> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure Intune configuration profiles

> Procedural guide to configure Intune certificate profiles and device enrollment settings.

This section explores the following tasks:

* Export the Root certificate.
* Enable automatic device enrollment in Intune.

## Export the certificate

Perform the following steps to export the Root certificate:

<Steps>
  <Step>
    Log in to your AD CS CA server and launch an elevated command prompt.
  </Step>

  <Step>
    Run the following command:

    ```powershell expandable lines wrap title="Powershell" theme={null}
    certutil -ca.cert C:\root.cer
    ```
  </Step>

  <Step>
    Set the certificate aside, so you can use it later when setting up the Trusted **Certificate Profile** in Intune.
  </Step>
</Steps>

## Create a trusted certificate profile

Perform the following steps to create an Intune Trusted Certificate profile:

<Steps>
  <Step>
    In a web browser, go to [**https://intune.microsoft.com/**](https://intune.microsoft.com/) and log in.
  </Step>

  <Step>
    From the main page, select **Devices** > **Windows** and select **\[ Configuration Profiles ]**.
  </Step>

  <Step>
    Select **\[ Create profile ]** and enter the following settings:

    <table>
      <thead>
        <tr>
          <th><em><strong>Setting</strong></em></th>
          <th><em><strong>Required</strong></em> <em><strong>Configuration</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>Platform</strong></td>
          <td>Windows 10 and later</td>
        </tr>

        <tr>
          <td><strong>Profile</strong> <strong>Type</strong></td>
          <td>Templates</td>
        </tr>

        <tr>
          <td><strong>Template</strong> <strong>Name</strong></td>
          <td>Trusted certificate</td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    Select **\[ Create ]**.
  </Step>

  <Step>
    On the **Basics** page, enter your profile name and description. Select **\[ Next ]**.
  </Step>

  <Step>
    On the **Configuration** **Settings** page, browse for and upload the `root.cer` you exported earlier. Set the **Destination** **store** to **Computer** **certificate** **store- Root**. Select **\[ Next ]**.
  </Step>

  <Step>
    On the **Assignments** page, set which devices and users you want to be included in this policy. Select **\[ Next ]**.
  </Step>

  <Step>
    On the **Applicability** **Rules** page, you can designate rules that systems must meet for the policy to be applied. Select **\[ Next ]**.
  </Step>

  <Step>
    On the **Review + Create** page, verify your configuration settings and select **\[ Create ]**\*.
  </Step>
</Steps>

## Create a SCEP certificate profile

Perform the following steps to create an Intune SCEP certificate profile:

<Steps>
  <Step>
    In a web browser, go to [**https://intune.microsoft.com/**](https://intune.microsoft.com/) and log in.
  </Step>

  <Step>
    From the main page, select **Devices** > **Windows** and select **\[ Configuration Profiles ]**.
  </Step>

  <Step>
    Select **\[ Create profile ]** and enter the following settings:

    <table>
      <thead>
        <tr>
          <th><em><strong>Setting</strong></em></th>
          <th><em><strong>Required</strong></em> <em><strong>Configuration</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>Platform</strong></td>
          <td>Windows 10 and later</td>
        </tr>

        <tr>
          <td><strong>Profile</strong> <strong>Type</strong></td>
          <td>Templates</td>
        </tr>

        <tr>
          <td><strong>Template</strong> <strong>Name</strong></td>
          <td>SCEP</td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    Select **\[ Create ]**.
  </Step>

  <Step>
    On the **Basics** page, enter your profile name and description. Select **\[ Next ]**.
  </Step>

  <Step>
    On the **Configuration** **Settings** page, use the following settings:

    <table>
      <thead>
        <tr>
          <th><em><strong>Setting</strong></em></th>
          <th><em><strong>Required</strong></em> <em><strong>configuration</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>Certificate type</strong></td>
          <td>Device</td>
        </tr>

        <tr>
          <td><strong>Subject Name</strong></td>
          <td>CN=\{\{AAD\_DEVICE\_ID}}</td>
        </tr>

        <tr>
          <td><strong>Certificate Validity</strong></td>
          <td>2 years</td>
        </tr>

        <tr>
          <td><strong>Key Storage Provider (KSP)</strong></td>
          <td>Enroll in Trusted Platform Module (TPM) KSP if present, otherwise Software KSP</td>
        </tr>

        <tr>
          <td><strong>Key Usage</strong></td>
          <td>Key Encipherment, Digital Signature</td>
        </tr>

        <tr>
          <td><strong>Key Size (bits)</strong></td>
          <td>2048</td>
        </tr>

        <tr>
          <td><strong>Hash Algoritihim</strong></td>
          <td>SHA-2</td>
        </tr>

        <tr>
          <td><strong>Root Certificate</strong></td>
          <td>Name of root certificate from the previous section</td>
        </tr>

        <tr>
          <td><strong>Extended Key Usage</strong></td>
          <td>Client Authentication</td>
        </tr>

        <tr>
          <td><strong>SCEP Server URLs</strong></td>
          <td>https\://\<NDES external URL FQDN as shown in your Azure app proxy list > <code>/certsrv/mscep/mscep.dll</code>(such as <code>[https://ndesserver.intune.fx.com/certsrv/mscep/mscep.dll](https://ndesserver.intune.fx.com/certsrv/mscep/mscep.dll)</code>)</td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    After entering all the necessary configuration settings, select **\[ Next ]**.
  </Step>

  <Step>
    On the **Assignments** page, set which devices and users you would like to be included in this policy. Select **\[ Next ]**.
  </Step>

  <Step>
    On the **Applicability** **Rules** page, you can designate rules that systems must meet for the policy to be applied. Select **\[ Next ]**.
  </Step>

  <Step>
    On the **Review + Create** page, verify your configuration and select **\[ Create ]**.
  </Step>
</Steps>

## Enable automatic device enrollment

Perform the following steps to enable automatic device enrollment in Intune:

<Steps>
  <Step>
    In a web browser, go to [**https://intune.microsoft.com/**](https://intune.microsoft.com/) and log in.
  </Step>

  <Step>
    On the main page, go to **Devices** > **Enroll** **Devices** and select **\[ Automatic Enrollment ]**.
  </Step>

  <Step>
    Set the **MDM** **user** **scope** to **All** and select **\[ Save ]**.
  </Step>
</Steps>

For more information on configuring Intune certificate profiles, refer to the Microsoft documentation: [**learn.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure**](https://learn.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure)
