We’ve heard feedback from you that you want email and certificates removed from devices when you remove a user from the group targeted by one of those profiles in Intune. That functionality is shipping this month! In the past, certificates and email profiles would remain on the device even after you had removed the user from the targeted group.
If you find that email accounts or certificates are being removed unexpectedly from users' devices, use the following troubleshooting steps:
- If you’ve configured an email profile, double check that the user is part of the targeted group.
- If the user is in the group, then check whether the device itself is operating as expected. This troubleshooting documentation is quite helpful: https://docs.microsoft.com/intune/device-profile-troubleshoot
- If you’ve removed the user from the targeted group, then the user can manually add the email account to their device, or you can add them back into the group.
- You can use Microsoft Graph calls or PowerShell to automate any of these steps.
You can use similar steps to troubleshoot certificate profiles.
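The group-membership check from the steps above, as an added example in PowerShell against Microsoft Graph (this is not Microsoft's own tooling or code from the original post). It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller can consent to the listed scopes, and that the profile is identified by its display name as shown in the Intune admin center; `$AddBack` and the helper function names are this example's own.

```powershell
# Added example, not from the original post or Microsoft's own tooling.
# Checks whether a user is still targeted by an Intune device configuration profile
# (email, SCEP or PKCS) through its group assignments, and optionally re-adds them.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [Parameter(Mandatory)] [string] $ProfileDisplayName,
    [switch] $AddBack   # re-add the user to the profile's first include group if they are in none
)

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All','GroupMember.ReadWrite.All','User.Read.All'
$graph = 'https://graph.microsoft.com/v1.0'

# Fetch every page of a Graph collection (Graph returns @odata.nextLink when there is more)
function Get-GraphCollection([string] $Uri) {
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

$user       = Invoke-MgGraphRequest -Method GET -Uri "$graph/users/$UserPrincipalName"
$cfgProfile = Get-GraphCollection "$graph/deviceManagement/deviceConfigurations" |
              Where-Object { $_.displayName -eq $ProfileDisplayName } | Select-Object -First 1
if (-not $cfgProfile) { throw "No device configuration profile named '$ProfileDisplayName'" }

# Split the assignment targets into include and exclude groups; an exclude wins over an include
$targets  = (Get-GraphCollection "$graph/deviceManagement/deviceConfigurations/$($cfgProfile.id)/assignments").target
$includes = @($targets | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.groupAssignmentTarget' } | ForEach-Object { $_.groupId })
$excludes = @($targets | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.exclusionGroupAssignmentTarget' } | ForEach-Object { $_.groupId })

# checkMemberGroups is transitive (nested groups count) and accepts up to 20 group IDs per call
function Test-GroupMembership([string] $UserId, [string[]] $GroupIds) {
    if (-not $GroupIds) { return @() }
    $body = @{ groupIds = $GroupIds } | ConvertTo-Json
    (Invoke-MgGraphRequest -Method POST -Uri "$graph/users/$UserId/checkMemberGroups" -Body $body -ContentType 'application/json').value
}
$inIncludes = Test-GroupMembership $user.id $includes
$inExcludes = Test-GroupMembership $user.id $excludes

if ($inExcludes) { Write-Warning "User is in an EXCLUDE group for '$ProfileDisplayName': $($inExcludes -join ', ')" }
if ($inIncludes) { Write-Host "User is targeted via include group(s): $($inIncludes -join ', ')" }
elseif ($AddBack -and $includes) {
    # Only assigned (non-dynamic) groups accept manual members; a dynamic group returns an error here
    $body = @{ '@odata.id' = "$graph/directoryObjects/$($user.id)" } | ConvertTo-Json
    Invoke-MgGraphRequest -Method POST -Uri "$graph/groups/$($includes[0])/members/`$ref" -Body $body -ContentType 'application/json'
    Write-Host "Re-added user to group $($includes[0]); the profile redeploys at the device's next check-in"
} else { Write-Host "User is NOT in any include group for '$ProfileDisplayName'" }
```

Run it once without `-AddBack` to see whether the user is targeted (and whether an exclude group is silently blocking the profile) before changing any membership.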
Our documentation is being updated and re-published to provide details about removing SCEP and PKCS certificates. In the meantime, we're including the updated doc below, and we'll swap in a link to the documentation when it goes live.
Remove SCEP and PKCS certificates in Microsoft Intune
In Microsoft Intune, you can add SCEP and PKCS certificates to devices. These certificates can also be removed when you wipe or retire the device. There are some other scenarios where certificates are automatically removed, and some scenarios where certificates stay on the device.
This article lists some common scenarios and their impact on PKCS and SCEP certificates.
[NOTE] To effectively remove and revoke certificates for a user being removed from AD or AAD, here is the order of operations to complete:
- Wipe or retire the user's device
- Then remove user from AD/AAD
Windows devices
SCEP certificates
- A SCEP certificate is revoked and removed when:
- A SCEP certificate is revoked when:
  - Administrator changes or updates the SCEP profile
- Root certificate is removed when:
- SCEP certificates stay on the device (certificates aren't revoked nor removed) when:
  - An end user loses the Intune license
  - Administrator withdraws the Intune license
  - Administrator removes the user or group from Azure AD
PKCS certificates
- A PKCS certificate is revoked and removed when:
- Root certificate is removed when:
- PKCS certificates stay on the device (certificates aren't revoked nor removed) when:
  - An end user loses the Intune license
  - Administrator withdraws the Intune license
  - Administrator removes the user or group from Azure AD
  - Administrator changes or updates the PKCS profile
  - Configuration profile is removed from the group assignment
  - Compliance policy is removed from the group assignment
iOS devices
SCEP certificates
- A SCEP certificate is revoked and removed when:
- A SCEP certificate is revoked when:
  - Administrator changes or updates the SCEP profile
- Root certificate is removed when:
- SCEP certificates stay on the device (certificates aren't revoked nor removed) when:
  - An end user loses the Intune license
  - Administrator withdraws the Intune license
  - Administrator removes the user or group from Azure AD
PKCS certificates
- A PKCS certificate is revoked and removed when:
- A PKCS certificate is removed when:
  - Compliance policy is removed from the group assignment
  - Configuration profile is removed from the group assignment
- Root certificate is removed when:
- PKCS certificates stay on the device (certificates aren't revoked nor removed) when:
  - An end user loses the Intune license
  - Administrator withdraws the Intune license
  - Administrator removes the user or group from Azure AD
  - Administrator changes or updates the PKCS profile
Android & Android Enterprise devices
SCEP certificates
- A SCEP certificate is revoked and removed when:
  - An end user unenrolls
  - Administrator runs wipe action
- A SCEP certificate is revoked when:
  - Administrator runs retire action
  - Device is removed from Azure Active Directory (AD) group
  - Compliance policy is removed from the group assignment
  - Configuration profile is removed from the group assignment
  - Administrator removes the user or group from Azure Active Directory (AD)
  - Administrator changes or updates the SCEP profile
- Root certificate is removed when:
- SCEP certificates stay on the device (certificates aren't revoked nor removed) when:
  - An end user loses the Intune license
  - Administrator withdraws the Intune license
  - Administrator removes the user or group from Azure AD
PKCS certificates
- A PKCS certificate is revoked and removed when:
- Root certificate is removed when:
- PKCS certificates stay on the device (certificates aren't revoked nor removed) when:
  - An end user loses the Intune license
  - Administrator withdraws the Intune license
  - Administrator removes the user or group from Azure AD
  - Administrator changes or updates the PKCS profile
  - Configuration profile is removed from the group assignment
  - Compliance policy is removed from the group assignment
macOS certificates
SCEP certificates
- A SCEP certificate is revoked and removed when:
  - An end user unenrolls
  - Administrator runs retire action
  - Device is removed from Azure Active Directory (AD) group
  - Compliance policy is removed from the group assignment
  - Configuration profile is removed from the group assignment
- A SCEP certificate is revoked when:
  - Administrator changes or updates the SCEP profile
- SCEP certificates stay on the device (certificates aren't revoked nor removed) when:
  - An end user loses the Intune license
  - Administrator withdraws the Intune license
  - Administrator removes the user or group from Azure AD
[NOTE] Using the wipe action to factory reset macOS devices is not supported.
PKCS certificates
PKCS certificates are not supported on macOS.