{"id":114752,"date":"2024-08-22T07:50:14","date_gmt":"2024-08-22T11:50:14","guid":{"rendered":"https:\/\/jumpcloud.com\/?post_type=support&#038;p=114752"},"modified":"2025-02-28T08:00:48","modified_gmt":"2025-02-28T13:00:48","slug":"create-a-windows-scep-profiles-policy","status":"publish","type":"support","link":"https:\/\/jumpcloud.com\/support\/create-a-windows-scep-profiles-policy","title":{"rendered":"Create a Windows SCEP Profiles Policy"},"content":{"rendered":"\n<p>This policy configures Simple Certificate Enrollment Protocol (SCEP) for your Windows devices. SCEP makes issuing digital certificates easier, more secure, and scalable.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<p>The device must be enrolled in JumpCloud MDM. This policy works on devices running Windows 10\/11.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<p><strong>Considerations:<\/strong><\/p>\n\n\n\n<ul>\n<li>You need a Certificate Authority (CA) to issue device credentials using SCEP.<\/li>\n\n\n\n<li>The fields in the SCEP Profiles policy are added to the SCEP payload.<\/li>\n<\/ul>\n\n\n\n<p><strong>To create a Windows SCEP Profiles Policy<\/strong>:<\/p>\n\n\n\n<ol>\n<li>Log in to the <a href=\"https:\/\/console.jumpcloud.com\/login\" target=\"_blank\" rel=\"noreferrer noopener\">Jumpcloud Admin Portal<\/a>.<\/li>\n\n\n\n<li>Go to<strong> DEVICE MANAGEMENT<\/strong> &gt; Policy Management.<\/li>\n\n\n\n<li>In the All tab, click (<strong>+<\/strong>).<\/li>\n\n\n\n<li>On the New Policy panel, select the <strong>Windows<\/strong> tab.<\/li>\n\n\n\n<li>Select the Windows <strong>SCEP Profiles <\/strong>policy from the list, then click <strong>configure<\/strong>.<\/li>\n\n\n\n<li>(Optional) In the <strong>Policy Name<\/strong> field, enter a new name for the policy or keep the default. Policy names must be unique.<\/li>\n\n\n\n<li>(Optional) In the<strong> Policy Notes<\/strong> field, enter details like when you created the policy, where you tested it, and where you deployed it.<\/li>\n<\/ol>\n\n\n\n<p><strong>Configure the following policy settings:<\/strong><\/p>\n\n\n\n<ol style=\"list-style-type:lower-alpha\">\n<li>(Mandatory) In the <strong>CA ThumbPrint<\/strong> field, enter a Base64 encoded string.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<p>This is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. See <a href=\"https:\/\/jumpcloud.com\/support\/generate-public-certificates-and-private-keys#determining-the-sha256-fingerprint\" target=\"_blank\" rel=\"noreferrer noopener\">Determining the Sha1 and Sha256 Fingerprint (Thumbprint)<\/a> to learn more. <\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ol start=\"2\" style=\"list-style-type:lower-alpha\">\n<li>In the <strong>Challenge<\/strong> field, enter the one-time pre-shared secret.&nbsp;<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<ul>\n<li>This policy type requires a static challenge and will not work with a dynamic challenge.<\/li>\n\n\n\n<li>Challenges can be used to identify the user requesting the profile.<\/li>\n\n\n\n<li>Challenges should be in base64 format.<\/li>\n\n\n\n<li> Challenges should not contain special characters like (!@#$%^&amp;*_).<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ol start=\"3\" style=\"list-style-type:lower-alpha\">\n<li>In the <strong>Key Length<\/strong> field,<strong> <\/strong>select the size of the key: 1024, 2048, or 4096 bits. The default is 1024.<\/li>\n\n\n\n<li>Specify the <strong>Subject Name<\/strong>. This should always start with <strong>CN=<\/strong>.\u00a0<br><strong>Example<\/strong>&#8211; CN=&#8221;Organization Root Authority&#8221;<br>If the Subject Name value includes a leading or trailing white space or any of these characters (, = + ; \/ &lt; &gt; # ), ensure the Subject Name value is quoted.\u00a0<br><strong>Example<\/strong>&#8211; CN=&#8221;\/C=US\/O=ABCEnterprise\/CN=foo\/1.2.5.3=bar&#8221;<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<p>The following device-specific variables are supported:<\/p>\n\n\n\n<ul>\n<li><code>%serialnumber%<\/code><\/li>\n\n\n\n<li><code>%hostname%<\/code><\/li>\n\n\n\n<li><code>%HardwareUUID%<\/code><\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ol start=\"5\" style=\"list-style-type:lower-alpha\">\n<li>In the <strong>Retry Count<\/strong> field, enter the number of times the device should retry if the server sends a <em>Pending<\/em> response. The default is 3.<\/li>\n\n\n\n<li>In the <strong>Retry Delay <\/strong>field, enter the number of seconds to wait between subsequent retries. The first retry is attempted without this delay. The default is 3.&nbsp;<\/li>\n\n\n\n<li>In the <strong>Server URL<\/strong> field, enter the SCEP server\u2019s URL. For example: <code>http:\/\/scep-server\/cgi-bin\/pkiclient.exe<\/code><em>.<\/em><\/li>\n\n\n\n<li>In the <strong>Name(Template Name) <\/strong>field, enter a unique name for the payload that\u2019s recognised by the SCEP server. For example, WiFi Certificate.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card tip\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/tip-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Tip:<\/strong> \n<p>If a CA has multiple CA certificates, this field is used to distinguish which is required.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ol start=\"9\" style=\"list-style-type:lower-alpha\">\n<li>In the <strong>Set Subject Alternative Name <\/strong>field,<strong> <\/strong>enter an alternate name for the SCEP certificate.<\/li>\n\n\n\n<li>Select the <strong>Include Root Certificate <\/strong>checkbox to upload the certificate for the Certificate Authority to add to the device\u2019s trusted anchors list.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<ul>\n<li>The root certificate can be installed manually, using an install certificate policy, or using a SCEP policy.&nbsp;<\/li>\n\n\n\n<li>If you selected<strong> Include Root Certificate<\/strong>, click upload file for Root Certificate. File size must be smaller than 1 MB.&nbsp;<\/li>\n\n\n\n<li>This certificate should be in the .cer or .crt format.&nbsp;If the root CA is from Okta, the file must be in .cer format.<\/li>\n\n\n\n<li>This certificate should not include public keys.<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ol start=\"11\" style=\"list-style-type:lower-alpha\">\n<li>(Mandatory) Enter the<strong> Renew Period<\/strong> value in days. The number of days must be less than the root CA expiry date.<\/li>\n<\/ol>\n\n\n\n<ol start=\"8\">\n<li>Once you are done, click <strong>Save<\/strong>.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>This policy configures Simple Certificate Enrollment Protocol (SCEP) for your Windows devices. SCEP makes issuing digital certificates easier, more secure, [&hellip;]<\/p>\n","protected":false},"author":223,"featured_media":0,"template":"","meta":{"_acf_changed":false,"_oasis_is_in_workflow":0,"_oasis_original":0,"_oasis_task_priority":"","inline_featured_image":false,"footnotes":""},"support_category":[2852,2862],"support_tag":[],"coauthors":[3144],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v22.9 (Yoast SEO v22.9) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Create a Windows SCEP Profiles Policy - JumpCloud<\/title>\n<meta name=\"description\" content=\"Learn how to configure the SCEP Profile Policy for your Windows devices using this JumpCloud policy.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jumpcloud.com\/support\/create-a-windows-scep-profiles-policy\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Create a Windows SCEP Profiles Policy\" \/>\n<meta property=\"og:description\" content=\"Browse the JumpCloud Help Center by category, search for a specific topic, or check out our featured articles.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jumpcloud.com\/support\/create-a-windows-scep-profiles-policy\" \/>\n<meta property=\"og:site_name\" content=\"JumpCloud\" \/>\n<meta property=\"article:modified_time\" content=\"2025-02-28T13:00:48+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/07\/202405-MISC-JumpCloudHelpCenter-SiteDisplay-min-2.png\" \/>\n\t<meta property=\"og:image:width\" content=\"890\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"3 minutes\" \/>\n\t<meta name=\"twitter:label2\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data2\" content=\"sweta.soumya@jumpcloud.com\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jumpcloud.com\/support\/create-a-windows-scep-profiles-policy\",\"url\":\"https:\/\/jumpcloud.com\/support\/create-a-windows-scep-profiles-policy\",\"name\":\"Create a Windows SCEP Profiles Policy - JumpCloud\",\"isPartOf\":{\"@id\":\"https:\/\/jumpcloud.com\/#website\"},\"datePublished\":\"2024-08-22T11:50:14+00:00\",\"dateModified\":\"2025-02-28T13:00:48+00:00\",\"description\":\"Learn how to configure the SCEP Profile Policy for your Windows devices using this JumpCloud policy.\",\"breadcrumb\":{\"@id\":\"https:\/\/jumpcloud.com\/support\/create-a-windows-scep-profiles-policy#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jumpcloud.com\/support\/create-a-windows-scep-profiles-policy\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jumpcloud.com\/support\/create-a-windows-scep-profiles-policy#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/jumpcloud.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Support\",\"item\":\"https:\/\/jumpcloud.com\/support\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Create a Windows SCEP Profiles Policy\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jumpcloud.com\/#website\",\"url\":\"https:\/\/jumpcloud.com\/\",\"name\":\"JumpCloud\",\"description\":\"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.\",\"publisher\":{\"@id\":\"https:\/\/jumpcloud.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/jumpcloud.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/jumpcloud.com\/#organization\",\"name\":\"JumpCloud\",\"url\":\"https:\/\/jumpcloud.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"contentUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"width\":598,\"height\":101,\"caption\":\"JumpCloud\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Create a Windows SCEP Profiles Policy - JumpCloud","description":"Learn how to configure the SCEP Profile Policy for your Windows devices using this JumpCloud policy.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jumpcloud.com\/support\/create-a-windows-scep-profiles-policy","og_locale":"en_US","og_type":"article","og_title":"Create a Windows SCEP Profiles Policy","og_description":"Browse the JumpCloud Help Center by category, search for a specific topic, or check out our featured articles.","og_url":"https:\/\/jumpcloud.com\/support\/create-a-windows-scep-profiles-policy","og_site_name":"JumpCloud","article_modified_time":"2025-02-28T13:00:48+00:00","og_image":[{"width":890,"height":525,"url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/07\/202405-MISC-JumpCloudHelpCenter-SiteDisplay-min-2.png","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"3 minutes","Written by":"sweta.soumya@jumpcloud.com"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/jumpcloud.com\/support\/create-a-windows-scep-profiles-policy","url":"https:\/\/jumpcloud.com\/support\/create-a-windows-scep-profiles-policy","name":"Create a Windows SCEP Profiles Policy - JumpCloud","isPartOf":{"@id":"https:\/\/jumpcloud.com\/#website"},"datePublished":"2024-08-22T11:50:14+00:00","dateModified":"2025-02-28T13:00:48+00:00","description":"Learn how to configure the SCEP Profile Policy for your Windows devices using this JumpCloud policy.","breadcrumb":{"@id":"https:\/\/jumpcloud.com\/support\/create-a-windows-scep-profiles-policy#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jumpcloud.com\/support\/create-a-windows-scep-profiles-policy"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/jumpcloud.com\/support\/create-a-windows-scep-profiles-policy#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jumpcloud.com\/"},{"@type":"ListItem","position":2,"name":"Support","item":"https:\/\/jumpcloud.com\/support"},{"@type":"ListItem","position":3,"name":"Create a Windows SCEP Profiles Policy"}]},{"@type":"WebSite","@id":"https:\/\/jumpcloud.com\/#website","url":"https:\/\/jumpcloud.com\/","name":"JumpCloud","description":"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.","publisher":{"@id":"https:\/\/jumpcloud.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jumpcloud.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/jumpcloud.com\/#organization","name":"JumpCloud","url":"https:\/\/jumpcloud.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/","url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","contentUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","width":598,"height":101,"caption":"JumpCloud"},"image":{"@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support\/114752"}],"collection":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support"}],"about":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/types\/support"}],"author":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/users\/223"}],"version-history":[{"count":3,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support\/114752\/revisions"}],"predecessor-version":[{"id":121722,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support\/114752\/revisions\/121722"}],"wp:attachment":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/media?parent=114752"}],"wp:term":[{"taxonomy":"support_category","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support_category?post=114752"},{"taxonomy":"support_tag","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support_tag?post=114752"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/coauthors?post=114752"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}