Skip to content

Part 1 – Deploy certificates to mobile devices using Microsoft Intune NDES – Overview

With the recent updates of Microsoft Intune it is possible now deploying certificate profiles using Network Device Enrollment Service (NDES) to mobile devices.

In this blog series I’ll cover the different aspects of certificate enrollment proces by using Microsoft Intune (standalone).


Before going in details about NDES and hereby an brief overview of how NDES process works in relation to Microsoft Intune.

Microsoft Intune Standalone NDES

  1. Administrator configures SCEP Certificate Profile (policy) in Microsoft Intune. The cert policy are used to create the challenge for the device(s). Challenge is based on a number of variables, an important one is the requestor (alias) that can not be tampered with the profile.
  2. Policy (profile) is pushed instantly to mobile devices by Microsoft Intune. This policy contains the URL of the NDES server as well as the challenge generated by Microsoft Intune.
  3. Device contacts the NDES server using the URL from #3 and provides the challenge response. (This is why your NDES server needs to be available externally in some way)
  4. NDES Server (using Microsoft Intune NDES connector) talks to the Certificate Registration Service to validate the challenge.
  5. The Certificate Registration Service on the NDES server has access to the necessary certificate to decrypt and inspect the challenge to verify the CSR (Certificate Signing Request) was not tampered with.
  6. Microsoft Intune responds to NDES server with “true” or “false” to challenge verification (Again, over 443 SSL).
  7. If challenge is OK then the NDES server communicates with the CA to get a certificate for the device. You’ll need to make sure that the appropriate ports are open between NDES and CA for this to happen.
  8. NDES delivers certificate to mobile device. Private key is generated on the device and marked as non-exportable.

NDES: Microsoft Intune vs. Configuration Manager 2012 R2

It was already possible for Configuration Manager 2012 R2 + Microsoft Intune (UDM) administrators to deploy certificate profiles. Both scenarios shares on-premise infrastructure components such as a Domain Controller (ADDS), Certificate Authorithy (ADCS) and Network Device Enrollment Service (NDES). In a Microsoft Intune standalone scenario no such components like Microsoft Intune connector and Certificate Registration Point (CRP) are required. In other words less infrastructure components

Key difference is the role of certificate registration service. In a hybrid UDM scenario the certificate registration service is a site system role (CRP) in Configuration Manager 2012 R2 where in a standalone scenario the certificate registration service is part of the Microsoft Intune NDES connector installation installed on NDES server.


NDES allows mobile devices running without domain credentials to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP). The user certificates can be used for managing company resources (E-mail, WiFi- and VPN profiles) instead of using user name + password. This existing technique is recently emphatically re-evaluated by the use and application for mobile device management in relation to BYOD scenarios.

Certificate profiles in Microsoft Intune work with Active Directory Certificate Services and the Network Device Enrollment Service role to provision authentication certificates for managed devices so that users can seamlessly access company resources. For example, you can create and deploy certificate profiles to provide the necessary certificates for users to initiate VPN and wireless connections.

Certificate profiles in Intune provide the following management capabilities:

  • Certificate enrollment and renewal from an enterprise certification authority (CA) for devices that run iOS, Windows 8.1, Windows Phone 8.1 and Android, These certificates can then be used for Wi-Fi and VPN connections.
  • Deployment of trusted root CA certificates and intermediate CA certificates to configure a chain-of-trust with devices for VPN and Wi-Fi connections when server authentication is required.
  • Monitor and report about the installed certificates.

Certificate profiles can automatically configure user devices so that company resources such as Wi-Fi networks and VPN servers can be accessed without having to install certificates manually or use an out-of-band process. Certificate profiles can also help to keep company resources secure because you can use more secure settings that are supported by your enterprise public key infrastructure (PKI). For example, you can require server authentication for all Wi-Fi and VPN connections because you have provisioned the required certificates on the managed devices.

There are two types of certificate profile in Intune:

  • Trusted CA certificate – Allows you to deploy a trusted root CA or intermediate CA certificate to form a certificate chain-of-trust when the device is authenticated by a server.
  • Simple Certificate Enrollment Protocol (SCEP) settings – Allows you to request a certificate for a device or user, by using the SCEP protocol and the Network Device Enrollment Service on a server running Windows Server 2012 R2.

In the next blog – part 2 – I will cover the prerequisites and installation of the Microsoft Intune NDES connector.


Network Device Enrollment Service (NDES) in Active Directory Certificate Services (AD CS)

SCEP certificate enrolling using ConfigMgr 2012, CRP, NDES and Windows Intune

Enable access to company resources using certificate profiles

8 thoughts on “Part 1 – Deploy certificates to mobile devices using Microsoft Intune NDES – Overview Leave a comment

    • It’s twofold when using NDES publicly, which you does. Your server which is hosting NDES role should be (preferred) by reversed proxy or directly. The URL must be publicly accessible from your clients/end-points.

      Regards, Ronny

  1. FYI, the Certificate Connector actually does not forward the challenge to Intune. It forwards it to the Certificate Registration Service, which is located on the NDES server itself.

    The challenge was originally generated and encrypted by the Intune server which the device connected to. The Certificate Registration Service on the NDES server has access to the necessary certificate to decrypt and inspect the challenge to verify the CSR (Certificate Signing Request) was not tampered with.

  2. I have found the articles here very useful to help describe and document the NDES User certificate solution for our environment. We have implemented and can happily deploy user certs to our mobile devices (iOS & Android) for Authentication against our on-premises Exchange Infrastructure. We are now wishing to use Apple DEP for automated enrolment, but finding that the user certificates are NOT being deployed.

  3. hi,
    Do you know which encryption mechanism is used to encrypt the challenge generated by Intune in this process?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: