In this blog post, we’ll check how to deploy a Trusted Root Certificate using an Intune Configuration Policy. It’s an essential step for enabling secure communications in enterprise environments. Trusted root certificates ensure that devices can validate the authenticity of services such as internal web portals, VPN connections, or Wi-Fi networks that use certificates issued by a private Certificate Authority (CA).
Without these certificates, users might face SSL errors, failed authentication, or warning messages when connecting to internal resources. In Microsoft Intune, administrators can create a Device Configuration Profile specifically for Windows 10/11 devices to deploy the trusted root certificate.
The profile uses the Trusted certificate profile type. The .cer file (in Base-64 encoded X.509 format) representing the root certificate is uploaded, and the profile is then assigned to the appropriate device groups. Intune automatically pushes the certificate to the Trusted Root Certification Authorities store on managed Windows devices.
This method ensures consistent certificate distribution across all enrolled Windows devices, enhancing the reliability and security of corporate services. With Intune’s built-in reporting and compliance features, administrators can track deployment success and identify devices that are missing critical certificates. By automating this process, organizations reduce the risk of misconfiguration, strengthen endpoint security, and maintain user productivity with minimal manual intervention.

Export a Trusted Root Certificate
First, we need to export a trusted root certificate from the Internal Certificate Authority (CA). In this example, I have exported “HTMD – Root CA.cer” to demonstrate this policy deployment. To export the cert, execute the command from your CA Server. Open Command Prompt as Administrator and run certutil -ca.cert "HTMD - Root CA.cer" (the file name contains spaces, so it must be quoted).
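As an added example (not part of the original post, and not HTMD’s own script), the following PowerShell performs the same export with a few checks that are worth doing before the file is uploaded to Intune: it confirms the certificate is self-signed (Subject equals Issuer) and carries the CA basic constraint, so you never accidentally publish an issuing CA or a leaf certificate as a trust anchor, and it writes the file in the Base-64 encoded X.509 format the profile expects. The subject name and output path are assumptions; adjust them to your CA.

```powershell
# Added example (not from the original post): locate the root CA certificate in the
# local machine store by subject name, confirm it really is a self-signed CA certificate,
# and write it out as a Base-64 encoded X.509 .cer file ready for upload to the Intune
# Trusted certificate profile. Subject name and output path are assumptions.
$SubjectName = 'CN=HTMD - Root CA'          # assumed subject of the root CA
$OutFile     = "$env:USERPROFILE\Desktop\HTMD - Root CA.cer"

# Search the Trusted Root store of the CA server (the CA's own certificate is kept there too).
$cert = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $SubjectName } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$SubjectName' found in LocalMachine\Root." }

# A root CA certificate is self-signed: Subject and Issuer are identical.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Certificate is not self-signed (issuer '$($cert.Issuer)'); this is an issuing CA or leaf cert, not the root."
}

# Basic Constraints must flag it as a CA; otherwise it must never be placed in the Root store.
$bc = $cert.Extensions |
      Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "Certificate lacks the CA basic constraint; refusing to export it as a trusted root."
}

# Public certificate only: RawData contains no private key material.
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($cert.RawData, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----`r`n"
Set-Content -Path $OutFile -Value $pem -Encoding Ascii

# Record what was exported so the thumbprint can be compared on endpoints later.
[PSCustomObject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotBefore  = $cert.NotBefore
    NotAfter   = $cert.NotAfter
    File       = $OutFile
}
```

Keep the thumbprint it prints: it is the value to pin when you later verify the deployment on endpoints, and it is what distinguishes your root from any other certificate that happens to carry the same subject name.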
Issued to | Issued by | Valid from
---|---|---
HTMD – Root CA | HTMD – Root CA | 6/15/2025 to 6/15/2030
Create a Configuration Policy to Deploy Trusted Root Certificate in Intune
Follow these steps to deploy the Trusted Root Certificate Configuration Policy using Microsoft Intune. First, sign in to the Microsoft Intune Admin Center with your administrator credentials.
- Navigate to Devices > Windows > Manage devices > Configuration
- Click on +Create > +New Policy

Next, we will create a new configuration profile from scratch. First, we need to provide the options mentioned below.
- Platform: Windows 10 and later
- Profile type: Templates
- Template name: Trusted Certificate
Note! Templates contain groups of settings, organized by functionality. Use a template when you don’t want to build policies manually or want to configure devices to access corporate networks, such as configuring WiFi or VPN.

On the Basics details pane, we can name the configuration policy as “HTMD – Trusted Root Certificate Deployment” if needed, briefly describe the policy’s use (here, I am using “HTMD – Root CA.cer”), and then click Next.
Note! Import the trusted root certificate from your Certification Authority and assign it to devices that use SCEP and PKCS certificates to authenticate with your org’s resources.

We can now add the required settings on the Configuration settings pane. First, under Certificate file, browse to and select the exported Root CA, i.e., “HTMD – Root CA.cer”. Then, for Destination store, choose “Computer certificate store – Root” from the drop-down. The other options are “Computer certificate store – Intermediate” and “User certificate store – Intermediate”; a self-signed root belongs in the Root store, because a certificate placed only in an Intermediate store is not treated as a trust anchor.

On the next page, leave the Scope tags as Default. If your tenant has custom scope tags, you can select them based on your policy needs, then click on Next.

Here, I am assigning the configuration policy to the “HTMD – Test Computers” device group. To do this, click on “Add Groups” and select the desired device group under the “Included Groups” option. In this example, I am not using any filters, and the “Excluded Groups” option has been left blank.

On the next pane, specify how to apply this profile within an assigned group. Intune applies the profile only to devices that meet the combined criteria of these rules. In this example, the following Applicability Rule is selected.
- Rule – Assign profile if
- Property – OS edition
- Value – Windows 10/11 Enterprise

On the Review + create page, carefully review all the settings you’ve defined for the HTMD – Trusted Root Certificate Deployment policy. Once you’ve confirmed everything is correct, select “Create” to deploy the policy.

Monitor the Trusted Root Certificate Deployment
The configuration policy has been deployed to HTMD – Test Computers, a Microsoft Entra ID device group. Once a device syncs, the policy takes effect immediately. To monitor the policy deployment status from the Intune Portal, follow the steps below.
- Navigate to Devices > Windows > Configuration > Search for the “HTMD – Trusted Root Certificate Deployment” configuration policy.
- Under Device and user check-in status, you can see the policy’s deployment status.

End User Experience
We can now verify whether the Trusted Root Certificate deployment worked. Log on to a device targeted by the policy. Next, check the result using the Local Computer certificate store on the device.
- Open Run > Type Certlm.msc > Under Certificates – Local Computer > Trusted Root Certification Authorities > Certificates
You can see that HTMD – Root CA has been deployed successfully. The screenshot below shows that the policy was applied to the system and worked as expected!
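Looking at Certlm.msc confirms one device; to check the fleet, the same verification can be scripted. The following is an added example (not from the original post, and not an Intune-provided script) that checks the Local Computer Trusted Root store for the deployed root pinned by thumbprint rather than by name, reports whether the certificate is missing, mismatched, expired or close to expiry, and returns exit code 0 or 1 so it can serve as the detection script of an Intune remediation. The thumbprint is a placeholder and the subject name is an assumption.

```powershell
# Added example (not from the original post): verify on a managed Windows device that the
# root CA delivered by the Intune Trusted certificate profile is present in the Local Computer
# Trusted Root store, pinned by thumbprint. Exit code 0 = present, 1 = missing/invalid, so the
# same script can be used as the detection script of an Intune remediation. The thumbprint is
# a placeholder; replace it with the value recorded when the root was exported.
$ExpectedThumbprint = 'REPLACE_WITH_ROOT_CA_THUMBPRINT'   # placeholder, not a real value
$ExpectedSubject    = 'CN=HTMD - Root CA'                 # assumed subject of the root CA
$WarnDays           = 90                                   # warn when expiry is this close

# Normalise the thumbprint (strip spaces/colons, upper-case) before comparing.
$thumb = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
$store = Get-ChildItem -Path Cert:\LocalMachine\Root
$root  = $store | Where-Object { $_.Thumbprint -eq $thumb }

if (-not $root) {
    # Distinguish "not delivered at all" from "a different certificate with the same name is
    # trusted", which is the case an administrator most needs to notice.
    $sameName = $store | Where-Object { $_.Subject -eq $ExpectedSubject }
    if ($sameName) {
        Write-Output "MISMATCH: '$ExpectedSubject' is in the Root store but thumbprint $($sameName.Thumbprint -join ',') does not match the expected value."
    } else {
        Write-Output "MISSING: '$ExpectedSubject' is not in Cert:\LocalMachine\Root; the profile has not applied yet or the device is out of scope."
    }
    exit 1
}

$now = Get-Date
if ($root.NotAfter -lt $now) {
    Write-Output "EXPIRED: $($root.Subject) expired on $($root.NotAfter); clients will start seeing trust errors."
    exit 1
}

# Present and valid: flag approaching expiry so the CA renewal and profile update are planned in time.
$daysLeft = [int]($root.NotAfter - $now).TotalDays
if ($daysLeft -le $WarnDays) {
    Write-Output "WARNING: $($root.Subject) expires in $daysLeft days ($($root.NotAfter))."
} else {
    Write-Output "OK: $($root.Subject) ($($root.Thumbprint)) present, valid until $($root.NotAfter)."
}
exit 0
```

Pinning by thumbprint matters because the Root store is the device’s trust boundary: a certificate with the right name but a different thumbprint is exactly the condition a name-based check would wrongly report as healthy.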

Author
Vaishnav K has over 11 years of experience in SCCM, Device Management, and Automation Solutions. Writes and imparts knowledge about Microsoft Intune, Azure, PowerShell scripting, and automation. Check out my profile on LinkedIn.