Certificate Revocation using Microsoft Intune

There are several ways to initiate a revocation of a certificate on a mobile device, in this post we will discuss the options and their behavior per platform. It’s important to note that we can only revoke certificates which are delivered via SCEP.

There are two types of removal:

  1. Due to device wipe/retire or unenrollment.
  2. Due to user leaving the targeted collection/group, deployment being deleted or profile/policy is being deleted.

From a server side perspective, the certificate will always be revoked on the CA.
From a client side perspective, the certificate will be removed from the device. This applies to all platforms we currently support: Windows, Windows Phone, Android and iOS with one exception (see below).

The only scenario is we are currently investigating is removal type 2 in combination with Windows Phone, in certain conditions the certificate is not removed from the device.

Comments

  • Anonymous
    February 07, 2018
    Hmm. I have just tried to test certificate revocation on ADCS for some SCEP certificates issued through an SCCM/Intune unified configuration. Unenrolling a device did not appear to trigger a certificate revocation. Is there any more detail describing how this mechanism should work and how to go about troubleshooting?Many thanks