How to configure Microsoft Intune MDM to issue SCEP certificates from the Cloudi-Fi PKI

This guide explains how to deploy Cloudi-Fi PKI using Microsoft Intune and SCEP to issue device certificates at scale. Once configured, enrolled devices can automatically request and receive certificates from Cloudi-Fi PKI without manual intervention.

Prerequisites

Before you begin, make sure you have the following access:

Cloudi-Fi tenant

• Cloudi-Fi PKI option enabled

• If not enabled, contact your Cloudi-Fi pre-sales representative

• Configure Cloudi-Fi PKI 

Microsoft Entra ID & Intune

• Permissions to:

  • Register applications in Microsoft Entra ID

  • Configure Intune Device Configuration Profiles

Scope of this documentation

This documentation covers:

• Generating a Certificate Authority (CA) from the Cloudi-Fi Admin Console

• Configuring Microsoft Intune MDM support for SCEP

• Issuing certificates automatically and at scale using Cloudi-Fi PKI

About SCEP

SCEP (Simple Certificate Enrollment Protocol) is a widely adopted protocol that allows devices to securely request and receive certificates from a Certificate Authority (CA). Intune uses SCEP to automate certificate enrollment for managed devices.

Step 1 – Register an application in Microsoft Entra ID

• Sign in to the Microsoft Entra admin center

• Go to App registrations → New registration

• Configure the application:

  • Name: Choose a meaningful name (e.g., Cloudi-Fi PKI SCEP Connector)

  • Supported account types: Accounts in this organizational directory only (Company_name only - Single tenant)

• After creation, in the Overview page, copy and save:

  • Application (client) ID

  • Directory (tenant) ID

    These values are required in Step 2.

Configure API permissions

• Go to API permissions → Add a permission

Permission 1 – Microsoft Graph

• Add a new permission

• Select Microsoft Graph

• Choose Application permissions

• Search for and select:

  • Application.Read.All

• Click Add permissions

Permission 1 – Intune

• Add a new permission

• Select Intune

• Choose Application permissions

• Select:

  • scep_challenge_provider

• Click Add permissions

• Click Grant admin consent for <your_company_name>

Step 2 – Retrieve the Cloudi-Fi certificate authority information

Assuming Cloudi-Fi is configured as the Certificate Authority for NAC provider. 

Retrieve Cloudi-Fi PKI Information

After the NAC provider is created:

• Click the three dots (⋮) next to the NAC provider

• Download the CA certificate (.cer) — this will be used in Intune

• Open View configuration and copy the following values for later steps:

  • SCEP URL

  • OpenID Issuer

  • OpenID Audience

  • OpenID Subject

Step 3 – Configure Federated Credentials in Entra ID

• Go back to Microsoft Entra ID

• Open the App registration created in Step 1

• Navigate to Certificates & secrets → Federated credentials

• Click Add credential

Federated Credential Configuration

• Federated credential scenario: Other issuer

• Issuer: Paste OpenID Issuer (from Cloudi-Fi)

• Subject identifier:

  • Type: Explicit subject identifier

  • Value: Paste OpenID Subject

• Name: Choose a descriptive name (e.g., Cloudi-Fi SCEP Trust)

• Audience: Paste OpenID Audience

Step 4 – Configure Intune Device Configuration Profiles

For each device platform, you must create two configuration profiles:

• Trusted Certificate Profile

• SCEP Certificate Profile

This guide focuses on Windows devices.
The same approach applies to Android and Apple devices.

Profile 1 – Trusted Certificate

• Go to Intune Admin Center

• Navigate to Devices → Manage devices → Configuration

• Click Create new policy

Configuration

• Platform: Windows 8.1 and later

• Profile type: Trusted certificate

• Name: e.g., Cloudi-Fi Root CA

• Upload the CA certificate (.cer) downloaded from Cloudi-Fi

• Destination store: Computer certificate store

• Assign the policy to the required users, devices, or groups

• Click Create

Profile 2 – SCEP Certificate Profile

Create another new policy

Configuration

• Platform: Windows 8.1 and later

• Profile type: SCEP certificate

Example SCEP Configuration (Adapt to Your Needs)

• Certificate type: Device

• Subject name format:

CN={{AAD_Device_ID}},O=org_name

• Certificate validity period: 1 year

• Key storage provider (KSP):

  • Use TPM KSP if available

  • Otherwise, Software Key Storage Provider

• Key usage:

  • Digital signature

  • Key encipherment

• Key size: 2048

• Hash algorithm: SHA-2

• Root certificate:

  • Select the Cloudi-Fi Root CA profile created earlier

• Extended key usage: Any purpose

• Renewal threshold: 20%

• SCEP server URLs:

  • Paste the SCEP URL from the Cloudi-Fi Admin Console

Assign the profile to the same devices or groups and Create the policy.

Step 5 – Verify SCEP Connectivity and Certificate Enrollment

Verify in Intune

• Go to Devices → Manage devices → Configuration

• Ensure there are no policy assignment failures

  • Especially for the Trusted Certificate and SCEP profiles

Verify on a Windows Device

• On an enrolled device, open Manage computer certificates

• Check:

  • Trusted Root Certification Authorities → Certificates

    • Cloudi-Fi Root CA should be present

  • Personal → Certificates

    • A device certificate issued by Cloudi-Fi PKI should be present

Result

Once these steps are completed:

• Devices automatically enroll for certificates via SCEP

• Certificates are issued by Cloudi-Fi PKI

• No manual certificate handling is required

• The setup scales seamlessly across your fleet