Configure Intune configuration profiles

This section covers the following tasks:

  • Export the Root certificate.
  • Create the Intune Trusted Certificate Profile.
  • Create the Intune SCEP Certificate Profile.
  • Enable automatic device enrollment in Intune.

Export the Root certificate

1. Log in to your AD CS CA server and launch an elevated command prompt.

2. Run the following command:

   PowerShell

3. Keep the exported root certificate file (root.cer); you will upload it when creating the Trusted Certificate Profile in Intune.

Create Intune Trusted Certificate Profile

1. In a web browser, go to https://intune.microsoft.com/ and log in.

2. From the main page, select Devices > Windows and select [ Configuration Profiles ].

3. Select [ Create profile ] and enter the following settings:

   | Setting       | Required Configuration |
   | Platform      | Windows 10 and later   |
   | Profile Type  | Templates              |
   | Template Name | Trusted certificate    |

4. Select [ Create ].

5. On the Basics page, enter your profile name and description. Select [ Next ].

6. On the Configuration Settings page, browse for and upload the root.cer you exported earlier. Set the Destination store to Computer certificate store - Root. Select [ Next ].

7. On the Assignments page, set which devices and users you want to be included in this policy. Select [ Next ].

8. On the Applicability Rules page, you can designate rules that systems have to meet for the policy to be applied. Select [ Next ].

9. On the Review + Create page, verify your configuration settings and select [ Create ].

Create Intune SCEP Certificate Profile

1. In a web browser, go to https://intune.microsoft.com/ and log in.

2. From the main page, select Devices > Windows and select [ Configuration Profiles ].

3. Select [ Create profile ] and enter the following settings:

   | Setting       | Required Configuration |
   | Platform      | Windows 10 and later   |
   | Profile Type  | Templates              |
   | Template Name | SCEP                   |

4. Select [ Create ].

5. On the Basics page, enter your profile name and description. Select [ Next ].

6. On the Configuration Settings page, use the following settings:

   | Setting                    | Required configuration |
   | Certificate type           | Device |
   | Subject Name               | CN={{AAD_DEVICE_ID}} |
   | Certificate Validity       | 2 years |
   | Key Storage Provider (KSP) | Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP |
   | Key Usage                  | Key Encipherment, Digital Signature |
   | Key Size (bits)            | 2048 |
   | Hash Algorithm             | SHA-2 |
   | Root Certificate           | Name of the root certificate from the previous section |
   | Extended Key Usage         | Client Authentication |
   | SCEP Server URLs           | https://<NDES external URL FQDN as shown in your Azure app proxy list>/certsrv/mscep/mscep.dll (e.g., https://ndesserver.intune.fx.com/certsrv/mscep/mscep.dll) |

7. After entering all the necessary configuration settings, select [ Next ].

8. On the Assignments page, set which devices and users you would like to be included in this policy. Select [ Next ].

9. On the Applicability Rules page, you can designate rules that systems have to meet for the policy to be applied. Select [ Next ].

10. On the Review + Create page, verify your configuration and select [ Create ].
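Once both profiles have deployed, the following PowerShell, added here as an example and not part of the original page, checks from an enrolled device that the root CA landed in the machine Root store and that the SCEP-issued device certificate matches the settings in the table above (chain to the expected root, Key Usage, Client Authentication EKU, 2048-bit key, SHA-2 signature, TPM-backed key). The root CA thumbprint is a placeholder you must supply; the Subject Name CN={{AAD_DEVICE_ID}} is assumed to be the one configured in the profile.

```powershell
# Added post-deployment check; not part of the original page. Run in an elevated
# PowerShell session on a Windows device that received both Intune profiles.
# Assumptions: the root CA thumbprint is the placeholder below, and the SCEP
# profile uses Subject Name CN={{AAD_DEVICE_ID}} as shown in the table above.
$RootThumbprint = 'REPLACE-WITH-ROOT-CA-THUMBPRINT'   # placeholder value

# 1. The Trusted Certificate profile must have placed the root CA in LocalMachine\Root.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $RootThumbprint
if (-not $root) { Write-Warning 'Root CA not present in LocalMachine\Root'; return }

# 2. Resolve the Entra device ID that Intune substitutes for {{AAD_DEVICE_ID}}.
$m = dsregcmd /status | Select-String -Pattern '^\s*DeviceId\s*:\s*([0-9a-fA-F-]+)'
if (-not $m) { Write-Warning 'Device is not Entra joined or registered'; return }
$deviceId = $m.Matches[0].Groups[1].Value

# 3. Locate the SCEP-issued device certificate (newest one that has a private key).
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$deviceId" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { Write-Warning "No device certificate with CN=$deviceId"; return }

# 4. The chain must terminate at the expected root, not merely at any trusted CA.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$built = $chain.Build($cert)
$top   = if ($chain.ChainElements.Count -gt 0) {
             $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate } else { $null }
$chainOk = $built -and $top -and ($top.Thumbprint -eq $RootThumbprint)

# 5. Compare the issued certificate against the SCEP profile settings.
$kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
$ku      = $cert.Extensions |
           Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$kuOk    = $ku -and $ku.KeyUsages.HasFlag($kuFlags::DigitalSignature) -and
           $ku.KeyUsages.HasFlag($kuFlags::KeyEncipherment)
$ekuOk   = $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2'   # Client Authentication
$rsaPub  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$rsaPriv = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
# For CNG keys the provider name reveals whether the key lives in the TPM.
$provider = if ($rsaPriv -is [System.Security.Cryptography.RSACng]) { $rsaPriv.Key.Provider.Provider } else { 'non-CNG/unknown' }

[pscustomobject]@{
    Subject       = $cert.Subject
    NotAfter      = $cert.NotAfter
    ChainsToRoot  = $chainOk
    KeyUsageOk    = [bool]$kuOk
    ClientAuthEKU = $ekuOk
    KeySizeBits   = $rsaPub.KeySize                         # expect 2048
    SignatureAlg  = $cert.SignatureAlgorithm.FriendlyName   # expect a SHA-2 variant, e.g. sha256RSA
    KeyProvider   = $provider
    TpmBacked     = ($provider -eq 'Microsoft Platform Crypto Provider')
}
```

A device that reports KeyProvider as Microsoft Software Key Storage Provider fell back to the Software KSP, which the profile permits when no TPM is present but is worth reviewing on hardware that should have one.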

Enable automatic device enrollment in Intune

1. In a web browser, go to https://intune.microsoft.com/ and log in.

2. On the main page, go to Devices > Enroll Devices and select [ Automatic Enrollment ].

3. Set the MDM user scope to All and select [ Save ].

For more information on configuring Intune certificate profiles, refer to the Microsoft documentation.