Secure sensitive resources from unauthorized Windows devices

Microsoft Intune manages Windows fleets, but enrollment does not prove device authenticity. Smallstep integrates with Intune to verify Windows hardware and restrict access to critical resources, including internal AI tools, copilots, and MCP-enabled services, to hardware-attested devices only.

Privileged Access Workflows

Only issue credentials to verified Windows devices

Smallstep checks every certificate request against your Intune inventory, blocking unrecognized Windows devices from obtaining credentials. This prevents personal, compromised, or rogue machines from accessing sensitive systems using stolen or shared credentials.

Eliminate static secrets

Traditional Windows deployments have relied on vulnerable static SCEP passwords. Smallstep upgrades Windows enrollment security with ACME Device Attestation, issuing hardware-bound, non-exportable credentials. For legacy hardware, Dynamic SCEP enables a smooth migration to secure certificate-based Wi-Fi and VPN authentication.

Zero-touch device configuration

Smallstep automatically deploys secure configuration profiles and credentials for Wi-Fi, VPN, and SaaS apps to all verified Windows devices. Streamline enrollment, eliminate manual steps, and ensure robust, error-free security across your Windows fleet.

Easy certificate lifecycle maintenance

Hands-free certificate management

Say goodbye to manual certificate renewals and revocation hassles. Smallstep proactively monitors each certificate’s lifecycle, renewing credentials before they expire and revoking access if a device is off-boarded or compromised. This reduces admin workload, prevents human errors, and keeps your device inventory up to date.

Multi-OS certificate deployment including Windows Intune, Apple MDM, and Linux management

Unified security beyond Windows

Smallstep goes beyond Windows, seamlessly extending centralized, high-assurance device identity to macOS, Linux, and cloud environments. Whether you're using Intune, Jamf, or another MDM, Smallstep provides unified control and security across your entire device fleet.

Intune + Smallstep

Get the data sheet

When Smallstep is added to Intune, a device's hardware identity becomes an authentication factor. Instead of relying solely on shared secrets and user credentials, Smallstep silently verifies device trust, blocking unauthorized machines without adding friction for users.


Leading the industry in Zero Trust for devices

Empower your teams to work at the pace and scale of modern engineering.

FAQs Smallstep for Windows + Intune