NDES allows mobile devices that have no domain credentials to obtain certificates using the Simple Certificate Enrollment Protocol (SCEP).
In a hybrid UDM scenario the certificate registration service is a site system role in Configuration Manager 2012 R2, the Certificate Registration Point (CRP), whereas in a standalone scenario the certificate registration service is part of the Microsoft Intune NDES connector installed on the NDES server. The key difference is therefore where the certificate registration service lives, and the standalone scenario needs fewer infrastructure components: neither Configuration Manager's Microsoft Intune connector nor a Certificate Registration Point (CRP) is required. Both scenarios share the same on-premises infrastructure components: a Domain Controller (ADDS), a Certificate Authority (ADCS) and the Network Device Enrollment Service (NDES). Configuration Manager 2012 R2 + Microsoft Intune (UDM) administrators could already deploy certificate profiles. The private key is generated on the device and marked as non-exportable, so it never leaves the device during enrollment.
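Since both scenarios depend on the same on-premises NDES server, a quick health check of that server is a useful first step before troubleshooting enrollment. The following PowerShell is an added example and not part of the original post or of Microsoft's tooling; it assumes it is run elevated on the NDES server, that `$NdesHost` is replaced with your own host name (the value below is a placeholder), and that NDES is published under its default `/certsrv/mscep/mscep.dll` virtual path. `GetCACaps` is a standard SCEP operation that needs no credentials, so it is a safe probe of the endpoint.

```powershell
# Added example (not from the original post): health check of the on-premises
# NDES server used by both the hybrid and the Intune standalone scenario.
$NdesHost = "ndes01.contoso.local"   # placeholder host name, replace with your own

# 1. Is the NDES role (Windows feature ADCS-Device-Enrollment) installed here?
$feature = Get-WindowsFeature -Name ADCS-Device-Enrollment
if (-not $feature.Installed) {
    Write-Warning "NDES role (ADCS-Device-Enrollment) is not installed on this server."
} else {
    Write-Output "NDES role is installed."
}

# 2. Is this machine domain-joined? NDES needs ADDS and the ADCS CA to be reachable.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
Write-Output "Domain joined: $($cs.PartOfDomain) (domain: $($cs.Domain))"

# 3. Does the SCEP endpoint answer the GetCACaps operation?
#    The response lists the capabilities the service advertises (hash algorithms,
#    AES, POSTPKIOperation, Renewal ...); review it for weak algorithms such as SHA-1.
$url = "https://$NdesHost/certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACaps"
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing
    Write-Output "GetCACaps returned:`n$($resp.Content)"
} catch {
    Write-Warning "SCEP endpoint not reachable at $url : $($_.Exception.Message)"
}
```

Run it once after installing NDES and again after adding the Intune NDES connector; a failing step 3 usually points at IIS, the certificate binding or the firewall in front of the server rather than at Intune itself.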
In this blog series I'll cover the different aspects of the certificate enrollment process using Microsoft Intune (standalone). With the recent updates to Microsoft Intune it is now possible to deploy certificate profiles to mobile devices using the Network Device Enrollment Service (NDES).