Certificates provide authenticated access without delay through the following two phases:
• Authentication phase: The user’s authenticity is checked to confirm the user is who they claim to be.
• Authorization phase: The user is subjected to conditions for which a determination is made on whether the user should be given access.
Typical use scenarios for certificates include:
• Network authentication (for example, 802.1x) with device or user certs
• Authenticating with VPN servers using device or user certs
• Signing e-mail based on user certs
Intune supports Simple Certificate Enrollment Protocol (SCEP), Public Key Cryptography Standards (PKCS), and imported PKCS certificates as methods to provision certificates on devices. The different provisioning methods have different requirements and results. For example:
• SCEP provisions certificates that are unique to each request for the certificate.
• With PKCS, a user can have the same certificate provisioned on each device they use.
• With Imported PKCS, you can deploy the same certificate that you’ve exported from a source, like an email server, to multiple recipients. This shared certificate is useful to ensure all your users or devices can then decrypt emails that were encrypted by that certificate.
To provision a user or device with a specific type of certificate, Intune uses a certificate profile.
In addition to the three certificate types and provisioning methods, you’ll need a trusted root certificate from a trusted Certification Authority (CA). The CA can be an on-premises Microsoft Certification Authority, or a third-party Certification Authority. The trusted root certificate establishes a trust from the device to your root or intermediate (issuing) CA from which the other certificates are issued. To deploy this certificate, you use the trusted certificate profile, and deploy it to the same devices and users that will receive the certificate profiles for SCEP, PKCS, and imported PKCS.
Reference: https://learn.microsoft.com/en-us/mem/intune/protect/certificates-configure
Here is the configuration guide:
• Configure a trusted certificate profile
• Configure infrastructure to support SCEP certificates with Intune
• Configure and manage PKCS certificates with Intune
• Create a PKCS imported certificate profile
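One way to confirm on a Windows device that the trusted root arrived and that a provisioned SCEP or PKCS certificate chains to it. This is an added example, not part of the original answer or of Microsoft's documentation. The thumbprint is a placeholder you must replace, and the store paths assume a Windows client.

```powershell
# Added example: verify trusted-root deployment and the chain of provisioned certs.
# Assumption: replace the placeholder with your own root CA thumbprint.
param(
    [string]$RootThumbprint = '<ROOT-CA-THUMBPRINT-PLACEHOLDER>',
    # Use Cert:\LocalMachine\My for device certificates.
    [string]$Store = 'Cert:\CurrentUser\My'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# 1. Is the root from the trusted certificate profile in a trusted root store?
$root = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object Thumbprint -eq $RootThumbprint |
    Select-Object -First 1
if (-not $root) {
    Write-Warning "Root $RootThumbprint is not in a trusted root store."
}

# 2. For every certificate with a private key, build its chain and report
#    whether it terminates at the expected root.
Get-ChildItem $Store | Where-Object HasPrivateKey | ForEach-Object {
    $cert  = $_
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Revocation is skipped so the check runs offline; set 'Online' to include it.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $builds = $chain.Build($cert)

    $top = $null
    if ($chain.ChainElements.Count -gt 0) {
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    }

    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        ClientAuth   = ($cert.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
        ChainBuilds  = $builds
        ChainsToRoot = ($null -ne $top -and $top.Thumbprint -eq $RootThumbprint)
        ChainStatus  = ($chain.ChainStatus.Status -join ',')
    }
    $chain.Dispose()
}
```

A certificate that shows `ChainBuilds` as false or `ChainsToRoot` as false usually means the trusted certificate profile was not deployed to the same users or devices as the SCEP or PKCS profile.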