This guide covers the steps to deploy a trusted root certificate using Intune. I will also go over how to export the root cert from an Enterprise CA and install it on Windows devices using a Trusted Certificate profile in Intune.
A root certificate is a self-signed public key certificate that identifies a root certificate authority (CA). On Windows devices, the Trusted Root Certification Authorities certificate store holds the root certificates of every CA that Windows trusts. Anything placed in that store is trusted as an anchor for every purpose unless the certificate itself is constrained, so only distribute the certificates of CAs you operate or deliberately trust.
One of the prerequisites for issuing SCEP or PKCS certificates through Intune is an exported copy of your root certificate from your Enterprise CA. Exporting the root certificate is a manual step, but Intune makes it easy to place that certificate in the Trusted Root Certification Authorities store on every managed device.
In one of my previous guides, I covered the implementation of PKI certificates for SCCM. There, the root CA certificate first had to be exported from the Enterprise CA and then bound to the management point to switch fully to HTTPS. This guide follows the same steps for exporting the trusted root certificate, but the method for distributing it differs.
Step 1: Export Root Certification Authority Certificate
To install a trusted root certificate on Windows devices with Intune, you’ll first need to export it from the internal certificate authority. Use the following steps to achieve that.
- Log into the Root Certification Authority server with an Administrator Account.
- Right-click Start, select Run, type cmd and press Enter to open a Command Prompt.
- Run the following command to export the CA's own certificate. On the root CA this is the self-signed root certificate; on a subordinate CA the same command would export the issuing CA's certificate instead, which is why the export is done on the root CA.
certutil -ca.cert ca_name.cer
To export the certificate to a different location, give a full path in the command. The command below writes RootCertificate.cer to the root of the C:\ drive. certutil writes the certificate DER-encoded, and the Intune upload in Step 2 expects a .cer file, so keep the .cer extension and do not rename the file afterwards.
certutil -ca.cert C:\RootCertificate.cer

To verify that the export succeeded, browse to the folder given in the command above and confirm that the certificate file is there.

You can also view the details of the exported root certificate. Right-click the file and select Open. The General tab of the Certificate window shows the issuer, the subject and the validity period; for a root certificate, "Issued to" and "Issued by" are the same name. The Details tab shows the thumbprint, which is worth noting down now because it is the reliable way to confirm the right certificate arrived on the endpoints.
Note: You should see the same certificate details, including the thumbprint, on Windows endpoints after the trusted root certificate is installed via Intune.
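The export and the pre-upload checks above, as an added PowerShell example that is not part of the original guide. It runs on the root CA server, uses the same certutil command, and then confirms the file really is a self-signed CA certificate before it goes anywhere near the Root store. The output path is an assumption taken from the command above.

```powershell
# Added example (not from the original guide): export the CA certificate with certutil
# and verify it is a self-signed root before uploading it to Intune.
# Assumed output path; run this on the root CA server as described in Step 1.
$OutFile = 'C:\RootCertificate.cer'

# -ca.cert writes the CA's own certificate in DER encoding. On a subordinate CA this
# would be the issuing CA's certificate, not the root, so run it on the root CA.
certutil -ca.cert $OutFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed with exit code $LASTEXITCODE" }

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $OutFile

# A root CA certificate is self-signed: Subject and Issuer carry the same name.
$isSelfSigned = ($cert.Subject -eq $cert.Issuer)

# Basic Constraints must mark the certificate as a CA; otherwise it is not a CA certificate at all.
$basicConstraints = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
$isCa = [bool]($basicConstraints -and $basicConstraints.CertificateAuthority)

if (-not $isSelfSigned) { Write-Warning 'Subject and Issuer differ: this is not a self-signed root certificate.' }
if (-not $isCa)         { Write-Warning 'Basic Constraints does not mark this certificate as a CA.' }
if ($cert.NotAfter -lt (Get-Date).AddYears(1)) {
    Write-Warning "Root certificate expires on $($cert.NotAfter); plan the CA renewal before deploying it."
}

# Record the thumbprint: it is the value to compare on the endpoints after deployment,
# because a display name can be changed but the thumbprint cannot.
[pscustomobject]@{
    File       = $OutFile
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    NotBefore  = $cert.NotBefore
    NotAfter   = $cert.NotAfter
    Thumbprint = $cert.Thumbprint
    IsRootCA   = ($isSelfSigned -and $isCa)
}
```

If IsRootCA comes back False, do not upload the file: either the command was run on an issuing CA rather than the root, or the file is not the CA certificate you intended.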

Step 2: Deploy Trusted Root Certificate using Intune
Let’s create a trusted root certificate profile in Intune for deploying the root certificate to Windows devices. Sign in to the Microsoft Intune admin center. Go to Devices > Windows > Manage Devices > Configuration. Select Create > New Policy.

On the Create a profile page, choose Windows 10 and later as Platform and Profile Type as Templates. From the list of templates, select Trusted Certificate and click on the Create button.

On the Basics tab, enter a name for the trusted certificate profile and a brief description. For example:
- Name: Install trusted root certificate
- Description: A root certificate that you can assign to devices that use SCEP and PKCS certificates to authenticate with your organization’s resources.
Click Next.

On the Configuration Settings tab, click on the upload icon and select the root certificate that we exported in the previous step.
When it comes to choosing the Destination store, there are three options to select from:
- Computer certificate store – Root
- Computer certificate store – Intermediate
- User certificate store – Intermediate
Choose Computer Certificate Store – Root as the destination store for a root CA certificate. This directs the policy to install the certificate in Certificates > Trusted Root Certification Authorities > Certificates on the local computer. The two Intermediate options are for subordinate (issuing) CA certificates; a root placed in the Intermediate store is not trusted as an anchor, and an issuing CA certificate placed in the Root store is granted more trust than it should have.
Click Next.

In the Assignments window, select the device groups to which you want to assign this policy. I recommend deploying the profile to a pilot device group first and then expanding it to more devices if the testing is successful. Select Next.

The Applicability Rules let you define the conditions to apply this profile. Intune will apply this profile to the devices that meet the criteria you’ve defined. This is useful if you want to apply this profile to a specific group of devices that meet certain criteria, such as OS edition or OS version. You may skip this step as it is not mandatory to configure. Click Next.

On the Review + Create tab, go through the settings you’ve configured so far. Click Create to complete the creation of a Trusted Certificate profile.
After you create the trusted certificate profile in Intune, a notification appears: “Policy created successfully.” The policy now exists and is assigned to the groups you chose; each device in those groups picks it up at its next check-in. The profile can be found in the configuration profiles section of the admin center.
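The same profile created through Microsoft Graph, as an added example that is not part of the original guide. It is useful when the profile has to be reproduced across tenants or kept in source control, and it shows which settings the portal template actually sends: the Trusted certificate template for Windows 10 and later is backed by the windows81TrustedRootCertificate device configuration type, with the certificate bytes base64-encoded and destinationStore carrying one of the three store choices above. Assumptions: the Microsoft.Graph PowerShell module is installed, the exported file is C:\RootCertificate.cer, and $PilotGroupId is a placeholder for your pilot group's object ID.

```powershell
# Added example (not from the original guide): create the Trusted certificate profile and
# assign it to a pilot group through Microsoft Graph with the Microsoft.Graph PowerShell module.
# Assumptions: module installed, certificate at C:\RootCertificate.cer, placeholder pilot group ID.
$CertFile     = 'C:\RootCertificate.cer'
$PilotGroupId = '00000000-0000-0000-0000-000000000000'   # replace with your pilot device group's object ID

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null

# The certificate is sent as base64; destinationStore takes computerCertStoreRoot,
# computerCertStoreIntermediate or userCertStoreIntermediate, matching the portal options.
$certBytes   = [System.IO.File]::ReadAllBytes($CertFile)
$profileBody = @{
    '@odata.type'          = '#microsoft.graph.windows81TrustedRootCertificate'
    displayName            = 'Install trusted root certificate'
    description            = 'Root CA certificate for devices that use SCEP and PKCS certificates.'
    certFileName           = [System.IO.Path]::GetFileName($CertFile)
    trustedRootCertificate = [System.Convert]::ToBase64String($certBytes)
    destinationStore       = 'computerCertStoreRoot'
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($profileBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Assign to the pilot group only; widen the assignment once the pilot succeeds.
$assignmentBody = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $PilotGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignmentBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

"Created profile '$($created.displayName)' with id $($created.id) and assigned it to group $PilotGroupId"
```

Invoke-MgGraphRequest returns the created object as a hashtable, which is why $created.id is available for the assign call. The account used needs the DeviceManagementConfiguration.ReadWrite.All permission, so run this from an administrative account rather than a shared automation identity unless that identity is scoped to exactly this task.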

Step 3: Sync your devices with Intune
If you're testing this policy on a set of pilot devices to confirm that it works, you can manually sync those devices with Intune rather than waiting for the next scheduled check-in. On the device, open Settings > Accounts > Access work or school, select the work account, choose Info and click Sync; alternatively, select the device in the Intune admin center and choose Sync. The device must be online for the sync to succeed.
Step 4: Monitor the Root Certificate deployment
After assigning the policy to the device groups, the next step is to check how many devices have successfully received the policy settings in Intune.
In the Intune admin center, select the Trusted Root Certificate deployment policy and review the device and user check-in status. Under “Device and user check-in status,” you get to see the total number of devices that successfully received the policy settings.
To view the names of the devices that successfully received the policy settings, click View Report. In some cases the policy fails to apply to certain users or devices. To troubleshoot, review the Intune policy logs on the affected Windows computer: in Event Viewer, open Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin and look for errors around the time of the last sync.

Step 5: Verify the Trusted Root Certificate Installation
This last step in the guide shows how to verify if the trusted root certificate is successfully installed by Intune on the Windows endpoints. As described earlier, the root certificate that we distributed via Intune policy is expected to be added to the Trusted Root Certification Authorities certificate store on the Windows device. Let’s see how to check that.
To check the trusted root certificate, sign in to a Windows 11 device. Right-click on Start and select Run. Type the shortcut command “certlm.msc” and click OK to open the Certificates snap-in. Expand Certificates > Trusted Root Certification Authorities and select the Certificates sub-folder. In the right pane, look for the root CA cert installed via the Intune policy. The certificate can be quickly identified with its name, which is usually the common name of the CA.
In the lab used for this guide, the trusted root certificate installed by the Intune policy appears with the name PRAJWAL-CORPAD-CA.


When you open the certificate, you will find additional information such as who issued it and who it was issued to, as well as its validity period. This data should match the root CA certificate exported from the on-premises CA; compare the thumbprint on the Details tab with the one you recorded at export time, since two certificates can share a display name but never a thumbprint.
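The Step 3 sync and the Step 5 check, as one added PowerShell script that is not part of the original guide. Run on the endpoint, it triggers an MDM sync through the enrollment client's scheduled task, then looks for the certificate by thumbprint in the machine Root store, flags the common mistake of a root landing in the Intermediate store, and, if the certificate is missing, pulls recent errors from the Intune policy event log named above. $ExpectedThumbprint is a placeholder for the value recorded when the certificate was exported.

```powershell
# Added example (not from the original guide): force an Intune sync, then verify the root
# certificate on the endpoint by thumbprint and surface MDM policy errors if it is missing.
# Assumption: $ExpectedThumbprint is the thumbprint noted at export time (placeholder value).
$ExpectedThumbprint = '0000000000000000000000000000000000000000'

# Step 3 equivalent: the enrollment client registers its tasks under
# \Microsoft\Windows\EnterpriseMgmt\<enrollment GUID>\; PushLaunch starts a sync session.
$syncTask = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -TaskName 'PushLaunch' -ErrorAction SilentlyContinue
if ($syncTask) {
    $syncTask | Start-ScheduledTask
    Start-Sleep -Seconds 60    # give the session time to process policy before checking the store
} else {
    Write-Warning 'No PushLaunch task found; the device may not be MDM-enrolled. Sync manually from Settings.'
}

# Step 5 equivalent: the root must be in LocalMachine\Root. A copy in LocalMachine\CA
# (Intermediate Certification Authorities) means the profile used the wrong destination store.
$inRoot         = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $ExpectedThumbprint
$inIntermediate = Get-ChildItem Cert:\LocalMachine\CA   | Where-Object Thumbprint -eq $ExpectedThumbprint

if ($inRoot) {
    'Root certificate present in Trusted Root Certification Authorities:'
    $inRoot | Select-Object Subject, Issuer, NotAfter, Thumbprint
    # The certificate in the Root store should be self-signed; anything else does not belong there.
    if ($inRoot.Subject -ne $inRoot.Issuer) { Write-Warning 'Certificate in Root store is not self-signed.' }
} else {
    Write-Warning "Certificate with thumbprint $ExpectedThumbprint not found in LocalMachine\Root."
    if ($inIntermediate) {
        Write-Warning 'It is present in LocalMachine\CA instead; fix the destination store on the Intune profile.'
    }

    # Intune policy processing is logged here; recent errors usually explain a missing certificate.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level     = 2, 3                      # 2 = Error, 3 = Warning
        StartTime = (Get-Date).AddHours(-24)
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}
```

Run it in an elevated session: reading Cert:\LocalMachine works unelevated, but starting the enrollment client's scheduled task and reading the Admin log reliably do not. The 60-second wait is a convenience, not a guarantee; if the certificate is still absent, check the profile's device status in the admin center before assuming the endpoint is at fault.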
