Creating Intune profiles for Windows in Azure
Create the following profiles for enrolling Microsoft Windows devices with Intune.
A root CA profile
An issuing CA profile
A SCEP profile
To create a Windows profile for Intune
Log in to endpoint.microsoft.com as a user with administrative privileges.
Go to Devices > Windows > Configuration profiles.
Click Create profile.
Configure the values described in the following sections.
Create a profile
In the Create a profile dialog, select the following values for each Windows profile.
Setting | root CA profile | issuing CA profile | SCEP profile |
Platform | Windows 10 and later | Windows 10 and later | Windows 10 and later |
Profile type | Templates | Templates | Templates |
Template name | Trusted certificate | Trusted certificate | SCEP certificate |
Basics
In the Name field of the Basics page, type the name of the profile – for example:
ABC Root
ABC Issuing
ABC Digital Signature SCEP Cert
Optionally, add a description of the profile purpose.
Configuration settings
When creating a root or issuing CA profile for Windows, configure the following settings on the Configuration settings page.
Setting | Root CA profile | Issuing CA profile |
Certificate file | The root Certification Authority certificate | The issuing Certification Authority certificate |
Destination store | Computer certificate store - Root | Computer certificate store - Intermediate |
See Downloading a CA certificate to download CA certificates.
When creating a SCEP profile for Windows, configure the following settings on the Configuration settings page.
Setting | Value |
Certificate type | Select User. |
Subject name format | The syntax of the certificate subject names. This field supports the variables described in https://learn.microsoft.com/en-us/mem/intune/protect/certificates-profile-scep |
Subject alternative name | The value of each attribute in the certificate subject alternative name. Optional. |
Certificate validity period | The validity period of the certificates. |
Key storage provider (KSP) | Select Enroll to Software KSP for Windows 10 Intune enrollments; select any of the listed values for Windows 11. |
Key usage | The key usage of the enrolled certificates. |
Key size (bits) | Select 2048 (Entrust PKIaaS does not support key sizes below 2048). |
Hash algorithm | Select SHA-2. |
Root certificate | Select the root CA profile |
Extended key usage | Select Client Authentication. |
SCEP Server URLs | Paste one of the URLs obtained when Getting the Intune Service URL. |
Assignments
On the Assignments page, select the user group of the Intune-enrolled devices.
Applicability Rules
On the Applicability Rules page, select optional filters for the selected group – for example, the operating system of the devices.
Review and create
On the Review + create page, check the settings of the new profile and click Create to confirm the profile creation.
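Once the three profiles have been applied to a device, the settings above can be checked on the device itself. The following PowerShell script is an added example, not part of the original procedure or of any vendor tooling: it confirms that the CA certificates are in the destination stores chosen above and that the user certificate has a key of at least 2048 bits, a SHA-2 signature and the Client Authentication EKU. The two thumbprint values are placeholders to replace with the thumbprints of the CA certificates you uploaded.

```powershell
# Run in the enrolled user's session on the Windows device.
# Placeholders (assumptions): thumbprints of the CA certificates uploaded in the two profiles.
$RootThumbprint    = '<ROOT-CA-THUMBPRINT>'
$IssuingThumbprint = '<ISSUING-CA-THUMBPRINT>'
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (Client Authentication)
# Signature algorithm OIDs that are not SHA-2: md5RSA, sha1RSA, sha1ECDSA
$WeakSigOids = '1.2.840.113549.1.1.4', '1.2.840.113549.1.1.5', '1.2.840.10045.4.1'

function Test-ScepCertificate {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if (-not $rsa) { $problems += 'public key is not RSA' }
    elseif ($rsa.KeySize -lt 2048) { $problems += "key size $($rsa.KeySize) is below 2048" }
    if ($WeakSigOids -contains $Cert.SignatureAlgorithm.Value) {
        $problems += "signature algorithm $($Cert.SignatureAlgorithm.FriendlyName) is not SHA-2"
    }
    # Collect the EKU OIDs from the certificate's Enhanced Key Usage extension, if any
    $ekuOids = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    if ($ekuOids -notcontains $ClientAuthOid) { $problems += 'Client Authentication EKU missing' }
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in the user store' }
    if ($Cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($Cert.NotAfter)" }
    return $problems
}

# Trusted certificate profiles: root in Computer\Root, issuing in Computer\Intermediate (store name "CA")
foreach ($check in @(
        @{ Name = 'Root CA';    Path = "Cert:\LocalMachine\Root\$RootThumbprint" },
        @{ Name = 'Issuing CA'; Path = "Cert:\LocalMachine\CA\$IssuingThumbprint" })) {
    $state = if (Test-Path $check.Path) { 'present' } else { 'MISSING' }
    "{0,-10} {1}  ({2})" -f $check.Name, $state, $check.Path
}

# SCEP profile with certificate type User: the certificate is in the user's Personal store
$issuing   = Get-Item "Cert:\LocalMachine\CA\$IssuingThumbprint" -ErrorAction SilentlyContinue
$userCerts = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $issuing -and $_.Issuer -eq $issuing.Subject })
if (-not $userCerts) { 'No user certificate issued by the issuing CA was found.' }
foreach ($cert in $userCerts) {
    $problems = @(Test-ScepCertificate -Cert $cert)
    if ($problems) { "FAIL $($cert.Thumbprint): $($problems -join '; ')" }
    else           { "OK   $($cert.Thumbprint): $($cert.Subject)" }
}
```

A MISSING line for either CA certificate means the corresponding trusted certificate profile has not been applied to the device, in which case the SCEP certificate will not be matched either.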