NDES SCEP for intune device certs - do we really need an Ent CA

Turpin, James 21 Reputation points
2020-09-21T10:55:26.633+00:00

We have AAD joined devices.
We do have on-prem capability but have tried to minimise the requirement to have an Active Directory given most resources users access are cloud only.

However, we now wish to use NDES server - SCEP to deliver device certificates via Intune to our devices.
This is to use certificate authentication on our WiFi.

We had wanted to use a standalone CA, standalone NDES server but I understand we must have a Ent CA in this scenario, thus dictating an Active Directory which is what we wanted to avoid!

Is there no way of doing this (apart from SCEPMan cloud cert) without having an Ent CA? Is the Ent CA required for certain fields in the cert template for Intune devices? Otherwise we were going to place the NDES on the same standalone server as the CA.

Appreciate comments.

thanks
James

Windows Server Security
Microsoft Intune Configuration

Accepted answer
Vadims Podāns 8,866 Reputation points MVP
2020-09-21T13:06:26.42+00:00

    Is there no way of doing this (apart from SCEPMan cloud cert) without having an Ent CA?

    That's correct. Microsoft NDES works only with Enterprise CAs, which in turn require real Active Directory (not AAD).

    Is the Ent CA required for certain fields in the cert template for intune devices

    An Enterprise CA is necessary for both NDES itself and the device certificates. Normally, SCEP clients generate minimalistic CSRs with only a subject and a public key. They often do not specify additional information about the requested certificate. The certificate template is used to instruct the CA what extensions and other information to include in issued certificates.

    as otherwise we were going to place the NDES on the same standalone server as the CA.

    NDES won't work with a Standalone CA even if both are installed on the same machine.

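The accepted answer comes down to one checkable fact: the CA that NDES will request from must be an Enterprise CA (domain-joined, with certificate templates), not a Standalone CA. The following PowerShell is an added example, not code from the thread or from Microsoft, that a practitioner can run on the AD CS host before building out NDES to confirm this. It assumes the CertSvc configuration lives under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration with the CAType codes 0/1 for Enterprise and 3/4 for Standalone CAs, that the NDES role service is named ADCS-Device-Enrollment, and that it runs in an elevated session on the CA itself.

```powershell
# Added example, not part of the Q&A thread: pre-deployment check that the local
# AD CS instance is an Enterprise CA, which NDES requires, rather than a Standalone CA.
# Assumptions (verify against your AD CS version): CertSvc registry layout, CAType
# codes 0/1 = Enterprise, 3/4 = Standalone, NDES feature name ADCS-Device-Enrollment.

function Get-CAKind {
    $configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path $configKey)) {
        return [pscustomobject]@{ Installed = $false; CAName = $null; CAType = $null; Kind = 'No CA on this host' }
    }
    # 'Active' names the CA instance; its subkey holds the CAType value.
    $caName = (Get-ItemProperty -Path $configKey -Name Active).Active
    $caType = (Get-ItemProperty -Path (Join-Path $configKey $caName) -Name CAType).CAType
    $kinds = @{ 0 = 'Enterprise Root CA'; 1 = 'Enterprise Subordinate CA';
                3 = 'Standalone Root CA'; 4 = 'Standalone Subordinate CA' }
    $kind = if ($kinds.ContainsKey([int]$caType)) { $kinds[[int]$caType] } else { "Unknown CAType $caType" }
    [pscustomobject]@{ Installed = $true; CAName = $caName; CAType = [int]$caType; Kind = $kind }
}

function Test-NdesReadiness {
    $ca = Get-CAKind
    if (-not $ca.Installed) { Write-Warning $ca.Kind; return $false }
    Write-Host ("CA '{0}' is a {1}" -f $ca.CAName, $ca.Kind)

    # NDES only works against an Enterprise CA: the template supplies the EKU, SAN and
    # other extensions that a minimal SCEP CSR (subject + public key) does not carry.
    $isEnterprise = $ca.CAType -in 0, 1
    if (-not $isEnterprise) {
        Write-Warning 'NDES requires an Enterprise CA; a Standalone CA has no certificate templates.'
    }

    # Enterprise CAs publish templates; a Standalone CA has none to list.
    Write-Host 'Templates published on this CA:'
    & certutil.exe -CATemplates 2>&1 | ForEach-Object { Write-Host "  $_" }

    # Is the NDES role service already present on this host?
    $ndes = Get-WindowsFeature -Name ADCS-Device-Enrollment -ErrorAction SilentlyContinue
    if ($ndes) { Write-Host ("NDES role installed: {0}" -f $ndes.Installed) }

    # The underlying dependency is AD DS membership (Azure AD join alone is not enough).
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    Write-Host ("Host domain-joined: {0} ({1})" -f $cs.PartOfDomain, $cs.Domain)

    return $isEnterprise
}

Test-NdesReadiness
```

Run it on the CA host; a `$false` result with the warning is the situation the question describes (Standalone CA, no AD DS), and the template listing makes the answer's point visible: there is nothing on a Standalone CA for NDES to hand the SCEP request to.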
