Two Management Models in Microsoft Environments

On the one hand, there is cloud-based device management via Microsoft Intune.
On the other hand, the traditional Active Directory domain environment with locally managed Windows systems remains a core component of many IT landscapes.
Both models rely on digital certificates to uniquely identify devices, users, and services. However, the underlying distribution mechanisms differ significantly.
In Intune environments, certificates are typically distributed via SCEP (Simple Certificate Enrollment Protocol): Intune pushes a SCEP profile to the device, and the device then enrolls against the SCEP service named in that profile. Intune also supports PKCS profiles, but SCEP is the common path for device identities.
Domain-joined Windows systems, by contrast, obtain certificates automatically through Auto Enrollment: Group Policy switches the client-side enrollment on, and certificate templates published in Active Directory Certificate Services (AD CS) define what the client may request.
These mechanisms have evolved independently and represent two distinct approaches to certificate management within Microsoft ecosystems.

Hybrid PKI in Microsoft Infrastructures

Many organizations operate hybrid infrastructures where both models coexist. Mobile devices, cloud-managed endpoints, and traditional Windows systems all depend on digital certificates.
This often results in separate processes for certificate distribution. In many cases, the underlying PKI is also tightly coupled to a Microsoft certification authority (AD CS), because Auto Enrollment is designed around it.
Organizations with established PKI structures or specific requirements for their cryptographic infrastructure often pursue a different approach. They aim to select certification authorities more flexibly and operate their trust infrastructure independently of individual platforms.
This requires an architecture that supports both Microsoft mechanisms while integrating a unified hybrid PKI.

Integrating Certificate Enrollment into a Central PKI

One approach is to integrate Microsoft’s enrollment mechanisms into a central certificate management infrastructure using adapters.
The platform essendi xc follows this approach with two components:

  • A SCEP adapter for Intune-managed devices
  • An Auto Enrollment adapter for Active Directory environments

Both adapters integrate with existing Microsoft mechanisms and connect them to a central PKI.
Organizations can continue to obtain certificates through familiar Microsoft processes, while issuance can be handled by different certification authorities.

Device Identity and Device Certificates in Intune

The SCEP adapter connects Microsoft Intune with the certificate infrastructure of essendi xc.
Intune uses SCEP for certificate distribution but does not issue certificates itself. The adapter plays the role of the SCEP service that Intune-managed devices enroll against: it manages communication with the PKI and issues device certificates for managed endpoints.
These certificates establish a verifiable device identity and enable certificate-based authentication in modern security architectures.
Typical use cases in Intune environments include:

  • Device identities for mobile endpoints
  • Client certificates for zero trust access, for example certificate-based conditional access or Wi-Fi and VPN authentication via EAP-TLS
  • Device authentication in cloud-based work environments

Since essendi xc operates independently of a specific CA, issuance can be handled by different certification authorities.
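Before pointing an Intune SCEP profile at any SCEP service, it is worth checking what that service advertises in its GetCACaps response (RFC 8894, section 3.5.2), because a client that quietly falls back to SHA-1 or single DES still "works" but weakens every enrollment. The following is an added example written for this page; it is not code from essendi xc, Intune or any other product. The hostname scep.example.com, the CA identifier ca1, and the two sample responses are constructed for illustration.

```python
"""SCEP capability negotiation as a pre-deployment check (RFC 8894 section 3.5).

Added example, not vendor code. Parses a GetCACaps response, applies the
implied capabilities of SCEPStandard, and refuses algorithms a modern client
should not use. Sample responses below are constructed, not captured.
"""
from urllib.parse import urlencode, urlsplit, urlunsplit
from urllib.request import urlopen

# Keywords defined in RFC 8894 section 3.5.2; a client MUST ignore unknown ones.
KNOWN_CAPS = {"AES", "DES3", "GetNextCACert", "POSTPKIOperation", "Renewal",
              "SHA-1", "SHA-256", "SHA-512", "SCEPStandard"}

# Preference order, strongest first. Anything not listed here is refused:
# SHA-1 is not an acceptable signature hash, and a CA that advertises neither
# AES nor DES3 falls back to single DES under the legacy SCEP behaviour.
HASH_PREFERENCE = ("SHA-512", "SHA-256")
CIPHER_PREFERENCE = ("AES",)

# Constructed sample responses: one keyword per line, as the protocol returns them.
SAMPLE_MODERN = "AES\nPOSTPKIOperation\nRenewal\nSHA-256\nSHA-512\nGetNextCACert\n"
SAMPLE_LEGACY = "SHA-1\nDES3\nGetNextCACert\nVendorExtension\n"


def getcacaps_url(scep_url: str, ca_ident: str = "") -> str:
    """Build the GET URL for the GetCACaps operation (?operation=GetCACaps&message=...)."""
    parts = urlsplit(scep_url)
    query = {"operation": "GetCACaps"}
    if ca_ident:
        query["message"] = ca_ident
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def fetch_getcacaps(scep_url: str, ca_ident: str = "", timeout: float = 10.0) -> str:
    """Retrieve the GetCACaps body over HTTP(S). Not used in the offline demo below."""
    with urlopen(getcacaps_url(scep_url, ca_ident), timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_getcacaps(body: str) -> set:
    """Split the plain-text response into keywords; unknown keywords are dropped."""
    tokens = {line.strip() for line in body.splitlines() if line.strip()}
    return tokens & KNOWN_CAPS


def negotiate(body: str) -> dict:
    """Choose hash and cipher from the advertised capabilities, or refuse."""
    caps = parse_getcacaps(body)
    # SCEPStandard means the CA implements all mandatory parts of RFC 8894,
    # which includes AES, SHA-256 and POSTPKIOperation.
    if "SCEPStandard" in caps:
        caps |= {"AES", "SHA-256", "POSTPKIOperation"}

    hash_alg = next((h for h in HASH_PREFERENCE if h in caps), None)
    cipher = next((c for c in CIPHER_PREFERENCE if c in caps), None)

    problems = []
    if hash_alg is None:
        problems.append("no acceptable hash advertised (SHA-1 or nothing); refuse to enroll")
    if cipher is None:
        problems.append("AES not advertised; client would fall back to DES3 or single DES; refuse")

    return {
        "hash": hash_alg,
        "cipher": cipher,
        "use_post": "POSTPKIOperation" in caps,   # PKIOperation via POST instead of GET
        "renewal": "Renewal" in caps,             # re-enrollment signed with the old cert
        "ok": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    print(getcacaps_url("https://scep.example.com/scep", "ca1"))
    for label, body in (("modern", SAMPLE_MODERN), ("legacy", SAMPLE_LEGACY)):
        print(label, negotiate(body))
```

Run against a real endpoint by replacing the sample bodies with `fetch_getcacaps(url)`; a result with `ok` set to False is a reason to fix the SCEP service before rolling the Intune profile out, not to relax the client.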

Integrating Auto Enrollment in Active Directory

For traditional Windows environments, the Auto Enrollment adapter connects essendi xc to Active Directory.
Windows clients and servers continue to receive certificates automatically via Group Policy and the certificate templates they are entitled to. The adapter ensures that these enrollment requests are served by the PKI provided by essendi xc.
Existing Windows infrastructures remain unchanged: Group Policy settings, the client-side enrollment mechanism, and established management processes continue to operate as before.
Common use cases in Active Directory environments include:

  • Certificates for domain computers
  • Certificates for user identities
  • Certificates for internal services and applications

Certificate Lifecycle Management in Hybrid PKI Environments

When both adapters are used together, cloud-managed devices and traditional Windows systems can be supplied through a single PKI.
Mobile endpoints, Intune-managed devices, and domain-joined systems obtain their device certificates from the same trust infrastructure. This creates a consistent foundation for certificate-based authentication and automated certificate lifecycle management.
Such an architecture provides several structural advantages:

  • Centralized management of certificates within a single environment
  • Consistent processes for issuance, renewal, and revocation
  • Integration of different certification authorities
  • Consistent device and user identities

This structure simplifies the management of growing certificate inventories and reduces manual effort.

PKI Automation and Cryptographic Infrastructure

In many organizations, the number of digital certificates continues to grow. At the same time, new technologies are reshaping the requirements for cryptographic infrastructure.
These developments include:

  • Increasing PKI automation in certificate management
  • Hybrid cloud and on-premises architectures
  • Preparation for post-quantum cryptography

PKI platforms must therefore integrate different operating models and support the full lifecycle of digital certificates.
In this context, SCEP and Auto Enrollment adapters connect Microsoft’s two mechanisms with a unified infrastructure for certificate and trust management.
