How to Deploy Certificate Profiles in Configuration Manager


Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1


The information in this topic applies only to System Center 2012 R2 Configuration Manager versions.

To deploy certificates to users or devices in System Center 2012 Configuration Manager, you must deploy certificate profiles to one or more collections of users or devices.

You can deploy trusted certification authority (CA) certificates, and user or device certificates. Before you deploy a user or device certificate, check whether the device has installed the trusted root CA certificate for those certificates. If the device does not have the trusted root certificate, perhaps because it is not a domain member or is from an untrusted forest, you must deploy the root CA certificate to the device in addition to deploying the user or device certificate.
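One way to run the root CA check described above on a Windows device before you deploy a user or device certificate. This is an added example, not part of the original topic or of Configuration Manager. The function name `Test-TrustedRootPresent` is hypothetical, and the thumbprint in the usage comment is a placeholder that you replace with the SHA-1 thumbprint of your own root CA certificate.

```powershell
# Added example (not from the original topic). Test-TrustedRootPresent is a
# hypothetical helper name; supply the thumbprint of your own root CA certificate.
function Test-TrustedRootPresent {
    [CmdletBinding()]
    param(
        # SHA-1 thumbprint of the root CA certificate that issued the certificates to deploy
        [Parameter(Mandatory)]
        [string] $Thumbprint,

        # Trusted Root stores to inspect
        [string[]] $StoreLocation = @('LocalMachine', 'CurrentUser')
    )

    # Thumbprints copied from the certificate dialog often carry spaces or
    # invisible characters, so keep only the hex digits before comparing.
    $normalized = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($normalized.Length -ne 40) {
        throw 'Expected a SHA-1 thumbprint of 40 hexadecimal digits.'
    }

    foreach ($location in $StoreLocation) {
        # Items in the Cert: drive are addressed by thumbprint
        $cert = Get-Item -Path "Cert:\$location\Root\$normalized" -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Store      = "$location\Root"
            Present    = [bool]$cert
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            # An expired root cannot anchor the chain of the certificate you deploy
            Expired    = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
            # A root CA certificate has identical subject and issuer names
            SelfIssued = if ($cert) { $cert.Subject -eq $cert.Issuer } else { $null }
        }
    }
}

# Usage (placeholder value, replace before running):
# Test-TrustedRootPresent -Thumbprint '<SHA-1 thumbprint of your root CA>'
```

If `Present` is `False` for every store, deploy the trusted root CA certificate profile to the device in addition to the user or device certificate profile.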

Use the Deploy Certificate Profile dialog box to configure the deployment of certificate profiles. This configuration includes defining the collection to which the certificate profile will be deployed and specifying how often the certificate profile is evaluated for compliance.


If you deploy multiple company resource access profiles to the same user or device, the following behavior occurs:

  • If a conflicting setting contains an optional value, it will not be sent to the device.

  • If a conflicting setting contains a mandatory value, the default value will be sent to the device. If there is no default value, the entire company resource access profile will fail.


Before you can deploy certificate profiles, you must first configure the infrastructure and create certificate profiles. For more information, see the following topics:

To deploy a certificate profile

  1. In the Configuration Manager console, click Assets and Compliance.

  2. In the Assets and Compliance workspace, expand Compliance Settings, expand Company Resource Access, and then click Certificate Profiles.

  3. In the Certificate Profiles list, select the certificate profile that you want to deploy.

  4. On the Home tab, in the Deployment group, click Deploy.

  5. In the Deploy Certificate Profile dialog box, specify the following information:

    - **Collection**: Click **Browse** to select the user or device collection where you want to deploy the certificate profile.
    - **Generate an alert**: Enable this option to configure an alert that is generated if the certificate profile compliance is less than a specified percentage by a specified date and time. You can also specify whether you want an alert to be sent to Microsoft System Center Operations Manager.
    - **Random delay (hours)**: (For certificate profiles that contain Simple Certificate Enrollment Protocol settings only) – Specifies a delay window to avoid excessive processing on the Network Device Enrollment Service. The default value is **64** hours.
    - **Specify the compliance evaluation schedule for this certificate profile**: Specifies the schedule by which the deployed certificate profile is evaluated on client computers. This can be either a simple schedule or a custom schedule.
      **Note**: The profile is evaluated on client computers when the users log on.

  6. Click OK to close the Deploy Certificate Profile dialog box and to create the deployment. For more information about how to monitor the deployment, see How to Monitor Certificate Profiles in Configuration Manager.