This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
We currently have an on-premisses CA through which we deploy 802.1x certificates via GPO on the domain. We would like to migrate this certificate auto enrolment to be done via Endpoint Manager. Is there anyone that can guide me to the appropriate documentation required to do so?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Your question is more related with Intune which our forum doesn't focus on. I will remove our win10 network tag and add the related Intune tag. Thank you!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 66%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENH%3C/text%3E%3C/svg%3E)
You can use SCEP or PKCS to provision certificates. Official documentation is here https://learn.microsoft.com/en-us/mem/intune/protect/certificates-configure
Theres pro's and con's listed here on this link https://www.reddit.com/r/Intune/comments/hruiu8/scep_vs_pfx/
So this means that with a PKCS connector I can deploy certificates automatically like when we deploy them via GPO.
I know I have to use the trusted certificate profile to deploy the certs for the root ca and intermediate ca's to the trusted root and trusted intermediate certificate deployment.
What I still do not understand is how to configure PKCS to deploy the certificate, as per best practices guidelines we switch off the root CA and leave the intermediate CAs online. So when creating the PKCS certificate deployment profile if i select the root ca certificate profile does this still work with the root ca switched off or do i need to select the intermediate ca?
Deploying a trusted root cert and issuing certs using the PKCS connector or SCEP are two different things. Also, in a multi-tier PKI, only the issuing sub-CA is directly involved to issue certificates. If that were not the case, having an offline root CA would not be possible.
The docs for setting up the PKCS connector for Intune are at https://learn.microsoft.com/en-us/mem/intune/protect/certificates-pfx-configure.