Allow or Disallow users to Manage Installed CA Certificates for user

Hi, let’s discuss the Allow or Disallow users to Manage Installed CA Certificates for user setting in the Settings Catalog of Microsoft Intune. The Settings Catalog offers many types of policies and settings. This one is under Microsoft Edge, Certificate Management Settings.

This setting lets you control whether users can manage CA (Certificate Authority) certificates on their devices. You can choose to allow full access, limited access, or no access at all, depending on your organization’s needs. With this certificate policy, you decide how much control users have over certificates on their device. Certificates are used to help websites and services prove they are safe and trusted.

This policy helps control who can manage these certificates. The first option is All (0). This means users can do everything with certificates. They can add, remove, or change trust settings for any certificate. But it can also be risky because users might trust a bad certificate by mistake.

The second option is User Only (1). This means users can only manage certificates they add themselves. They cannot change the ones already installed by the system or organization. This is safer than the first option and still lets users add their own certificates if needed for their work.

What Does the Certificate Management Setting Control?

It controls whether users can add, remove, or change installed CA (Certificate Authority) certificates on their devices.

Allow users to Manage Installed CA Certificates for user

Above, we discussed CA certificates in Microsoft Edge. Now let’s discuss how this policy is deployed through MS Intune. Sign in to the Intune admin center, then navigate to Devices > Configuration > +Create Policy. In the Create Profile window, select Windows 10 and later as the platform and Settings catalog as the policy type, then click Create.

Allow or Disallow users to Manage Installed CA Certificates for user -Fig.1

Basic Information – The First Tab

Now you are on the first tab, called Basics. Here, you need to enter the basic details such as the Name and Description of the policy. The policy name is very important because it acts as the identifier for the policy after it is created. Once you’ve filled in the basic details, click Next to move to the next tab.

Allow or Disallow users to Manage Installed CA Certificates for user -Fig.2

How to Add Settings – Configuration Settings

After completing the basic steps, you will reach the Configuration Settings page. Here, you will see an “Add settings” option. Click on it. A Settings Picker window will appear. In the search bar, type “Microsoft Edge” and select the Certificate Management category from the results.

This category includes 22 different settings related to certificate management. From these, find and select the setting called “Allow users to manage installed CA certificates.”

Allow or Disallow users to Manage Installed CA Certificates for user -Fig.3

Enable the policy for Certificate Management

After selecting the Manage Installed CA Certificates for user option, you will be directed to the Configuration settings main page. Here, you will notice that the policy is disabled by default. If you wish to proceed without making changes, simply click Next.

Allow or Disallow users to Manage Installed CA Certificates for user -Fig.4

Enable the Policy for Certificate Management

If you want to enable the policy, you can easily do that. Move the toggle from left to right. It turns blue and is labelled Enabled. Then click Next to continue with the procedure.

Allow or Disallow users to Manage Installed CA Certificates for user -Fig.5

Scope Tags

The Scope tags tab is another section of the policy creation process. Scope tags have no required role in this configuration, so you can skip this section by clicking Next. Scope tags are used for role-based access and organizational control, but they are not necessary in this case. Skipping this step will not affect the functionality of the policy.

Allow or Disallow users to Manage Installed CA Certificates for user -Fig.6

Know the Assignments

The Assignments section is very important because it allows you to add groups to the policy. Here, you can select the appropriate organizational group. After selecting the group, click Next to proceed.

  • You have to add groups only from the “Include” section to ensure the policy is applied correctly.

Allow or Disallow users to Manage Installed CA Certificates for user -Fig.7

Monitoring Status

To view a policy’s status in the Intune portal, go to Devices > Configuration, then select the policy by its name. Check the status to ensure it shows Succeeded 1, indicating successful deployment. To speed up the process, you can perform a manual sync from the Company Portal. If the status does not update immediately, allow a few minutes for the sync to complete before checking again.

Allow or Disallow users to Manage Installed CA Certificates for user -Fig.8

Know Client-Side Verification

You can confirm that the policy reached the client in the Event Viewer by looking for Event ID 813 or 814. To access this, open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > Device Management Enterprise Diagnostic Provider > Admin.

Policy Details

MDM PolicyManager: Set policy string, Policy: (CACertificateManagementAllowed), Area: (microsoft_edgev133~Policy~microsoft_edge~CertificateManagement), EnrollmentID requesting merge: (EB427D85-802F-46D9-A3E2-D5B414587F63), Current User: (S-1-12-1-3449773194-1083384580-749570698-1797466236), String: ( ), Enrollment Type: (0x6), Scope: (0x1).

  • Now you can see a list of policy-related events.
  • I found the policy details in the Event ID 814.

Allow or Disallow users to Manage Installed CA Certificates for user -Fig.9
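
The same client-side check can be scripted instead of browsing Event Viewer. The PowerShell below is an added example, not part of the original post: it reads Event IDs 813 and 814 from the Admin log named above, keeps the events that mention this policy, and splits each message into its fields. The function name ConvertFrom-PolicyManagerMessage is hypothetical, and the sample message is constructed in the format of the event shown above, with placeholder GUID and SID.

```powershell
# Added example: confirm on the client that the Edge certificate-management policy arrived.
$LogName    = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$PolicyName = 'CACertificateManagementAllowed'   # policy name as it appears in the event text

function ConvertFrom-PolicyManagerMessage {
    # Hypothetical helper: splits an "MDM PolicyManager: Set policy ..." message
    # into its "Key: (value)" pairs and returns them as one object.
    param([Parameter(Mandatory)][string]$Message)
    $fields = [ordered]@{}
    $pattern = '(?<key>[A-Za-z][A-Za-z ]*?):\s*\((?<value>[^)]*)\)'
    foreach ($m in [regex]::Matches($Message, $pattern)) {
        $fields[$m.Groups['key'].Value.Trim()] = $m.Groups['value'].Value.Trim()
    }
    [pscustomobject]$fields
}

# Constructed sample in the format of the event on this page (GUID and SID are placeholders).
$sample = 'MDM PolicyManager: Set policy string, Policy: (CACertificateManagementAllowed), ' +
          'Area: (microsoft_edgev133~Policy~microsoft_edge~CertificateManagement), ' +
          'EnrollmentID requesting merge: (00000000-0000-0000-0000-000000000000), ' +
          'Current User: (S-1-12-1-0-0-0-0), String: ( ), Enrollment Type: (0x6), Scope: (0x1).'

# Read live events when the log is available; otherwise fall back to the sample.
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 813, 814 } -ErrorAction SilentlyContinue
$records = if ($events) {
    $events | Select-Object TimeCreated, Id, Message
} else {
    [pscustomobject]@{ TimeCreated = $null; Id = 814; Message = $sample }
}

# Keep only events for this policy and report the fields that matter for verification.
$records | Where-Object { $_.Message -like "*$PolicyName*" } | ForEach-Object {
    $f = ConvertFrom-PolicyManagerMessage -Message $_.Message
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        EventId     = $_.Id
        Policy      = $f.Policy
        Area        = $f.Area
        Value       = $f.String
        Scope       = $f.Scope
    }
}
```

An empty result on an enrolled device means no 813 or 814 event for this policy has been logged yet, so sync the device and run the check again.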

Remove Policy Group

To remove a group from a policy in Microsoft Intune, start by navigating to Devices > Configuration profiles, then search for the specific policy you want to modify. Once you locate it, click on the policy to open its details or monitoring status. Scroll down to the Assignments section and click the Edit option. From there, remove the group you want to remove.

Allow or Disallow users to Manage Installed CA Certificates for user -Fig.10

Delete the Policy

To delete a policy in Microsoft Intune, first sign in to the Microsoft Intune Admin Center. Navigate to Devices and then select Configuration profiles. Locate and select the specific policy you want to remove. Once you’re on the policy details page, click the 3-dot menu (⋯) in the top right corner and choose Delete from the available options. A screenshot is provided below to assist you with the process.

For more information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.

Allow or Disallow users to Manage Installed CA Certificates for user -Fig.11

Author

Anoop C Nair has been Microsoft MVP from 2015 onwards for 10 consecutive years! He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is also a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Windows, Entra, Microsoft Security, Career, etc.
