How are you all handling Intune device certificates in 2026 — still NDES, SCEPman, or something else?
I've been going back and forth on how to issue certificates to Intune-managed devices and I'm curious what everyone else has actually settled on.
The two paths I keep landing on both have real downsides:
- NDES is "free" and Microsoft-native, but in practice it means standing up AD CS + IIS + the Intune Certificate Connector and keeping all of that patched, monitored and alive. It works, but it's a lot of surface area for what is conceptually a simple job.
- SCEPman is genuinely well-built and takes most of that pain away — but it's Azure-native/cloud and priced per user, which doesn't fit every environment (air-gapped, cost-sensitive, "keys must stay on our own tin", etc.).
What I'm trying to figure out: for those of you who want this self-hosted and on your own infrastructure — not in Azure, not per-seat — what are you actually running? Are people still grinding through NDES? Rolling their own with a plain SCEP server + FreeRADIUS? Something else entirely?
Full disclosure so I'm not being sneaky: this exact frustration is why I ended up building my own thing — a single-container SCEP appliance with its own issuing CA and bundled RADIUS for Wi-Fi/wired EAP-TLS, configured through a web console (it's in a free beta). I'll keep it to that and drop a link in the comments only if people are curious — I'm genuinely more interested in how others are solving this and whether the fully self-hosted angle even resonates, or if everyone's happily cloud-first now.
A few specific things I'd love takes on:
- Is NDES/connector maintenance still a real pain point for you in 2026, or have you moved past it?
- If you're on-prem/self-hosted for certs, what does your stack look like today?
- What would it take for you to trust any third-party tool to issue certs on your network?