Deploy unique computer certificates using Intune/SCEP/NDES
We want to deploy unique device certificates to our Windows 10 devices using Intune/SCEP/NDES. At the moment we can only deploy user certificates.
The story behind this idea is as follows:
We are using shared Windows 10 devices and a wireless environment that uses certificate authentication. Because of the shared devices and the possibility that the user never logged on to the device yet, we want the wireless profile to be connected before user logon. And that requires a unique computer certificate.

As of the October 2018 release, SCEP certificates can be issued to devices, including user-less devices such as kiosks.
https://docs.microsoft.com/en-us/intune/whats-new#week-of-october-1-2018
We hope this delivers what you need! Thanks for your feedback and support!
21 comments
-
Jean-Philippe Lucas commented
As suggested by another person, is it possible to extend this possibility to PKCS deployment profiles?
-
João Ribeiro commented
It's available for Windows 10 Device Configuration Profiles, but what about macOS? Is it going to be available as well?
-
Nik Magashi commented
Is it possible to deploy certificates to printers using this feature via Intune?
-
Uwe commented
We do also need this for about 1000 AAD joined Windows 10 devices.
-
Dieter commented
Need this for headless robots
-
Ash Hoque commented
I would like to see this extended beyond Windows devices and include Android and iOS
-
Anonymous commented
Any update? This is holding up adoption anywhere where networks will only talk to trusted devices.
-
Andriy Dovbnya commented
any updates so far? it actual option
-
Sudarshan commented
@Cathy Moya - can you confirm if this unique device cert can be deployed to Shared iOS device before deploying in kiosk mode (they will be DEP devices)?
-
Roland Zink commented
We need this for wifi access -> over 2000 devices
-
Angelo Casanova commented
Need this
-
anonymous commented
Need this for WiFi configuration.
-
Anonymous commented
Any news around this feature?
-
Kyle Williams commented
This is a necessary feature to use the AlwaysOn VPN Pre-logon tunnel.
-
Rikard Strand commented
Also add support for PKCS deployment profiles.
-
Jason Schuler commented
I am currently running into a need for this. I have Windows 10 devices running the Intune Software client that have conflicts with my Computer certificate auto-enroll GPO. This is causing the software client to crash and do me no good. I’m being told to manage Windows 10 as mobile devices but will then lose the ability to deploy my WiFi profile using computer cert authentication. If it’s not one thing it’s another...
-
Andreas Norling commented
I would very much like to be able to deploy computer/device certificates as well. As other people have mentioned, I would like the device to be able to connect to our wifi before any user has logged in to it.
-
Oliver Kieselbach commented
Indeed, and in troubleshooting cases this is good also. Imagine a Win10 AAD joined device. Now you get logon problems with the logon of the owner. To log on with a different user you need an internet connection (Wi-Fi), but you won't get one as it's bound to the user cert at the moment. With a device cert this would be no problem!
-
Anonymous commented
Yes!! This would be very nice!
-
Andre Potters commented
We are using shared Windows 10 devices and a wireless environment that uses certificate authentication. Because of the shared devices and the possibility that the user never logged on to the device yet, we want the wireless profile to be connected before user logon. And that requires a unique computer certificate.