Remove SCEP and PKCS certificates in Microsoft Intune

In Microsoft Intune, you can add Simple Certificate Enrollment Protocol (SCEP) and Public Key Cryptography Standards (PKCS) certificates to devices. These certificates can also be removed when you wipe or retire the device.

There are other scenarios where certificates are automatically removed, and some where certificates stay on the device. This article lists the common scenarios and their effect on PKCS and SCEP certificates. Two outcomes are distinguished throughout: a certificate is "revoked" when the issuing certification authority (CA) is told to invalidate it, so it shows up on the CRL or in OCSP responses; it's "removed" when Intune deletes it from the device's certificate store. A certificate that is neither revoked nor removed remains valid for Wi-Fi, VPN, and other client-certificate authentication until it expires, even if the user no longer has a license or an account.

Note

To remove and revoke certificates for a user who's being removed from on-premises Active Directory or Azure Active Directory (Azure AD), follow these steps in this order:

  1. Wipe or retire the user's device.
  2. Remove the user from on-premises Active Directory or Azure AD.

The order matters: as the scenario lists in this article show, removing the user or group from Azure AD first leaves the certificates on the device, neither revoked nor removed, and Intune can no longer target the device to clean them up.

Windows devices

SCEP certificates

A SCEP certificate is revoked and removed when:

  • A user unenrolls.
  • An administrator runs the wipe action.
  • An administrator runs the retire action.
  • The device is removed from an Azure AD group.
  • A certificate profile is removed from the group assignment.

A SCEP certificate is revoked when:

  • An administrator changes or updates the SCEP profile.

A root certificate is removed when:

  • A user unenrolls.
  • An administrator runs the wipe action.
  • An administrator runs the retire action.

SCEP certificates stay on the device (certificates aren't revoked or removed) when:

  • A user loses the Intune license.
  • An administrator withdraws the Intune license.
  • An administrator removes the user or group from Azure AD.

PKCS certificates

A PKCS certificate is revoked and removed when:

  • A user unenrolls.
  • An administrator runs the wipe action.
  • An administrator runs the retire action.

A root certificate is removed when:

  • A user unenrolls.
  • An administrator runs the wipe action.
  • An administrator runs the retire action.

PKCS certificates stay on the device (certificates aren't revoked or removed) when:

  • A user loses the Intune license.
  • An administrator withdraws the Intune license.
  • An administrator removes the user or group from Azure AD.
  • An administrator changes or updates the PKCS profile.
  • A certificate profile is removed from the group assignment.
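The lists above say what Intune does, but they don't tell you whether it actually happened on a given device. The following PowerShell script is an added example, not part of the Intune documentation or the Intune product, for auditing a Windows device after a retire, wipe, license removal, or Azure AD user deletion. It enumerates certificates issued by the expected CA in the user and machine personal stores (user-targeted SCEP/PKCS profiles land in `Cert:\CurrentUser\My`, device-targeted ones in `Cert:\LocalMachine\My`), builds each chain with online revocation checking, and flags any certificate that is still present, unexpired and not revoked, which is exactly the "stays on the device" case. The issuer DN `CN=Contoso Issuing CA` is a placeholder you must replace, and the script assumes the device can reach the CRL/OCSP endpoints named in the certificates.

```powershell
# Added example (not from the Intune documentation): audit Intune-issued
# certificates on a Windows device after a retire, wipe, license removal or
# Azure AD user deletion, and report which ones are still usable.
#
# Assumptions (placeholders, adjust to your environment):
#   - $IssuerPattern matches the DN of the CA behind your SCEP/PKCS profiles.
#   - The CRL/OCSP endpoints in the certificates are reachable from this host.
function Get-IntuneCertificateState {
    [CmdletBinding()]
    param(
        [string]$IssuerPattern = 'CN=Contoso Issuing CA',   # assumed issuer DN fragment
        [string[]]$Stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )

    foreach ($store in $Stores) {
        # User-targeted profiles write to CurrentUser\My, device-targeted ones to LocalMachine\My.
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Issuer -like "*$IssuerPattern*" } |
            ForEach-Object {
                $cert  = $_
                $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
                try {
                    # Force an online revocation check of the whole chain so a
                    # certificate the CA has revoked is reported as such even
                    # though the leaf is still sitting in the store.
                    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
                    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
                    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

                    $chainOk = $chain.Build($cert)

                    # Collapse the per-element status flags into one bitmask.
                    $flags = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::NoError
                    foreach ($s in $chain.ChainStatus) { $flags = $flags -bor $s.Status }

                    $revoked = ($flags -band [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked) -ne 0
                    $unknown = ($flags -band [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::RevocationStatusUnknown) -ne 0

                    [pscustomobject]@{
                        Store             = $store
                        Subject           = $cert.Subject
                        Thumbprint        = $cert.Thumbprint
                        NotAfter          = $cert.NotAfter
                        HasPrivateKey     = $cert.HasPrivateKey
                        Revoked           = $revoked
                        RevocationUnknown = $unknown
                        ChainValid        = $chainOk
                        # Present, chain valid, not revoked, not expired: still
                        # accepted by Wi-Fi/VPN/client-auth endpoints until NotAfter.
                        StillUsable       = $chainOk -and (-not $revoked) -and ($cert.NotAfter -gt (Get-Date))
                        Status            = $flags.ToString()
                    }
                }
                finally {
                    $chain.Dispose()
                }
            }
    }
}

# Usage: list everything the expected CA issued, then warn about what is still usable.
$state = Get-IntuneCertificateState -IssuerPattern 'CN=Contoso Issuing CA'
$state | Format-Table Store, Subject, Revoked, ChainValid, StillUsable, NotAfter -AutoSize
$state | Where-Object StillUsable | ForEach-Object {
    Write-Warning "Still usable after deprovisioning: $($_.Subject) ($($_.Thumbprint)) in $($_.Store)"
}
```

Run it in the context of the affected user for the `CurrentUser` store (the `LocalMachine` store is readable without elevation). `RevocationUnknown = True` means the chain engine couldn't reach a CRL or OCSP responder, not that the certificate is good, so treat it as inconclusive. If a certificate is reported still usable after the user has already been deleted from Azure AD, Intune won't revoke it on its own; revoke it on the issuing CA yourself, for example with `certutil -revoke <SerialNumber> 3` (reason 3, AffiliationChanged) on an AD CS CA, and confirm with `certutil -view -restrict "Disposition=21" -out "RequestID,RequesterName,CommonName,NotAfter"`, which lists the CA's revoked certificates.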

iOS devices

SCEP certificates

A SCEP certificate is revoked and removed when:

  • A user unenrolls.
  • An administrator runs the wipe action.
  • An administrator runs the retire action.
  • The device is removed from an Azure AD group.
  • A certificate profile is removed from the group assignment.

A SCEP certificate is revoked when:

  • An administrator changes or updates the SCEP profile.

A root certificate is removed when:

  • A user unenrolls.
  • An administrator runs the wipe action.
  • An administrator runs the retire action.

SCEP certificates stay on the device (certificates aren't revoked or removed) when:

  • A user loses the Intune license.
  • An administrator withdraws the Intune license.
  • An administrator removes the user or group from Azure AD.

PKCS certificates

A PKCS certificate is revoked and removed when:

  • A user unenrolls.
  • An administrator runs the wipe action.
  • An administrator runs the retire action.

A PKCS certificate is removed when:

  • A certificate profile is removed from the group assignment.

A root certificate is removed when:

  • A user unenrolls.
  • An administrator runs the wipe action.
  • An administrator runs the retire action.

PKCS certificates stay on the device (certificates aren't revoked or removed) when:

  • A user loses the Intune license.
  • An administrator withdraws the Intune license.
  • An administrator removes the user or group from Azure AD.
  • An administrator changes or updates the PKCS profile.

Android KNOX devices

SCEP certificates

A SCEP certificate is revoked and removed when:

  • A user unenrolls.
  • An administrator runs the wipe action.

A SCEP certificate is revoked when:

  • An administrator runs the retire action.
  • The device is removed from an Azure AD group.
  • A certificate profile is removed from the group assignment.
  • An administrator removes the user or group from Azure AD.
  • An administrator changes or updates the SCEP profile.

A root certificate is removed when:

  • A user unenrolls.
  • An administrator runs the wipe action.
  • An administrator runs the retire action.

SCEP certificates stay on the device (certificates aren't revoked or removed) when:

  • A user loses the Intune license.
  • An administrator withdraws the Intune license.
  • An administrator removes the user or group from Azure AD.

PKCS certificates

A PKCS certificate is revoked and removed when:

  • A user unenrolls.
  • An administrator runs the wipe action.
  • An administrator runs the retire action.

A root certificate is removed when:

  • A user unenrolls.
  • An administrator runs the wipe action.
  • An administrator runs the retire action.

PKCS certificates stay on the device (certificates aren't revoked or removed) when:

  • A user loses the Intune license.
  • An administrator withdraws the Intune license.
  • An administrator removes the user or group from Azure AD.
  • An administrator changes or updates the PKCS profile.
  • A certificate profile is removed from the group assignment.

Note

Android for Work (work profile) devices haven't been validated for the preceding scenarios. Android legacy devices (any device that isn't a Samsung Knox device and isn't enrolled with a work profile) don't support certificate removal, so certificates on those devices must be revoked at the CA.

macOS devices

SCEP certificates

A SCEP certificate is revoked and removed when:

  • A user unenrolls.
  • An administrator runs the retire action.
  • The device is removed from an Azure AD group.
  • A certificate profile is removed from the group assignment.

A SCEP certificate is revoked when:

  • An administrator changes or updates the SCEP profile.

SCEP certificates stay on the device (certificates aren't revoked or removed) when:

  • A user loses the Intune license.
  • An administrator withdraws the Intune license.
  • An administrator removes the user or group from Azure AD.

Note

Using the wipe action to factory reset macOS devices is not supported.

PKCS certificates

PKCS certificates are not supported on macOS.