Introduction
Your organization manages hundreds of devices. Each one needs a certificate to authenticate to corporate Wi-Fi, VPN, or email. Today that means maintaining an on-premises Network Device Enrollment Service (NDES) server, an Intune certificate connector, and a CA infrastructure that requires patching, monitoring, and emergency response when something goes offline.
Microsoft Cloud PKI removes that infrastructure dependency. You create your certification authorities (CAs) directly in the Microsoft Intune admin center, with no servers, no connectors, and no NDES. Once configured, devices enroll for certificates automatically using Simple Certificate Enrollment Protocol (SCEP). The full certificate lifecycle, from initial issuance through automatic renewal, runs without administrative intervention.

In this module, you'll build a complete Cloud PKI deployment. You'll create a root CA and issuing CA, deploy device trust, configure SCEP certificate profiles, and use built-in monitoring tools to track certificate health across your organization.
Example scenario
Suppose you're an endpoint administrator at Contoso, a healthcare organization with 800 managed devices across multiple sites. Contoso uses certificates for Wi-Fi authentication and VPN access. The current on-premises PKI is reaching end of life, and leadership has asked you to move certificate management to the cloud. You need a solution that automates certificate issuance, handles renewals without manual work, and provides visibility into certificate health—all without on-premises servers or connectors.
What will we be doing?
In this module, you will:
- Describe what Microsoft Cloud PKI is and how it fits into a certificate-based security strategy
- Create a root CA and issuing CA hierarchy in the Microsoft Intune admin center
- Configure trusted certificate profiles and SCEP certificate profiles to automate certificate issuance
- Set certificate validity periods and renewal thresholds to maintain continuous authentication
- Monitor certificate health and resolve common certificate issues
What is the main goal?
By the end of this module, you'll be able to configure and manage a cloud-based public key infrastructure (PKI) using Microsoft Intune, enabling automatic certificate enrollment and renewal across all managed devices—with no on-premises infrastructure required.