802.1x certificate deploy from intune

Handian Sudianto 7,301 Reputation points
2026-06-22T08:18:38.6633333+00:00

I successfully set up and pushed the certificate configuration for each user for 802.1x authentication from Intune. The deployment time from when the user logs on to the endpoint until the certificate is installed is up to 20 minutes. Now I want to know whether we can improve the time so that when the user logs on to the endpoint, the certificate will be installed in no more than 5 minutes?

Microsoft Security | Intune | Configuration

Answer accepted by question author

Marcin Policht 94,615 Reputation points MVP Volunteer Moderator
2026-06-22T11:05:22.64+00:00

This is going to be challenging because user-specific certificate policies and SCEP requests can only begin after the user logs in, triggers a policy sync, and passes conditional access. You should be able, though, to optimize your setup.

First, pre-deploy your Trusted Root CA. User certificates will fail or stall if the device does not already have the Trusted Root CA certificate installed. Ensure the Root CA and Intermediate CA profiles are assigned to the Device Group rather than the User Group. This ensures the device trusts the certificate infrastructure before the user ever logs in.

Second, adjust your synchronization settings. If these are Autopilot devices, deploying them with User Affinity establishes the device-to-user link early in the onboarding phase. Additionally, make sure your SCEP profile is assigned directly to User Groups instead of Device Groups. When assigned to users, Intune queues the certificate payload the moment the user authenticates to the OS and checks in with the Microsoft Graph API.

Third, look at your backend and network enhancements. Ensure the device has a temporary internet connection immediately upon reaching the desktop. If devices are stuck behind restrictive network filters or Conditional Access blocks, the Intune sync will fail or hang. If you use on-premises NDES/PKI, ensure your Intune Certificate Connector and NDES servers are updated to the latest version. For cloud-native environments, switching from on-premises NDES to Microsoft Cloud PKI can bypass on-premises Active Directory and IIS server latency.


If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
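The following PowerShell script is an added example and is not part of the answer above or of any Microsoft tooling. It checks, on the endpoint, the preconditions the answer describes (Root and Intermediate CA present in the machine stores, not the user stores) and then polls the current user's personal store for the SCEP-issued client-authentication certificate, requesting an MDM sync once if the certificate is not there yet, and reports how long it took to arrive. Run it from a logon script so the elapsed time is measured from logon. The thumbprint, the issuing CA subject, the timeout and the poll interval are placeholders you must replace; the scheduled task name is the one the Windows enrollment client creates, and starting it requires elevation, so the sync trigger is best-effort.

```powershell
# Added example (not from the original post). Verifies the CA chain placement
# and measures how long the user's SCEP certificate takes to appear after logon.
param(
    [string]$RootCaThumbprint = "0000000000000000000000000000000000000000",   # placeholder: your Root CA thumbprint
    [string]$IssuingCaSubject = "CN=Contoso Issuing CA",                      # placeholder: subject of the CA that signs user certs
    [int]$TimeoutMinutes = 5,                                                 # the 5-minute target from the question
    [int]$PollSeconds = 15
)

$ClientAuthEku = "1.3.6.1.5.5.7.3.2"   # Client Authentication EKU used by EAP-TLS (802.1X) certificates

# 1. Root and Intermediate CA must live in the *machine* stores, which is what a
#    device-group assignment of the trusted certificate profiles produces.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $RootCaThumbprint
if (-not $root) { Write-Warning "Root CA $RootCaThumbprint is not in LocalMachine\Root; user certs will not chain." }

$intermediate = Get-ChildItem Cert:\LocalMachine\CA | Where-Object Subject -eq $IssuingCaSubject
if (-not $intermediate) { Write-Warning "Issuing CA '$IssuingCaSubject' is not in LocalMachine\CA." }

# A CA certificate that landed in the *user* stores is a sign the profile was assigned to users.
$misplaced = Get-ChildItem Cert:\CurrentUser\Root, Cert:\CurrentUser\CA |
    Where-Object { $_.Thumbprint -eq $RootCaThumbprint -or $_.Subject -eq $IssuingCaSubject }
if ($misplaced) { Write-Warning "CA certificate found in CurrentUser store; assign the trusted-cert profile to a device group." }

# 2. The SCEP user certificate: issued by the intermediate CA, has a private key, carries Client Authentication.
function Get-UserScepCertificate {
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object {
            $_.Issuer -eq $IssuingCaSubject -and
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $ClientAuthEku)
        } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
}

# 3. Best-effort MDM sync. The enrollment client creates this task under
#    \Microsoft\Windows\EnterpriseMgmt\<EnrollmentGUID>\; it runs as SYSTEM, so starting it needs elevation.
function Start-IntuneSync {
    $task = Get-ScheduledTask -TaskPath "\Microsoft\Windows\EnterpriseMgmt\*" -ErrorAction SilentlyContinue |
        Where-Object TaskName -like "Schedule #3 created by enrollment client*" |
        Select-Object -First 1
    if (-not $task) { return $false }
    try { Start-ScheduledTask -InputObject $task -ErrorAction Stop; return $true }
    catch { Write-Verbose "Could not start sync task: $($_.Exception.Message)"; return $false }
}

# 4. Poll until the certificate is present or the target window elapses.
$stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
$deadline  = (Get-Date).AddMinutes($TimeoutMinutes)
$syncRequested = $false
$cert = Get-UserScepCertificate
while (-not $cert -and (Get-Date) -lt $deadline) {
    if (-not $syncRequested) { $syncRequested = Start-IntuneSync }
    Start-Sleep -Seconds $PollSeconds
    $cert = Get-UserScepCertificate
}
$stopwatch.Stop()

if ($cert) {
    # Verify() builds and validates the chain against the machine trust stores checked above.
    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        NotBefore      = $cert.NotBefore
        ChainValid     = $cert.Verify()
        ElapsedMinutes = [math]::Round($stopwatch.Elapsed.TotalMinutes, 1)
        WithinTarget   = $stopwatch.Elapsed.TotalMinutes -le $TimeoutMinutes
    }
} else {
    Write-Warning "No SCEP user certificate from '$IssuingCaSubject' after $TimeoutMinutes minutes (sync requested: $syncRequested)."
    exit 1
}
```

The `ChainValid` field is the check that matters for 802.1X: a user certificate that is present but does not chain to a trusted root in the machine store will still fail EAP-TLS, which is exactly the stall the answer's first point is about.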
