Configure a certificate profile for your devices in Microsoft Intune

You give users access to corporate resources through VPN, Wi-Fi, or email profiles. Using certificates, you can authenticate these connections. When you use certificates, your end users don't need to enter user names and passwords to authenticate.

You can use Intune to assign these certificates to devices you manage. Intune supports assigning and managing the following certificate types:

  • Simple Certificate Enrollment Protocol (SCEP)
  • PKCS#12 (or PFX)

Each of these certificate types has its own prerequisites and infrastructure requirements.


  1. Be sure the correct certificate infrastructure is set up. You can use SCEP certificates, and PKCS certificates.

  2. Install a root certificate or an intermediate Certification Authority (CA) certificate on each device so that the device recognizes the legitimacy of your CA. To install the certificate, create and assign a trusted certificate profile to each device. When you assign this profile, the Intune-managed devices request and receive the root certificate. You must create a separate profile for each platform. Trusted certificate profiles are available for the following platforms:

    • iOS 8.0 and later
    • macOS 10.11 and later
    • Android 4.0 and later
    • Android Enterprise
    • Windows 8.1 and later
    • Windows Phone 8.1 and later
    • Windows 10 and later


    Certificate profiles are not supported on devices that run Android Enterprise for dedicated devices.

  3. Create certificate profiles so that devices request a certificate to be used for authentication of VPN, Wi-Fi, and email access. The following profile types are available for different platforms:

    Platform PKCS certificate SCEP certificate PKCS imported certificate
    Android Yes Yes Yes
    Android Enterprise Yes Yes Yes
    iOS Yes Yes Yes
    macOS Yes Yes
    Windows Phone 8.1 Yes Yes
    Windows 8.1 and later Yes
    Windows 10 and later Yes Yes Yes

    Be sure to create a separate profile for each device platform. When you create the profile, associate it with the trusted root certificate profile that you've already created.

Further considerations

  • If you don't have an Enterprise Certification Authority, you must create one
  • If you use SCEP profiles, configure a Network Device Enrollment Service (NDES) server
  • Whether you plan to use SCEP or PKCS profiles, download and configure the Microsoft Intune Certificate Connector

Step 1: Configure your certificate infrastructure

See one of the following articles for help with configuring the infrastructure for each type of certificate profile:

Step 2: Export your trusted root CA certificate

Export the Trusted Root Certification Authorities (CA) certificate as a public certificate (.cer) from the issuing CA, or from any device that trusts your issuing CA. Don't export the private key (.pfx).

You import this certificate when you set up a trusted certificate profile.

Step 3: Create trusted certificate profiles

Create a trusted certificate profile before you can create a SCEP or PKCS certificate profile. A trusted certificate profile and a SCEP or PKCS profile are needed for each device platform. The steps to create trusted certificates are similar for each device platform.

  1. In Intune, select Device configuration > Manage > Profiles > Create profile.

  2. Enter the following properties:

    • Name: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is Trusted certificate profile for Android Enterprise device owner devices or Trusted certificate profile for iOS devices.

    • Description: Enter a description for the profile. This setting is optional, but recommended.

    • Platform: Choose the platform of your devices. Your options:

      • Android
      • Android Enterprise > Device Owner only
      • Android Enterprise > Work Profile only
      • iOS
      • macOS
      • Windows Phone 8.1
      • Windows 8.1 and later
      • Windows 10 and later
    • Profile type: Choose Trusted certificate.

  3. Browse to the certificate you saved in Step 2: Export your trusted root CA certificate, then select OK.

  4. For Windows 8.1 and Windows 10 devices only, select the Destination Store for the trusted certificate from:

    • Computer certificate store - Root
    • Computer certificate store - Intermediate
    • User certificate store - Intermediate
  5. When you're done, choose OK, go back to the Create profile pane, and select Create.

The profile is created and appears on the list. To assign this profile to groups, see assign device profiles.


Android devices may display a message that a third party has installed a trusted certificate.

Step 4: Create SCEP or PKCS certificate profiles

See one of the following articles for help with configuring and assigning each type of certificate profile:

After you create a trusted certificate profile, create SCEP or PKCS certificate profiles for each platform you want to use. When you create a SCEP certificate profile, enter a trusted certificate profile for that same platform. This step links the two certificate profiles, but you still must assign each profile separately.

Next steps

Assign device profiles
Use S/MIME to sign and encrypt emails
Use third-party certificate authority

See also

Troubleshooting NDES configuration for use with Microsoft Intune certificate profiles

Troubleshooting SCEP certificate profile deployment in Microsoft Intune