Deploy Email Protection Certificate (S/MIME) Using Microsoft Intune Cloud PKI Certificate Services

In this article, we explore deploying S/MIME email protection certificates using Microsoft Intune Cloud PKI. This guide is part of a series on certificate deployment in a Modern Workplace environment, integrating Intune, Windows 11, and Cloud PKI.

🔗 Reference: Microsoft Cloud PKI Certificate Deployment Guide

You Should Know:

1. Prerequisites for S/MIME Deployment

  • Microsoft Intune, plus a Microsoft Cloud PKI license (included in the Intune Suite or available as a standalone add-on)
  • Microsoft Entra ID P1 or P2 (formerly Azure AD Premium)
  • Windows 11 devices enrolled in Intune
  • Outlook for Windows on those devices; its S/MIME settings are configured after the certificate has been issued (step 4)

2. Configuring Cloud PKI in Intune

1. Create the Certification Authorities

  • Go to Tenant administration → Cloud PKI → Create. Create a root CA first, then an issuing CA chained to it.
  • On the issuing CA, include Secure Email (1.3.6.1.5.5.7.3.4) in the Extended Key Usages; a CA cannot issue certificates for an EKU it does not carry itself.
  • Download both CA certificates and copy the issuing CA's SCEP URI; the profiles below need them.

2. Deploy the CA Trust Chain

  • Under Devices → Configuration, create a Trusted certificate profile for the root CA certificate and another for the issuing CA certificate, and assign both to the target group. Without them the SCEP enrollment fails chain validation.

3. Create the SCEP Certificate Profile

  • Under Devices → Configuration → Create profile, select Windows 10 and later, Templates, SCEP certificate.

4. Define Certificate Properties

  • Certificate type: User.
  • Subject name format, e.g. CN={{UserName}}.
  • Subject alternative name: Email address = {{EmailAddress}}. Outlook matches the certificate to the sending account through this RFC822 name, so it must equal the user's primary SMTP address.
  • Key usage: Digital signature (signing) and Key encipherment (encryption).
  • Key storage provider: Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP, so the private key is hardware-bound where possible.
  • Extended key usage: Secure Email, OID 1.3.6.1.5.5.7.3.4.
  • Root certificate: the Trusted certificate profile created for the issuing CA.
  • SCEP server URLs: the issuing CA's SCEP URI copied from Cloud PKI.

3. Deploying S/MIME via Intune

  • Assign the SCEP profile to the same user group that received the Trusted certificate profiles. The certificate is enrolled at the next Intune sync after the user signs in on the device.
  • Use PowerShell to verify deployment by filtering on the Secure Email EKU. Do not use the -DocumentEncryptionCert switch: it selects the unrelated Document Encryption EKU (1.3.6.1.4.1.311.80.1) and returns no S/MIME certificates.
    Get-ChildItem -Path Cert:\CurrentUser\My -EKU "1.3.6.1.5.5.7.3.4"
    

4. Enabling S/MIME in Outlook

  1. Open Outlook → File → Options → Trust Center → Trust Center Settings.
  2. Go to Email Security → Encrypted email → Settings.
  3. Under Certificates and Algorithms, choose the deployed certificate as both Signing Certificate and Encryption Certificate. Outlook only offers certificates whose email SAN matches the account, which is why the SAN in the profile matters. Tick Add digital signature to outgoing messages if signing should be the default.

5. Verifying S/MIME Functionality

  • Send a test email with Sign enabled, then one with Encrypt enabled to a recipient whose encryption certificate you already hold; if Outlook has no certificate for a recipient it refuses to send and lists that recipient.
  • Check certificate validity (chain to the Cloud PKI root, expiry, intended purposes) in the user's personal store with:
    certmgr.msc
  • In Intune, open the issuing CA under Tenant administration → Cloud PKI and use View all certificates to confirm the certificate was issued to the expected user.
    
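The checks from steps 3 and 5 collected into one PowerShell verification script. This is an added example, not code from the original guide. It assumes the SCEP profile enrolled a user certificate into Cert:\CurrentUser\My and that the signed-in user's UPN is also the primary SMTP address (set $ExpectedEmail by hand otherwise); Get-SmimeCertReport is a name chosen here.

```powershell
# Added verification script (not from the original guide).
# Assumptions: the SCEP profile issued a user certificate into Cert:\CurrentUser\My,
# and the user's primary SMTP address equals the UPN; set $ExpectedEmail otherwise.
# Requires Windows PowerShell 5.1 or later (the -EKU store filter and Test-Certificate).

$SecureEmailOid = '1.3.6.1.5.5.7.3.4'                 # id-kp-emailProtection, the S/MIME EKU
$ExpectedEmail  = "$(whoami /upn 2>$null)".Trim()    # assumption: UPN == primary SMTP address

function Get-SmimeCertReport {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My',
        [string]$Email     = $ExpectedEmail
    )

    # Filter by EKU OID. -DocumentEncryptionCert would select the unrelated
    # Document Encryption EKU (1.3.6.1.4.1.311.80.1) and miss S/MIME certificates.
    $certs = Get-ChildItem -Path $StorePath -EKU $SecureEmailOid
    if (-not $certs) {
        Write-Warning "No certificate with EKU $SecureEmailOid in $StorePath. Check the profile assignment, then force an Intune sync (Settings > Accounts > Access work or school > Info > Sync)."
        return
    }

    foreach ($cert in $certs) {
        # Outlook binds a certificate to the mailbox through the RFC822 (email) SAN.
        $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }

        # Signing needs DigitalSignature; encryption additionally needs KeyEncipherment.
        $kuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $keyUsage = if ($kuExt) { $kuExt.KeyUsages } else { 'None' }

        # Chain validation against the Cloud PKI root/issuing CA certificates that the
        # Trusted certificate profiles placed on the device, including the EKU check.
        $chainOk = [bool](Test-Certificate -Cert $cert -Policy Base -EKU $SecureEmailOid -ErrorAction SilentlyContinue -WarningAction SilentlyContinue)

        # SCEP-enrolled keys sit in a KSP and are normally non-exportable, which is
        # why Export-PfxCertificate fails for them. ECC keys report 'n/a' here.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $exportPolicy = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.ExportPolicy } else { 'n/a' }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            EmailInSAN    = ($Email -and $sanText -match [regex]::Escape($Email))
            KeyUsage      = "$keyUsage"
            ChainValid    = $chainOk
            HasPrivateKey = $cert.HasPrivateKey
            KeyExportable = "$exportPolicy"
        }
    }
}

Get-SmimeCertReport | Format-List
```

A healthy deployment shows EmailInSAN and ChainValid as True, KeyUsage containing both DigitalSignature and KeyEncipherment, HasPrivateKey True and KeyExportable None. ChainValid False with HasPrivateKey True usually means the Trusted certificate profiles for the root or issuing CA have not reached the device yet.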

What Undercode Say:

Microsoft Intune Cloud PKI simplifies S/MIME deployment but has limitations compared to third-party solutions like SCEPman or an on-premises PKI. Key takeaways:
– Pros: Native Intune integration, automated enrollment and renewal, no NDES/SCEP server to host and patch.
– Cons: Intune-managed devices only, and issuance is SCEP only. The private key is generated on each device, is non-exportable and is never archived. For signing that is exactly what you want. For encryption it means every device of a user ends up with its own encryption certificate, mail encrypted to one device cannot be read on another, and a lost or wiped device takes its encrypted mail with it.

For encryption, most organizations therefore pair a SCEP signing certificate with a PKCS imported certificate (PFX) profile that delivers the same escrowed encryption key to all of a user's devices, issued from a CA that supports key archival. Cloud PKI alone cannot provide that today, so consider a hybrid setup or third-party tooling for advanced PKI needs.

🔧 Useful Commands:

  • Check Intune-Managed Certificates (user S/MIME certificates live in CurrentUser\My; LocalMachine\My holds device certificates):
    Get-ChildItem -Path Cert:\CurrentUser\My 
    Get-ChildItem -Path Cert:\LocalMachine\My 
    
  • Export the Public Certificate (this writes the certificate only, no private key, so it is what you hand to others so they can encrypt to you; a real key backup would need Export-PfxCertificate, which fails on the non-exportable keys SCEP enrollment creates):
    Export-Certificate -Cert "Cert:\CurrentUser\My\<Thumbprint>" -FilePath "C:\smime.cer" 
    
  • Linux OpenSSL Equivalent (for Hybrid Environments; -nodes writes the private key unencrypted, so restrict the file's permissions and delete it when done):
    openssl pkcs12 -in smime.pfx -out smime.pem -nodes 
    

Expected Output:

  • Successful S/MIME deployment in Outlook.
  • Verified email encryption and signing.
  • The issued certificate listed under the issuing CA in Cloud PKI (View all certificates), where it can also be revoked.

🔗 Further Reading: Microsoft Docs – Cloud PKI

References:

Reported By: Jan Mulder – Hackers Feeds