
Intune Certificate Management: Complete Guide

Learn how to configure and deploy certificates in Intune using SCEP, PKCS, and trusted root certificate profiles for VPN, Wi-Fi, email, and application authentication.

By Ali Alame
Tags: intune, certificates, scep, pkcs, vpn, wifi, authentication, security

Certificates in Microsoft Intune provide secure authentication for users and devices to access corporate resources like VPN, Wi-Fi, and email without requiring usernames and passwords. Intune supports multiple certificate deployment methods to meet different organizational needs.

Understanding Certificates in Intune

Certificates in Intune enable authenticated access to corporate resources through VPN, Wi-Fi, and email profiles. When you use certificates for authentication, end users don't need to enter usernames and passwords, providing a seamless and secure access experience.

Certificate Types Supported

  1. SCEP (Simple Certificate Enrollment Protocol): Unique certificates for each device/user
  2. PKCS (Public Key Cryptography Standards): Device or user certificates
  3. PKCS Imported: Shared certificates for scenarios like S/MIME
  4. Trusted Root: Root CA certificates to establish trust

For an overview, see Use certificates for authentication in Microsoft Intune.

Prerequisites

Before deploying certificates:

  1. Certification Authority: Microsoft CA or third-party CA
  2. Infrastructure:
    • For SCEP: Network Device Enrollment Service (NDES) server
    • For PKCS: Certificate Connector for Intune
  3. Trusted Root Certificate: Export root CA certificate
  4. Permissions: Appropriate Intune and CA permissions

Trusted Root Certificate Profiles

Trusted root certificate profiles deploy the public key from your root or intermediate CA to devices, establishing trust back to your Certification Authority.

Creating a Trusted Root Certificate Profile

Step 1: Export Root CA Certificate

  1. Export the root CA certificate as a .cer file (DER-encoded)
  2. Do not export the private key
  3. Export any intermediate CA certificates if needed
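The export in Step 1 can be scripted so that the same DER-encoded files are produced every time and checked before upload. The following PowerShell is an added example, not code from the original post or from Microsoft; it assumes it is run on a domain-joined Windows machine (or the CA itself) where the enterprise root is already in the machine Root store, and the root subject name and output folder are placeholders you replace with your own.

```powershell
# Added example: export the root and any intermediate CA certificates as DER-encoded
# .cer files for an Intune Trusted certificate profile, without touching private keys.
# Assumptions: root CA certificate is present in Cert:\LocalMachine\Root on this machine;
# $RootSubject and $OutDir are placeholders.
$RootSubject = 'CN=Contoso Root CA'   # placeholder: your root CA's subject DN
$OutDir      = 'C:\IntuneCerts'       # placeholder: where the .cer files are written
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# The root is the self-signed entry (Subject == Issuer) with the matching subject;
# if the root has been renewed, take the one that expires last.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $RootSubject -and $_.Subject -eq $_.Issuer } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $root) { throw "Root CA '$RootSubject' not found in Cert:\LocalMachine\Root" }

# Export-Certificate writes only the public certificate; -Type CERT is DER encoding.
# Only Export-PfxCertificate can emit a private key, so this step cannot leak one.
$rootFile = Join-Path $OutDir 'RootCA.cer'
Export-Certificate -Cert $root -FilePath $rootFile -Type CERT -Force | Out-Null

# Intermediate (issuing) CAs chained to that root live in the machine CA store.
$intermediates = Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { $_.Issuer -eq $root.Subject -and $_.Subject -ne $_.Issuer }
$i = 0
foreach ($ca in $intermediates) {
    $i++
    $file = Join-Path $OutDir "IntermediateCA$i.cer"
    Export-Certificate -Cert $ca -FilePath $file -Type CERT -Force | Out-Null
}

# Sanity check before upload: each file must parse as an X.509 certificate, carry no
# private key, and show the thumbprint you expect to see in the Intune profile.
foreach ($f in Get-ChildItem $OutDir -Filter *.cer) {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($f.FullName)
    [pscustomobject]@{
        File          = $f.Name
        Subject       = $c.Subject
        Thumbprint    = $c.Thumbprint
        NotAfter      = $c.NotAfter
        HasPrivateKey = $c.HasPrivateKey   # must be False for a trusted root upload
    }
}
```

Run it once per CA hierarchy and keep the resulting thumbprints with the profile's change record; they are what you compare against on a device when verifying that the trusted root profile landed.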

Step 2: Create Profile

  1. Sign in to the Microsoft Intune admin center
  2. Navigate to Devices > Manage devices > Configuration > Create
  3. Select platform (Windows, iOS/iPadOS, Android, macOS)
  4. Select Templates > Trusted certificate
  5. Select Create

Step 3: Configure Settings

  1. Name: Enter descriptive name
  2. Description: Optional description
  3. Trusted Root Certificate: Upload the .cer file
  4. Certificate store:
    • Root certificate store (Windows)
    • User certificate store (Android)

Step 4: Assign and Deploy

  1. Assign to the same groups that will receive SCEP/PKCS profiles
  2. Deploy before SCEP/PKCS profiles

Important: Trusted root certificate profiles must be deployed before SCEP or PKCS certificate profiles.

For detailed guidance, see Trusted root certificate profiles for Microsoft Intune.

SCEP Certificate Profiles

SCEP (Simple Certificate Enrollment Protocol) provisions unique certificates for each device or user request.

Prerequisites for SCEP

  1. NDES Server: Network Device Enrollment Service configured
  2. Certificate Connector: Intune Certificate Connector installed
  3. Certificate Template: Configured on CA
  4. Trusted Root: Trusted root certificate profile deployed

Creating a SCEP Certificate Profile

Step 1: Access Certificate Profiles

  1. Navigate to Devices > Manage devices > Configuration > Create
  2. Select platform
  3. Select Templates > SCEP certificate
  4. Select Create

Step 2: Configure Basics

  1. Name: Enter descriptive name
  2. Description: Optional description
  3. Select Next

Step 3: Configure Certificate Properties

  1. Certificate type:
    • User: User certificate
    • Device: Device certificate
  2. Subject name format:
    • Common Name (CN)
    • Fully Distinguished Name (DN)
    • Custom
  3. Subject alternative name: Configure SAN if needed
  4. Certificate validity period: Set validity period
  5. Key storage provider (KSP): Choose KSP for key storage

Step 4: Configure Certificate Authority

  1. Certificate authority: Select your CA
  2. Certificate authority name: CA server name
  3. Certificate template name: Template name on CA
  4. Extended key usage: Configure EKU (Client Authentication, etc.)

Step 5: Configure Trusted Root

  1. Trusted Root Certificate: Select trusted root certificate profile
  2. Root Certificate: Verify root certificate

Step 6: Assign and Deploy

  1. Assign to user or device groups
  2. Deploy after trusted root certificate profile

For detailed guidance, see Create and assign SCEP certificate profiles in Intune.

PKCS Certificate Profiles

PKCS certificate profiles deploy device or user certificates using the Intune Certificate Connector.

Prerequisites for PKCS

  1. Certificate Connector: Intune Certificate Connector installed
  2. Certificate Template: Configured on CA
  3. Trusted Root: Trusted root certificate profile deployed

Creating a PKCS Certificate Profile

Step 1: Access Certificate Profiles

  1. Navigate to Devices > Manage devices > Configuration > Create
  2. Select platform
  3. Select Templates > PKCS certificate
  4. Select Create

Step 2: Configure Certificate Properties

  1. Certificate type: User or Device
  2. Certificate authority: Select CA
  3. Certificate template name: Template name
  4. Subject name format: Configure subject name
  5. Validity period: Set validity period

Step 3: Configure Key Storage

  1. Key storage provider: Choose KSP
  2. Key size: Configure key size
  3. Hash algorithm: Select hash algorithm

Step 4: Assign and Deploy

  1. Assign to user or device groups
  2. Deploy after trusted root certificate profile

For detailed guidance, see Create and assign PKCS certificate profiles in Intune.

Certificate Usage Scenarios

VPN Authentication

Configuration:

  1. Deploy trusted root certificate profile
  2. Deploy SCEP or PKCS certificate profile
  3. Create VPN profile referencing certificate
  4. Assign to device or user groups

Certificate Requirements:

  • Certificate type: User or Device
  • Extended Key Usage: Client Authentication
  • Subject: User UPN or Device name

Wi-Fi Authentication

Configuration:

  1. Deploy trusted root certificate profile
  2. Deploy SCEP or PKCS certificate profile
  3. Create Wi-Fi profile referencing certificate
  4. Assign to device groups

Certificate Requirements:

  • Certificate type: Device
  • Extended Key Usage: Client Authentication
  • Subject: Device name

Email Signing and Encryption (S/MIME)

Configuration:

  1. Deploy trusted root certificate profile
  2. Deploy PKCS imported certificate profile
  3. Configure email profile
  4. Assign to user groups

Certificate Requirements:

  • Use PKCS imported certificates
  • Extended Key Usage: Email Protection
  • Deploy same certificate to multiple users

For usage details, see Intune supported certificates and usage.

Best Practices

1. Deploy Trusted Root First

  • Always deploy trusted root certificate profiles first
  • Ensure root certificate is installed before SCEP/PKCS
  • Test root certificate installation

2. Use Appropriate Certificate Type

  • Use User certificates for user-specific scenarios
  • Use Device certificates for device-specific scenarios
  • Use PKCS imported for shared certificates (S/MIME)

3. Configure Proper Validity Periods

  • Set appropriate certificate validity periods
  • Plan for certificate renewal
  • Monitor certificate expiration
  • Configure renewal before expiration

4. Test Certificate Deployment

  • Test with pilot groups first
  • Verify certificate installation
  • Test certificate usage (VPN, Wi-Fi, etc.)
  • Validate certificate renewal

5. Monitor Certificate Status

  • Review certificate deployment status
  • Monitor certificate expiration
  • Address deployment failures
  • Track certificate usage

Troubleshooting

Common Issues

  1. Certificates Not Deploying
    • Verify trusted root certificate is deployed
    • Check Certificate Connector status
    • Review certificate profile assignments
    • Verify device enrollment
  2. Certificate Installation Fails
    • Check certificate template configuration
    • Verify CA connectivity
    • Review Certificate Connector logs
    • Check device requirements
  3. Certificates Not Working
    • Verify certificate is installed correctly
    • Check certificate validity
    • Review certificate properties
    • Test certificate manually
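Several of the checks above (root present, certificate installed with its private key, validity and expiry, correct EKU, chain builds) and the expiry monitoring called for under Best Practices 3 and 5 can be run from one script on a Windows device. This PowerShell is an added example, not code from the original post or from Microsoft; the root thumbprint and issuing CA name are placeholders, and it assumes the device is Windows with the PKI module available (Test-Certificate). Run it as the user for user certificates or elevated for device certificates.

```powershell
# Added example: verify on a Windows device that the Intune trusted root profile and
# the SCEP/PKCS client certificate are in place and usable for client authentication.
# Assumptions: $RootThumbprint and $IssuerCN are placeholders; PKI module present.
param(
    [string]$RootThumbprint = '0000000000000000000000000000000000000000',  # placeholder
    [string]$IssuerCN       = 'Contoso Issuing CA',                            # placeholder
    [ValidateSet('User','Device')][string]$CertType = 'Device',
    [int]$WarnDays = 30    # flag certificates this close to expiry for renewal follow-up
)
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, required for the VPN/Wi-Fi scenarios

# 1. Trusted root profile: the root CA must be in the machine Root store.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $RootThumbprint
if (-not $root) {
    Write-Warning "Root CA $RootThumbprint not present: deploy the Trusted certificate profile before SCEP/PKCS."
}

# 2. Client certificate from our CA, in the store matching the profile's certificate type.
$store = if ($CertType -eq 'User') { 'Cert:\CurrentUser\My' } else { 'Cert:\LocalMachine\My' }
$certs = Get-ChildItem $store | Where-Object { $_.Issuer -like "CN=$IssuerCN*" }
if (-not $certs) { Write-Warning "No certificate issued by '$IssuerCN' found in $store"; return }

foreach ($c in $certs) {
    $ekuExt = $c.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object Value } else { @() }
    $sanExt = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays

    # Test-Certificate builds the chain against the local stores, checks revocation and
    # the requested EKU; $false means the certificate will not work for authentication.
    $chainOk = Test-Certificate -Cert $c -Policy BASE -EKU $ClientAuthEku -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Subject         = $c.Subject
        Thumbprint      = $c.Thumbprint
        HasPrivateKey   = $c.HasPrivateKey              # False: key never landed in the KSP
        ClientAuthEKU   = ($ekus -contains $ClientAuthEku)
        SAN             = if ($sanExt) { $sanExt.Format($false) } else { '' }
        DaysUntilExpiry = $daysLeft
        RenewSoon       = ($daysLeft -le $WarnDays)
        ChainValid      = [bool]$chainOk
    }
}

# 3. Recent MDM client errors: SCEP/PKCS enrollment failures surface in this event log.
Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -eq 'Error' -and $_.Message -match 'SCEP|PKCS|cert' } |
    Select-Object TimeCreated, Id, Message
```

A row with HasPrivateKey False or ChainValid False points at the enrollment or trust side (Connector, NDES, template, missing root) rather than at the VPN or Wi-Fi profile; RenewSoon True with ChainValid True is the signal to check that the profile's renewal threshold is doing its job before users lose access.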

For troubleshooting guidance, see Troubleshooting the deployment of SCEP certificates profile to devices in Intune.


Conclusion

Certificate management in Intune provides secure authentication for VPN, Wi-Fi, and email access. By following these best practices:

✅ Deploy trusted root certificates first
✅ Use appropriate certificate types for scenarios
✅ Configure proper validity periods
✅ Test certificate deployment thoroughly
✅ Monitor certificate status regularly

you can establish a robust certificate-based authentication framework that provides seamless and secure access to organizational resources.

Remember: Certificates require proper infrastructure setup (NDES for SCEP, Certificate Connector for PKCS). Always test certificate deployment in a pilot environment before broad deployment.