Simple Certificate Enrolment Protocol (SCEP)

Simple Certificate Enrolment Protocol (SCEP) is the primary method of automatic certificate enrolment for devices deployed through Microsoft Intune, Autopilot and the Company Portal software. SCEP is also widely used by Linux, mobile and 'Internet of Things' devices such as office phones and printers, because it lets devices with limited capabilities obtain certificates.

The SCEP service allows certificates to be renewed automatically once configured, and in the case of Microsoft Intune you can also issue new device certificate requests. SCEP is defined in RFC 8894, which specifies how a network-connected device can remotely request a certificate from a Certificate Authority (CA).

The process involves a three-step 'handshake' in which the device:
1. Determines the capabilities of the SCEP server.
2. Verifies the authenticity of the server's SCEP certificate.
3. Submits a certificate signing request (CSR) to the CA for issuance.
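The three steps above map onto the GetCACaps, GetCACert and PKIOperation requests of RFC 8894. The following is an added example (not Cogito's code) that works through the client side of steps 1 and 2 offline: it parses a constructed GetCACaps response, picks the strongest advertised digest and cipher (flagging the SHA-1/DES fallback), builds the request URLs against a placeholder server, and checks the GetCACert response against a fingerprint obtained out of band.

```python
import hashlib
from urllib.parse import urlencode

# Constructed GetCACaps response body: one capability keyword per line, as RFC 8894 defines.
CA_CAPS_RESPONSE = "AES\nPOSTPKIOperation\nRenewal\nSHA-1\nSHA-256\nSCEPStandard\n"

# Placeholder SCEP endpoint (assumption, not a real Cogito URL).
SCEP_BASE = "https://scep.example.test/scep"

# Client preference order, strongest first.
HASH_PREF = ["SHA-512", "SHA-256", "SHA-1"]
CIPHER_PREF = ["AES", "DES3"]


def parse_ca_caps(body):
    """Step 1: turn the GetCACaps text response into a set of capability keywords."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def choose_algorithms(caps):
    """Pick the strongest digest/cipher the server advertises. RFC 8894 makes SHA-1/DES
    the fallback when nothing else is listed; report that as weak so it can be logged."""
    digest = next((h for h in HASH_PREF if h in caps), "SHA-1")
    cipher = next((c for c in CIPHER_PREF if c in caps), "DES")
    weak = digest == "SHA-1" or cipher == "DES"
    return digest, cipher, weak


def scep_url(base, operation, message=None):
    """Build the GET form of a SCEP request: <base>?operation=<op>[&message=<msg>].
    (PKIOperation normally goes over POST when POSTPKIOperation is advertised.)"""
    params = {"operation": operation}
    if message is not None:
        params["message"] = message
    return f"{base}?{urlencode(params)}"


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def ca_cert_matches(der_bytes, pinned_sha256_hex):
    """Step 2: accept the GetCACert response only if it matches the fingerprint the
    device was given out of band (e.g. pushed by the MDM profile)."""
    return fingerprint(der_bytes) == pinned_sha256_hex.strip().lower()


if __name__ == "__main__":
    caps = parse_ca_caps(CA_CAPS_RESPONSE)
    print("GetCACaps ->", scep_url(SCEP_BASE, "GetCACaps"), choose_algorithms(caps))
    print("GetCACert ->", scep_url(SCEP_BASE, "GetCACert", "ca-ident"))
```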

Microsoft Intune also offers the ability to use NDES (Network Device Enrollment Service) instead of SCEP, but this method is becoming less popular due to a number of limitations with this connection method. Cogito used to provide an NDES-based service, but this has been retired in favour of the SCEP service.

Cogito is a Microsoft third-party certification authority partner. You can learn more about adding the Cogito Group certification authority in Intune from the Microsoft Learn page "Use third-party certification authorities (CA) with SCEP in Microsoft Intune".
