u/SeasonOld6926

▲ 25 r/Intune

How are you all handling Intune device certificates in 2026 — still NDES, SCEPman, or something else?

I've been going back and forth on how to issue certificates to Intune-managed devices and I'm curious what everyone else has actually settled on.

The two paths I keep landing on both have real downsides:

  • NDES is "free" and Microsoft-native, but in practice it means standing up AD CS + IIS + the Intune Certificate Connector and keeping all of that patched, monitored and alive. It works, but it's a lot of surface area for what is conceptually a simple job.
  • SCEPman is genuinely well-built and takes most of that pain away — but it's Azure-native/cloud and priced per user, which doesn't fit every environment (air-gapped, cost-sensitive, "keys must stay on our own tin", etc.).

What I'm trying to figure out: for those of you who want this self-hosted and on your own infrastructure — not in Azure, not per-seat — what are you actually running? Are people still grinding through NDES? Rolling their own with a plain SCEP server + FreeRADIUS? Something else entirely?

Full disclosure so I'm not being sneaky: this exact frustration is why I ended up building my own thing — a single-container SCEP appliance with its own issuing CA and bundled RADIUS for Wi-Fi/wired EAP-TLS, configured through a web console (it's in a free beta). I'll keep it to that and drop a link in the comments only if people are curious — I'm genuinely more interested in how others are solving this and whether the fully self-hosted angle even resonates, or if everyone's happily cloud-first now.

A few specific things I'd love takes on:

  1. Is NDES/connector maintenance still a real pain point for you in 2026, or have you moved past it?
  2. If you're on-prem/self-hosted for certs, what does your stack look like today?
  3. What would it take for you to trust any third-party tool to issue certs on your network?
reddit.com
u/SeasonOld6926 — 1 day ago