How Intune SCEP Works
What is SCEP
Before we get started we must understand what is Simple Certificate Enrollment Protocol (SCEP). SCEP is a certificate enrollment standard that enables devices to issue certificates by using a key provided by a 3rd party. The Certificate Authority (CA) must be able to communicate with this trusted third party (in this case Intune) to validate that the key provided by the device is allowed to request a certificate.
How to Connect an On-Premises SCEP CA to Intune
If you already have an on-premises AD with an ADCS CA, Microsoft has a guide on the other services you must add to issue certificates with Intune SCEP.
How to Create SCEP Certificates for Intune Using an Azure Based Certificate Authority
However, if you are using Intune you are probably trying to move away from legacy on-premise technology and move your security to the cloud. To create a secure and compliant CA for Intune, you can use EZCA the Azure based PKI (How to get EZCA in Azure). EZCA connects to Intune using their Third Party APIs and enables you to create SCEP certificates for intune without the overhead of managing a complex PKI.
How Intune SCEP Certificate Issuance Works
Intune starts the certificate creation workflow by: sending a challenge to the client device, then the device creates a private key and a Certificate Signing Request (CSR) and sends it with the challenge to EZCA, EZCA then validates with intune wether this request is valid, once Intune approves the request, EZCA creates the certificate and Intune installs the resulting certificate in the device.
Next Steps
Now that we know how it works it is time to create your first Intune CA