Configure Intune configuration profiles
This section covers the following tasks:

  - Export the root certificate
  - Create a trusted certificate profile
  - Create a SCEP certificate profile
  - Enable automatic device enrollment in Intune

Export the root certificate

Perform the following steps to export the root certificate:

  1. Log in to your AD CS CA server and launch an elevated command prompt.
  2. Run the following command:

     certutil -ca.cert C:\root.cer

  3. Set the certificate aside so you can use it later when setting up the trusted certificate profile in Intune. Every device that receives that profile will trust any certificate chaining to this file, so make sure it is the self-signed root certificate and not an issuing (subordinate) CA certificate.

Create a trusted certificate profile

Perform the following steps to create an Intune trusted certificate profile:

  1. In a web browser, go to https://intune.microsoft.com/ and log in.
  2. From the main page, select Devices > Windows and select [Configuration profiles].
  3. Select [Create profile] and enter the following settings:

     Setting        Required configuration
     Platform       Windows 10 and later
     Profile type   Templates
     Template name  Trusted certificate

  4. Select [Create].
  5. On the Basics page, enter your profile name and description. Select [Next].
  6. On the Configuration settings page, browse for and upload the root.cer you exported earlier. Set the destination store to Computer certificate store - Root. Select [Next].
  7. On the Assignments page, set which devices and users you want to be included in this policy. Select [Next].
  8. On the Applicability rules page, you can designate rules that systems must meet for the policy to be applied. Select [Next].
  9. On the Review + create page, verify your configuration settings and select [Create].

Create a SCEP certificate profile

Perform the following steps to create an Intune SCEP certificate profile:

  1. In a web browser, go to https://intune.microsoft.com/ and log in.
  2. From the main page, select Devices > Windows and select [Configuration profiles].
  3. Select [Create profile] and enter the following settings:

     Setting        Required configuration
     Platform       Windows 10 and later
     Profile type   Templates
     Template name  SCEP certificate

  4. Select [Create].
  5. On the Basics page, enter your profile name and description. Select [Next].
  6. On the Configuration settings page, use the following settings:

     Setting                      Required configuration
     Certificate type             Device
     Subject name                 CN={{AAD_Device_ID}}
     Certificate validity period  2 years
     Key storage provider (KSP)   Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP
     Key usage                    Key encipherment, Digital signature
     Key size (bits)              2048
     Hash algorithm               SHA-2
     Root certificate             The trusted certificate profile from the previous section
     Extended key usage           Client Authentication
     SCEP server URLs             https://<NDES external URL FQDN as shown in your Azure App Proxy list>/certsrv/mscep/mscep.dll (for example, https://ndesserver.intune.fx.com/certsrv/mscep/mscep.dll)

     The validity period requested here cannot exceed the validity configured on the NDES certificate template on the CA; the CA enforces the template's limit.

     After entering all the necessary configuration settings, select [Next].
  7. On the Assignments page, set which devices and users you want to be included in this policy. Select [Next].
  8. On the Applicability rules page, you can designate rules that systems must meet for the policy to be applied. Select [Next].
  9. On the Review + create page, verify your configuration and select [Create].

Enable automatic device enrollment

Perform the following steps to enable automatic device enrollment in Intune:

  1. In a web browser, go to https://intune.microsoft.com/ and log in.
  2. On the main page, go to Devices > Enroll devices and select [Automatic Enrollment].
  3. Set the MDM user scope to All and select [Save]. With the scope set to All, every user who joins a device to Microsoft Entra ID is enrolled in Intune; to stage the rollout, set the scope to Some and assign a pilot group first.

For more information on configuring Intune certificate profiles, refer to the Microsoft documentation.
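The following PowerShell is an added example, not code from the original page or from Microsoft, that wraps the root-certificate export above in sanity checks and then verifies the result of the trusted certificate and SCEP profiles. It assumes an output path of C:\root.cer, a placeholder NDES host (ndesserver.example.com), and that Test-ScepEnrollment is run in an elevated PowerShell on a Windows client that has already received both profiles; Export-RootCertificate runs on the AD CS CA, and Test-NdesEndpoint from any host that can reach the App Proxy URL.

```powershell
# Added example (not part of the original page). Checks around the Intune
# trusted-certificate / SCEP setup: export and validate the root, confirm the
# NDES URL answers, and confirm a client actually got the device certificate.
# All paths and host names below are placeholders (assumptions).

function Export-RootCertificate {
    param([string]$OutFile = 'C:\root.cer')   # assumed path, same as the procedure
    # Same command the procedure uses; certutil writes the CA's own certificate (DER).
    & certutil -ca.cert $OutFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed with exit code $LASTEXITCODE" }

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($OutFile)

    # A root must be self-signed and carry Basic Constraints CA=TRUE. A subordinate
    # (issuing) CA certificate fails this check and is the wrong file to upload.
    $isSelfSigned = $cert.Subject -eq $cert.Issuer
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $isCa = $bc -and $bc.CertificateAuthority
    if (-not ($isSelfSigned -and $isCa)) {
        throw "$OutFile is not a self-signed CA certificate (Subject=$($cert.Subject), Issuer=$($cert.Issuer))"
    }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Root certificate expired on $($cert.NotAfter)" }

    [pscustomobject]@{
        Path       = $OutFile
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint   # used below to match the root on a client
        NotAfter   = $cert.NotAfter
    }
}

function Test-NdesEndpoint {
    # The same value that goes into "SCEP server URLs" in the profile (placeholder host).
    param([string]$NdesUrl = 'https://ndesserver.example.com/certsrv/mscep/mscep.dll')
    # GetCACaps is an unauthenticated SCEP operation; a capability list back proves the
    # App Proxy path and the NDES service are reachable before any device tries to enroll.
    $resp = Invoke-WebRequest -Uri "$NdesUrl?operation=GetCACaps" -UseBasicParsing
    $caps = $resp.Content -split "`r?`n" | Where-Object { $_ }
    if ($resp.StatusCode -ne 200 -or $caps.Count -eq 0) {
        throw "NDES at $NdesUrl did not return CA capabilities (HTTP $($resp.StatusCode))"
    }
    $caps
}

function Test-ScepEnrollment {
    param(
        [Parameter(Mandatory)] [string]$RootThumbprint,   # from Export-RootCertificate
        [string]$ExpectedSubject                           # e.g. 'CN=<Entra device id>'; optional
    )
    $result = [ordered]@{}

    # 1. Trusted certificate profile applied? The root must sit in LocalMachine\Root.
    $root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $RootThumbprint
    $result.RootInstalled = [bool]$root

    # 2. SCEP profile applied? Newest machine cert with a private key and the
    #    Client Authentication EKU (1.3.6.1.5.5.7.3.2), optionally matching the subject.
    $devCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2') -and
        (-not $ExpectedSubject -or $_.Subject -eq $ExpectedSubject)
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
    $result.DeviceCertFound = [bool]$devCert
    if (-not $devCert) { return [pscustomobject]$result }

    # The issued certificate must chain to the root we exported, not to some other CA.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($devCert)
    $top = ($chain.ChainElements | Select-Object -Last 1).Certificate
    $result.ChainsToRoot = $top.Thumbprint -eq $RootThumbprint

    # 3. Key properties requested in the profile: RSA 2048, and the TPM KSP
    #    ("Microsoft Platform Crypto Provider") when the device has a TPM.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($devCert)
    $result.KeySize = $rsa.KeySize
    $provider = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.Provider.Provider } else { 'CAPI/unknown' }
    $result.KeyProvider = $provider
    $result.KeyInTpm = $provider -eq 'Microsoft Platform Crypto Provider'
    $result.Subject  = $devCert.Subject
    $result.NotAfter = $devCert.NotAfter
    [pscustomobject]$result
}

# Typical use:
#   $root = Export-RootCertificate            # on the CA
#   Test-NdesEndpoint                         # from a host outside the network
#   Test-ScepEnrollment -RootThumbprint $root.Thumbprint   # on an enrolled client
```

If KeyInTpm comes back false on a machine that has a TPM, the device fell back to the software KSP; the usual causes are a TPM that is disabled in firmware or not yet initialized, which is worth checking before assuming the profile setting itself is wrong.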