MD-102 Exam - Question 239


You have 500 computers that run Windows 10. The computers are joined to Azure AD and enrolled in Microsoft Intune.

You plan to distribute certificates to the computers by using Simple Certificate Enrollment Protocol (SCEP).

You have the servers shown in the following table.

[Image not reproduced: Exam MD-102 Question 239]

NDES issues certificates from the subordinate CA.

You are configuring a device configuration profile as shown in the exhibit. (Click the Exhibit tab.)

[Image not reproduced: Exam MD-102 Question 239]

You need to complete the SCEP profile.

On which server is the required root certificate located?

Correct Answer: B

To configure Simple Certificate Enrollment Protocol (SCEP) for distributing certificates using Microsoft Intune, devices must trust the Root Certification Authority (CA). In this scenario, the Root Certificate Authority is located on Server2, as it is the root of the certificate chain of trust that the subordinate CA (located on Server3) and NDES (located on Server4) depend on. Therefore, the required root certificate is located on Server2.

Discussion

7 comments
Merrybob Option: C
Feb 2, 2024

Given: NDES issues certificates from the subordinate CA. NDES server role – To support using the Certificate Connector for Microsoft Intune with SCEP, you must configure the Windows Server that hosts the certificate connector with the Network Device Enrollment Service (NDES) server role. In this case, the NDES server pulls the certificate from the Subordinate CA and not the Root CA. Ref: https://learn.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure#:~:text=NDES%20server%20role%20%E2%80%93%20To%20support%20using%20the%20Certificate%20Connector%20for%20Microsoft%20Intune%20with%20SCEP%2C%20you%20must%20configure%20the%20Windows%20Server%20that%20hosts%20the%20certificate%20connector%20with%20the%20Network%20Device%20Enrollment%20Service%20(NDES)%20server%20role.

Merrybob
Feb 2, 2024

The NDES allows routers and other network devices to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP) without using domain credentials. SCEP was developed to support the secure, scalable issuance of certificates to network devices by using existing certification authorities (CAs). The protocol supports CA and registration authority public key distribution, enrollment, and certificate revocation queries. Ref: https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/create-domain-user-account-ndes-service-account#:~:text=The%20NDES%20allows,certificate%20revocation%20queries.

Merrybob
Feb 3, 2024

Subordinate CA <--> NDES <--> Network Device on Windows machines.

mp34
Jan 18, 2024

I think the answer should be B. https://learn.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure To use a SCEP certificate profile, devices must trust your Trusted Root Cert. Authority CA.

Murad01
Jan 30, 2024

I think the correct answer should be B/Server 2. https://learn.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure

pragni4321 Option: B
Feb 15, 2024

Should be B

Alex_UC Option: B
Nov 16, 2024

The root CA certificate is needed in the SCEP profile even if the certificates are issued from a subordinate.

Alex_UC
Nov 16, 2024

From Doc: "If you have a multiple level PKI Infrastructure, such as a Root Certification Authority and an Issuing Certification Authority, select the top level Trusted Root certificate profile that validates the Issuing Certification Authority."

NoursBear
Jan 21, 2024

Server 3 is correct. https://www.examtopics.com/discussions/microsoft/view/75018-exam-md-101-topic-3-question-36-discussion/

02dc19c Option: B
Apr 17, 2025

For a SCEP certificate deployment, devices must trust the certification path of the issued certificates. In the given setup, certificates are issued by the subordinate CA (Server 3) via NDES (Server 4), but the validity of those certificates is ultimately anchored by the root certificate from the Root CA, which resides on Server 2. To ensure that devices trust the certificates they receive through SCEP, you must deploy the root certificate (typically via a trusted certificate profile in Intune) to all devices. This root certificate establishes the chain of trust needed for certificate-based authentication and secure communications.