Summary

Completed

In this module, you configured Microsoft Cloud PKI in Microsoft Intune to automate certificate issuance and lifecycle management across your organization's managed devices—without any on-premises infrastructure.

You created a root CA and issuing CA hierarchy in the Intune admin center, deployed trusted certificate profiles to establish device trust, and configured SCEP certificate profiles to enable automatic enrollment. You then set certificate validity periods and renewal thresholds to ensure devices renew certificates before they expire, even when they check in infrequently.

You also used the Cloud PKI reporting dashboard to monitor certificate health, interpret Active, Expired, and Revoked states, and identify devices that may need attention. You learned how the Certificate Revocation List (CRL) works, how to review audit logs for administrative accountability, and how to build proactive alerts using compliance policies and Microsoft Entra monitoring.

Key takeaways

• Microsoft Cloud PKI is a fully cloud-hosted PKI solution available in the Microsoft Intune Suite and as a standalone add-on. It requires no on-premises NDES servers or Intune certificate connectors.
• A two-tier CA hierarchy—root CA plus issuing CA—provides the security separation needed for enterprise certificate management. Each issuing CA includes a built-in SCEP service.
• SCEP enrollment is fully automated: devices generate a private key locally (which never leaves the device), submit a CSR to Cloud PKI, and receive a signed certificate. The administrator configures the profile once; devices handle the rest.
• The renewal threshold controls how early Intune triggers renewal. Use a higher threshold (30–40%) for remote devices that check in less frequently, to ensure they always have time to renew before certificates expire.
• The Cloud PKI dashboard and Devices > Monitor > Certificates provide visibility into certificate states across all managed devices. Reports update every 24 hours; the Devices monitor has no 1,000-record limit.
• Audit logs record every administrative action—CA creation, revocations, and property changes—supporting your compliance and accountability requirements.

Next steps

Now that you've implemented Cloud PKI, consider these next steps:

• Link your SCEP certificate profiles to Wi-Fi and VPN profiles to enable certificate-based network authentication without passwords.
• Explore the Bring Your Own CA (BYOCA) option if your organization needs to chain to an existing on-premises or third-party root CA.
• Route Microsoft Entra sign-in logs to Azure Monitor and create alert rules to catch certificate authentication failures before they affect users.

Learn more

• Microsoft Cloud PKI overview
• Configure and use Microsoft Cloud PKI with Microsoft Intune
• Monitor Cloud PKI certificates
• Use a Bring Your Own CA with Microsoft Cloud PKI
• Configure a SCEP certificate profile in Intune