Microsoft Intune Device Certificate Enrollment

This guide provides instructions for enrollment and validation of Microsoft Intune device certificates using EJBCA. This requires using the open source Intune EJBCA Connector SCEP server that utilizes the EJBCA SOAP API.

SCEP Management Solution

Microsoft Intune provides a SCEP management solution using an open source library with API's that allow third-party CAs to issue and validate certificates.

For more information, refer to the Microsoft docs on Use APIs to add third-party CAs for SCEP to Intune.


This integration guide uses the Intune EJBCA Connector SCEP server,, to perform certificate enrollment and validation with Microsoft Intune and EJBCA.

Intune requires the SCEP server to do an Active Directory (AD) lookup for the user before generating a certificate. This Intune EJBCA connector SCEP server does this and then makes a SOAP API call to EJBCA for certificate issuance.

The Microsoft Intune Device Certificate Enrollment is configured in the following steps:

  1. Configure EJBCA Server
  2. Configure Intune
  3. Configure Intune EJBCA Connector Server

Note that this guide covers Windows 10 device enrollments. For more information on requirements, see Certificate Enrollment Requirements.