Configure Intune configuration profiles

This section explores the following tasks:

Export the Root certificate.
Enable automatic device enrollment in Intune.

Export the certificate

Perform the following steps to export the Root certificate:

Run the following command:

Powershell

certutil -ca.cert C:\root.cer

Set the certificate aside, so you can use it later when setting up the Trusted Certificate Profile in Intune.

Create a trusted certificate profile

Perform the following steps to create an Intune Trusted Certificate profile:

In a web browser, go to https://intune.microsoft.com/ and log in.

From the main page, selectDevices > Windows and select [ Configuration Profiles ].

Select** [ Create profile ]** and enter the following settings:

Setting	Required Configuration
Platform	Windows 10 and later
Profile Type	Templates
Template Name	Trusted certificate

Select [ Create ].

On the Basics page, enter your profile name and description. Select [ Next ].

On the Configuration Settings page, browse for and upload the root.cer you exported earlier. Set the Destination store to Computer certificate store- Root. Select** [ Next ]**.

On the Assignments page, set which devices and users you want to be included in this policy. Select [ Next ].

On the Applicability Rules page, you can designate rules that systems must meet for the policy to be applied. Select [ Next ].

On the Review + Create page, verify your configuration settings and select [ Create ]*.

Create a SCEP certificate profile

Perform the following steps to create an Intune SCEP certificate profile:

In a web browser, go to https://intune.microsoft.com/ and log in.

From the main page, select Devices > Windows and select [ Configuration Profiles ].

Select** [ Create profile ]** and enter the following settings:

Setting	Required Configuration
Platform	Windows 10 and later
Profile Type	Templates
Template Name	SCEP

Select** [ Create ]**.

On the Basics page, enter your profile name and description. Select [ Next ].

On the Configuration Settings page, use the following settings:

Setting	Required configuration
Certificate type	Device
Subject Name	CN={{AAD_DEVICE_ID}}
Certificate Validity	2 years
Key Storage Provider (KSP)	Enroll in Trusted Platform Module (TPM) KSP if present, otherwise Software KSP
Key Usage	Key Encipherment, Digital Signature
Key Size (bits)	2048
Hash Algoritihim	SHA-2
Root Certificate	Name of root certificate from the previous section
Extended Key Usage	Client Authentication
SCEP Server URLs	https://<NDES external URL FQDN as shown in your Azure app proxy list > `/certsrv/mscep/mscep.dll`(such as `https://ndesserver.intune.fx.com/certsrv/mscep/mscep.dll`)

After entering all the necessary configuration settings, select [ Next ].

On the Assignments page, set which devices and users you would like to be included in this policy. Select [ Next ].

On the Applicability Rules page, you can designate rules that systems must meet for the policy to be applied. Select [ Next ].

On the Review + Create page, verify your configuration and select [ Create ].

Enable automatic device enrollment

Perform the following steps to enable automatic device enrollment in Intune:

In a web browser, go to https://intune.microsoft.com/ and log in.

On the main page, go toDevices > Enroll Devices and select [ Automatic Enrollment ].

Set the MDM user scope to All and select [ Save ].

For more information on configuring Intune certificate profiles, refer to the Microsoft documentation: learn.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure

​Export the certificate

​Create a trusted certificate profile

​Create a SCEP certificate profile

​Enable automatic device enrollment

Export the certificate

Create a trusted certificate profile

Create a SCEP certificate profile

Enable automatic device enrollment