
Use Cloud PKI with Intune – Part 2: Device Configurations

By Sebastiaan Smits

In part one of this series, we set up the Cloud PKI infrastructure, including the Root CA, Issuing CA, and NDES/SCEP service. Now, we will ensure that devices receive a certificate that they can use for authentication, such as for Wi-Fi access. Let’s get started.

Deploy Root Certificate for Devices

Since our Certificate Authority (CA) is internal and not publicly trusted, we need to ensure that devices recognize it as a trusted authority. This is achieved by deploying the Root Certificate via a Trusted Certificate configuration in Intune.

Step 1: Download the Root Certificate

  1. Navigate to Intune Admin Portal → Tenant Administration → Cloud PKI, then select the Root CA.
  2. Click Download to download the public part of the Root CA in .cer format.

This will download the Root Certificate to your browser.

Step 2: Deploy the Root Certificate Using Intune

  1. Go to Intune Admin Portal → Devices → Windows → Configuration profiles → Create a policy.
  2. Select Platform: Windows 10 and later, then choose Profile type: Templates → Trusted certificate.
  3. Click Create, then name the configuration (e.g., TN Trusted Root) and click Next.
  4. Under Certificate file, upload the Root CA file downloaded earlier.
  5. Keep Destination store set to Computer certificate store – Root, as we are deploying the company’s Root Certificate to the trusted root store on client devices.
  6. Assign the configuration to a group containing either users or, preferably, devices.

Assigning to devices has the advantage that the Root Certificate is installed in the machine store before anyone logs on, so device-based authentication (for example machine Wi-Fi at the logon screen) already works.

Create and Configure SCEP Profile

Now, we will configure SCEP (Simple Certificate Enrollment Protocol) to issue client certificates from the Issuing CA to enrolled devices.

Step 1: Create a SCEP Configuration Profile

  1. Go to Intune Admin Portal → Devices → Windows → Configuration profiles → Create a policy.
  2. Select Platform: Windows 10 and later, then choose Profile type: Templates → SCEP certificate.
  3. Click Create, then give the profile a name (e.g., TN SCEP Configuration).

Step 2: Configure the SCEP Profile Settings

Here are the key settings to configure:

Certificate type: Choose Device or User based on the purpose. If the certificate identifies the user (e.g., for VPN, Wi-Fi, or email), select User; it is then stored in the user’s certificate store and only issued once that user is signed in. If it is used for device-based authentication, select Device; it is stored in the machine store and is available before logon.

Subject name and Subject alternative name (SAN): These fields define the identity in the certificate. The Subject name is usually the main identifier, while SAN fields carry additional attributes needed by the authenticating application (for example a UPN or device ID). Consult the application to determine the required fields.

Certificate validity period: Defines how long the certificate remains valid before renewal. Renewal is handled automatically by Intune once the renewal threshold (configured in the next step) is reached.

Key storage provider (KSP): Determines where the private key is stored. The private key is the sensitive part of the certificate and should be protected like a password. Store it in the hardware key module (TPM) wherever possible; a software KSP is less secure and should only be used for older machines without a TPM. The option that falls back from TPM to software silently accepts the weaker setting, so prefer the TPM-only option if all devices have a TPM.

Key usage: Defines the cryptographic operations the key may perform. Digital signature is required for TLS client authentication (EAP-TLS for Wi-Fi or VPN) and for signing email; Key encipherment is needed only where the key must wrap session keys, as in some legacy VPN or S/MIME encryption setups. Selecting both is common and harmless for client-authentication certificates.

Key size and Hash algorithm: A 2048-bit key is sufficient for most cases. The hashing algorithm should be SHA-2 (SHA-256), unless backward compatibility requires SHA-1 (not recommended).

Extended key usage (EKU): Defines the allowed uses of the certificate. The most common choice is Client Authentication. Selecting Any Purpose is sometimes suggested for flexibility, but it lets the certificate be used for purposes the CA never intended, so limit the EKU to what the application actually needs.

This is my Configuration:

Step 3: Assign the Root Certificate & SCEP Server URL


  1. Under Root Certificate, select the Trusted Certificate profile created earlier.
  2. Set Extended Key Usage to match the intended purpose (e.g., Client Authentication).
  3. Leave Renewal Threshold at the default 20%, meaning the renewal process begins when 20% of the certificate’s lifetime remains.
  4. Copy the SCEP URL from Intune Admin Portal → Tenant Administration → Cloud PKI → Issuing CA.
  5. Paste the SCEP URL into the SCEP Server URLs field.

Validate Certificate Deployment on Devices

Now let’s have a quick look at the client device itself. The previous steps are almost identical for iOS, Android and Windows. In this example I use Windows. When I open the Computer Certificate Store I find the client certificate issued by my Issuing CA:
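Checking the result in the certificate MMC works, but on a fleet you want something scriptable that verifies everything the two profiles above were supposed to deliver: the Root CA in the machine Trusted Root store, a SCEP-issued certificate with a private key, a chain that ends at that root, the key usage and EKU from the profile, and whether the private key really sits in the TPM. The following PowerShell script is an added example, not code from the original post. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, an elevated session (reading private-key properties in the machine store needs it), and the hypothetical subject names `CN=TN Root CA` and `CN=TN Issuing CA`, which you must replace with the subjects shown in the Cloud PKI portal.

```powershell
# Added verification script (not from the original post). Run elevated on an
# Intune-enrolled Windows device after the Trusted certificate and SCEP profiles
# have applied. The subject names below are hypothetical placeholders.
function Test-CloudPkiDeployment {
    param(
        [string]$RootSubject   = 'CN=TN Root CA',      # hypothetical Root CA subject
        [string]$IssuerSubject = 'CN=TN Issuing CA',   # hypothetical Issuing CA subject
        [switch]$UserCertificate                       # set if the SCEP profile issues User certs
    )

    # 1. The Trusted certificate profile must have placed the Root CA in LocalMachine\Root.
    $root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $RootSubject }
    if (-not $root) {
        throw "Root CA '$RootSubject' is not in LocalMachine\Root. Check the Trusted certificate profile assignment."
    }

    # 2. Locate the newest SCEP-issued certificate that has a private key.
    #    Device certificates land in LocalMachine\My, User certificates in CurrentUser\My.
    $store = if ($UserCertificate) { 'Cert:\CurrentUser\My' } else { 'Cert:\LocalMachine\My' }
    $cert = Get-ChildItem $store |
        Where-Object { $_.Issuer -eq $IssuerSubject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        throw "No certificate issued by '$IssuerSubject' with a private key found in $store."
    }

    # 3. The chain must build to the deployed Root. Revocation is skipped so the check
    #    also works offline; the relying party (RADIUS/VPN) still checks the Cloud PKI CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        throw "Chain for $($cert.Thumbprint) does not build: $status"
    }
    $chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($chainRoot.Thumbprint -ne $root.Thumbprint) {
        throw "Chain ends at '$($chainRoot.Subject)', not at the deployed Cloud PKI root."
    }

    # 4. Key Usage and EKU must match what the SCEP profile was meant to issue.
    #    TLS client authentication (EAP-TLS for Wi-Fi/VPN) needs Digital Signature and
    #    the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2). Any Purpose is flagged
    #    because it is broader than the profile should grant.
    $ku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasDigitalSignature = $ku -and $ku.KeyUsages.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)
    $ekuOids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }

    # 5. Confirm where the private key actually lives (TPM KSP, software KSP or legacy CSP).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $provider = if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $rsa.Key.Provider.Provider
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $rsa.CspKeyContainerInfo.ProviderName
    } else { 'unknown (no RSA private key access, run elevated?)' }

    [pscustomobject]@{
        RootThumbprint      = $root.Thumbprint
        ClientThumbprint    = $cert.Thumbprint
        Subject             = $cert.Subject
        NotAfter            = $cert.NotAfter
        KeySizeBits         = $rsa.KeySize
        HasDigitalSignature = [bool]$hasDigitalSignature
        HasClientAuthEku    = ($ekuOids -contains '1.3.6.1.5.5.7.3.2')
        HasAnyPurposeEku    = ($ekuOids -contains '2.5.29.37.0')
        KeyProvider         = $provider
        KeyInTpm            = ($provider -eq 'Microsoft Platform Crypto Provider')
    }
}

Test-CloudPkiDeployment | Format-List
```

KeyProvider reads "Microsoft Platform Crypto Provider" when the SCEP profile’s KSP setting put the key in the TPM and "Microsoft Software Key Storage Provider" when it fell back to software; that fallback is exactly what the TPM-with-software-fallback option hides, so this field is the one worth collecting centrally (for example as a Proactive Remediation detection script). Pass `-UserCertificate` when the profile issues User certificates, and run it as that user.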

Conclusion

At this stage, your Intune-managed devices have successfully received a trusted Root CA and a client certificate via SCEP. This enables secure authentication for Wi-Fi, VPN, or other enterprise services.

In a follow up post, we will use this certificate to authenticate against Azure Key Vault and securely retrieve secrets using PowerShell. Stay tuned! 🚀
