Wednesday, 9 December 2015

EMS (Intune) : Configuring Certificate Profile with Microsoft Intune to access company profiles (Email, Wi-Fi and VPN) - Part 3

Hello Everyone,

I am writing this blog to share screenshots for configuring certificate profiles with Intune. 

Certificate profiles are used for authentication purpose which used trusted root certificate and helps user to access on-premises resources like email, WiFi and VPN profiles with secure process (using enterprise public key infrastructure). This helps users to configure devices automatically without any manual process or out of band process.

So, below are the prerequisites and steps by steps activities with screenshots. Hope this will help you in configuring :)

Management Capabilities:

  • Android
  • iOS
  • Mac OS X
  • Windows 8.1
  • Windows Phone 8.1


You can create 3 types of certificate profiles (PKCS #12 , SCEP and Trusted Root certificate profiles) and below are prerequisites for above certificate profiles:

  • Domain Controller
  • Certificate Authority Server - Only Enterprise root CA server will work.
  • NDES (Network Device Enrollment Service) Server - This can not be installed on CA server. The server on which it is configured must communicate with CA Server and also must have internet connectivity.
  • NDES Service account - This must have enterprise admin rights and must be member of  local Administrator and IIS_IUSRS group of NDES Server.
  • Intune Certificate Connector - Download this connector from Intune administrator console (

Lets start with practical steps with screenshots:

STEP 1: Configure Certificate Authority:

-> Create Service account for NDES Server and make member of enterprise admin group:

-> Create Certificate Template with below configurations:

  • Template Display Name:

    • On the Subject Name tab, select Supply in the request:

        • On the Extension Tab, change Application Policies description to Client Authentication:

        • On the Security Tab, Add the NDES Service account and give Read and Enroll permissions:

        • Click Apply and OK:

        -> Publish Certificate Template to Certificate Authority:

        -> Verify if published template is visible in Certificate Template Folder:

        STEP 2: Install prerequisites for NDES Server and Configure it:

        -> You must login with NDES Service account.
        -> Set spn for NDES service account:

        -> Install ADCS Role on the server to Install NDES:

        -> Select only Network Device Enrollment Service:

        -> After installation, do not close window. Click on "Configure Active Directory Certificate Service on the destination server":

        -> NDES Configuration windows will open, now follow steps as per below:

        -> Select NDES Service account:

        -> Close all windows now.

        -> Open registry to edit for configuring certificate templates value with Certificate created in CA server: (Path: HLM\Software\Microsoft\Cryptography\MSCEP)

        -> Restart IIS by command "iisreset":

        -> Now, Install and Bind certificate on NDES Server by requesting a certificate with Server and Client Authentication from CA Server:

        -> Open registry and add below DWORD value on path: "HLM\System\CurrentControlSet\Services\HTTP\Parameters" :
        • MaxFieldLength - 65534
        • MaxRequestBytes - 65534

        STEP 3: Enable, Install and Configuring Intune Certificate Connector:

        -> Open Intune Admin console ( -> Go to Admin Tab -> Click on Certificate Connector and then Click on "Configure on-premises certificate connector":

        -> Now, Download Intune Certificate connector by clicking on "Download Certificate Connector":

        -> Install Certificate connector on NDES Server:

        -> Click Sign-in:

        -> Provide credentials in Advance Tab:

        -> Click Apply and Close windows. Open Service console and restart "Intune Connector Service":

        STEP 4: Configuring Certificate Profiles:

        -> Export trusted root certificate from CA server which will be used in configuring trusted root certificate profile. (Using Trusted CA certificate profile, SCEP and PFX certificate profiles will be created which will be further used in EMAIL, WiFi and VPN Profile configurations):

        -> Create Trusted CA Certificate profile:

        -> Click Save Policy.

        -> Create SCEP Profile:

        -> Click Save Policy.

        -> Create .PFX profile:

        -> Click Save Policy. Now these profiles are ready for deployment. These can be deployed on user or device groups as well. All policies will be applied to applicable device platforms respectively.

        NOTE: These above created profile policies are for Android Devices. Same can be configured for iOS, Mac OS X and Windows devices. (Note: PFX profiles is not available for iOS and Mac OS X as of now.)

        STEP 5: Creating E-mail Profile using above certificate profiles:

        -> Create Email Profile policy:

        -> Finally, All Profiles and policies are ready to deploy:

        NOTE: Email Profiles for iOS and Windows are configured similarly(See steps for the same in below  shared reference links). Also, same certificate profiles will be used for VPN and WiFi profiles.

        Reference URLS:

        Hope above steps helps you in configuration :).

        I will share more posts in future and will keep updated...

        For any query or suggestion, please feel free to post me back... If this helps anyone then I will feel appreciated!!!

        Thanks in Advance for Your time to go through it!!!


        1. The article posted was very informative and useful. You people are doing a great job. Keep going.
          company formation hong kong

        2. This comment has been removed by the author.

        3. Hi I am trying to configure the same on maas360. The steps seems to be similar. I didnt understand how to do this bit "Now, Install and Bind certificate on NDES Server by requesting a certificate with Server and Client Authentication from CA Server:" Could you please elaborate?