Intune Certificate Deployment Step by Step Guide

The first step before deploying a SCEP certificate is to check the prerequisites of Intune certificate deployment. I’m going to share the details of Microsoft PKI related certificate deployments in this video post. If you have a non-Microsoft PKI environment, you need to check whether Intune supports it.

SCEP does not support all third-party Certificate Authority (CA) providers. At the recent Ignite, Microsoft announced new third-party certificate authority partners. Recently, Intune added support for device-based SCEP deployment; Intune already supported user-based SCEP certificates.

Newly Announced Certificate Authority Partners

Intune Certificate Deployment

  1. Entrust Datacard
  2. GlobalSign
  3. EJBCA
  4. Digicert

The above is the list of third-party CA partners supported for SCEP. Hence you can deploy SCEP certificates from these CAs via Intune. If you have a customer looking for any other third-party CA to support SCEP, you can contact Microsoft and they will be able to help with the onboarding process.

Prerequisite for SCEP Certificate Deployment via Intune

Following are the prerequisites for Intune certificate deployment (SCEP certificate deployment to users and devices).

  1. PKI or CA infrastructure
  2. NDES Server
  3. Azure AD App Proxy Connector
  4. Microsoft Intune Certificate Connector

I would recommend reading Microsoft documentation to get more details about SCEP or Intune certificate deployment prerequisites.

How to Create a SCEP Certificate

Before deploying a SCEP certificate, you need to deploy the PKI or CA chain of certificates to your devices or users.

  1. Root CA Cert
  2. Intermediate or Issuing CA cert 1
  3. Intermediate or Issuing CA cert 2
  4. Intermediate or Issuing CA cert 3, etc.
  5. SCEP certificate issued from the CA

You need to make sure all the intermediate or issuing CA certs have already reached the device. Once all the required certs are on the machine, you can deploy the SCEP certificate to the user or device. The device certificate can be secured using the TPM chip.
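As an added example (not from the original post), the following PowerShell run on the client checks that the root and issuing CA certificates have actually reached the device's machine stores before the SCEP profile is assigned, and then verifies that an issued device certificate chains up to them and whether its private key is held by the TPM. The thumbprints and the issuing CA name are placeholders you replace with your own chain's values.

```powershell
# Added example (not from the original post): confirm the CA chain is on the device before
# assigning the SCEP profile, then check an issued device certificate's chain and key storage.
# Thumbprints and the issuing CA name are placeholders; replace them with your own CA values.
$ExpectedChain = @(
    @{ Name = 'Root CA';      Store = 'Cert:\LocalMachine\Root'; Thumbprint = 'ROOT_CA_THUMBPRINT_PLACEHOLDER' },
    @{ Name = 'Issuing CA 1'; Store = 'Cert:\LocalMachine\CA';   Thumbprint = 'ISSUING_CA1_THUMBPRINT_PLACEHOLDER' }
)

$missing = @()
foreach ($entry in $ExpectedChain) {
    $cert = Get-ChildItem -Path $entry.Store | Where-Object { $_.Thumbprint -eq $entry.Thumbprint }
    if (-not $cert) {
        $missing += $entry.Name
        Write-Warning ("{0} not found in {1}" -f $entry.Name, $entry.Store)
    } elseif ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning ("{0} is present but expired on {1}" -f $entry.Name, $cert.NotAfter)
    } else {
        Write-Output ("{0} present, valid until {1}" -f $entry.Name, $cert.NotAfter)
    }
}
if ($missing) {
    Write-Warning 'Chain incomplete; deploy the trusted certificate profiles before the SCEP profile.'
    return
}

# Once the SCEP profile has applied, the device certificate sits in the machine Personal store.
# Filter on the issuer CN of your issuing CA (placeholder below).
$IssuingCaName = 'ISSUING_CA_COMMON_NAME_PLACEHOLDER'
$issued = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Issuer -like "CN=$IssuingCaName*" }

foreach ($c in $issued) {
    # Build the chain using only the certificates the device actually holds.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($c)
    $status = if ($built) { 'OK' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',' }

    # A key held by the Microsoft Platform Crypto Provider is TPM-backed; a CSP key has no .Key
    # property and falls into the catch block.
    $provider = try {
        [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c).Key.Provider.Provider
    } catch { 'unknown' }

    [pscustomobject]@{
        Subject     = $c.Subject
        Expires     = $c.NotAfter
        ChainBuild  = $status
        KeyProvider = $provider
        TpmBacked   = ($provider -eq 'Microsoft Platform Crypto Provider')
    }
}
```

A chain build that fails with an UntrustedRoot or PartialChain status is the client-side symptom of the missing intermediate certs the paragraph warns about.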

As I mentioned in the above video, you can log in to the Azure portal with the correct Intune RBAC access and create a SCEP certificate deployment profile.

  1. Azure portal
  2. Intune Blade
  3. Device Configuration – Profiles
  4. Create Profile
  5. Platform – Windows 10 or later
  6. Profile Type – SCEP Certificate
  7. SCEP Certificate Type – User or Device
  8. More details available

Intune Certificate Deployment SCEP Certificates

Troubleshooting Intune Certificate Deployment Issues

I have already shared a post about Intune application, certificate, or profile deployment troubleshooting options. I would recommend reading that post for more troubleshooting details from the Intune side.

The other part of troubleshooting is done from the CA, NDES, NDES Intune connector, Azure App Proxy connector, etc.

Troubleshoot Intune Deployments – Applications Policies Profiles Intune Issues

Troubleshooting Intune deployments is challenging for new admins in the device management world. The above video will help you troubleshoot Intune deployment issues.

Phases of Intune Troubleshooting

There are four (4) phases in Intune deployment troubleshooting. All four are explained in the video. You can find more details below.

  • Server/Cloud Console Side – Intune Health check
  • Server/Cloud Console Side – Intune Troubleshooting Blade
  • Server/Cloud Console Side – Deep dive into Intune App Deployment Troubleshooting
  • Client Side (Device Side) – Troubleshooting Logs/Events etc

It was far more difficult to troubleshoot Intune issues in the days of the Silverlight console. After the migration to the Azure portal, Intune troubleshooting became much easier.

How to Start Intune Troubleshooting

  • Log in to the Azure portal
  • Navigate to the Intune blade
  • Click on the Troubleshoot node
  • Click on the Select User button
  • Search for and select the user ID which you want to troubleshoot
  • Click Select to start Intune troubleshooting
  • The Troubleshooting blade will give you all the details of the selected user
  • Drill down into each part of the troubleshooting guide to get to the root of the Intune issue

Troubleshoot Intune Issues

Most of us know how to start troubleshooting with the Intune Silverlight console. Intune troubleshooting was made easier after the migration to the Azure portal. Troubleshooting Windows 10 MDM issues is still pretty new for most of us, and the importance of MDM policies is increasing day by day. In this blog post you will see tips to start troubleshooting Windows 10 the MDM way.

How to Troubleshoot Windows 10 Event Logs

Windows 10 MDM issues can be troubleshot using the registry, WMI, and event logs. More detailed discussions are available in the following blog post.

Intune Error Codes Table

The Intune error codes table helps you find the details of Intune apps, Intune policies, and Intune compliance policies. In the Troubleshooting portal you’ll be able to review application installation status and enrollment status for devices. Here’s a list of user details you can view for each user:

  • User status
  • Group assignment
  • Application and policy Assignments
  • App protection Status
  • Compliance issues
  • Device status
  • Device details such as OS type and version


SCCM Admin Console Walkthrough Video Guide

Device management training videos to start learning SCCM device management technology. SCCM manages more than 70% of corporate Windows PCs in the world. I call this series of video posts the SCCM Educational post series. I would love to cover the basics of SCCM in this series of posts. If you are a newbie to the SCCM admin console, then this is a helpful guideline for you.

The above video explains the details of the SCCM admin console nodes. The SCCM console buttons give you an overall idea of the UI capabilities. This post will help you learn and understand SCCM in a better way. I always think about a teaching technique that starts from the SCCM console. Do you think it would be OK to start SCCM learning with an SCCM console overview?

SCCM Admin Console – More Details

The SCCM console gives admins access to manage and monitor all the policies, applications, OS deployments, etc., for the devices you manage with SCCM. Administrators use the SCCM admin console to manage the SCCM environment. Each SCCM console can connect to a CAS or a primary site. You can’t connect an SCCM console to a secondary site.

An SCCM admin sees objects in the console based on the permissions assigned to their user account. For more information about role-based administration, see Fundamentals of role-based administration.

When you install the site server, you can install the SCCM admin console at the same time. To install the console separately from the site server installation, run the standalone installer. You can run the console from Windows 10 machines to manage your devices.

If you would like to read more about this in a documentation format, I would recommend reading my previous post from the following link.


PWA Windows Desktop and Mobile Experience

PWA stands for Progressive Web Application. is my new blog, and it is a PWA-enabled website. This blog is more for video blogs than text content. In this video post, you will see the PWA Windows desktop experience. I will also cover the PWA iOS and Android mobile experience.

Google announced desktop progressive web app support for Chrome 70 or later. Once your website is PWA enabled, it can be ‘installed’ on the user’s device much like native apps. They’re fast.

PWA Windows desktop apps provide a more integrated, reliable experience because they launch in the same way as other apps and run in an app window, without an address bar or tabs.

Advantages – PWA Windows Desktop

  • Fast
  • Integrated
  • Reliable
  • Engaging

PWA for Windows Devices

In this section, you will see how to install an app (PWA) on a Windows 10 desktop using Chrome 70 or later. The PWA Windows desktop experience is also explained in the video tutorial above.

  • Update your Chrome version to 70 or later on the Windows 10 device
  • Launch (or relaunch) Chrome
  • Open or any other PWA-enabled website
  • Click the options button as you can see in the picture below
  • Click on the Install “How to Manage Devices” button. How To Manage Devices is the name which I provided for this website.
  • Click on the Install button in the Install App popup
  • Launch the desktop or Start menu shortcut to launch the PWA Windows desktop app for the HowToManageDevices blog

Screenshots: Click on the Install How To Manage Devices option; Click on the Install button from the Install App popup; Here is the PWA Windows Desktop experience.

PWA for iOS Devices

The following are the steps you need to follow to get the PWA iOS experience. The PWA Windows desktop experience is different from the iOS experience. You can use Safari (the default browser) on your iOS device.

  • Launch Safari
  • Go to (any website which is PWA enabled)
  • Click on the Share button
  • Click on the Add to Home Screen button
  • Click on the Add button
  • Click on the app button (HTMD) created on your iOS home screen

Screenshots: Click on the Share button in the Safari browser; Click on the Add to Home Screen button; Click on the Add button to add the PWA app to the home page; Click on the How To Manage Devices (HTMD) icon.

PWA Android Experience

The PWA Android experience is better than the iOS and PWA Windows experiences for obvious reasons. The following are the steps you need to follow to get the PWA Android experience. I have a video which explains the PWA Windows desktop experience.

  • Launch the Chrome browser
  • Open the PWA-enabled website
  • Click the options button in the Chrome browser
  • Click on the Add to Home Screen option
  • Click on the Add button in the popup
  • Click OK on the next popup screen
  • Click on the PWA app (HTMD) icon on the home screen

Screenshots: Click on the Add to Home Screen option; Click on the Add button in the popup; Click on the OK button; Launch the PWA (HTMD) icon from the home screen.


Create Office 365 ProPlus Client Package

I created this video a year back and there have been many changes in recent months. The SCCM client installation wizard has been integrated with the Office Customization Tool. Office 365 ProPlus client package creation is made easy in the latest version of SCCM. You need to remember that an internet connection is required to complete the Office 365 ProPlus client package creation wizard.

The Office 365 ProPlus client package creation wizard includes the online Office Customization Tool. This tool needs an internet connection because the Office Customization Tool is launched as a web-based tool.

If you are looking for a solution to update the Office 365 ProPlus client with the latest patches, then the following post will help you. I have another post which explains “How to Deploy and Install Office 365 Software Updates (patches) with SCCM ADR“.

Launch Office 365 ProPlus Client Package Creation wizard

  • Launch the SCCM console from an internet-connected machine
  • Navigate to the \SoftwareLibrary\Overview\Office 365 Client Management dashboard
  • Click on + Office 365 Installer in the Office 365 Client Management dashboard
  • Give the name of the Office 365 client package
  • Browse to a location, usually on the file server or the SCCM server package source folder
  • Click on the Next button
  • Click Office Customization Tool to customize and import your XML file into the SCCM application configuration engine. Select Office 365 ProPlus Client Package from the menu options. This part is not covered in the above video tutorial.
  • Wait for the Office 365 client package creation wizard to finish. This wizard will download the source files from the internet and save them to the package source folder.
  • Click Finish to close the wizard

When Microsoft publishes a new Office 365 proplus client update to the Office Content Delivery Network (CDN), Microsoft simultaneously publishes an update package to Windows Server Update Services (WSUS). Then, SCCM synchronizes the Office 365 ProPlus client update from the WSUS catalog to the site server. SCCM can then download the update and distribute it to distribution points selected by the administrator.


Delete Azure AD Devices – AAD Device Management

Azure Active Directory is an identity solution from Microsoft, but Azure AD also helps to perform device management actions. Most organizations use Intune to manage AAD devices. In this video, you will learn how to delete Azure AD devices.

The devices registered to Azure AD are visible in the Azure portal. You can log in to the Azure portal with Azure AD admin privileges to delete devices from there. You can also delete Azure AD devices if you have Intune Administrator access.

How to Get Devices into Azure AD Management?

You have two options to get a device under Azure AD management.

  1. Registering – iOS, Android, and Windows
  2. Joining – Windows

In both of the above scenarios Azure AD devices can be managed by an MDM solution like Intune. Registering a device to Azure AD enables you to manage the device’s identity. When a device is registered, Azure AD device registration provides the device with an identity that is used to authenticate the device when a user signs in to Azure AD. You can use the identity to enable or disable a device. You can also delete Azure AD devices and remove their identities from AAD.

Delete Azure AD Devices

How To Disable an Azure AD Device

  • Log in to the Azure portal with the required permissions
  • Go to the Azure Active Directory blade in the Azure portal
  • Select the All Devices option
  • Search for devices by device name, or you can search by user name
  • Select one device and click on the Disable button as shown in the above video

How To Delete Azure AD Devices

  • Log in to the Azure portal with the required permissions
  • Go to the Azure Active Directory blade in the Azure portal
  • Select the All Devices option
  • Search for devices by device name, or you can search by user name
  • Select one device and click on the DELETE button as shown in the above video
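The same disable-then-delete flow as the two portal procedures above, as an added PowerShell example that is not from the original post. It uses the Microsoft Graph PowerShell SDK rather than the portal; it assumes the Microsoft.Graph module is installed, that the signed-in account holds a role allowed to delete devices (for example Intune Administrator, as mentioned above), and that the Device.ReadWrite.All scope is sufficient for your tenant.

```powershell
# Added example (not from the original post): disable, and optionally delete, an Azure AD
# device by display name using the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the account has rights to delete devices.
param(
    [Parameter(Mandatory)] [string] $DeviceName,
    [switch] $Delete    # without -Delete the script only disables the device
)

Connect-MgGraph -Scopes 'Device.ReadWrite.All' | Out-Null

# Exact display-name match; single quotes in the name are doubled so they cannot break the filter.
$escaped = $DeviceName.Replace("'", "''")
$devices = @(Get-MgDevice -Filter "displayName eq '$escaped'")

if ($devices.Count -eq 0) { throw "No device named '$DeviceName' found in Azure AD." }
if ($devices.Count -gt 1) {
    $devices | Select-Object DisplayName, Id, OperatingSystem, ApproximateLastSignInDateTime | Format-Table
    throw 'Several devices share this name; re-run with a unique name or act on the object id.'
}

$dev = $devices[0]
Write-Output ("Found {0} ({1}, last sign-in {2})" -f $dev.DisplayName, $dev.OperatingSystem, $dev.ApproximateLastSignInDateTime)

# Disable first: the device identity stays in the directory but can no longer authenticate,
# which mirrors the portal's Disable button and is reversible.
Update-MgDevice -DeviceId $dev.Id -AccountEnabled:$false
Write-Output 'Device disabled.'

if ($Delete) {
    # Deleting removes the identity from AAD; an enrolled device would have to register again.
    Remove-MgDevice -DeviceId $dev.Id -Confirm
    Write-Output 'Device deleted.'
}
```

Run it without -Delete first to confirm the right object is matched; the -Confirm prompt on the delete step gives a final chance to back out.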


I recorded this video more than a year back and there is no audio explanation in this video. But this video covers the end-to-end software update or SCCM patching process for IT admins. If you are new to SCCM and want to understand the SCCM patch management process, then this video is your starting point.

Unlike other deployment types, software updates are all downloaded to the client cache, regardless of the maximum cache size setting on the client.

High-Level Process of SCCM Patch Management

  • Install WSUS
  • Install the SUP and verify the installation log files
  • Software Update Component configuration – Classifications/Products
  • Software update sync – log file WsyncMgr.log
  • Selection of patches/software updates and creation of a Software Update Group
  • Deployment of the Software Update Group
  • Client-side experience on a Windows 10 device
  • What happened to WindowsUpdate.log? Event logs?
  • How to speed up SCCM policy processing for the SCCM patch management process?
  • Windows 10 SCCM client-side logs – Reboot required? If yes, reboot the Windows 10 device
  • Check the default compliance reports to confirm the SCCM patch management compliance percentage of your environment

Software updates in SCCM provide a set of tools and resources that can help manage the complex task of tracking and applying patches to Windows client computers. An effective software update management process is necessary to maintain operational efficiency, overcome security issues, and maintain the stability of the network infrastructure. However, because of the changing nature of technology and the continual appearance of new security threats, effective software update management requires consistent and continual attention.

SCCM Patch Management

The SCCM patch management process is known as Software Updates in SCCM. In this video, we will see the components needed for SCCM software updates, how to sync SCCM with Microsoft Update for patching, how to select and download a list of patches, how to deploy patches, how to troubleshoot patching issues, the patching experience on the client side, and the SCCM log files related to patching.


SCCM Restore Recovery Guide

I recorded this video a few years back. It was one of the first videos where I started explaining things while I was showing the steps. The SCCM restore process has changed with the release of SCCM CB. Now you have several options to recover an SCCM primary server and CAS.

This video is part of the collection of video tutorials which I made previously. This video tutorial will help you understand the process, and that will in turn help you troubleshoot SCCM CB restore or recovery issues in a better way.

What is the SCCM CD.Latest Folder?

The CD.Latest folder is important for SCCM restore or recovery of a standalone primary server. If you do not have the correct CD.Latest folder and its contents available, you cannot recover a site and it must be reinstalled.

The SCCM installation should be done from the CD.Latest folder in a scenario where your SCCM version is not a baseline version. The CD.Latest folder contains a folder named Redist which contains the redistributable files that Setup downloads and uses. These files are matched to the version of Configuration Manager files found in that CD.Latest folder. When you run Setup from a CD.Latest folder, you must use files that are matched to that version of Setup. To do so you can either direct Setup to download new and current files from Microsoft, or direct Setup to use the files from the Redist folder included in the CD.Latest folder. A backup of this folder is important for a successful SCCM restore and recovery scenario.

Prerequisite of SCCM Restore

  • Hostname of the server should be the same
  • Drive letters should be the same as the previous SCCM primary server
  • Installation path should be the same as the previous primary server
  • Should have the same OS patch level for the server
  • Better to have the same IP to avoid opening up new firewall ports
  • All the prerequisite apps should be installed (ADK, WSUS, etc.)
  • SQL database is already restored (manually) – if you are using SQL DB based backup

SCCM restore and recovery scenarios are explained in the video tutorial.
SCCM Restore – Recover Scenarios


I have some previous posts which explain the entire SCCM restore and recovery processes in detail. I would recommend reading those to get more details.

More details about the importance of the SCCM CD.Latest folder are explained in the following Microsoft documentation.

SCCM Upgrade Task Sequence Template

SCCM offers a Windows 10 upgrade task sequence. Before starting to create the Windows 10 upgrade task sequence, let’s complete the prerequisite. The prerequisite is to create a Windows 10 operating system upgrade package. The SCCM upgrade task sequence template can be used to upgrade Windows 10 to the latest version.

The SCCM upgrade task sequence template is available out of the box in the latest version of SCCM. Open the SCCM CB console, navigate to the Software Library workspace, right-click the Operating System Upgrade Packages node, then select Add Operating System Upgrade Package.

Browse to the data source for the operating system upgrade package. Specify the operating system upgrade package by providing the Windows 10 Enterprise x86 or x64 binary network share location. Select the architecture of Windows 10 and the base language.

On the next page, enter the name of the Windows 10 upgrade package, and that is it; you are done.

Open the SCCM console, navigate to the Software Library workspace, right-click the Task Sequences node, and then select Create Task Sequence. On the Create a new task sequence page, select Upgrade an operating system from upgrade package and then click Next.

Enter the name of the task sequence – Windows 10 Enterprise Upgrade. On the Upgrade the Windows operating system page of the wizard, select the Windows 10 upgrade package which we created in the first step. The wizard will list all the available Windows 10 editions included in the Windows 10 upgrade package.

SCCM Upgrade Task Sequence

Windows Upgrade using SCCM Upgrade Task Sequence

Use task sequences in SCCM to automatically upgrade an OS on a destination computer. This upgrade can be from Windows 7 or later to Windows 10, or from Windows Server 2012 or later to Windows Server 2016. Create a task sequence that references the OS upgrade package and any other content to install, such as applications or software updates.


Setup Android Device Management – Intune

The above video tutorial was created one year back. Google has now announced that device admin won’t be supported for Android device management in upcoming versions of Android. Android Enterprise will be the only supported option for device management with Microsoft Intune.

The above video explains the prerequisites of Android Enterprise, Intune portal admin configurations, adding Google Play apps to Google Play for Work, Android Enterprise device enrollment, work profile creation, and removal of the Android for Work profile.

Prerequisite for Android Device Management

  • Only devices with Android 5.0 Lollipop and later have work profile and Android Enterprise support, as per Google. This has nothing to do with Microsoft and Intune.
  • Some Android Enterprise settings are available only for Android 6.0 and later.
  • It’s important to understand that Android Enterprise does NOT support all Android devices in the market; the list of supported devices is here.
  • Bind your Intune and Google for Work accounts from the Intune portal, because the Azure Intune blade is not enlightened with this feature yet.
  • Create a Google account or use an existing account to sign up for Android Enterprise with the EMM provider. More details here.
  • Add applications from Google Play to the Google for Work store and then sync these apps to Intune. You can click the Sync button in the Intune console to initiate a new sync between Intune and the Google Play for Work store.
  • Sync the apps from the Intune console – Admin > Mobile Device Management > Android for Work. After the sync, the apps will be visible under Intune console – Apps – Volume Purchased Apps.

Android Device Management with Intune

Google states that device admin will remain supported in Oreo and through the next major release, Android P. Once Android Q is announced, Android Enterprise will be the only available solution for device management going forward.

Google has finally announced that device admin will not be supported in future for device management, so I would not suggest using the normal Android device management with Intune.