This policy configures Simple Certificate Enrollment Protocol (SCEP) for your Windows devices. With SCEP the device generates its own key pair and sends a certificate request to the Certificate Authority (CA), so device certificates can be issued at scale without a private key ever being transported to the device.
The device must be enrolled in MDM. This policy works on devices running Windows 10/11.
Considerations:
- You need a Certificate Authority (CA) to issue device credentials using SCEP.
- The fields in the SCEP Profiles policy are added to the SCEP payload.
To create a Windows SCEP Profiles Policy:
- Log in to the .
- Go to DEVICE MANAGEMENT > Policy Management.
- In the All tab, click (+).
- On the New Policy panel, select the Windows tab.
- Select the Windows SCEP Profiles policy from the list, then click configure.
- (Optional) In the Policy Name field, enter a new name for the policy or keep the default. Policy names must be unique.
- (Optional) In the Policy Notes field, enter details like when you created the policy, where you tested it, and where you deployed it.
Configure the following policy settings:
- (Mandatory) In the CA ThumbPrint field, enter the SHA-1 thumbprint of the CA certificate.
This is the 20-byte SHA-1 hash of the certificate written as a 40-character hexadecimal string. It is not Base64 encoded, and the SHA-256 fingerprint is not accepted here. See Determining the Sha1 and Sha256 Fingerprint (Thumbprint) to learn how to obtain it.
- In the Challenge field, enter the pre-shared secret (the SCEP challenge password) that the SCEP server expects in every enrollment request.
- This policy type requires a static challenge, that is, the same secret for every enrollment. It will not work with dynamic (one-time, per-request) challenges.
- The SCEP server uses the challenge to identify and authorize the requester. Treat it as a secret: it is pushed to every device that receives the policy, and anyone who holds it can submit certificate requests to the SCEP server, so rotate it if it is exposed.
- Challenges should be in base64 format.
- Challenges should not contain special characters like (!@#$%^&*_).
- In the Key Length field, select the size of the RSA key: 1024, 2048, or 4096 bits. The default is 1024; choose at least 2048, since 1024-bit RSA is deprecated by current guidance and the CA may reject such requests.
- Specify the Subject Name as a distinguished name. It must always start with CN=.
Example- CN="Organization Root Authority"
If the Subject Name value includes a leading or trailing white space or any of these characters (, = + ; / < > #), enclose the value in double quotes.
Example- CN="/C=US/O=ABCEnterprise/CN=foo/1.2.5.3=bar"
- In the Retry Count field, enter the number of times the device should retry if the server sends a Pending response. The default is 3.
- In the Retry Delay field, enter the number of seconds to wait between subsequent retries. The first retry is attempted without this delay. The default is 3.
- In the Server URL field, enter the SCEP server's URL. For example: http://scep-server/cgi-bin/pkiclient.exe. SCEP wraps the request and the issued certificate in signed and encrypted PKCS#7 messages, which is why plain HTTP is common, but use an https:// URL if the server supports it. The CA ThumbPrint entered above is what the device uses to verify the CA certificate it fetches from this server, because that GetCACert response is not otherwise authenticated.
- In the Name (Template Name) field, enter a unique name for the payload that the SCEP server recognises. For example, WiFi Certificate.
If the CA issues from multiple CA certificates or templates, this field tells the server which one to use for this request.
- In the Set Subject Alternative Name field, enter the Subject Alternative Name (SAN) to include in the certificate, for example a user principal name or a DNS name, if the relying service identifies the device by a SAN rather than by the subject.
- Select the Include Root Certificate checkbox to upload the CA certificate so that it is added to the device's trusted root store.
- The root certificate can be installed manually, using an Install Certificate policy, or using this SCEP policy.
- If you selected Include Root Certificate, click upload file for Root Certificate. The file must be smaller than 1 MB.
- The file must be a certificate in .cer or .crt format. If the root CA is from Okta, the file must be in .cer format.
- Upload the certificate only, never a bundle that also contains the private key (such as a .pfx/.p12 export). The CA's private key must never leave the CA.
- (Mandatory) Enter the Renew Period in days; this is the interval after which the device requests a renewed certificate. The number of days must be less than the time remaining until the root CA certificate expires, otherwise the renewal can never complete against a valid CA.
- Once you are done, click Save.
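The following Python script is an added example, not the vendor's code, that checks the values from the steps above before they are saved: it derives the CA ThumbPrint from the CA certificate file (the same SHA-1 hex value the Determining the Sha1 and Sha256 Fingerprint article describes), rejects a root certificate file that carries a private key, verifies the challenge is plain base64, quotes a Subject Name value that needs it, and flags a 1024-bit key or a plain-HTTP Server URL. The dict keys (ca_thumbprint, challenge, key_length, ...) are this example's own names for the form fields, the 1 MB limit is taken as 1,048,576 bytes, the check that the thumbprint matches the uploaded root certificate assumes the two refer to the same CA certificate, and the certificate bytes in the sample are a constructed placeholder rather than a real certificate.

```python
"""Preflight checks for the values entered into a Windows SCEP Profiles policy.

Added example, not vendor code. Dict keys are this example's own field names,
the 1 MB limit is assumed to be 1,048,576 bytes, and the CA ThumbPrint is
assumed to be the thumbprint of the uploaded root certificate.
"""
import base64
import binascii
import hashlib
import re
from urllib.parse import urlparse

PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
RDN_SPECIALS = set(",=+;/<>#")   # characters that force quoting of a Subject Name value
MAX_ROOT_CERT_BYTES = 1 << 20    # "smaller than 1 MB" (assumed binary megabyte)


def certificate_der(data: bytes) -> bytes:
    """Return the DER bytes of a .cer/.crt file supplied as PEM or raw DER.

    Files that also carry a private key (a PEM with a PRIVATE KEY block) are
    rejected: the policy wants the public certificate only.
    """
    if b"PRIVATE KEY-----" in data:
        raise ValueError("file contains a private key; upload the certificate only")
    match = PEM_CERT_RE.search(data)
    if match:
        return base64.b64decode(match.group(1))   # line breaks are discarded by b64decode
    if data[:1] == b"\x30":                       # DER certificate starts with a SEQUENCE tag
        return data
    raise ValueError("not a PEM or DER encoded certificate")


def ca_thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint: the 20-byte hash of the DER certificate as 40 hex
    characters, which is the form the CA ThumbPrint field expects."""
    return hashlib.sha1(der).hexdigest().upper()


def quote_rdn_value(value: str) -> str:
    """Quote a Subject Name value when the policy requires it: leading or
    trailing white space, or any of , = + ; / < > #."""
    if '"' in value:
        raise ValueError("embedded double quotes are not handled by this helper")
    if value != value.strip() or RDN_SPECIALS & set(value):
        return f'"{value}"'
    return value


def check_profile(p: dict) -> list:
    """Return the list of problems found; an empty list means the values satisfy
    the field rules. Weak choices (1024-bit key, plain-HTTP URL) count as problems."""
    problems = []
    thumbprint = str(p.get("ca_thumbprint", ""))
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", thumbprint):
        problems.append("CA ThumbPrint must be the 20-byte SHA-1 hash as 40 hex characters")

    challenge = str(p.get("challenge", ""))
    try:   # validate=True rejects anything outside the base64 alphabet, e.g. '!'
        valid_b64 = bool(challenge) and bool(base64.b64decode(challenge, validate=True))
    except binascii.Error:
        valid_b64 = False
    if not valid_b64:
        problems.append("Challenge must be a non-empty base64 string without special characters")

    key_length = p.get("key_length")
    if key_length not in (1024, 2048, 4096):
        problems.append("Key Length must be 1024, 2048 or 4096")
    elif key_length < 2048:
        problems.append("Key Length 1024 is weak; use 2048 or 4096")

    if not str(p.get("subject_name", "")).startswith("CN="):
        problems.append("Subject Name must start with CN=")

    url = urlparse(str(p.get("server_url", "")))
    if url.scheme not in ("http", "https") or not url.netloc:
        problems.append("Server URL must be an http:// or https:// URL")
    elif url.scheme == "http":
        problems.append("Server URL uses plain HTTP; prefer https:// if the SCEP server supports it")

    if p.get("include_root_certificate"):
        data = p.get("root_certificate", b"")
        if len(data) >= MAX_ROOT_CERT_BYTES:
            problems.append("Root certificate file must be smaller than 1 MB")
        try:
            if ca_thumbprint(certificate_der(data)) != thumbprint.upper():
                problems.append("CA ThumbPrint does not match the uploaded root certificate")
        except ValueError as err:
            problems.append(f"Root certificate: {err}")

    renew = p.get("renew_period_days")
    if not isinstance(renew, int) or renew <= 0:
        problems.append("Renew Period must be a positive number of days")
    return problems


# Constructed placeholder standing in for a CA certificate (NOT a real certificate):
# a DER SEQUENCE tag with a 16-byte body, also wrapped as PEM.
SAMPLE_DER = b"\x30\x10" + b"placeholder-body"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

# Example values as an administrator would enter them in the policy form.
SAMPLE_PROFILE = {
    "ca_thumbprint": ca_thumbprint(SAMPLE_DER),
    "challenge": base64.b64encode(b"static-shared-secret").decode(),
    "key_length": 2048,
    "subject_name": "CN=" + quote_rdn_value("Device/Workstation 01"),  # '/' forces quoting
    "server_url": "https://scep-server/cgi-bin/pkiclient.exe",
    "include_root_certificate": True,
    "root_certificate": SAMPLE_PEM,
    "renew_period_days": 30,
}

if __name__ == "__main__":
    for problem in check_profile(SAMPLE_PROFILE) or ["no problems found"]:
        print(problem)
```

Run it against the real .cer file by replacing SAMPLE_PEM with the file's bytes; the printed ca_thumbprint value is what goes into the CA ThumbPrint field, and a non-empty problem list tells you which step to revisit before clicking Save.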