
Microsoft Intune Device Certificate Enrollment


This guide provides instructions for enrolling and validating Microsoft Intune device certificates using EJBCA. Intune can connect directly to the EJBCA RA and is set up as a SCEP alias.

SCEP Management Solution

Microsoft Intune provides a SCEP management solution using an open-source library with APIs that allow third-party CAs to issue and validate certificates.

For more information, refer to the Microsoft docs on Use APIs to add third-party CAs for SCEP to Intune.


Intune requires the SCEP server to do an Active Directory (AD) lookup for the user before generating a certificate. The EJBCA connector does this by connecting to Intune to validate the SCEP request before the certificate is issued.

The Microsoft Intune Device Certificate Enrollment is configured in the following steps:

  1. Configure EJBCA Server
  2. Configure Intune

Note that this guide covers Windows 10 device enrollments. For more information on requirements, see Certificate Enrollment Requirements.
