Remove SCEP and PKCS certificates in Microsoft Intune

In Microsoft Intune, you can add SCEP and PKCS certificates to devices. These certificates can also be removed when you wipe or retire the device. There are some other scenarios where certificates are automatically removed, and some scenarios where certificates stay on the device.

This article lists some common scenarios, and the impact on PKCS and SCEP certificates.

Note

To remove and revoke certificates for a user that's being removed from Active Directory (AD) or Azure AD, be sure to follow the steps in order:

  1. Wipe or retire the user's device
  2. Remove the user from AD or Azure AD

Windows devices

SCEP certificates

  • A SCEP certificate is revoked and removed when:

    • An end user unenrolls
    • Administrator runs wipe action
    • Administrator runs retire action
    • Device is removed from Azure Active Directory (AD) group
    • Compliance policy is removed from the group assignment
    • Configuration profile is removed from the group assignment
  • A SCEP certificate is revoked when:

    • Administrator changes or updates the SCEP profile
  • Root certificate is removed when:

    • An end user unenrolls
    • Administrator runs wipe action
    • Administrator runs retire action
    • Compliance policy is removed from the group assignment
  • SCEP certificates stay on the device (certificates aren't revoked or removed) when:

    • An end user loses the Intune license
    • Administrator withdraws the Intune license
    • Administrator removes the user or group from Azure AD

PKCS certificates

  • A PKCS certificate is revoked and removed when:

    • An end user unenrolls
    • Administrator runs wipe action
    • Administrator runs retire action
  • Root certificate is removed when:

    • An end user unenrolls
    • Administrator runs wipe action
    • Administrator runs retire action
  • PKCS certificates stay on the device (certificates aren't revoked or removed) when:

    • An end user loses the Intune license
    • Administrator withdraws the Intune license
    • Administrator removes the user or group from Azure AD
    • Administrator changes or updates the PKCS profile
    • Configuration profile is removed from the group assignment
    • Compliance policy is removed from the group assignment
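The "stay on the device" scenarios above mean a Windows device can keep a valid, unrevoked SCEP or PKCS certificate (with its private key) after the user loses the Intune license or is removed from Azure AD. The following PowerShell is an added example, not code from this article or from Intune, that audits a device for certificates issued by the organization's issuing CA and checks whether each is still unrevoked; the `$IssuerPattern` value is a placeholder you replace with your CA's subject name.

```powershell
# Added example: audit a Windows device for SCEP/PKCS certificates issued by the
# organization's CA and report whether each one still chains and is unrevoked.
# Assumption: $IssuerPattern is a placeholder for the issuing CA's subject name.
param(
    [string]$IssuerPattern = 'CN=Contoso Issuing CA*'
)

# Both stores are checked: user-targeted profiles land in CurrentUser,
# device-targeted profiles in LocalMachine.
$stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')

foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Issuer -like $IssuerPattern } |
        ForEach-Object {
            $cert  = $_
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            # Online revocation check of the leaf only: the question is whether the
            # CA has revoked this device/user certificate, not the whole chain.
            $chain.ChainPolicy.RevocationMode =
                [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
            $chain.ChainPolicy.RevocationFlag =
                [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EndCertificateOnly
            $valid  = $chain.Build($cert)
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

            [pscustomobject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey   # usable for Wi-Fi/VPN/EAP auth if true
                ChainValid    = $valid
                ChainStatus   = if ($status) { $status } else { 'OK' }
            }
            $chain.Dispose()
        }
}
```

A row with `ChainValid` true, `HasPrivateKey` true and `ChainStatus` OK after a license withdrawal or Azure AD removal is a certificate the article says Intune will not clean up; revoke it at the CA and remove it from the store as part of offboarding.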

iOS devices

SCEP certificates

  • A SCEP certificate is revoked and removed when:

    • An end user unenrolls
    • Administrator runs wipe action
    • Administrator runs retire action
    • Device is removed from Azure Active Directory (AD) group
    • Compliance policy is removed from the group assignment
    • Configuration profile is removed from the group assignment
  • A SCEP certificate is revoked when:

    • Administrator changes or updates the SCEP profile
  • Root certificate is removed when:

    • An end user unenrolls
    • Administrator runs wipe action
    • Administrator runs retire action
    • Compliance policy is removed from the group assignment
  • SCEP certificates stay on the device (certificates aren't revoked or removed) when:

    • An end user loses the Intune license
    • Administrator withdraws the Intune license
    • Administrator removes the user or group from Azure AD

PKCS certificates

  • A PKCS certificate is revoked and removed when:

    • An end user unenrolls
    • Administrator runs wipe action
    • Administrator runs retire action
  • A PKCS certificate is removed when:

    • Compliance policy is removed from the group assignment
    • Configuration profile is removed from the group assignment
  • Root certificate is removed when:

    • An end user unenrolls
    • Administrator runs wipe action
    • Administrator runs retire action
  • PKCS certificates stay on the device (certificates aren't revoked or removed) when:

    • An end user loses the Intune license
    • Administrator withdraws the Intune license
    • Administrator removes the user or group from Azure AD
    • Administrator changes or updates the PKCS profile

Android KNOX devices

SCEP certificates

  • A SCEP certificate is revoked and removed when:

    • An end user unenrolls
    • Administrator runs wipe action
  • A SCEP certificate is revoked when:

    • Administrator runs retire action
    • Device is removed from Azure Active Directory (AD) group
    • Compliance policy is removed from the group assignment
    • Configuration profile is removed from the group assignment
    • Administrator removes the user or group from Azure Active Directory (AD)
    • Administrator changes or updates the SCEP profile
  • Root certificate is removed when:

    • An end user unenrolls
    • Administrator runs wipe action
    • Administrator runs retire action
  • SCEP certificates stay on the device (certificates aren't revoked or removed) when:

    • An end user loses the Intune license
    • Administrator withdraws the Intune license
    • Administrator removes the user or group from Azure AD

PKCS certificates

  • A PKCS certificate is revoked and removed when:

    • An end user unenrolls
    • Administrator runs wipe action
    • Administrator runs retire action
  • Root certificate is removed when:

    • An end user unenrolls
    • Administrator runs wipe action
    • Administrator runs retire action
  • PKCS certificates stay on the device (certificates aren't revoked or removed) when:

    • An end user loses the Intune license
    • Administrator withdraws the Intune license
    • Administrator removes the user or group from Azure AD
    • Administrator changes or updates the PKCS profile
    • Configuration profile is removed from the group assignment
    • Compliance policy is removed from the group assignment

Note

Android for Work devices aren't validated for the scenarios above. Android legacy devices (any non-Samsung, non-work-profile device) aren't enabled for certificate removal.

macOS devices

SCEP certificates

  • A SCEP certificate is revoked and removed when:

    • An end user unenrolls
    • Administrator runs retire action
    • Device is removed from Azure Active Directory (AD) group
    • Compliance policy is removed from the group assignment
    • Configuration profile is removed from the group assignment
  • A SCEP certificate is revoked when:

    • Administrator changes or updates the SCEP profile
  • SCEP certificates stay on the device (certificates aren't revoked or removed) when:

    • An end user loses the Intune license
    • Administrator withdraws the Intune license
    • Administrator removes the user or group from Azure AD

Note

Using the wipe action to factory reset macOS devices isn't supported, so the wipe scenarios listed for other platforms don't apply to macOS.

PKCS certificates

PKCS certificates aren't supported on macOS.