diff --git a/graphics/Intune_flow_diagram.png b/graphics/Intune_flow_diagram.png
new file mode 100644
index 00000000..df5ee4d2
Binary files /dev/null and b/graphics/Intune_flow_diagram.png differ
diff --git a/graphics/Intune_permissions.png b/graphics/Intune_permissions.png
new file mode 100644
index 00000000..a3164d3f
Binary files /dev/null and b/graphics/Intune_permissions.png differ
diff --git a/manifest.json b/manifest.json
index 17ad12cd..2d285142 100644
--- a/manifest.json
+++ b/manifest.json
@@ -45,8 +45,12 @@
"title": "Tutorials",
"routes": [
{
- "title": "Jamf Pro + Smallstep MDM Setup Guide",
+ "title": "Jamf Pro + Smallstep Setup Guide",
"path": "/tutorials/apple-mdm-jamf-setup-guide.mdx"
+ },
+ {
+ "title": "Intune + Smallstep Setup Guide",
+ "path": "/tutorials/intune-mdm-setup-guide.mdx"
}
]
},
diff --git a/tutorials/intune-mdm-setup-guide.mdx b/tutorials/intune-mdm-setup-guide.mdx
new file mode 100644
index 00000000..24f78754
--- /dev/null
+++ b/tutorials/intune-mdm-setup-guide.mdx
@@ -0,0 +1,213 @@
+---
+title: Deploy MDM client certificates to Windows devices with Smallstep and Intune
+html_title: Deploy MDM client certificates to Windows devices with Smallstep and Intune
+description: In this tutorial, you will configure Smallstep and Microsoft Intune to establish device trust with your CA and to issue a Wi-Fi, VPN, or other client certificate to your devices.
+---
+
+
+# Introduction
+
+In this tutorial, you will configure Smallstep and Microsoft Intune to establish device trust with your CA and to orchestrate the issuance of TLS certificates for Enterprise Wi-Fi (EAP-TLS / WPA3 Enterprise), VPN, web browsers, or other applications on Windows devices.
+
+You will:
+
+- Connect Microsoft Entra ID to Smallstep via an Entra ID App Registration.
+- Create and configure an Intune Device Collection in Smallstep
+- Configure Intune to use Smallstep as a CA
+
+Once you've completed this tutorial, your Intune certificate enrollment process will look like this:
+
+![](/graphics/Intune_flow_diagram.png)
+
+# Prerequisites
+
+You will need:
+- A [Smallstep team](https://smallstep.com/signup)
+- A [Microsoft Azure / Entra ID](https://azure.microsoft.com/en-us/free/) Tenant
+- A [Microsoft Intune](https://www.microsoft.com/en-us/security/business/microsoft-intune) Tenant
+- A test device to enroll for management by Intune
+ - This can be a Windows VM, but you may need a physical device or additional Wi-Fi adapter for testing an Enterprise Wi-Fi connection
+- An Entra ID user for enrollment, that is known in Intune
+
+# Step-by-step instructions
+
+## 0. Gather Entra ID tenant details
+
+In your [Entra ID Tenant Overview](https://entra.microsoft.com/#view/Microsoft_AAD_IAM/TenantOverview.ReactView), copy your tenant’s Primary Domain, eg. `contoso.onmicrosoft.com`. You will register this with Smallstep later.
+
+## 1. Register an Entra ID Application
+
+You’ll need to register an Application in Entra ID that connects Smallstep to Intune, for the purpose of exchanging SCEP tokens. A SCEP token is a single-use password that's used by devices to get a certificate from Smallstep.
+
+In the Entra Admin Center, [Register an Application](https://entra.microsoft.com/#view/Microsoft_AAD_RegisteredApps/CreateApplicationBlade/quickStartType~/null/isMSAApp~/false) with the following properties:
+
+- Name the application “Smallstep SCEP Connector”
+- Select **Register**
+
+In your new App Registration, copy the **Application (client) ID** value, which you will register with Smallstep later.
+
+Next, visit the **Certificates & secrets** blade.
+
+Select **+ New client secret**, and use the following properties:
+
+- Name the secret “Smallstep SCEP Secret”
+- Select **Add** to create the secret
+
+Copy the **Client Secret Value**, which you will register with Smallstep later.
+
+
+## 2. Grant API Permissions
+
+Now we’ll connect the App Registration to Intune by adding application permissions.
+
+In the App Registration, visit the **API Permissions** blade.
+
+Add the following two permissions:
+
+- Microsoft Graph → Application permissions → `Application.Read.All`
+- Intune → Application permissions → `scep_challenge_provider`
+
+Finally, select **✓ Grant admin consent** on the API permissions page.
+
+Here’s how the Configured permissions should look:
+
+![](/graphics/Intune_permissions.png)
+
+You’ve completed the App Registration setup.
+
+### 3. Configure Smallstep
+
+In your Smallstep dashboard,
+visit the **Devices** tab,
+create a **+ New Collection**,
+choose **Intune Windows Devices**,
+and choose **Submit**.
+
+Configure the Collection with the values you gathered above:
+
+- The tenant **Primary domain**
+- The App Registration **Application (client) ID**
+- The App Registration **Secret Value**
+
+Once the Collection is created, go to the **Settings** tab and gather your Intune configuration values:
+
+- Copy your SCEP URL
+- Download your Root CA Certificate
+- Download your Intermediate CA Certificate
+
+## 4. Configure Intune
+
+
+
+[Microsoft recommends a staged approach to Intune enrollment](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.pdf). Create an evaluation Group, if you don’t already have one, so that any breaking changes are limited to the group.
+
+
+
+In Intune, we’re going to create three Configuration Profiles to deploy to your devices:
+
+- **Trusted certificate** profile for your Root CA
+- **Trusted certificate** profile for your Intermediate CA
+- **SCEP Certificate** profile, for issuing device certificates from Smallstep
+
+### Create a Trusted certificate profile for your Root CA
+
+Create a [new Trusted certificate profile](https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/CreatePolicyFullScreenBlade/policyId/00000000-0000-0000-0000-000000000000/policyType/Windows10TrustedCertificate/policyJourneyState~/0) with the following properties:
+
+- Name: **Smallstep Root CA**
+- Certificate file: Upload your Smallstep Root CA certificate
+- Destination store: **Computer certificate store - root**
+- Included groups: Include the users or groups you are using for your staged enrollment. As you roll out into production, you will expand this list.
+- Create the profile
+
+### Create a **Trusted certificate** profile for your Intermediate CA
+
+Create a [new Trusted certificate profile](https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/CreatePolicyFullScreenBlade/policyId/00000000-0000-0000-0000-000000000000/policyType/Windows10TrustedCertificate/policyJourneyState~/0) with the following properties:
+
+- Name: **Smallstep Intermediate CA**
+- Certificate file: Upload your Smallstep Intermediate CA certificate
+- Destination store: **Computer certificate store - root**
+
+
+
+ **Careful!** Add your intermediate CA to the computer’s *root* store.
+ Do not choose the intermediate certificate store — it will cause enrollment errors.
+
+
+
+- Included groups: Include the users or groups you are using for testing.
+- Create the profile
+
+### Create a **SCEP Certificate** profile
+
+Create [a new SCEP certificate profile](https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/CreatePolicyFullScreenBlade/policyId/00000000-0000-0000-0000-000000000000/policyType/Windows10SCEP/policyJourneyState~/0) with the following properties:
+
+- Name: **Smallstep SCEP Certificate**
+- Certificate type: Device
+- The certificate properties may vary depending on your use case and threat model. Here are some good starting points:
+ - Subject name / SANs: For a test deployment, use the default values.
+ - Certificate validity period: Use the same duration you configured with Smallstep
+ - Key storage provider: **Enroll to TPM KSP if available, Software KSP if not**
+ - Key usage: **✓ Digital certificate** and **✓ Key encipherment**
+ - Key size: **2048**
+ - Hash algorithm: **SHA-2**
+ - Extended key usage: Under Predefined values, select **Client Authentication**
+ - Renewal Threshold (%): Select **20%**
+- Root Certificate: Select your **Intermediate CA**
+
+
+
+ **Careful!** Select your intermediate CA here. An enrolling device’s SCEP client will check the fingerprint of the intermediate, *not* the root.
+
+
+
+- SCEP Server URL: Use the SCEP URL you copied from Smallstep
+
+## 4. Test and verify your profile
+
+Now try enrolling or syncing a device.
+
+These instructions may vary depending on your enrollment method.
+We assume you’ve enabled Automatic Enrollment in Intune’s [Windows enrollment blade](https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/DevicesEnrollmentMenu/~/windowsEnrollment).
+
+- For a new device: Go to **Windows Settings → Accounts → Access work or school**. Then , under **Add a work or school account**, choose **Connect** to sign in to your tenant.
+- For a previously-enrolled device: Go to **Windows Settings → Accounts → Access work or school**. Expand the box for the signed-in account and select **Info**. Select **Sync**.
+
+After the sync completes, it may take a minute for the certificate to appear in your Windows trust store.
+
+Check the reports in Intune to ensure your devices have enrolled without errors.
+
+# Adding Wi-Fi Support
+
+Now that we have a basic working profile with CA trust and a client certificate, we’ll configure an EAP-TLS certificate Wi-Fi connection.
+
+For this section, you will need a RADIUS server that your users will authenticate against.
+
+1. In your Intune [Device Configuration Profiles](https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/DevicesMenu/~/configurationProfiles), create a **+ New Policy**.
+2. Choose your Platform, select **Templates**, and choose the **Wi-Fi** template.
+3. Select **Create** to continue, and give your template a clear name.
+4. For **Wi-Fi type**, choose Enterprise.
+5. Configure your SSID and other basic network settings.
+6. For **EAP type**, choose **EAP - TLS**.
+7. Under the Certificate server names, enter the Common Name that's on your RADIUS server certificate.
+ Typically, thwill match the FQDN of your RADIUS server.
+8. Under the Trust tab, add a Trusted Certificate for your RADIUS server.
+
+ If your RADIUS server certificate is managed by Smallstep, add your Smallstep Root CA and Smallstep Intermediate CA here.
+
+ If your RADIUS server certificate is from a different PKI, you’ll need to add a new Certificate payload containing your RADIUS server’s Root CA certificate.
+9. Under **Client Authentication**, for **Authentication method** choose SCEP Certificate.
+10. Select the client certificate profile you created earlier.
+11. Choose **Review + save**.
+
+Once you've saved your profile, you'll be ready to test and verify your Wi-Fi connection.
+
+# Troubleshooting
+
+- Check the expected certificates have been deployed to the right stores on Windows: user vs. device; trusted roots; trusted intermediates; personal certificates.
+ - Intune does show states in the dashboard, and you can generate reports, but they don’t provide many details, and sometimes they’re not up-to-date.
+- On the client side, use **Settings → Accounts → Access work or school → Info** to check the last sync status.
+ - You can also trigger a Sync on this screen
+ - Sometimes restarting Windows is required to trigger (re-)enrollment / profile deployment. This can happen if the machine has been online for a while, has been suspended for a while, etc. It may have been disconnected from WNS in this case, resulting in no notifications being received.
+ - There’s an option to generate an MDM report with some basic information that describes which profiles are to be applied.
+- Use Windows Event Viewer to diagnose issues. SCEP related (error) logs can be found in **Applications and Services Logs** → **Microsoft** → **Windows** → **DeviceManagement-Enterprise-Diagnostics-Provider**.
+- See also: Microsoft’s [SCEP Troubleshooting Documentation](https://learn.microsoft.com/en-us/troubleshoot/mem/intune/certificates/troubleshoot-scep-certificate-profiles)