Always On VPN User Tunnel with Intune on AADJ Device – Part 2 – SCEP Profile

Time needed: 10 minutes

This steps are executed on Microsoft Endpoint Manager admin center (https://devicemanagement.microsoft.com/) in Devices, Configuration profiles.

1. Create profile: Trusted certificate

   Upload your Root certificate to Intune (.cer File) and assign that to the users / devices where you want to enroll the VPN User Certificate.

2. Create profile: SCEP certificate

   

3. Basics: Choose a name for your SCEP certificate

   

4. Configuration settings: Configure the settings as follows

   Certificate type: User
   Subject name format: Custom
   Custom: CN={{OnPrem_Distinguished_Name}}
   Subject alternative name: User principal name (UPN)
   Certificate validity period: Years 1 (or according your needs)
   Key storage provider (KSP): Enroll to Trusted Platform Module (TPM) KSP, otherwise fail
   Key usage: It depends on which Registry Key value you have assigned the Certificate Template
   SignatureTemplate =Digital Signature, EncryptionTemplate = Key Encipherment, GeneralPurposeTemplate = Select both
   Key size (bits): 2048
   Hash algorithm: SHA-1
   Root Certificate: Select the certificate you have previously uploaded.
   Extended key usage: Select Client Authentication from Predefined values
   Renewal threshold (%): You can leave that with 20
   SCEP Server URLs: Here you can add your NDES URL(s)
   
   

5. Assign the SCEP profile to the desired users group

6. Wait until the Intune policy applied on your device and check if the certificate appears in the Users Certificate Personal Store.