Configuration for CBE

Follow this guide to set up Certificate Deployment with Intune.

Root Certificate

  1. Download and save your CA Certificate (.cer).

  2. Go to Intune > Devices > Windows > Configuration profiles.

  3. Create a profile for Windows 8.1 and later with the type Trusted certificate in Microsoft Intune.

  4. Upload your previously downloaded .cer file.

  5. For assignment, choose All Users and/or All Devices, or a dedicated group.

User Client Certificates

  1. Create a profile for Windows 8.1 and later with the type SCEP certificate in Microsoft Intune.

  2. Certificate type: User

  3. Subject name format: CN={{UserName}},E={{EmailAddress}}

  4. Subject alternative name: User principal name (UPN), '{{UserPrincipalName}}'

  5. Certificate Validity Period: 1 year

  6. KSP: Enroll to Trusted Platform Module (TPM) KSP, otherwise fail

  7. Key usage: Digital signature and Key encipherment

  8. Key size: 2048

  9. Hash algorithm: SHA-2

  10. Root certificate: the Trusted certificate profile created in the Root Certificate section above

  11. Extended key usage: Client Authentication

  12. SCEP Server URL: Enter your SCEP Server URL. (This can be found on your CA's dashboard.)

You're all set up! 🥳

You can check the certificate deployment by logging into your device and checking the Certificate Manager.
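
The same check can be scripted. The PowerShell below is an added example, not part of the original guide: run as the signed-in user, it reports whether the deployed certificate matches the profile settings above (trusted chain, Client Authentication, UPN in the SAN, 2048-bit key, SHA-2, TPM-backed key, 1-year validity). The $IssuerMatch value is a placeholder you must set, and the SAN match assumes an English-language Windows display.

```powershell
# Added example. $IssuerMatch is a placeholder: set it to your CA's common name.
$IssuerMatch   = '<your-CA-common-name>'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'                    # Client Authentication EKU
$SanOid        = '2.5.29.17'                            # Subject Alternative Name
$TpmKsp        = 'Microsoft Platform Crypto Provider'   # KSP name for TPM-backed keys
$Rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

$certs = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.Issuer -like "*$IssuerMatch*" }
if (-not $certs) { Write-Warning "No certificate issued by '$IssuerMatch' in CurrentUser\My" }

foreach ($cert in $certs) {
    # SAN as display text; 'Principal Name=' is the English rendering of the UPN entry.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    $sanText = if ($san) { $san.Format($false) } else { '' }

    # Name of the provider holding the private key (stays empty for non-CNG keys).
    $ksp = $null
    try {
        $key = $Rsa::GetRSAPrivateKey($cert)
        if ($key -is [System.Security.Cryptography.RSACng]) { $ksp = $key.Key.Provider.Provider }
    } catch { Write-Warning "Private key not readable: $($_.Exception.Message)" }

    # Build the chain without revocation lookups so the check also works offline;
    # it succeeds only if the root from the Trusted certificate profile is trusted.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        ChainTrusted  = $chain.Build($cert)
        ClientAuthEku = $cert.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid
        UpnInSan      = $sanText -match 'Principal Name='
        KeySize       = $Rsa::GetRSAPublicKey($cert).KeySize       # profile sets 2048
        Signature     = $cert.SignatureAlgorithm.FriendlyName      # profile sets SHA-2
        TpmBacked     = $ksp -eq $TpmKsp
        ValidDays     = [int]($cert.NotAfter - $cert.NotBefore).TotalDays
    }
}
```

A TpmBacked value of False on a certificate that was issued means the key landed in a software provider, which the "otherwise fail" KSP setting is meant to prevent, so treat it as a profile misconfiguration.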