Integrate InTune with Onsite CA - PFX Distribution (No inbound connection to CA required)

FYI - You can’t install the InTune NDES Connector in PFX mode on the same Server as the Microsoft CA Server as it will just give you errors when you try to get a certificate pushed out to a device (this has been left out of the Microsoft article as discussed with Microsoft Support)

Found this great article if you want to integrate InTune with an onsite Microsoft CA Server using the InTune Certificate Connector but can’t allow inbound connections to the CA Server and don’t require the NDES/SCEP service

This is called PFX Distribution, where InTune will get the identity certificate on the device's/user's behalf through an outbound connection from the InTune Certificate Connector to AzureAD/InTune

How to Create and Deploy PFX Certificate Profiles in Intune Standalone

There are also a few more articles which are a must read if you want to use SCEP Distribution where the device gets the identity certificate directly from the Microsoft CA NDES service which requires inbound connection (or through Azure Application Proxy Service but this proxy service requires Azure AD Basic or Premium License)

Once you have integrated your CA Server you just need to upload the Microsoft CA Root Certificate to Office365 via the following which does require the Microsoft CA Server CRL to be accessible over the internet from Office365/Azure AD so you can then do certificate based authentication for email (iOS, Android, Windows)

You can perform cert based auth directly from device for ActiveSync to Office365 without the requirement for an ADFS Server

All you need to do is upload the Root CA Certificate (and intermediate if you have 2 CA Servers) into

  • Open Windows PowerShell and run as administrator
  • Type “Install-Module AzureAD” and hit enter, then Y and A
  • Type “Connect-AzureAD” and hit enter
  • Type “Get-AzureADTrustedCertificateAuthority” and hit enter (should be no results as you have not added Root Certs yet)
  • Type “$cert=Get-Content -Encoding byte "C:\Temp\LocalCA.cer"” (.cer file location of Root CA Cert)
  • Type “$new_ca=New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation”
  • Type “$new_ca.AuthorityType=0”
  • Type “$new_ca.TrustedCertificate=$cert”
  • Type “$new_ca.crlDistributionPoint = ""”
  • Type “New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $new_ca”
  • Type “Get-AzureADTrustedCertificateAuthority” and hit enter (should be the Root Cert you just uploaded)

You can now create a user/device certificate with the user's email address in the Subject and Subject Alternative Name to use for authentication for ActiveSync email to “

SCEP Distribution

Pros & Cons

Simple Certificate Enrollment Protocol (SCEP)

  • Mobile device generates the private/public key pair;
  • Unlike PFX method, the private key never leaves the device;
  • Unique key and certificate on every device allows certificate revocation for just a specific device;
  • Has larger infrastructure footprint compared to PFX (complex);
  • Supports Windows Hello for Business certificate based scenario.

Personal Information Exchange (PFX)

  • MDM server generates the private key and certificate and deploys them to the mobile device.
  • Entire certificate is self-contained and can be issued on behalf of the user and stored in Intune’s KRA (Key Recovery Agent)
  • The same certificate can be distributed to multiple devices of the same user. Thus, it provides S/MIME support for email encryption and digital signatures
  • Has smaller infrastructure footprint compared to SCEP (simplified).


Although the PKCS connector seems to work rather well, the Intune PKCS profiles are limited around the CN format. You can only use the common name or email address in the CN.
Same with the SAN fields: they are pre-defined and it is not possible to burn a custom value into the fields.

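The root CA upload steps listed earlier on this page, with pre-flight checks added, as an example that is not part of the original post or of Microsoft's documentation. The CRL URL is a placeholder, and choosing AuthorityType 0 (root) or 1 (intermediate) by comparing subject and issuer is an assumption of this example.

```powershell
# Added example (not from the original post). Placeholder values: replace before use.
param(
    [string]$CerPath = 'C:\Temp\LocalCA.cer',
    [string]$CrlUrl  = 'http://crl.example.com/LocalCA.crl'  # placeholder CRL URL
)
$ErrorActionPreference = 'Stop'
$X509Type = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$x509 = $X509Type::new($CerPath)

# 1. Must be a CA certificate: Basic Constraints present with CA = true.
$bc = $x509.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "$CerPath is not a CA certificate (Basic Constraints CA flag not set)."
}

# 2. Must be inside its validity period.
$now = Get-Date
if ($now -lt $x509.NotBefore -or $now -gt $x509.NotAfter) {
    throw "Certificate is not valid now ($($x509.NotBefore) to $($x509.NotAfter))."
}

# 3. Assumption: subject equal to issuer means root (0), otherwise intermediate (1).
$authorityType = if ($x509.Subject -eq $x509.Issuer) { 0 } else { 1 }

# 4. The CRL must be downloadable. Run this from outside the corporate network,
#    since a fetch from the LAN does not show what Office365/Azure AD can reach.
$crl = Invoke-WebRequest -Uri $CrlUrl -UseBasicParsing
if ($crl.RawContentLength -eq 0) { throw "CRL at $CrlUrl is empty." }

# 5. Skip the upload if this certificate is already trusted in the tenant.
Connect-AzureAD | Out-Null
$existing = Get-AzureADTrustedCertificateAuthority | Where-Object {
    $X509Type::new([byte[]]$_.TrustedCertificate).Thumbprint -eq $x509.Thumbprint }
if ($existing) { Write-Output "Already trusted: $($x509.Subject)"; return }

# 6. Same upload as in the page's steps, with the checked values filled in.
$new_ca = New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
$new_ca.AuthorityType = $authorityType
$new_ca.TrustedCertificate = [System.IO.File]::ReadAllBytes($CerPath)
$new_ca.CrlDistributionPoint = $CrlUrl
New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $new_ca
Get-AzureADTrustedCertificateAuthority
```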