way of doing this (apart from SCEPMan cloud cert) without having an Ent CA?

That's correct. Microsoft NDES works only with Enterprise CAs, which in turn require real Active Directory (not AAD).

Is the Ent CA required for certain fields in the cert template for intune devices

Enterprise CA is necessary for both, NDES itself and device certificates too. Normally, SCEP clients generate minimalistic CSRs with subject and public key. They often do not specify additional information about requested certificate. Certificate Template is used to instruct CA what extension and other information to include in issued certificates.

as otherwise we were going to place the NDES on the same standalone server as the CA.

NDES won't work with Standalone CA even if both installed on same machine.